added script file

AnalisisDeSoftware/Practica3/bomb_script.py

@@ -0,0 +1,101 @@
+# -*- coding: utf-8 -*-
+
+import angr
+import claripy
+
+# Cargar el proyecto
+proj = angr.Project("./bomb", load_options={'auto_load_libs': False})
+
+input_length = 4 * 8  # 4 enteros de 4 bytes cada uno
+input_int1 = claripy.BVS('int1', 32)
+input_int2 = claripy.BVS('int2', 32)
+input_int3 = claripy.BVS('int3', 32)
+input_int4 = claripy.BVS('int4', 32)
+
+# Fase 1 - check_phase1
+st_phase1 = proj.factory.blank_state(addr=0x004009d8)  # Inicio de check_phase1
+
+# Configurar los argumentos para check_phase1
+st_phase1.regs.edi = input_int1
+st_phase1.regs.esi = input_int2
+st_phase1.regs.edx = input_int3
+st_phase1.regs.ecx = input_int4
+
+# Explorador para la primera fase
+ex_phase1 = proj.surveyors.Explorer(
+    start=st_phase1,
+    find=(0x00400a3c,),  # Dirección de retorno exitoso de check_phase1
+    avoid=(0x00400a23,)  # Dirección de sym.explode_bomb dentro de check_phase1
+)
+ex_phase1.run()
+
+if ex_phase1.found:
+    found_state_phase1 = ex_phase1.found[0]
+    solution_phase1 = (
+        str(found_state_phase1.se.eval(input_int1)) + " " +
+        str(found_state_phase1.se.eval(input_int2)) + " " +
+        str(found_state_phase1.se.eval(input_int3)) + " " +
+        str(found_state_phase1.se.eval(input_int4))
+    )
+    print("Phase 1 solution:", solution_phase1)
+
+    # Fase 2 - check_phase2
+    st_phase2 = proj.factory.blank_state(addr=0x00400a95)  # Inicio de check_phase2
+
+    # Configurar los argumentos para check_phase2
+    st_phase2.regs.edi = input_int1
+    st_phase2.regs.esi = input_int2
+    st_phase2.regs.edx = input_int3
+    st_phase2.regs.ecx = input_int4
+
+    # Explorador para la segunda fase
+    ex_phase2 = proj.surveyors.Explorer(
+        start=st_phase2,
+        find=(0x00400b13,),  # Dirección de retorno exitoso de check_phase2
+        avoid=(0x00400b0a,)  # Dirección de sym.explode_bomb dentro de check_phase2
+    )
+    ex_phase2.run()
+
+    if ex_phase2.found:
+        found_state_phase2 = ex_phase2.found[0]
+        solution_phase2 = (
+            str(found_state_phase2.se.eval(input_int1)) + " " +
+            str(found_state_phase2.se.eval(input_int2)) + " " +
+            str(found_state_phase2.se.eval(input_int3)) + " " +
+            str(found_state_phase2.se.eval(input_int4))
+        )
+        print("Phase 2 solution:", solution_phase2)
+
+        # Fase 3 - check_phase3
+        st_phase3 = proj.factory.blank_state(addr=0x00400bc6)  # Inicio de check_phase3
+
+        # Configurar los argumentos para check_phase3
+        st_phase3.regs.edi = input_int1
+        st_phase3.regs.esi = input_int2
+        st_phase3.regs.edx = input_int3
+        st_phase3.regs.ecx = input_int4
+
+        # Explorador para la tercera fase
+        ex_phase3 = proj.surveyors.Explorer(
+            start=st_phase3,
+            find=(0x00400c7a,),  # Dirección de retorno exitoso de check_phase3
+            avoid=(0x00400c07,)  # Dirección de sym.explode_bomb dentro de check_phase3
+        )
+        ex_phase3.run()
+
+        if ex_phase3.found:
+            found_state_phase3 = ex_phase3.found[0]
+            solution_phase3 = (
+                str(found_state_phase3.se.eval(input_int1)) + " " +
+                str(found_state_phase3.se.eval(input_int2)) + " " +
+                str(found_state_phase3.se.eval(input_int3)) + " " +
+                str(found_state_phase3.se.eval(input_int4))
+            )
+            print("Phase 2 solution:", solution_phase3)
+            print("¡Bomb has been defused!")
+        else:
+            print("No valid input for Phase 3.")
+    else:
+        print("No valid input for Phase 2.")
+else:
+    print("No valid input for Phase 1.")