def evalvalue(_state = TriggerBug.State):
    """Constrain two 11-word buffers to match, then print a solved flag.

    Adds one equality constraint per 4-byte word between the buffer at
    ``ecx`` and the buffer at ``edi`` (11 words, 44 bytes in total). If the
    solver reports ``sat``, the model is printed and the concatenation of the
    module-level ``flag`` expressions is evaluated and printed as 28
    big-endian bytes. Nothing flag-related is printed when the check is not
    ``sat``.

    Args:
        _state: The state object the constraints are added to. The default
            is the ``TriggerBug.State`` class itself, so callers are
            presumably expected to pass a live state - TODO confirm.

    Returns:
        ``TriggerBug.Death`` in every case (presumably tells the engine to
        stop exploring this state - confirm against TriggerBug).
    """
    global flag  # only read in this function

    # Byte offsets 0, 4, ..., 40 cover the 11 compared words.
    for offset in range(0, 11 * 4, 4):
        lhs = _state.mem_r(_state.ecx + offset, 4)
        rhs = _state.mem_r(_state.edi + offset, 4)
        # The second argument is passed through unchanged; its meaning is
        # defined by TriggerBug's State.add - TODO confirm.
        _state.add(lhs == rhs, True)

    print("check")
    is_sat = _state.solver.check() == z3.sat
    if not is_sat:
        return TriggerBug.Death

    model = _state.solver.model()
    print(model)
    solved = model.eval(z3.Concat(*flag)).as_long()
    # to_bytes(28) raises OverflowError if the value needs more than 28 bytes.
    print(solved.to_bytes(28, byteorder='big'))
    return TriggerBug.Death
def evalvalue(_state=TriggerBug.State):
    """Constrain two 7-word buffers to match, then print a solved flag.

    Adds one equality constraint per 4-byte word between the buffer at
    ``rdx`` and the buffer at ``rcx`` (7 words, 28 bytes in total). On
    ``sat`` the model is printed, then the concatenation of every ``flag``
    element except the last three is evaluated and printed as 28 big-endian
    bytes. Otherwise ``"unsat"`` is printed.

    Args:
        _state: The state object the constraints are added to. The default
            is the ``TriggerBug.State`` class itself, so callers are
            presumably expected to pass a live state - TODO confirm.

    Returns:
        ``TriggerBug.Death`` in every case (presumably tells the engine to
        stop exploring this state - confirm against TriggerBug).
    """
    global flag  # only read in this function

    # Byte offsets 0, 4, ..., 24 cover the 7 compared words.
    for offset in range(0, 7 * 4, 4):
        lhs = _state.mem_r(_state.rdx + offset, 4)
        rhs = _state.mem_r(_state.rcx + offset, 4)
        # The second argument is passed through unchanged; its meaning is
        # defined by TriggerBug's State.add - TODO confirm.
        _state.add(lhs == rhs, True)

    print("check")
    is_sat = _state.solver.check() == z3.sat
    if not is_sat:
        print("unsat")
        return TriggerBug.Death

    model = _state.solver.model()
    print(model)
    # The last three flag elements are left out of the evaluated value.
    trimmed = z3.Concat(*(flag[:-3]))
    # Parse the printed form of the evaluated expression as an integer;
    # int() raises ValueError if the model did not yield a plain numeral.
    solved = int(str(model.eval(trimmed)))
    print(solved.to_bytes(28, byteorder='big'))
    return TriggerBug.Death
def evalvalue(_state=TriggerBug.State):
    """Check satisfiability and print a value folded from the model.

    No new constraints are added in this variant (the buffer-equality loop
    is commented out). On ``sat`` the function folds an integer from the
    model and prints it as 28 little-endian bytes. Otherwise it prints
    ``"unsat"``.

    NOTE(review): the fold loop looks unfinished. It runs once per element of
    ``flag`` but never uses that element: every pass evaluates the same
    ``Concat(*flag[:-3])``, shifts the accumulator left by 2 bits and ORs the
    same value in. A per-element evaluation may have been intended - confirm
    before trusting the printed bytes.

    Args:
        _state: The state object whose solver is queried. The default is the
            ``TriggerBug.State`` class itself, so callers are presumably
            expected to pass a live state - TODO confirm.

    Returns:
        ``TriggerBug.Death`` in every case (presumably tells the engine to
        stop exploring this state - confirm against TriggerBug).
    """
    global flag  # only read in this function

    # Buffer-equality constraints, left disabled as in the original:
    # for i in range(7):
    #     _state.add(_state.mem_r(_state.rdx + i*4, 4)== _state.mem_r(_state.rcx + i*4, 4), True)

    print("check")
    is_sat = _state.solver.check() == z3.sat
    if not is_sat:
        print("unsat")
        return TriggerBug.Death

    model = _state.solver.model()
    folded = 0
    for _ in flag:
        try:
            piece = int(str(model.eval(z3.Concat(*(flag[:-3])))))
        except Exception:
            # Any evaluation or parse failure silently ends the fold; the
            # bytes printed below then reflect only the passes completed.
            break
        folded = (folded << 2) | piece
    # to_bytes(28) raises OverflowError if the folded value exceeds 28 bytes.
    print(folded.to_bytes(28, byteorder='little'))
    return TriggerBug.Death
def dword_4051E0(_state, maddr):
    """Return the symbolic table word modelled for the table at 0x4051E0.

    Obtains a base expression from ``item`` and concatenates four parts in
    the order ``s, xtime3(s), xtime(s), s``. ``z3.Concat`` places its first
    argument in the most significant position.

    NOTE(review): the s / 3*s / 2*s / s layout matches an AES encryption
    T-table entry (Te2-style), with ``xtime`` / ``xtime3`` presumably being
    GF(2^8) multiply-by-2 / multiply-by-3 helpers - confirm against their
    definitions elsewhere in the file.

    Args:
        _state: State object; only its ``ctx`` attribute is used here.
        maddr: Address being read, forwarded to ``item`` unchanged.

    Returns:
        The z3 expression produced by concatenating the four parts.
    """
    entry = item(_state.ctx, maddr, 0x4051E0)
    parts = (entry, xtime3(entry), xtime(entry), entry)
    return z3.Concat(*parts)
def dword_4062E0(_state, maddr):
    """Return the symbolic table word modelled for the table at 0x4062E0.

    Prints its own name as a trace marker, obtains a base expression from
    ``item`` and concatenates four parts in the order
    ``s, s, xtime3(s), xtime(s)``. ``z3.Concat`` places its first argument in
    the most significant position.

    NOTE(review): the s / s / 3*s / 2*s layout matches an AES encryption
    T-table entry (Te3-style), with ``xtime`` / ``xtime3`` presumably being
    GF(2^8) multiply-by-2 / multiply-by-3 helpers - confirm against their
    definitions elsewhere in the file.

    Args:
        _state: State object; only its ``ctx`` attribute is used here.
        maddr: Address being read, forwarded to ``item`` unchanged.

    Returns:
        The z3 expression produced by concatenating the four parts.
    """
    print("dword_4062E0")
    entry = item(_state.ctx, maddr, 0x4062E0)
    parts = (entry, entry, xtime3(entry), xtime(entry))
    return z3.Concat(*parts)