{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-angr-tutorial-en","result":{"data":{"markdownRemark":{"id":"501c6a9d-49d6-50d6-a0cc-04358e8ed50b","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-angr-tutorial\">original page</a>.</p>\n</blockquote>\n<p>I had been using angr with template scripts without much thought, but recently I ran into a problem “where angr should work but doesn’t,” so I took it as a good opportunity to learn a bit more about it.</p>\n<p>When I actually used it properly, it turned out to be a far more powerful tool than I imagined, so I’m writing it up as an article along with some sample code — even if it only covers a fraction of what it can do.</p>\n<p>I plan to use this as a cheat sheet, so I’ll keep adding to it going forward.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li>\n<p><a href=\"#what-is-angr\">What is angr?</a></p>\n<ul>\n<li><a href=\"#symbolic-execution\">Symbolic Execution</a></li>\n<li><a href=\"#the-factory-class\">The Factory Class</a></li>\n<li><a href=\"#simulationmanager\">SimulationManager</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#analysis-techniques-with-simulationmanager\">Analysis Techniques with SimulationManager</a></p>\n<ul>\n<li><a 
href=\"#pre-defining-the-flag-string-length\">Pre-defining the Flag String Length</a></li>\n<li><a href=\"#adding-constraints-on-the-flag-string\">Adding Constraints on the Flag String</a></li>\n<li><a href=\"#applying-the-flag-symbolic-variable-at-the-right-location\">Applying the Flag Symbolic Variable at the Right Location</a></li>\n<li><a href=\"#improving-performance\">Improving Performance</a></li>\n<li><a href=\"#changing-the-exploration-strategy\">Changing the Exploration Strategy</a></li>\n<li><a href=\"#retrieving-register-and-stack-information-during-exploration\">Retrieving Register and Stack Information During Exploration</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#solving-ctf-problems-with-angr\">Solving CTF Problems with angr</a></p>\n<ul>\n<li><a href=\"#hackcon-2016---angry-reverser\">HackCon 2016 - angry-reverser</a></li>\n<li><a href=\"#securityfest-2016---fairlight\">SecurityFest 2016 - fairlight</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#solving-constraints-with-z3py\">Solving Constraints with z3py</a></p>\n<ul>\n<li><a href=\"#constraint-match-a-popcount-bit-sum-function\">Constraint: Match a Popcount (Bit Sum) Function</a></li>\n<li><a href=\"#constraint-match-the-number-of-decimal-digits\">Constraint: Match the Number of Decimal Digits</a></li>\n<li><a href=\"#constraint-match-the-sum-of-decimal-digits\">Constraint: Match the Sum of Decimal Digits</a></li>\n<li><a href=\"#shift-and-rotate-shift-operations-in-z3py\">Shift and Rotate-Shift Operations in z3py</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#solving-ctf-problems-with-z3py\">Solving CTF Problems with z3py</a></p>\n<ul>\n<li><a href=\"#n00bz-ctf-2023---zzz\">n00bz CTF 2023 - zzz</a></li>\n<li><a href=\"#sekai-ctf---guardians-of-the-kernel\">SEKAI CTF - Guardians of the Kernel</a></li>\n</ul>\n</li>\n<li><a href=\"#summary\">Summary</a></li>\n<li><a href=\"#past-problems-solved-with-angr\">Past Problems Solved with angr</a></li>\n<li><a href=\"#past-problems-solved-with-z3\">Past 
Problems Solved with z3</a></li>\n</ul>\n<h2 id=\"what-is-angr\" style=\"position:relative;\"><a href=\"#what-is-angr\" aria-label=\"what is angr permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>What is angr?</h2>\n<p>angr is an analysis tool capable of performing various kinds of static analysis on binaries, including dynamic symbolic execution.</p>\n<p>angr can be used as a Python module.</p>\n<p>angr first loads a binary into a project and then instantiates several built-in classes.</p>\n<p>Reference: <a href=\"https://docs.angr.io/en/latest/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">angr documentation</a></p>\n<p>When using angr in CTF, you typically use symbolic execution with symbolic variables to track how the program state changes, and leverage the internal SMT solver (z3, etc.) 
to reverse-compute the input value needed to produce a given output.</p>\n<h3 id=\"symbolic-execution\" style=\"position:relative;\"><a href=\"#symbolic-execution\" aria-label=\"symbolic execution permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Symbolic Execution</h3>\n<p>angr performs analysis through symbolic execution using symbolic variables — not an emulator.</p>\n<p>The SimulationManager holds state (SimState) in units called stashes, and can step through and filter those states.</p>\n<p>During symbolic execution, angr fetches program instructions and applies them to produce a sequence of updated SimState objects.</p>\n<p>The initial stash is <code class=\"language-text\">active</code>. 
