11## Full writeup found on http://www.ctfhacker.com
22## Binary found here: http://csapp.cs.cmu.edu/3e/bomb.tar
33
4- import angr , logging
5- from subprocess import Popen , PIPE
6- from itertools import product
7- import struct
4+ import angr
5+ import logging
6+ import claripy
87
98def main ():
10- proj = angr .Project ('bomb' , load_options = { ' auto_load_libs' : False } )
9+ proj = angr .Project ('bomb' , auto_load_libs = False )
1110
1211 logging .basicConfig ()
1312 logging .getLogger ('angr.surveyors.explorer' ).setLevel (logging .DEBUG )
@@ -19,22 +18,20 @@ def main():
1918
2019 # Sscanf is looking for '%d %d %d %d %d %d' which ends up dropping 6 ints onto the stack
2120 # We will create 6 symbolic values onto the stack to mimic this
22- for i in xrange (6 ):
23- state .stack_push (state .se . BVS ('int{}' . format ( i ), 4 * 8 ))
21+ for i in range (6 ):
22+ state .memory . store (state .regs . rsp + i * 4 , state . solver . BVS (f 'int{ i } ' , 32 ))
2423
2524 # Attempt to find a path to the end of the phase_2 function while avoiding the bomb_explode
26- path = proj .factory .path (state = state )
27- ex = proj .surveyors .Explorer (start = path , find = (0x400f3c ,),
28- avoid = (bomb_explode ,),
29- enable_veritesting = True )
30- ex .run ()
31- if ex .found :
32- found = ex .found [0 ].state
25+ ex = proj .factory .simulation_manager (state )
26+ ex .explore (find = 0x400f3c , avoid = bomb_explode )
3327
28+ if ex .found :
29+ found = ex .found [0 ]
30+
3431 answer = []
3532
36- for x in xrange (3 ):
37- curr_int = found .se . any_int (found .stack_pop ())
33+ for _ in range (3 ):
34+ curr_int = found .solver . eval (found .stack_pop ())
3835
3936 # We are popping off 8 bytes at a time
4037 # 0x0000000200000001
0 commit comments