File tree 1 file changed +45
-0
lines changed
1 file changed +45
-0
lines changed Original file line number Diff line number Diff line change 1+ import angr
2+ import claripy
3+
4+ def main ():
5+ # 加載 login 可執行文件
6+ project = angr .Project ('login' , auto_load_libs = False )
7+
8+ # 設定輸入長度和創建符號變量
9+ input_size = 16 # 密碼長度
10+ flag_chars = [claripy .BVS (f'flag_{ i } , 8 ) for i in range (input_size )]
11+ flag = claripy .Concat (* flag_chars + [claripy .BVV (b'\n ' )]) # 添加換行符
12+
13+ # 創建初始狀態
14+ initial_state = project .factory .full_init_state (
15+ args = ['./login' ],
16+ stdin = flag
17+ )
18+
19+ # 添加約束條件:所有字符都是可打印的
20+ for k in flag_chars :
21+ initial_state .solver .add (k >= 0x20 )
22+ initial_state .solver .add (k <= 0x7e )
23+
24+ # 創建仿真管理器
25+ simulation = project .factory .simgr (initial_state )
26+
27+ # 定義目標地址
28+ def is_successful (state ):
29+ return b'Login successful' in state .posix .dumps (1 )
30+
31+ def should_abort (state ):
32+ return b'Login failed' in state .posix .dumps (1 )
33+
34+ # 開始仿真
35+ simulation .explore (find = is_successful , avoid = should_abort )
36+
37+ if simulation .found :
38+ solution_state = simulation .found [0 ]
39+ solution = solution_state .solver .eval (flag , cast_to = bytes ).strip (b'\n ' )
40+ print (f'Found solution: { solution } )
41+ else :
42+ print ('No solution found' )
43+
44+ if __name__ == '__main__' :
45+ main ()
You can’t perform that action at this time.
0 commit comments