A SimState from which no further states can be derived after stepping is placed into the <code class=\"language-text\">deadended</code> stash.</p>\n<p>Using the <code class=\"language-text\">explore()</code> method of SimulationManager, you can search only for SimStates that reach a specific address and discard all others.</p>\n<p>You can also add constraints to symbolic variables (defined as Bitvectors) to reverse-compute the input that produces a given output.</p>\n<p>To solve for a Flag in a straightforward case, you can use a script like the following:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> angr\n\nproj <span class=\"token operator\">=</span> angr<span class=\"token punctuation\">.</span>Project<span class=\"token punctuation\">(</span><span class=\"token string\">\"chall\"</span><span class=\"token punctuation\">,</span> auto_load_libs<span class=\"token operator\">=</span><span class=\"token boolean\">False</span><span class=\"token punctuation\">)</span>\nobj <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>loader<span class=\"token punctuation\">.</span>main_object\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Entry\"</span><span class=\"token punctuation\">,</span> <span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>obj<span class=\"token punctuation\">.</span>entry<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\nfind <span class=\"token operator\">=</span> <span class=\"token number\">0x401654</span>\navoids <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token number\">0x4016ca</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x4011a9</span><span class=\"token 
punctuation\">]</span>\n\ninit_state <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>entry_state<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nsimgr <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>simgr<span class=\"token punctuation\">(</span>init_state<span class=\"token punctuation\">)</span>\nsimgr<span class=\"token punctuation\">.</span>explore<span class=\"token punctuation\">(</span>find<span class=\"token operator\">=</span>find<span class=\"token punctuation\">,</span> avoid<span class=\"token operator\">=</span>avoids<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Output</span>\nsimgr<span class=\"token punctuation\">.</span>found<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>posix<span class=\"token punctuation\">.</span>dumps<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>Below I summarize the classes and objects commonly used in CTF when performing symbolic execution with angr.</p>\n<h3 id=\"the-factory-class\" style=\"position:relative;\"><a href=\"#the-factory-class\" aria-label=\"the factory class permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 
6z\"></path></svg></a>The Factory Class</h3>\n<p>Factory is one of the most frequently used classes in angr and is used to obtain code blocks and SimState objects for simulation.</p>\n<p>For example, you can retrieve a code block and read or modify registers and memory as follows:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> angr\nproj <span class=\"token operator\">=</span> angr<span class=\"token punctuation\">.</span>Project<span class=\"token punctuation\">(</span><span class=\"token string\">\"chall\"</span><span class=\"token punctuation\">,</span> auto_load_libs<span class=\"token operator\">=</span><span class=\"token boolean\">False</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Extract a basic code block</span>\nblock <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>block<span class=\"token punctuation\">(</span>proj<span class=\"token punctuation\">.</span>entry<span class=\"token punctuation\">)</span>\nblock<span class=\"token punctuation\">.</span>pp<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Create a SimState object including the program's memory, registers, and filesystem</span>\nstate <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>entry_state<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Get the register value at the current state</span>\nstate<span class=\"token punctuation\">.</span>regs\nstate<span class=\"token punctuation\">.</span>regs<span class=\"token punctuation\">.</span>rax \n\n<span class=\"token comment\"># Get the memory at the entry point</span>\nstate<span 
class=\"token punctuation\">.</span>mem<span class=\"token punctuation\">[</span>proj<span class=\"token punctuation\">.</span>entry<span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">.</span>resolved\n\n<span class=\"token comment\"># Overwrite a register value with an arbitrary value</span>\nstate<span class=\"token punctuation\">.</span>regs<span class=\"token punctuation\">.</span>rax <span class=\"token operator\">=</span> state<span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span>BVV<span class=\"token punctuation\">(</span><span class=\"token number\">3</span><span class=\"token punctuation\">,</span> <span class=\"token number\">64</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Overwrite a memory location with an arbitrary value</span>\nstate<span class=\"token punctuation\">.</span>mem<span class=\"token punctuation\">[</span><span class=\"token number\">0x1000</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">long</span> <span class=\"token operator\">=</span> <span class=\"token number\">4</span></code></pre></div>\n<p>Note: in angr, numbers are handled as bitvector objects.</p>\n<p>You can specify either 32-bit or 64-bit to match the CPU.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># Convert an int to a 32-bit BVV</span>\nbv <span class=\"token operator\">=</span> state<span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span>BVV<span class=\"token punctuation\">(</span><span class=\"token number\">0x1234</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># 
