From 817699a0f9d0b178b51bb3b08491433fb3c51a3e Mon Sep 17 00:00:00 2001
From: vgracia
Date: Sun, 6 Jul 2025 13:23:46 +0200
Subject: [PATCH] added script file
---
 AnalisisDeSoftware/Practica3/bomb_script.py | 101 ++++++++++++++++++++
 1 file changed, 101 insertions(+)
 create mode 100644 AnalisisDeSoftware/Practica3/bomb_script.py
diff --git a/AnalisisDeSoftware/Practica3/bomb_script.py b/AnalisisDeSoftware/Practica3/bomb_script.py
new file mode 100644
index 0000000..c9480bc
--- /dev/null
+++ b/AnalisisDeSoftware/Practica3/bomb_script.py
@@ -0,0 +1,101 @@
+# -*- coding: utf-8 -*-
+
+import angr
+import claripy
+
+# Cargar el proyecto
+proj = angr.Project("./bomb", load_options={'auto_load_libs': False})
+
+input_length = 4 * 8 # 4 enteros de 4 bytes cada uno
+input_int1 = claripy.BVS('int1', 32)
+input_int2 = claripy.BVS('int2', 32)
+input_int3 = claripy.BVS('int3', 32)
+input_int4 = claripy.BVS('int4', 32)
+
+# Fase 1 - check_phase1
+st_phase1 = proj.factory.blank_state(addr=0x004009d8) # Inicio de check_phase1
+
+# Configurar los argumentos para check_phase1
+st_phase1.regs.edi = input_int1
+st_phase1.regs.esi = input_int2
+st_phase1.regs.edx = input_int3
+st_phase1.regs.ecx = input_int4
+
+# Explorador para la primera fase
+ex_phase1 = proj.surveyors.Explorer(
+ start=st_phase1,
+ find=(0x00400a3c,), # Dirección de retorno exitoso de check_phase1
+ avoid=(0x00400a23,) # Dirección de sym.explode_bomb dentro de check_phase1
+)
+ex_phase1.run()
+
+if ex_phase1.found:
+ found_state_phase1 = ex_phase1.found[0]
+ solution_phase1 = (
+ str(found_state_phase1.se.eval(input_int1)) + " " +
+ str(found_state_phase1.se.eval(input_int2)) + " " +
+ str(found_state_phase1.se.eval(input_int3)) + " " +
+ str(found_state_phase1.se.eval(input_int4))
+ )
+ print("Phase 1 solution:", solution_phase1)
+
+ # Fase 2 - check_phase2
+ st_phase2 = proj.factory.blank_state(addr=0x00400a95) # Inicio de check_phase2
+
+ # Configurar los argumentos para check_phase2
+ st_phase2.regs.edi = input_int1
+ st_phase2.regs.esi = input_int2
+ st_phase2.regs.edx = input_int3
+ st_phase2.regs.ecx = input_int4
+
+ # Explorador para la segunda fase
+ ex_phase2 = proj.surveyors.Explorer(
+ start=st_phase2,
+ find=(0x00400b13,), # Dirección de retorno exitoso de check_phase2
+ avoid=(0x00400b0a,) # Dirección de sym.explode_bomb dentro de check_phase2
+ )
+ ex_phase2.run()
+
+ if ex_phase2.found:
+ found_state_phase2 = ex_phase2.found[0]
+ solution_phase2 = (
+ str(found_state_phase2.se.eval(input_int1)) + " " +
+ str(found_state_phase2.se.eval(input_int2)) + " " +
+ str(found_state_phase2.se.eval(input_int3)) + " " +
+ str(found_state_phase2.se.eval(input_int4))
+ )
+ print("Phase 2 solution:", solution_phase2)
+
+ # Fase 3 - check_phase3
+ st_phase3 = proj.factory.blank_state(addr=0x00400bc6) # Inicio de check_phase3
+
+ # Configurar los argumentos para check_phase3
+ st_phase3.regs.edi = input_int1
+ st_phase3.regs.esi = input_int2
+ st_phase3.regs.edx = input_int3
+ st_phase3.regs.ecx = input_int4
+
+ # Explorador para la tercera fase
+ ex_phase3 = proj.surveyors.Explorer(
+ start=st_phase3,
+ find=(0x00400c7a,), # Dirección de retorno exitoso de check_phase3
+ avoid=(0x00400c07,) # Dirección de sym.explode_bomb dentro de check_phase3
+ )
+ ex_phase3.run()
+
+ if ex_phase3.found:
+ found_state_phase3 = ex_phase3.found[0]
+ solution_phase3 = (
+ str(found_state_phase3.se.eval(input_int1)) + " " +
+ str(found_state_phase3.se.eval(input_int2)) + " " +
+ str(found_state_phase3.se.eval(input_int3)) + " " +
+ str(found_state_phase3.se.eval(input_int4))
+ )
+ print("Phase 2 solution:", solution_phase3)
+ print("¡Bomb has been defused!")
+ else:
+ print("No valid input for Phase 3.")
+ else:
+ print("No valid input for Phase 2.")
+else:
+ print("No valid input for Phase 1.")
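Review bot: The three exploration blocks rely on `proj.surveyors.Explorer(...)` and `found_state.se.eval(...)`, APIs that current angr releases no longer ship (the replacements are `proj.factory.simulation_manager(state).explore(find=..., avoid=...)` and `state.solver.eval(...)`), so unless the course pins an old angr version — worth stating in a top-of-file comment if it does — the script stops at the first `Explorer` call with an AttributeError. The three phase blocks are copies that differ only in three addresses, and the copying has already produced a mislabel: the last result is printed as `print("Phase 2 solution:", solution_phase3)` where `"Phase 3 solution:"` is meant. `input_length = 4 * 8` is never used and its comment says four 4-byte integers, which is 16, not 32; drop the line or fix the comment. A per-phase helper driven by a table of the three address triples removes the duplication so the register setup and the result label exist in one place; the rewrite below keeps the project load and the four `claripy.BVS` declarations unchanged.
```python
# … unchanged: project load and the four claripy.BVS declarations …

# Per phase: (start of check_phaseN, successful-return address, explode_bomb call site)
PHASES = [
    (0x004009d8, 0x00400a3c, 0x00400a23),
    (0x00400a95, 0x00400b13, 0x00400b0a),
    (0x00400bc6, 0x00400c7a, 0x00400c07),
]


def solve_phase(start_addr, find_addr, avoid_addr):
    """Explore one check_phase from a blank state; return "a b c d" or None if no path reaches find_addr."""
    state = proj.factory.blank_state(addr=start_addr)
    state.regs.edi = input_int1
    state.regs.esi = input_int2
    state.regs.edx = input_int3
    state.regs.ecx = input_int4
    simgr = proj.factory.simulation_manager(state)
    simgr.explore(find=find_addr, avoid=avoid_addr)
    if not simgr.found:
        return None
    found = simgr.found[0]
    return " ".join(str(found.solver.eval(v)) for v in (input_int1, input_int2, input_int3, input_int4))


for number, (start, find, avoid) in enumerate(PHASES, start=1):
    solution = solve_phase(start, find, avoid)
    if solution is None:
        print(f"No valid input for Phase {number}.")
        break
    print(f"Phase {number} solution:", solution)
else:
    print("¡Bomb has been defused!")
```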