102 lines
3.6 KiB
Python
102 lines
3.6 KiB
Python
# -*- coding: utf-8 -*-
|
|
|
|
import angr
|
|
import claripy
|
|
|
|
# Load binary
|
|
proj = angr.Project("./bomb", load_options={'auto_load_libs': False})
|
|
|
|
input_length = 4 * 8 # 4 enteros de 4 bytes cada uno
|
|
input_int1 = claripy.BVS('int1', 32)
|
|
input_int2 = claripy.BVS('int2', 32)
|
|
input_int3 = claripy.BVS('int3', 32)
|
|
input_int4 = claripy.BVS('int4', 32)
|
|
|
|
# Fase 1 - check_phase1
|
|
st_phase1 = proj.factory.blank_state(addr=0x004009d8) # Inicio de check_phase1
|
|
|
|
# Configurar los argumentos para check_phase1
|
|
st_phase1.regs.edi = input_int1
|
|
st_phase1.regs.esi = input_int2
|
|
st_phase1.regs.edx = input_int3
|
|
st_phase1.regs.ecx = input_int4
|
|
|
|
# Explorador para la primera fase
|
|
ex_phase1 = proj.surveyors.Explorer(
|
|
start=st_phase1,
|
|
find=(0x00400a3c,), # Dirección de retorno exitoso de check_phase1
|
|
avoid=(0x00400a23, 0x00400a2f) # Dirección de sym.explode_bomb dentro de check_phase1
|
|
)
|
|
ex_phase1.run()
|
|
|
|
if ex_phase1.found:
|
|
found_state_phase1 = ex_phase1.found[0]
|
|
solution_phase1 = (
|
|
str(found_state_phase1.se.eval(input_int1)) + " " +
|
|
str(found_state_phase1.se.eval(input_int2)) + " " +
|
|
str(found_state_phase1.se.eval(input_int3)) + " " +
|
|
str(found_state_phase1.se.eval(input_int4))
|
|
)
|
|
print("Phase 1 solution:", solution_phase1)
|
|
|
|
# Fase 2 - check_phase2
|
|
st_phase2 = proj.factory.blank_state(addr=0x00400a95) # Inicio de check_phase2
|
|
|
|
# Configurar los argumentos para check_phase2
|
|
st_phase2.regs.edi = input_int1
|
|
st_phase2.regs.esi = input_int2
|
|
st_phase2.regs.edx = input_int3
|
|
st_phase2.regs.ecx = input_int4
|
|
|
|
# Explorador para la segunda fase
|
|
ex_phase2 = proj.surveyors.Explorer(
|
|
start=st_phase2,
|
|
find=(0x00400b12,), # Dirección de retorno exitoso de check_phase2
|
|
avoid=(0x00400ad4,0x00400af9,0x00400b05) # Dirección de sym.explode_bomb dentro de check_phase2
|
|
)
|
|
ex_phase2.run()
|
|
|
|
if ex_phase2.found:
|
|
found_state_phase2 = ex_phase2.found[0]
|
|
solution_phase2 = (
|
|
str(found_state_phase2.se.eval(input_int1)) + " " +
|
|
str(found_state_phase2.se.eval(input_int2)) + " " +
|
|
str(found_state_phase2.se.eval(input_int3)) + " " +
|
|
str(found_state_phase2.se.eval(input_int4))
|
|
)
|
|
print("Phase 2 solution:", solution_phase2)
|
|
|
|
# Fase 3 - check_phase3
|
|
st_phase3 = proj.factory.blank_state(addr=0x00400bc6) # Inicio de check_phase3
|
|
|
|
# Configurar los argumentos para check_phase3
|
|
st_phase3.regs.edi = input_int1
|
|
st_phase3.regs.esi = input_int2
|
|
st_phase3.regs.edx = input_int3
|
|
st_phase3.regs.ecx = input_int4
|
|
|
|
# Explorador para la tercera fase
|
|
ex_phase3 = proj.surveyors.Explorer(
|
|
start=st_phase3,
|
|
find=(0x00400c76,), # Dirección de retorno exitoso de check_phase3
|
|
avoid=(0x00400c54,0x00400c60,0x00400c6c) # Dirección de sym.explode_bomb dentro de check_phase3
|
|
)
|
|
ex_phase3.run()
|
|
|
|
if ex_phase3.found:
|
|
found_state_phase3 = ex_phase3.found[0]
|
|
solution_phase3 = (
|
|
str(found_state_phase3.se.eval(input_int1)) + " " +
|
|
str(found_state_phase3.se.eval(input_int2)) + " " +
|
|
str(found_state_phase3.se.eval(input_int3)) + " " +
|
|
str(found_state_phase3.se.eval(input_int4))
|
|
)
|
|
print("Phase 2 solution:", solution_phase3)
|
|
print("¡Bomb has been defused!")
|
|
else:
|
|
print("No valid input for Phase 3.")
|
|
else:
|
|
print("No valid input for Phase 2.")
|
|
else:
|
|
print("No valid input for Phase 1.")
|