Convert a BVV to an int</span>\nstate<span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span><span class=\"token builtin\">eval</span><span class=\"token punctuation\">(</span>bv<span class=\"token punctuation\">)</span> </code></pre></div>\n<h3 id=\"simulationmanager\" style=\"position:relative;\"><a href=\"#simulationmanager\" aria-label=\"simulationmanager permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>SimulationManager</h3>\n<p>This is the object you use most often when solving CTF problems.</p>\n<p>SimulationManager lets you simulate program execution.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># Create a simulation manager</span>\nsimgr <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>simulation_manager<span class=\"token punctuation\">(</span>state<span class=\"token punctuation\">)</span></code></pre></div>\n<p>SimulationManager holds states in units called stashes.</p>\n<p>The initial stash given at initialization is <code class=\"language-text\">active</code>.</p>\n<p>When you perform symbolic execution with <code class=\"language-text\">simgr.step()</code>, you can see states being added to the <code class=\"language-text\">active</code> stash one by one.</p>\n<p>Therefore, after advancing execution for a while, inspecting elements in <code 
class=\"language-text\">active</code> shows that states have been updated.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/2c74dd044405be3b245e08ce3797c8d5/b7936/image-20230623223705879.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 26.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAyklEQVQY05WPSQ+CMBSEe3QJ3lzQaNzxBKXgBuKaiNG44BI1+v//xmifBLwZD5N+M22nr+woVri7B1wHW8wqvUijggk3z+FkdWIpJ2e8M+PNPMw4ZcSqiXHJArv0NlT28AL4rRGm5S7m1T4dkJejQjUudGWhGj8iV68o4KkC7GyvacLbcIdV28OiNoClaLAyGoTSDrlDnvjbh5n95dm5u8ZzckJgLmlk+V2eakJP1GEkGx8lGjH/8OzAl7g7ewTCj77L003alMX/6gUiV5bCKi9rTwAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/2c74dd044405be3b245e08ce3797c8d5/8ac56/image-20230623223705879.webp 240w,\n/static/2c74dd044405be3b245e08ce3797c8d5/d3be9/image-20230623223705879.webp 480w,\n/static/2c74dd044405be3b245e08ce3797c8d5/e46b2/image-20230623223705879.webp 960w,\n/static/2c74dd044405be3b245e08ce3797c8d5/e89d6/image-20230623223705879.webp 1155w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/2c74dd044405be3b245e08ce3797c8d5/8ff5a/image-20230623223705879.png 240w,\n/static/2c74dd044405be3b245e08ce3797c8d5/e85cb/image-20230623223705879.png 480w,\n/static/2c74dd044405be3b245e08ce3797c8d5/d9199/image-20230623223705879.png 960w,\n/static/2c74dd044405be3b245e08ce3797c8d5/b7936/image-20230623223705879.png 1155w\"\n            sizes=\"(max-width: 960px) 100vw, 
960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/2c74dd044405be3b245e08ce3797c8d5/d9199/image-20230623223705879.png\"\n            alt=\"image-20230623223705879\"\n            title=\"image-20230623223705879\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"analysis-techniques-with-simulationmanager\" style=\"position:relative;\"><a href=\"#analysis-techniques-with-simulationmanager\" aria-label=\"analysis techniques with simulationmanager permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Analysis Techniques with SimulationManager</h2>\n<h3 id=\"pre-defining-the-flag-string-length\" style=\"position:relative;\"><a href=\"#pre-defining-the-flag-string-length\" aria-label=\"pre defining the flag string length permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Pre-defining 
the Flag String Length</h3>\n<p>You can create a symbolic variable for the Flag with constraints as follows:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> angr\n<span class=\"token keyword\">import</span> claripy\n\n<span class=\"token comment\"># Create a symbolic variable 'flag' for 20 characters (8-bit bitvector)</span>\nflag <span class=\"token operator\">=</span> claripy<span class=\"token punctuation\">.</span>BVS<span class=\"token punctuation\">(</span><span class=\"token string\">'flag'</span><span class=\"token punctuation\">,</span> <span class=\"token number\">20</span><span class=\"token operator\">*</span><span class=\"token number\">8</span><span class=\"token punctuation\">,</span> explicit_name<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Create a SimState object including the program's memory, registers, and filesystem</span>\n<span class=\"token comment\"># state = proj.factory.blank_state(addr=funcaddr, add_options={angr.options.LAZY_SOLVES})</span>\nstate <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>entry_state<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Add constraints to the 20-character symbolic variable</span>\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">19</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    state<span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>flag<span 
class=\"token punctuation\">.</span>get_byte<span class=\"token punctuation\">(</span>i<span class=\"token punctuation\">)</span> <span class=\"token operator\">>=</span> <span class=\"token number\">0x21</span><span class=\"token punctuation\">)</span>\n    state<span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">.</span>get_byte<span class=\"token punctuation\">(</span>i<span class=\"token punctuation\">)</span> <span class=\"token operator\">&lt;=</span> <span class=\"token number\">0x7f</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h3 id=\"adding-constraints-on-the-flag-string\" style=\"position:relative;\"><a href=\"#adding-constraints-on-the-flag-string\" aria-label=\"adding constraints on the flag string permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Adding Constraints on the Flag String</h3>\n<p>If certain characters have already been identified, you can add constraints on those positions for more efficient exploration:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># If a character at a specific position is already known, add it as a constraint</span>\nstate<span class=\"token punctuation\">.</span>add_constraints<span class=\"token punctuation\">(</span>argv1<span class=\"token punctuation\">.</span>chop<span class=\"token 
