def cafter(instruction):
# movzx esi,BYTE PTR [rax]
# RAX points on the user password
if instruction.getAddress() == 0x400572:
rsiId = getRegSymbolicID(IDREF.REG.RSI)
convertExprToSymVar(rsiId, 64)
# mov eax,DWORD PTR [rbp-0x4]
# RAX must be equal to 0xad6d to win
if instruction.getAddress() == 0x4005c5:
print '[+] Please wait, computing in progress...'
raxId = getRegSymbolicID(IDREF.REG.RAX)
raxExpr = getFullExpression(getSymExpr(raxId).getAst())
# We want printable characters
expr = smt2lib.compound([
smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_0'), smt2lib.bv(96, 64))),
smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_0'), smt2lib.bv(123, 64))),
smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_1'), smt2lib.bv(96, 64))),
smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_1'), smt2lib.bv(123, 64))),
smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_2'), smt2lib.bv(96, 64))),
smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_2'), smt2lib.bv(123, 64))),
smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_3'), smt2lib.bv(96, 64))),
smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_3'), smt2lib.bv(123, 64))),
smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_4'), smt2lib.bv(96, 64))),
smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_4'), smt2lib.bv(123, 64))),
smt2lib.smtAssert(smt2lib.equal(raxExpr, smt2lib.bv(0xad6d, 64))) # collision: (assert (= rax 0xad6d)
])
# Get max 20 different models
models = getModels(expr, 20)
for model in models:
print {k: "0x%x, '%c'" % (v, v) for k, v in model.items()}
def cafter(instruction):
# movzx esi,BYTE PTR [rax]
# RAX points on the user password
if instruction.address == 0x400572:
rsiId = getRegSymbolicID(IDREF.REG.RSI)
convertExprToSymVar(rsiId, 8)
# mov eax,DWORD PTR [rbp-0x4]
# RAX must be equal to 0xad6d to win
if instruction.address == 0x4005c5:
print '[+] Please wait, computing in progress...'
raxId = getRegSymbolicID(IDREF.REG.RAX)
raxExpr = getBacktrackedSymExpr(raxId)
expr = str()
# We want printable characters
# (assert (bvsgt SymVar_0 96)
# (assert (bvslt SymVar_0 123)
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_0', smt2lib.bv(96,
64)))
expr += smt2lib.smtAssert(
smt2lib.bvult('SymVar_0', smt2lib.bv(123, 64)))
# (assert (bvsgt SymVar_1 96)
# (assert (bvslt SymVar_1 123)
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_1', smt2lib.bv(96,
64)))
expr += smt2lib.smtAssert(
smt2lib.bvult('SymVar_1', smt2lib.bv(123, 64)))
# (assert (bvsgt SymVar_2 96)
# (assert (bvslt SymVar_2 123)
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_2', smt2lib.bv(96,
64)))
expr += smt2lib.smtAssert(
smt2lib.bvult('SymVar_2', smt2lib.bv(123, 64)))
# (assert (bvsgt SymVar_3 96)
# (assert (bvslt SymVar_3 123)
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_3', smt2lib.bv(96,
64)))
expr += smt2lib.smtAssert(
smt2lib.bvult('SymVar_3', smt2lib.bv(123, 64)))
# (assert (bvsgt SymVar_4 96)
# (assert (bvslt SymVar_4 123)
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_4', smt2lib.bv(96,
64)))
expr += smt2lib.smtAssert(
smt2lib.bvult('SymVar_4', smt2lib.bv(123, 64)))
# We want the collision
# (assert (= rax 0xad6d)
expr += smt2lib.smtAssert(
smt2lib.equal(raxExpr, smt2lib.bv(0xad6d, 64)))
print {k: "0x%x, '%c'" % (v, v) for k, v in getModel(expr).items()}
def cafter(instruction):
# movzx esi,BYTE PTR [rax]
# RAX points on the user password
if instruction.getAddress() == 0x400572:
convertRegToSymVar(IDREF.REG.RSI, IDREF.CPUSIZE.QWORD_BIT)
# mov eax,DWORD PTR [rbp-0x4]
# RAX must be equal to 0xad6d to win
if instruction.getAddress() == 0x4005c5:
print '[+] Please wait, computing in progress...'
