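--- a/<PATH-not-shown>
+++ b/<PATH-not-shown>
@@ -1,11 +1,41 @@
 #!/usr/bin/env python3
-
-import angr, sys
+import angr
+import claripy
+import sys
 
 def main():
-    secret_key = b""
-    sys.stdout.buffer.write(secret_key)
+    # 載入二進位,不載入動態函式庫加快速度
+    proj = angr.Project('./chal', auto_load_libs=False)
+
+    # 建立 8 個符號字元
+    flag_chars = [claripy.BVS(f'c{i}', 8) for i in range(8)]
+    flag = claripy.Concat(*flag_chars)
+
+    # 製作帶有符號輸入的初始狀態
+    # has_end=True 表示讀到 flag 後即結束輸入
+    stdin = angr.SimFileStream(name='stdin', content=flag, has_end=True)
+    state = proj.factory.full_init_state(stdin=stdin)
+
+    # 限制每個字元為可列印 ASCII(32~126)
+    for c in flag_chars:
+        state.solver.add(c >= 0x20)
+        state.solver.add(c <= 0x7e)
+
+    simgr = proj.factory.simulation_manager(state)
+
+    # 尋找印出「Correct! The flag is」的路徑
+    target = b"Correct! The flag is"
+    simgr.explore(find=lambda s: target in s.posix.dumps(1))
 
+    if simgr.found:
+        found = simgr.found[0]
+        # 求解出具體 key
+        solution = found.solver.eval(flag, cast_to=bytes)
+        # 輸出到 stdout,供 validate.sh 傳給 chal
+        sys.stdout.buffer.write(solution)
+    else:
+        print("No solution found.", file=sys.stderr)
+        sys.exit(1)
 
 if __name__ == '__main__':
     main()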
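Review bot: The `simgr.explore(find=...)` call in main() has no `avoid` predicate and no step bound, so on a binary whose failure path loops or re-prompts the exploration can keep forking states indefinitely before the `if simgr.found` check is ever reached; bounding it, e.g. `simgr.explore(find=lambda s: target in s.posix.dumps(1), avoid=lambda s: <FAILURE_MARKER> in s.posix.dumps(1), n=<STEP_LIMIT>)`, keeps the run's time and memory predictable (the failure marker is whatever the binary prints on a wrong key, which is not visible in this diff). The `else` branch also reports only "No solution found." and discards `simgr.errored`, so a state that crashed during execution is indistinguishable from an exhausted search; `print(f"No solution found; errored states: {len(simgr.errored)}", file=sys.stderr)` would make that visible to whoever runs validate.sh. main() additionally has no docstring; a one-liner such as `"""Symbolically execute ./chal and write the 8-byte key that reaches the success message to stdout."""` would document the contract the caller relies on.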