punctuation\">(</span><span class=\"token number\">8</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">'C'</span><span class=\"token punctuation\">)</span>\nstate<span class=\"token punctuation\">.</span>add_constraints<span class=\"token punctuation\">(</span>argv1<span class=\"token punctuation\">.</span>chop<span class=\"token punctuation\">(</span><span class=\"token number\">8</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">'T'</span><span class=\"token punctuation\">)</span>\nstate<span class=\"token punctuation\">.</span>add_constraints<span class=\"token punctuation\">(</span>argv1<span class=\"token punctuation\">.</span>chop<span class=\"token punctuation\">(</span><span class=\"token number\">8</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">'F'</span><span class=\"token punctuation\">)</span>\nstate<span class=\"token punctuation\">.</span>add_constraints<span class=\"token punctuation\">(</span>argv1<span class=\"token punctuation\">.</span>chop<span class=\"token punctuation\">(</span><span class=\"token number\">8</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">'{'</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h3 
id=\"applying-the-flag-symbolic-variable-at-the-right-location\" style=\"position:relative;\"><a href=\"#applying-the-flag-symbolic-variable-at-the-right-location\" aria-label=\"applying the flag symbolic variable at the right location permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Applying the Flag Symbolic Variable at the Right Location</h3>\n<p>The Flag symbolic variable you create must be applied at the appropriate location in accordance with the binary’s implementation.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># When the Flag needs to be supplied as a command-line argument</span>\nargv1 <span class=\"token operator\">=</span> claripy<span class=\"token punctuation\">.</span>BVS<span class=\"token punctuation\">(</span><span class=\"token string\">\"argv1\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xE</span> <span class=\"token operator\">*</span> <span class=\"token number\">8</span><span class=\"token punctuation\">)</span>\nstate <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>entry_state<span class=\"token punctuation\">(</span>args<span class=\"token operator\">=</span><span class=\"token punctuation\">[</span><span class=\"token string\">\"./fairlight\"</span><span class=\"token punctuation\">,</span> argv1<span class=\"token 
punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># When calling a function with the Flag as its argument</span>\nflag <span class=\"token operator\">=</span> claripy<span class=\"token punctuation\">.</span>BVS<span class=\"token punctuation\">(</span><span class=\"token string\">'flag'</span><span class=\"token punctuation\">,</span> <span class=\"token number\">20</span><span class=\"token operator\">*</span><span class=\"token number\">8</span><span class=\"token punctuation\">,</span> explicit_name<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span>\nbuf <span class=\"token operator\">=</span> <span class=\"token number\">0x606000</span> <span class=\"token comment\"># buffer to store flag(.data)</span>\nfuncaddr <span class=\"token operator\">=</span> <span class=\"token number\">0x400646</span> <span class=\"token comment\"># entry point of crazy function</span>\n\nstate <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>blank_state<span class=\"token punctuation\">(</span>addr<span class=\"token operator\">=</span>funcaddr<span class=\"token punctuation\">,</span> add_options<span class=\"token operator\">=</span><span class=\"token punctuation\">{</span>angr<span class=\"token punctuation\">.</span>options<span class=\"token punctuation\">.</span>LAZY_SOLVES<span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># insert flag into memory by hand</span>\n<span class=\"token comment\"># state.memory.store(buf, flag, endness='Iend_LE')</span>\nstate<span class=\"token punctuation\">.</span>memory<span class=\"token punctuation\">.</span>store<span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">,</span> flag<span class=\"token punctuation\">,</span> endness<span class=\"token 
=">
operator\">=</span><span class=\"token string\">'Iend_BE'</span><span class=\"token punctuation\">)</span>\nstate<span class=\"token punctuation\">.</span>regs<span class=\"token punctuation\">.</span>rdi <span class=\"token operator\">=</span> buf</code></pre></div>\n<h3 id=\"improving-performance\" style=\"position:relative;\"><a href=\"#improving-performance\" aria-label=\"improving performance permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Improving Performance</h3>\n<p>Three settings usually make the biggest difference: skip loading shared libraries (angr replaces the common libc functions with its own SimProcedures anyway), enable <code class=\"language-text\">LAZY_SOLVES</code>, and drop stashes you will never look at again, such as <code class=\"language-text\">avoid</code> and <code class=\"language-text\">deadended</code>, on every step so they stop consuming memory.