From f9061d0f692c05b4d904d61abb43e726b8771469 Mon Sep 17 00:00:00 2001
From: n19971019 <137515554+n19971019@users.noreply.github.com>
Date: Mon, 27 May 2024 13:29:53 +0800
Subject: [PATCH 1/3] Update sol.py

---
 lab7/sol.py | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/lab7/sol.py b/lab7/sol.py
index e69de29b..bdbb2a1a 100644
--- a/lab7/sol.py
+++ b/lab7/sol.py
@@ -0,0 +1,36 @@
+import angr
+import claripy
+
+# 定義成功和失敗訊息的條件
+def is_successful(state):
+    stdout_output = state.posix.dumps(1)
+    return b"Login successful" in stdout_output
+
+def is_failed(state):
+    stdout_output = state.posix.dumps(1)
+    return b"Login failed" in stdout_output
+
+# 加載要分析的程式
+project = angr.Project("./login", auto_load_libs=False)
+
+# 設定初始狀態
+initial_state = project.factory.entry_state()
+
+# 設定符號化的標準輸入,長度為16
+password = claripy.BVS("password", 8 * 16)
+initial_state.posix.stdin.write(password)
+initial_state.posix.stdin.seek(0)
+
+# 創建模擬管理器
+simulation_manager = project.factory.simulation_manager(initial_state)
+
+# 探索,找到成功的輸出並避開失敗的輸出
+simulation_manager.explore(find=is_successful, avoid=is_failed)
+
+# 確認是否找到解決方案
+if simulation_manager.found:
+    solution_state = simulation_manager.found[0]
+    solution = solution_state.solver.eval(password, cast_to=bytes).decode('utf-8')
+    print(f"找到的密碼是: {solution}")
+else:
+    print("沒有找到有效的密碼")

From dfc221a5bb9d32f5b99015205312ff50158fa885 Mon Sep 17 00:00:00 2001
From: n19971019 <137515554+n19971019@users.noreply.github.com>
Date: Mon, 27 May 2024 13:38:04 +0800
Subject: [PATCH 2/3] Update sol.py

---
 lab7/sol.py | 55 ++++++++++++++++++-----------------------------------
 1 file changed, 19 insertions(+), 36 deletions(-)

diff --git a/lab7/sol.py b/lab7/sol.py
index bdbb2a1a..afa74094 100644
--- a/lab7/sol.py
+++ b/lab7/sol.py
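Review bot: `solution_state.solver.eval(password, cast_to=bytes).decode('utf-8')` in the success branch can raise UnicodeDecodeError, because the solver returns whatever model satisfies the path constraints and any byte of `password` the binary never compared is unconstrained, so it need not be valid UTF-8 or even printable. Either add a printable-range constraint on each byte of `password` before evaluating, or keep the raw bytes and print them as `solution = solution_state.solver.eval(password, cast_to=bytes)` followed by `print(f"找到的密碼是: {solution!r}")`. It is also worth remembering that the found state is any input that reaches the `Login successful` output, not necessarily the intended password, so the result should be confirmed against the real binary. The `initial_state.posix.stdin.write(password)` / `seek(0)` pair depends on which SimFile class backs stdin in the installed angr version; `project.factory.entry_state(stdin=password)` is the version-stable way to supply symbolic stdin — presumably equivalent here, worth confirming.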
@@ -1,36 +1,19 @@
-import angr
-import claripy
-
-# 定義成功和失敗訊息的條件
-def is_successful(state):
-    stdout_output = state.posix.dumps(1)
-    return b"Login successful" in stdout_output
-
-def is_failed(state):
-    stdout_output = state.posix.dumps(1)
-    return b"Login failed" in stdout_output
-
-# 加載要分析的程式
-project = angr.Project("./login", auto_load_libs=False)
-
-# 設定初始狀態
-initial_state = project.factory.entry_state()
-
-# 設定符號化的標準輸入,長度為16
-password = claripy.BVS("password", 8 * 16)
-initial_state.posix.stdin.write(password)
-initial_state.posix.stdin.seek(0)
-
-# 創建模擬管理器
-simulation_manager = project.factory.simulation_manager(initial_state)
-
-# 探索,找到成功的輸出並避開失敗的輸出
-simulation_manager.explore(find=is_successful, avoid=is_failed)
-
-# 確認是否找到解決方案
-if simulation_manager.found:
-    solution_state = simulation_manager.found[0]
-    solution = solution_state.solver.eval(password, cast_to=bytes).decode('utf-8')
-    print(f"找到的密碼是: {solution}")
-else:
-    print("沒有找到有效的密碼")
+import angr, sys
+
+def success_condition(state):
+    return b"Login successful" in state.posix.dumps(sys.stdout.fileno())
+
+def fail_condition(state):
+    return b"Login failed" in state.posix.dumps(sys.stdout.fileno())
+
+proj = angr.Project('./login')
+
+init_state = proj.factory.entry_state()
+
+simulation = proj.factory.simgr(init_state)
+
+simulation.explore(find = success_condition, avoid = fail_condition)
+
+solution = simulation.found[0]
+
+print(solution.posix.dumps(sys.stdin.fileno()))

From cf0110e02bb6014cb0945f52c10ac9c3693974d6 Mon Sep 17 00:00:00 2001
From: n19971019 <137515554+n19971019@users.noreply.github.com>
Date: Mon, 27 May 2024 13:46:03 +0800
Subject: [PATCH 3/3] Update sol.py

---
 lab7/sol.py | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/lab7/sol.py b/lab7/sol.py
index afa74094..70490284 100644
--- a/lab7/sol.py
+++ b/lab7/sol.py
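Review bot: `solution = simulation.found[0]` near the end of the new file is unguarded, so when exploration finds no path that prints `Login successful` the script dies with a bare IndexError instead of reporting the outcome; the `if simulation_manager.found:` / `else` branch this commit removes handled exactly that case. Add `if not simulation.found: sys.exit("no path reached 'Login successful'")` before the index. Dropping `auto_load_libs=False` from `angr.Project('./login')` also means the shared libraries the binary links are loaded and stepped symbolically rather than replaced by SimProcedures, which is usually much slower and can change which paths are explored — presumably unintentional, worth confirming. `sys.stdout.fileno()` and `sys.stdin.fileno()` here are being used as the simulated program's fd numbers; literal `1` and `0` (as the removed code used) say that more directly.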
@@ -1,19 +1,14 @@
 import angr, sys
 
-def success_condition(state):
-    return b"Login successful" in state.posix.dumps(sys.stdout.fileno())
-
-def fail_condition(state):
-    return b"Login failed" in state.posix.dumps(sys.stdout.fileno())
-
 proj = angr.Project('./login')
-
 init_state = proj.factory.entry_state()
-
 simulation = proj.factory.simgr(init_state)
 
-simulation.explore(find = success_condition, avoid = fail_condition)
+def success_condition(state):
+    return b'Login successful' in state.posix.dumps(sys.stdout.fileno())
+def fail_condition(state):
+    return b'Login failed' in state.posix.dumps(sys.stdout.fileno())
+simulation.explore(find=success_condition, avoid=fail_condition)
 
 solution = simulation.found[0]
-
 print(solution.posix.dumps(sys.stdin.fileno()))
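Review bot: Moving `success_condition` and `fail_condition` to sit between `simulation = proj.factory.simgr(init_state)` and the `explore` call, with no blank lines around them, makes the script read as a run of statements with two definitions wedged inside; PEP 8 asks for two blank lines around top-level defs, and neither predicate depends on `simulation`, so they belong back above `proj = angr.Project('./login')`. `solution = simulation.found[0]` is still unguarded, so a failed exploration ends in an IndexError; `if not simulation.found: sys.exit("no path reached 'Login successful'")` before it would report the result plainly. Note also that `solution.posix.dumps(sys.stdin.fileno())` prints every byte the solver assigned to stdin, including any the binary never compared, so the tail of the output may be arbitrary bytes rather than part of the password — presumably fine for the lab, but worth checking against how much the binary actually reads.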