salls/amadhj_solve.py

## amadhj_solve.py
import simuvex, angr
proj = angr.Project("./amadhj")
s = proj.factory.blank_state(addr=0x4026D1)
ans = s.se.BVS("ans",32*8)
s.memory.store(0x1000,ans)
s.regs.rdi = 0x1000
for i in range(32):
    b = ans.get_byte(i)
    in_range = s.se.And(b > "@", b < "z")
    const = s.se.Or(b == " ", in_range)
    s.add_constraints(const)
    s.add_constraints(b != "]")
    s.add_constraints(b != "\\")
    s.add_constraints(b != "^")
    s.add_constraints(b != "`")
    s.add_constraints(b != "[")

pg = proj.factory.path_group(s)
pg.step(num_inst=10)
ss = pg.active[0].state.copy()
ss.ip = 0x4027F8
pg = proj.factory.path_group(ss)
angr.path_group.l.setLevel("DEBUG")
pg.explore(find=0x40287F)
pg.found[0].state.se.any_str(ans)
	import simuvex, angr
	proj = angr.Project("./amadhj")
	s = proj.factory.blank_state(addr=0x4026D1)
	ans = s.se.BVS("ans",32*8)
	s.memory.store(0x1000,ans)
	s.regs.rdi = 0x1000
	for i in range(32):
	b = ans.get_byte(i)
	in_range = s.se.And(b > "@", b < "z")
	const = s.se.Or(b == " ", in_range)
	s.add_constraints(const)
	s.add_constraints(b != "]")
	s.add_constraints(b != "\\")
	s.add_constraints(b != "^")
	s.add_constraints(b != "`")
	s.add_constraints(b != "[")

	pg = proj.factory.path_group(s)
	pg.step(num_inst=10)
	ss = pg.active[0].state.copy()
	ss.ip = 0x4027F8
	pg = proj.factory.path_group(ss)
	angr.path_group.l.setLevel("DEBUG")
	pg.explore(find=0x40287F)
	pg.found[0].state.se.any_str(ans)