</p>\n<p>Also, angr’s libc SimProcedures (the models of <code class=\"language-text\">strlen</code>, <code class=\"language-text\">fgets</code>, <code class=\"language-text\">scanf</code> and friends) only consider up to 60 symbolic bytes of a string by default; a Flag longer than that is effectively cut off at 60 bytes and the analysis may not work correctly.</p>\n<p>In such cases set <code class=\"language-text\">state.libc.buf_symbolic_bytes</code> to the expected input length (plus one for the terminator) before exploring.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># Disable automatic loading of external libraries to improve performance</span>\nproj <span class=\"token operator\">=</span> angr<span class=\"token punctuation\">.</span>Project<span class=\"token punctuation\">(</span><span class=\"token string\">'./chall'</span><span class=\"token punctuation\">,</span> auto_load_libs<span class=\"token operator\">=</span><span class=\"token boolean\">False</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># LAZY_SOLVES defers satisfiability checks until they are really needed (a branch or an explicit eval): fewer solver calls, but unsatisfiable states can survive until then</span>\nstate <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>entry_state<span class=\"token punctuation\">(</span>args<span class=\"token operator\">=</span><span class=\"token punctuation\">[</span><span class=\"token string\">\"./chall\"</span><span class=\"token punctuation\">,</span> argv1<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> add_options<span class=\"token operator\">=</span><span class=\"token punctuation\">{</span>angr<span class=\"token punctuation\">.</span>options<span class=\"token punctuation\">.</span>LAZY_SOLVES<span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Raise the maximum number of symbolic bytes the libc SimProcedures read from a string (input length + NUL)</span>\nstate<span class=\"token punctuation\">.</span>libc<span class=\"token punctuation\">.</span>buf_symbolic_bytes <span class=\"token operator\">=</span> input_size <span class=\"token operator\">+</span> <span class=\"token number\">1</span>\n\n<span class=\"token comment\"># Drop the avoid and deadended stashes after every step; drop() returns the manager, so the calls chain</span>\nsimgr<span class=\"token punctuation\">.</span>explore<span class=\"token punctuation\">(</span>find<span class=\"token operator\">=</span>find<span class=\"token punctuation\">,</span> avoid<span class=\"token operator\">=</span>avoids<span class=\"token punctuation\">,</span> step_func<span class=\"token operator\">=</span><span class=\"token keyword\">lambda</span> lsm<span class=\"token punctuation\">:</span> lsm<span class=\"token punctuation\">.</span>drop<span class=\"token punctuation\">(</span>stash<span class=\"token operator\">=</span><span class=\"token string\">'avoid'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>drop<span class=\"token punctuation\">(</span>stash<span class=\"token operator\">=</span><span class=\"token string\">'deadended'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h3 id=\"changing-the-exploration-strategy\" style=\"position:relative;\"><a href=\"#changing-the-exploration-strategy\" aria-label=\"changing the exploration strategy permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Changing the Exploration Strategy</h3>\n<p><code class=\"language-text\">find</code> and <code class=\"language-text\">avoid</code> do not have to be addresses. <code class=\"language-text\">simgr.explore()</code> is only a shortcut for attaching the <code class=\"language-text\">Explorer</code> technique, and <code class=\"language-text\">Explorer</code> also accepts a callable that is evaluated on every state, so the search can stop on an arbitrary predicate (here: execution reached <code class=\"language-text\">0x401641</code> with <code class=\"language-text\">dl == 0x43</code>). One caveat: <code class=\"language-text\">solver.eval</code> returns a single concrete value, so if the register is still symbolic and admits several values the predicate becomes a coin flip. For a symbolic register test <code class=\"language-text\">s.solver.satisfiable(extra_constraints=[s.regs.dl == 0x43])</code> instead, and compare the program counter with <code class=\"language-text\">s.addr</code> rather than evaluating <code class=\"language-text\">rip</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">simgr <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>simulation_manager<span class=\"token punctuation\">(</span>state<span class=\"token punctuation\">)</span>\nexplorer <span class=\"token operator\">=</span> angr<span class=\"token punctuation\">.</span>exploration_techniques<span class=\"token punctuation\">.</span>Explorer<span class=\"token punctuation\">(</span>find<span class=\"token operator\">=</span><span class=\"token keyword\">lambda</span> s<span class=\"token punctuation\">:</span> s<span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span><span class=\"token builtin\">eval</span><span class=\"token punctuation\">(</span>s<span class=\"token punctuation\">.</span>regs<span class=\"token punctuation\">.</span>dl<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x43</span> <span class=\"token keyword\">and</span> s<span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span><span class=\"token builtin\">eval</span><span class=\"token punctuation\">(</span>s<span class=\"token punctuation\">.</span>regs<span class=\"token punctuation\">.</span>rip<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x401641</span><span class=\"token punctuation\">)</span>\nsimgr<span class=\"token punctuation\">.</span>use_technique<span class=\"token punctuation\">(</span>explorer<span class=\"token punctuation\">)</span>\nsimgr<span class=\"token punctuation\">.