adambpa/babymix.py

## babymix.py
#!/usr/bin/env python3

import angr
import claripy
import time

def solve():
	proj = angr.Project("./babymix",
			     main_opts = {"base_addr": 0},
			     auto_load_libs = False)

	password_bytes = [claripy.BVS("byte_%d" % i, 8) for i in range(22)]
	password_bytes_ast = claripy.Concat(*password_bytes + [claripy.BVV(b'\n')])

	st = proj.factory.full_init_state(
		args=['./babmix'],
	 	add_options=angr.options.unicorn,
		stdin=password_bytes_ast
	)

	for k in password_bytes:
		st.solver.add(k < 0x7f)
		st.solver.add(k > 0x20)

	sm = proj.factory.simulation_manager(st)
	sm.run()

	out = b''
	for pp in sm.deadended:
		out = pp.posix.dumps(1)
		if b'Correct!' in out:
			out = pp.solver.eval(password_bytes_ast, cast_to=bytes).decode("utf-8", "ignore")
			print(out)
			return
if __name__ == "__main__":
	before = time.time()
	solve()
	after = time.time()
	print("Time elapsed: {}".format(after - before))
	#!/usr/bin/env python3

	import angr
	import claripy
	import time

	def solve():
	proj = angr.Project("./babymix",
	main_opts = {"base_addr": 0},
	auto_load_libs = False)

	password_bytes = [claripy.BVS("byte_%d" % i, 8) for i in range(22)]
	password_bytes_ast = claripy.Concat(*password_bytes + [claripy.BVV(b'\n')])

	st = proj.factory.full_init_state(
	args=['./babmix'],
	add_options=angr.options.unicorn,
	stdin=password_bytes_ast
	)

	for k in password_bytes:
	st.solver.add(k < 0x7f)
	st.solver.add(k > 0x20)

	sm = proj.factory.simulation_manager(st)
	sm.run()

	out = b''
	for pp in sm.deadended:
	out = pp.posix.dumps(1)
	if b'Correct!' in out:
	out = pp.solver.eval(password_bytes_ast, cast_to=bytes).decode("utf-8", "ignore")
	print(out)
	return
	if __name__ == "__main__":
	before = time.time()
	solve()
	after = time.time()
	print("Time elapsed: {}".format(after - before))