#!/usr/bin/env python
# coding: utf-8
import angr
import claripy
import time
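def main():
    """Symbolically execute ./chall and print every stdin that makes it say "Yay!".

    Builds a 46-byte symbolic flag followed by a newline, restricts each byte
    to a narrow range so the solver does not wander through non-text input,
    runs the binary under angr until every path has terminated, and prints the
    concrete stdin of each deadended state whose stdout contains "Yay!".

    Side effects: loads ./chall from the current working directory and writes
    matches to stdout.  Any failure to load or run ./chall propagates from angr.
    """
    p = angr.Project('./chall')

    # One 8-bit symbolic variable per flag character; the name carries the
    # index so a solved byte can be mapped back to its position if needed.
    flag_chars = [claripy.BVS('flag{%d}' % i, 8) for i in range(46)]
    # The symbolic input is terminated with '\n' like a line read from stdin.
    flag = claripy.Concat(*(flag_chars + [claripy.BVV(b'\n')]))

    st = p.factory.full_init_state(
        args=['./chall'],
        stdin=flag,
    )
    # Prune the search space: no NUL, no embedded newline, and every byte
    # in 32..128.  NOTE(review): 128 is past printable ASCII (0x7e); the
    # bound is kept as the author wrote it so the solution set is unchanged.
    for k in flag_chars:
        st.solver.add(k != 0)
        st.solver.add(k != 10)
        st.solver.add(k >= 32)
        st.solver.add(k <= 128)

    sm = p.factory.simulation_manager(st)
    sm.run()  # explore until no active paths remain

    for pp in sm.deadended:
        stdin = pp.posix.dumps(0)
        stdout = pp.posix.dumps(1)
        # posix.dumps() yields bytes under Python 3, where `'Yay!' in stdout`
        # would raise TypeError; a bytes literal works under both 2 and 3,
        # and the function-call form of print is likewise valid on both.
        if b'Yay!' in stdout:
            print(stdin)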
if __name__ == '__main__':
    # Run the solver only when executed as a script, never on import.
    main()