</span>run<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h3 id=\"retrieving-register-and-stack-information-during-exploration\" style=\"position:relative;\"><a href=\"#retrieving-register-and-stack-information-during-exploration\" aria-label=\"retrieving register and stack information during exploration permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Retrieving Register and Stack Information During Exploration</h3>\n<p>Everything read from a state this way is a claripy AST rather than a Python integer. <code class=\"language-text\">solver.eval</code> returns one concrete value that satisfies the current constraints, and <code class=\"language-text\">eval_upto(expr, n)</code> returns up to <code class=\"language-text\">n</code> distinct ones, which is a quick way to tell whether a register or stack slot is still symbolic (more than one solution) or has already been pinned down.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># With a stash advanced to an arbitrary state via simgr.step() etc.</span>\ncurrent_state 
<span class=\"token operator\">=</span> simgr<span class=\"token punctuation\">.</span>active<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span>\n\n<span class=\"token comment\"># Read the value of the RAX register</span>\ncurrent_state<span class=\"token punctuation\">.</span>regs<span class=\"token punctuation\">.</span>rax\n\n<span class=\"token comment\"># Get RSP information</span>\ncurrent_state<span class=\"token punctuation\">.</span>regs<span class=\"token punctuation\">.</span>rsp\n\np_BV64 <span class=\"token operator\">=</span> current_state<span class=\"token punctuation\">.</span>mem<span class=\"token punctuation\">[</span><span class=\"token number\">0x7fffffffffeffa8</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>uint64_t<span class=\"token punctuation\">.</span>resolved\ncurrent_state<span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span><span class=\"token builtin\">eval</span><span class=\"token punctuation\">(</span>p_BV64<span class=\"token punctuation\">)</span>\ncurrent_state<span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span>eval_upto<span class=\"token punctuation\">(</span>p_BV64<span class=\"token punctuation\">,</span><span class=\"token number\">10</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"solving-ctf-problems-with-angr\" style=\"position:relative;\"><a href=\"#solving-ctf-problems-with-angr\" aria-label=\"solving ctf problems with angr permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 
12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Solving CTF Problems with angr</h2>\n<p>Here I solve CTF problems introduced in the official angr documentation using angr.</p>\n<p>Reference: <a href=\"https://docs.angr.io/en/latest/appendix/more-examples.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">CTF Challenge Examples - angr documentation</a></p>\n<h3 id=\"hackcon-2016---angry-reverser\" style=\"position:relative;\"><a href=\"#hackcon-2016---angry-reverser\" aria-label=\"hackcon 2016   angry reverser permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>HackCon 2016 - angry-reverser</h3>\n<p>Analyzing the binary in Ghidra reveals that it validates the input to determine whether the Flag is correct.</p>\n<p>However, the validation function performs extremely complex repeated computations as shown below, making it very difficult to identify the Flag through static analysis alone.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 793px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/1e92883683e33b159ad603e6ee013946/73fd0/image-20230626182324436.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 121.25000000000001%; 
position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/1e92883683e33b159ad603e6ee013946/8ac56/image-20230626182324436.webp 240w,\n/static/1e92883683e33b159ad603e6ee013946/d3be9/image-20230626182324436.webp 480w,\n/static/1e92883683e33b159ad603e6ee013946/51ddc/image-20230626182324436.webp 793w\"\n              sizes=\"(max-width: 793px) 100vw, 793px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/1e92883683e33b159ad603e6ee013946/8ff5a/image-20230626182324436.png 240w,\n/static/1e92883683e33b159ad603e6ee013946/e85cb/image-20230626182324436.png 480w,\n/static/1e92883683e33b159ad603e6ee013946/73fd0/image-20230626182324436.png 793w\"\n            sizes=\"(max-width: 793px) 100vw, 793px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/1e92883683e33b159ad603e6ee013946/73fd0/image-20230626182324436.png\"\n            alt=\"image-20230626182324436\"\n            title=\"image-20230626182324436\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>When trying to find the correct input with angr, a simple SimulationManager script as shown in <a href=\"#symbolic-execution\">Symbolic Execution</a> never finishes.</p>\n<p>So let’s read <a href=\"https://github.com/angr/angr-doc/blob/master/examples/hackcon2016_angry-reverser/solve.py\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">the example solve script</a>:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> 
angr\n<span class=\"token keyword\">import</span> claripy\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    flag    <span class=\"token operator\">=</span> claripy<span class=\"token punctuation\">.</span>BVS<span class=\"token punctuation\">(</span><span class=\"token string\">'flag'</span><span class=\"token punctuation\">,</span> <span class=\"token number\">20</span><span class=\"token operator\">*</span><span class=\"token number\">8</span><span class=\"token punctuation\">,</span> explicit_name<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span> <span class=\"token comment\"># symbolized flag, we know the length by looking at the assembly code</span>\n    buf     <span class=\"token operator\">=</span> <span class=\"token number\">0x606000</span> <span class=\"token comment\"># buffer to store flag</span>\n    crazy   <span class=\"token operator\">=</span> <span class=\"token number\">0x400646</span> <span class=\"token comment\"># entry point of crazy function</span>\n    find    <span class=\"token operator\">=</span> <span class=\"token number\">0x405a6e</span> <span class=\"token comment\"># end of crazy function</span>\n\n    <span class=\"token comment\"># Offset of 'FAIL' blocks in Crazy(from pwntools--e.search(asm('mov ecx, 0')))</span>\n    avoids <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token number\">0x402c3c</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x402eaf</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x40311c</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x40338b</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0x4035f8</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x403868</span><span class=\"token punctuation\">,</span>\n              <span class=\"token number\">0x403ad5</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x403d47</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x403fb9</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x404227</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x404496</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x40470a</span><span class=\"token punctuation\">,</span>\n              <span class=\"token number\">0x404978</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x404bec</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x404e59</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x4050c7</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x405338</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x4055a9</span><span class=\"token punctuation\">,</span>\n              <span class=\"token number\">0x4057f4</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x405a2b</span><span class=\"token punctuation\">]</span>\n\n    proj <span class=\"token operator\">=</span> angr<span class=\"token punctuation\">.</span>Project<span class=\"token punctuation\">(</span><span class=\"token string\">'./yolomolo'</span><span class=\"token punctuation\">,</span> auto_load_libs<span class=\"token operator\">=</span><span class=\"token boolean\">False</span><span class=\"token punctuation\">)</span>\n    <span class=\"token comment\"># Create blank state starting from crazy function</span>\n    <span class=\"token comment\"># LAZY_SOLVES is very important here because we are actually collecting 
constraints for an equation Ax=b, where A is 20 by 20, x and b are 20 by 1</span>\n    state <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>blank_state<span class=\"token punctuation\">(</span>addr<span class=\"token operator\">=</span>crazy<span class=\"token punctuation\">,</span> add_options<span class=\"token operator\">=</span><span class=\"token punctuation\">{</span>angr<span class=\"token punctuation\">.</span>options<span class=\"token punctuation\">.</span>LAZY_SOLVES<span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span>\n    <span class=\"token comment\"># insert flag into memory by hand</span>\n    <span class=\"token comment\"># state.memory.store(buf, flag, endness='Iend_LE')</span>\n    state<span class=\"token punctuation\">.</span>memory<span class=\"token punctuation\">.</span>store<span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">,</span> flag<span class=\"token punctuation\">,</span> endness<span class=\"token operator\">=</span><span class=\"token string\">'Iend_BE'</span><span class=\"token punctuation\">)</span>\n    state<span class=\"token punctuation\">.</span>regs<span class=\"token punctuation\">.</span>rdi <span class=\"token operator\">=</span> buf\n\n    <span class=\"token comment\"># each character of flag should be between 0x30 and 0x7f</span>\n    <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">19</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        state<span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">.</span>get_byte<span class=\"token punctuation\">(</span>i<span 
class=\"token punctuation\">)</span> <span class=\"token operator\">>=</span> <span class=\"token number\">0x21</span><span class=\"token punctuation\">)</span>\n        state<span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">.</span>get_byte<span class=\"token punctuation\">(</span>i<span class=\"token punctuation\">)</span> <span class=\"token operator\">&lt;=</span> <span class=\"token number\">0x7f</span><span class=\"token punctuation\">)</span>\n\n    simgr <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>simulation_manager<span class=\"token punctuation\">(</span>state<span class=\"token punctuation\">)</span>\n\n    simgr<span class=\"token punctuation\">.</span>explore<span class=\"token punctuation\">(</span>find<span class=\"token operator\">=</span>find<span class=\"token punctuation\">,</span> avoid<span class=\"token operator\">=</span>avoids<span class=\"token punctuation\">)</span>\n    found <span class=\"token operator\">=</span> simgr<span class=\"token punctuation\">.</span>found<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span>\n    <span class=\"token keyword\">return</span> found<span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span><span class=\"token builtin\">eval</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">,</span> cast_to<span class=\"token operator\">=</span><span class=\"token builtin\">bytes</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">test</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token 
assert">
