Skip to content

Instantly share code, notes, and snippets.

@ywkw1717

ywkw1717/linear_operation.py

Created May 26, 2019 11:49
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save ywkw1717/3cecf6da3e1f63ecfaadc530964340d9 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save ywkw1717/3cecf6da3e1f63ecfaadc530964340d9 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
linear_operation.py
#!/usr/bin/env python
import angr
from claripy import BVS
proj = angr.Project("./linear_operation")
length = 63
flag = BVS("flag", length * 8)
addr_is_correct = 0x400607
initial_state = proj.factory.blank_state(addr=addr_is_correct)
initial_state.regs.rsp = 0xffffff
initial_state.memory.store(0x100000, flag)
initial_state.regs.rdi = 0x100000
for i, c in enumerate(flag.chop(8)):
if i == 0:
initial_state.add_constraints(c == 'c')
elif i == 1:
initial_state.add_constraints(c == 't')
elif i == 2:
initial_state.add_constraints(c == 'f')
elif i == 3:
initial_state.add_constraints(c == '4')
elif i == 4:
initial_state.add_constraints(c == 'b')
elif i == 5:
initial_state.add_constraints(c == '{')
elif i == (length - 1):
initial_state.add_constraints(c == "}")
else:
initial_state.add_constraints('0' <= c)
initial_state.add_constraints(c <= '~')
path_group = proj.factory.path_group(initial_state)
path_group.explore(find=(0x40ced9,))
for found in path_group.found:
for s in found.state.se.any_n_str(flag, 8):
print s
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment