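# -*- coding: utf-8 -*-
"""Solve the three check_phaseN routines of ./bomb with angr's symbolic execution.

Each phase routine takes four 32-bit integer arguments.  For every phase a
blank state is created at the routine's entry with those four arguments left
symbolic, the explorer searches for the "all checks passed" return address
while discarding paths that reach an explode_bomb call site, and one
satisfying assignment is printed.  Phases are attempted in order; the first
one without a solution stops the run.

All addresses below are specific to this build of ./bomb and must be re-read
from the disassembly if the binary changes.
"""
import angr
import claripy

# Load only the binary itself; the phase checks are explored without mapping libc.
proj = angr.Project("./bomb", load_options={'auto_load_libs': False})

input_length = 4 * 4  # four 4-byte integers (kept for reference; not used below)

# One symbolic 32-bit value per integer argument, shared by every phase.
input_int1 = claripy.BVS('int1', 32)
input_int2 = claripy.BVS('int2', 32)
input_int3 = claripy.BVS('int3', 32)
input_int4 = claripy.BVS('int4', 32)
INPUTS = (input_int1, input_int2, input_int3, input_int4)

# (phase number, check_phaseN entry, successful-return addresses, explode_bomb call sites)
PHASES = (
    (1, 0x004009d8, (0x00400a3c,), (0x00400a23, 0x00400a2f)),
    (2, 0x00400a95, (0x00400b12,), (0x00400ad4, 0x00400af9, 0x00400b05)),
    (3, 0x00400bc6, (0x00400c76,), (0x00400c54, 0x00400c60, 0x00400c6c)),
)


def _phase_state(start_addr):
    """Return a blank state at *start_addr* with the four symbolic arguments loaded.

    The arguments are placed in edi/esi/edx/ecx, i.e. the low 32 bits of the
    first four integer-argument registers of the x86-64 calling convention.
    NOTE(review): this assumes the checks only read the low halves — confirm
    against the disassembly if a phase compares full 64-bit registers.
    """
    state = proj.factory.blank_state(addr=start_addr)
    state.regs.edi = input_int1
    state.regs.esi = input_int2
    state.regs.edx = input_int3
    state.regs.ecx = input_int4
    return state


def solve_phase(start_addr, find_addrs, avoid_addrs):
    """Explore one check_phaseN routine and return a concrete "a b c d" solution, or None.

    Args:
        start_addr: entry address of the phase routine.
        find_addrs: addresses reached only when every check in the routine passed.
        avoid_addrs: explode_bomb call sites inside the routine; paths that
            reach them are dropped.

    Returns:
        The four argument values, space-separated, taken from the first found
        state, or None when the explorer reaches no find address.  Only one
        satisfying assignment is reported; the constraints may admit others.
    """
    # NOTE: proj.surveyors / state.se are the pre-angr-8 API names this script
    # was written against; newer releases expose the same functionality as
    # proj.factory.simulation_manager(...).explore(find=..., avoid=...) and
    # state.solver.
    explorer = proj.surveyors.Explorer(
        start=_phase_state(start_addr),
        find=find_addrs,
        avoid=avoid_addrs,
    )
    explorer.run()
    if not explorer.found:
        return None
    found = explorer.found[0]
    return " ".join(str(found.se.eval(value)) for value in INPUTS)


# Phases are solved in order; stop at the first one with no solution.  The
# "defused" message is only printed when the loop completes without a break.
for number, start_addr, find_addrs, avoid_addrs in PHASES:
    solution = solve_phase(start_addr, find_addrs, avoid_addrs)
    if solution is None:
        print("No valid input for Phase %d." % number)
        break
    print("Phase %d solution:" % number, solution)
else:
    print("¡Bomb has been defused!")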