raxId = getRegSymbolicID(IDREF.REG.RAX)
raxExpr = getFullExpression(getSymExpr(raxId).getAst())
# We want printable characters
expr = smt2lib.compound([
smt2lib.smtAssert(
smt2lib.bvugt(smt2lib.variable('SymVar_0'),
smt2lib.bv(96, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvult(smt2lib.variable('SymVar_0'),
smt2lib.bv(123, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvugt(smt2lib.variable('SymVar_1'),
smt2lib.bv(96, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvult(smt2lib.variable('SymVar_1'),
smt2lib.bv(123, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvugt(smt2lib.variable('SymVar_2'),
smt2lib.bv(96, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvult(smt2lib.variable('SymVar_2'),
smt2lib.bv(123, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvugt(smt2lib.variable('SymVar_3'),
smt2lib.bv(96, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvult(smt2lib.variable('SymVar_3'),
smt2lib.bv(123, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvugt(smt2lib.variable('SymVar_4'),
smt2lib.bv(96, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvult(smt2lib.variable('SymVar_4'),
smt2lib.bv(123, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.equal(raxExpr,
smt2lib.bv(0xad6d, IDREF.CPUSIZE.QWORD_BIT))
) # collision: (assert (= rax 0xad6d)
])
# Get max 20 different models
models = getModels(expr, 20)
for model in models:
print {k: "0x%x, '%c'" % (v, v) for k, v in model.items()}
def cafter(instruction):
# movzx esi,BYTE PTR [rax]
# RAX points on the user password
if instruction.address == 0x400572:
rsiId = getRegSymbolicID(IDREF.REG.RSI)
convertExprToSymVar(rsiId, 8)
# mov eax,DWORD PTR [rbp-0x4]
# RAX must be equal to 0xad6d to win
if instruction.address == 0x4005c5:
print '[+] Please wait, computing in progress...'
raxId = getRegSymbolicID(IDREF.REG.RAX)
raxExpr = getBacktrackedSymExpr(raxId)
expr = str()
# We want printable characters
# (assert (bvsgt SymVar_0 96)
# (assert (bvslt SymVar_0 123)
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_0', smt2lib.bv(96, 64)))
expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_0', smt2lib.bv(123, 64)))
# (assert (bvsgt SymVar_1 96)
# (assert (bvslt SymVar_1 123)
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_1', smt2lib.bv(96, 64)))
expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_1', smt2lib.bv(123, 64)))
# (assert (bvsgt SymVar_2 96)
# (assert (bvslt SymVar_2 123)
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_2', smt2lib.bv(96, 64)))
expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_2', smt2lib.bv(123, 64)))
# (assert (bvsgt SymVar_3 96)
# (assert (bvslt SymVar_3 123)
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_3', smt2lib.bv(96, 64)))
expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_3', smt2lib.bv(123, 64)))
# (assert (bvsgt SymVar_4 96)
# (assert (bvslt SymVar_4 123)
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_4', smt2lib.bv(96, 64)))
expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_4', smt2lib.bv(123, 64)))
# We want the collision
# (assert (= rax 0xad6d)
expr += smt2lib.smtAssert(smt2lib.equal(raxExpr, smt2lib.bv(0xad6d, 64)))
print {k: "0x%x, '%c'" % (v, v) for k, v in getModel(expr).items()}
def cafter(instruction):
print '%#x: %s' %(instruction.address, instruction.assembly)
# [R:1] 0x400798: movsx eax, byte ptr [rcx+rax*1] R:0x7fffb63d610a: 41 (0x41)
# [W:8] 0x40079c: mov qword ptr [rbp-0x50], rax W:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41)
# [R:8] 0x400891: mov rax, qword ptr [rbp-0x50] R:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41)
if instruction.address == 0x400891:
raxId = getRegSymbolicID(IDREF.REG.RAX)
convertExprToSymVar(raxId, 8)
if instruction.address == 0x400b69:
zfId = getRegSymbolicID(IDREF.FLAG.ZF)
zfExpr = getBacktrackedSymExpr(zfId)
expr = str()
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_0', smt2lib.bv(96, 64))) # printable char
expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_0', smt2lib.bv(123, 64))) # printable char
expr += smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue())) # (assert (= zf true)
print getModel(expr)
return
def cafter(instruction):
print '%#x: %s' % (instruction.address, instruction.assembly)
# [R:1] 0x400798: movsx eax, byte ptr [rcx+rax*1] R:0x7fffb63d610a: 41 (0x41)
# [W:8] 0x40079c: mov qword ptr [rbp-0x50], rax W:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41)
# [R:8] 0x400891: mov rax, qword ptr [rbp-0x50] R:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41)
if instruction.address == 0x400891:
raxId = getRegSymbolicID(IDREF.REG.RAX)
convertExprToSymVar(raxId, 8)
if instruction.address == 0x400b69:
zfId = getRegSymbolicID(IDREF.FLAG.ZF)
zfExpr = getBacktrackedSymExpr(zfId)
expr = str()
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_0', smt2lib.bv(
96, 64))) # printable char
expr += smt2lib.smtAssert(
smt2lib.bvult('SymVar_0', smt2lib.bv(123, 64))) # printable char
expr += smt2lib.smtAssert(smt2lib.equal(
zfExpr, smt2lib.bvtrue())) # (assert (= zf true)
print getModel(expr)
return
