Hello! I'm trying to solve phase 6 with angr but I get a lot of warnings like the

Another thing <a class="user-mention notranslate" data-hovercard-type="user" data-hove

Hello! there's a few errors in your : the arguments for SimProc are wrong, a

Bomb CMU - Phase 6 - SimMemoryAddressError about angr-doc HOT 6 CLOSED

angr commented on July 22, 2024

Bomb CMU - Phase 6 - SimMemoryAddressError

from angr-doc.

Comments (6)

rhelmot commented on July 22, 2024 1

Another thing @ocean1 didn't mention is that your arguments to self.state.memory.store were incorrect. You said store(bvs, addr + i * 4), but it should actually be store(addr + i * 4, bvs).

from angr-doc.

ocean1 commented on July 22, 2024

Hello! there's a few errors in your script:
the arguments for SimProc are wrong, as the function read_six_numbers has two args, the first is const char string that is parsed by sscanf, the second one is the the address of the six ints you are reading (stored on the stack).
The return value of the function can definitely be set to 6 (not returning an addr, but the number of items matched and assigned by the sscanf).

Also you are setting up a BVS of 6 ints for each int processed: xrange(6) -> 846.
You'll also have to remove the LAZY_SOLVES option, otherwise some memory accesses will be unconstrained, that's the reason you get that error.

import angr
import claripy
import simuvex
from struct import unpack

stored_ints_addr = 0
bvs = None


class custom_hook(simuvex.SimProcedure):
    def run(self, s1_addr, int_addr):
        print "read_six_numbers hook"
        global stored_ints_addr
        global bvs
        for i in range(6):
            bvs = self.state.se.BVS(
                "int{}".format(i), 8 * 4, explicit_name=True)
            self.state.add_constraints(bvs >= 1, bvs < 6)
            self.state.memory.store(int_addr + i * 4, bvs,
                                    endness=self.state.arch.memory_endness)
            # let's keep this for later
            stored_ints_addr = int_addr

            return self.state.se.BVV(6, self.state.arch.bits)


def solve_flag_6():

    start = 0x4010f4
    read_num = 0x40145c
    find = 0x4011f7
    avoid = (0x4011e9, 0x401140, 0x401123,)

    p = angr.Project("./bomb", load_options={'auto_load_libs': False})
    p.hook(read_num, custom_hook)
    state = p.factory.blank_state(
        addr=start, remove_options={simuvex.o.LAZY_SOLVES})
    pg = p.factory.path_group(state)
    pg.explore(find=find, avoid=avoid)
    found = pg.found[0].state

    return unpack('IIIIII', found.se.any_str(found.memory.load(stored_ints_addr, 24)))


def main():
    print("Flag 6:" + str(solve_flag_6()))

if __name__ == '__main__':
    # logging.getLogger('angr.path_group').setLevel(logging.DEBUG)
    main()

Use the script without threading, seems like you hit a problem with either z3 or claripy, I'll open a new issue for that.

from angr-doc.

ocean1 commented on July 22, 2024

yup! sorry I did forget that! :)

from angr-doc.

peperunas commented on July 22, 2024

Lesson learned: never write in a hurry.

Thank you guys.

from angr-doc.

peperunas commented on July 22, 2024

Hello guys. I've noticed that "removing" the LAZY_SOLVES option still triggers the bug.

e.g:

from this

    state = p.factory.blank_state(
        addr=start, remove_options={simuvex.o.LAZY_SOLVES})

to this

    state = p.factory.blank_state(addr=start)

from angr-doc.

peperunas commented on July 22, 2024

Closing the issue again since It could be related to an unfeasible path. My bad, sorry guys!

from angr-doc.

Bomb CMU - Phase 6 - SimMemoryAddressError about angr-doc HOT 6 CLOSED

Comments (6)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent