1Project/solution.py

## solution.py
import angr

p = angr.Project('./task_0.elf', auto_load_libs=False)

# Create a blank state
st = p.factory.blank_state()

# Constrain to be non-null and non-newline:
for _ in xrange(12):
    k = st.posix.files[0].read_from(1)
    st.se.add(k != 0)
    st.se.add(k != 10)

 # Reset the symbolic stdin's properties and set its length.
st.posix.files[0].seek(0)
st.posix.files[0].length = 12

# Construct a SimulationManager to perform symbolic execution.
# Step until there is nothing left to be stepped.
sm = p.factory.simgr(st)
sm.run()

# Get the stdout of every path that reached an exit syscall. The flag
# should be in one of these!
out = ''
for pp in sm.deadended:
    out = pp.posix.dumps(1)
    if 'Done' in out:
        print 'Result: ', out
        print 'Flag is (hex): ', pp.posix.dumps(0).encode('hex')
        print 'Flag is:', pp.posix.dumps(0)
        fo = open('solution2.txt', 'wb')
        fo.write(pp.posix.dumps(0))
	import angr

	p = angr.Project('./task_0.elf', auto_load_libs=False)

	# Create a blank state
	st = p.factory.blank_state()

	# Constrain to be non-null and non-newline:
	for _ in xrange(12):
	k = st.posix.files[0].read_from(1)
	st.se.add(k != 0)
	st.se.add(k != 10)

	# Reset the symbolic stdin's properties and set its length.
	st.posix.files[0].seek(0)
	st.posix.files[0].length = 12

	# Construct a SimulationManager to perform symbolic execution.
	# Step until there is nothing left to be stepped.
	sm = p.factory.simgr(st)
	sm.run()

	# Get the stdout of every path that reached an exit syscall. The flag
	# should be in one of these!
	out = ''
	for pp in sm.deadended:
	out = pp.posix.dumps(1)
	if 'Done' in out:
	print 'Result: ', out
	print 'Flag is (hex): ', pp.posix.dumps(0).encode('hex')
	print 'Flag is:', pp.posix.dumps(0)
	fo = open('solution2.txt', 'wb')
	fo.write(pp.posix.dumps(0))