import angr
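def main(binary="zwiebel", steps=20, keep=20):
    """Recover the flag by symbolically executing the challenge binary.

    The binary unpacks (rewrites) its own code at runtime, which is why the
    angr project is created with ``support_selfmodifying_code=True``; the
    unicorn engine is enabled because it makes that unpacking phase much
    faster. Execution proceeds in rounds of ``steps`` steps, and after every
    round only the most recent ``keep`` ``deadended``/``errored`` states are
    retained to bound memory use.

    Args:
        binary: Path of the executable to analyse (default ``"zwiebel"``).
        steps: Number of steps per ``sm.run()`` round.
        keep: How many deadended/errored states survive each pruning round.

    Returns:
        The first line the last deadended state consumed from stdin (fd 0),
        i.e. the flag, as a text string.

    Raises:
        RuntimeError: if execution finishes without any deadended state.
    """
    # Uncomment the following two lines for logging output from SimulationManager:
    # import logging
    # logging.getLogger('angr.manager').setLevel(logging.DEBUG)
    p = angr.Project(
        binary,
        support_selfmodifying_code=True,  # this is important! this binary unpacks its code
        load_options={'auto_load_libs': False},
    )
    # unicorn support makes execution, especially code unpacking, way faster
    state = p.factory.entry_state(add_options=angr.options.unicorn)
    sm = p.factory.simulation_manager(state)
    while sm.active:
        sm.run(n=steps)
        # A run may exhaust the active stash, so only index it when non-empty;
        # this is progress output only.
        if sm.active:
            print(sm.active[0])
        # In order to save memory, only the recent `keep` deadended or errored
        # states are kept.
        if 'deadended' in sm.stashes and sm.deadended:
            sm.stashes['deadended'] = sm.deadended[-keep:]
        if 'errored' in sm.stashes and sm.errored:
            sm.stashes['errored'] = sm.errored[-keep:]
    if not sm.deadended:
        raise RuntimeError("no deadended state reached; cannot extract the flag")
    # Everything the program read from stdin; the flag is its first line.
    # b"\n" is a plain str on Python 2 and matches the bytes dumps() returns
    # on Python 3, so the split works on either.
    stdin_data = sm.deadended[-1].posix.dumps(0)
    flag = stdin_data.split(b"\n")[0]
    if not isinstance(flag, str):  # bytes on Python 3: decode to text
        flag = flag.decode("utf-8", "replace")
    return flag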
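def test():
    """Check that the solver recovers the known flag.

    This runs the full symbolic execution, which takes hours on a typical
    machine; the comparison must call ``main()`` (comparing the function
    object itself to the string would always fail).
    """
    assert main() == 'hxp{1_h0p3_y0u_d1dnt_p33l_th3_0ni0n_by_h4nd}'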
if __name__ == "__main__":
    # Script entry point: run the solver and show the recovered flag.
    print(main())

"""
Here is the output (after 2 hours and 31 minutes on my machine running Pypy):
ipdb> print sm
<PathGroup with 20 errored, 21 deadended>
ipdb> print sm.deadended[-1]
<Path with 160170 runs (at 0x20001e0)>
ipdb> print sm.deadended[-1].state.posix.dumps(0)
hxp{1_h0p3_y0u_d1dnt_p33l_th3_0ni0n_by_h4nd}
:)
"""