ymgve/sakura-angr-solve.py

## sakura-angr-solve.py
import angr

data = open("sakura-fdb3c896d8a3029f40a38150b2e30a79", "rb").read()
findseq = []
avoid = []
index = 0
count = 0
while True:
    res = data.find("\xC6\x85\xB7\xE1\xFF\xFF\x00", index)
    if res == -1:
        break

    if count % 3 == 2:
        findseq.append(0x400000 + res + 7)

    avoid.append(0x400000 + res)

    count += 1
    index = res + 1

proj = angr.Project('./sakura-fdb3c896d8a3029f40a38150b2e30a79')
state = proj.factory.entry_state()

for find in findseq:
    print hex(find)
    simgr = proj.factory.simgr(state)
    simgr.explore(find=find, avoid=avoid)
    state = simgr.found[0]
    print repr(state.posix.dumps(0))

open("input", "wb").write(state.posix.dumps(0))

# cat input | ./sakura-fdb3c896d8a3029f40a38150b2e30a79
	import angr

	data = open("sakura-fdb3c896d8a3029f40a38150b2e30a79", "rb").read()
	findseq = []
	avoid = []
	index = 0
	count = 0
	while True:
	res = data.find("\xC6\x85\xB7\xE1\xFF\xFF\x00", index)
	if res == -1:
	break

	if count % 3 == 2:
	findseq.append(0x400000 + res + 7)

	avoid.append(0x400000 + res)

	count += 1
	index = res + 1

	proj = angr.Project('./sakura-fdb3c896d8a3029f40a38150b2e30a79')
	state = proj.factory.entry_state()

	for find in findseq:
	print hex(find)
	simgr = proj.factory.simgr(state)
	simgr.explore(find=find, avoid=avoid)
	state = simgr.found[0]
	print repr(state.posix.dumps(0))

	open("input", "wb").write(state.posix.dumps(0))

	# cat input \| ./sakura-fdb3c896d8a3029f40a38150b2e30a79