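--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,35 +1,46 @@
 #!/usr/bin/env python3
 
-
 import angr
 import claripy
 import sys
 
 def main ():
+# 載入 chal 執行檔
 proj = angr .Project ("./chal" , auto_load_libs = False )
+
+# 建立 8 個符號位元組(每個是 8-bit),組成 secret_key
 key_bytes = [claripy .BVS (f'key_{ i } ' , 8 ) for i in range (8 )]
 secret_key = claripy .Concat (* key_bytes )
+
+# 初始化 state,將 symbolic input 傳入 stdin
 state = proj .factory .full_init_state (stdin = secret_key )
+
+# 加入輸入長度限制(因為 chal.c 會用 strlen 判斷長度必須是 8)
 for b in key_bytes :
-state .solver .add (b >= 0x20 )
+state .solver .add (b >= 0x20 ) # 可列印字元
 state .solver .add (b <= 0x7e )
+
+# 建立 simulation manager
 simgr = proj .factory .simgr (state )
 
+# 設定搜尋目標:當輸出包含 "Correct!",代表成功通過 gate()
 def is_successful (state ):
 return b"Correct!" in state .posix .dumps (1 )
 
+# 設定排除條件:當輸出包含 "Wrong key!",表示是失敗路徑
 def should_abort (state ):
 return b"Wrong key!" in state .posix .dumps (1 )
 
+# 探索符合條件的路徑
 simgr .explore (find = is_successful , avoid = should_abort )
 
 if simgr .found :
 found = simgr .found [0 ]
+# 將求得的符號解碼為實際的字串
 key = found .solver .eval (secret_key , cast_to = bytes )
 sys .stdout .buffer .write (key )
 else :
 print ("No solution found." )
 
-
 if __name__ == '__main__' :
 main ()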
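Review bot: The comment added before the constraint loop (new line 18) announces a length restriction, but the loop only bounds each byte to 0x20–0x7e; the length is already fixed by the 8-byte `secret_key` handed to `full_init_state(stdin=...)`, and the printable bound only guarantees that no byte is NUL, which is what lets `strlen` in the target see all 8 characters (assuming chal reads at least 8 bytes, which this hunk does not show). A comment that matches the code would be `# keep every byte printable (0x20-0x7e); this also rules out NUL, so strlen() on the 8-byte input returns 8`. Separately, the `else` branch prints "No solution found." to stdout and the script still exits with status 0, so a caller piping the recovered key cannot distinguish failure from success; `print("No solution found.", file=sys.stderr)` followed by `sys.exit(1)` would make the outcome explicit. The recovered key is also written without a trailing newline, which is fine for piping but worth a one-line comment so nobody "fixes" it.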