keyword\">assert</span> main<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token string\">b\"HACKCON{VVhYS04ngrY}\"</span>\n\n<span class=\"token keyword\">if</span> __name__ <span class=\"token keyword\">in</span> <span class=\"token string\">'__main__'</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">import</span> logging\n    logging<span class=\"token punctuation\">.</span>getLogger<span class=\"token punctuation\">(</span><span class=\"token string\">'angr.sim_manager'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>setLevel<span class=\"token punctuation\">(</span>logging<span class=\"token punctuation\">.</span>DEBUG<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>main<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>This code creates a 20-byte symbolic variable <code class=\"language-text\">flag</code> and constrains each of its first 19 bytes to the range 0x21 to 0x7f, i.e. roughly printable ASCII, which keeps the solver from wandering through non-printable candidates. Note that the comment in the script says 0x30 while the constraint actually added is 0x21, and that the last byte is left unconstrained; check comments against code before reusing a template like this.</p>\n<p>It then stores the variable into a free area of the data section with <code class=\"language-text\">state.memory.store(buf, flag, endness='Iend_BE')</code>, sets that address in rdi, and creates a blank SimState whose entry point is the Flag-validation function GoHomeOrGoCrazy, so main and the input-reading code are skipped entirely. The endness matters: with <code class=\"language-text\">Iend_BE</code> the most significant byte of the bitvector lands at the lowest address, so <code class=\"language-text\">flag.get_byte(0)</code> is the first character and <code class=\"language-text\">cast_to=bytes</code> returns the string in order; with the commented-out <code class=\"language-text\">Iend_LE</code> the recovered bytes would come out reversed.</p>\n<p>Starting symbolic execution directly at the validation function with a hand-placed symbolic input is a key technique worth remembering.</p>\n<h3 id=\"securityfest-2016---fairlight\" style=\"position:relative;\"><a href=\"#securityfest-2016---fairlight\" aria-label=\"securityfest 2016   fairlight permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 
1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>SecurityFest 2016 - fairlight</h3>\n<p>Next is a pattern where the Flag must be supplied as a command-line argument.</p>\n<p>Here, the Flag is identified by passing a symbolic variable as the <code class=\"language-text\">args</code> of <code class=\"language-text\">entry_state</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> angr\n<span class=\"token keyword\">import</span> claripy\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    proj <span class=\"token operator\">=</span> angr<span class=\"token punctuation\">.</span>Project<span class=\"token punctuation\">(</span><span class=\"token string\">'./fairlight'</span><span class=\"token punctuation\">,</span> load_options<span class=\"token operator\">=</span><span class=\"token punctuation\">{</span><span class=\"token string\">\"auto_load_libs\"</span><span class=\"token punctuation\">:</span> <span class=\"token boolean\">False</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span>\n    argv1 <span class=\"token operator\">=</span> claripy<span class=\"token punctuation\">.</span>BVS<span class=\"token punctuation\">(</span><span class=\"token string\">\"argv1\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xE</span> <span class=\"token operator\">*</span> <span class=\"token number\">8</span><span class=\"token punctuation\">)</span>\n    state <span class=\"token 
operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>entry_state<span class=\"token punctuation\">(</span>args<span class=\"token operator\">=</span><span class=\"token punctuation\">[</span><span class=\"token string\">\"./fairlight\"</span><span class=\"token punctuation\">,</span> argv1<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span> \n\n    simgr <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>simulation_manager<span class=\"token punctuation\">(</span>state<span class=\"token punctuation\">)</span>\n    simgr<span class=\"token punctuation\">.</span>explore<span class=\"token punctuation\">(</span>find<span class=\"token operator\">=</span><span class=\"token number\">0x4018f7</span><span class=\"token punctuation\">,</span> avoid<span class=\"token operator\">=</span><span class=\"token number\">0x4018f9</span><span class=\"token punctuation\">)</span>\n    found <span class=\"token operator\">=</span> simgr<span class=\"token punctuation\">.</span>found<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span>\n    <span class=\"token keyword\">return</span> found<span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span><span class=\"token builtin\">eval</span><span class=\"token punctuation\">(</span>argv1<span class=\"token punctuation\">,</span> cast_to<span class=\"token operator\">=</span><span class=\"token builtin\">bytes</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">test</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    res <span class=\"token operator\">=</span> main<span class=\"token 
punctuation\">(</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">repr</span><span class=\"token punctuation\">(</span>res<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">assert</span> res <span class=\"token operator\">==</span> <span class=\"token string\">b'4ngrman4gem3nt'</span>\n\n\n<span class=\"token keyword\">if</span> __name__ <span class=\"token operator\">==</span> <span class=\"token string\">'__main__'</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">import</span> logging\n    logging<span class=\"token punctuation\">.</span>getLogger<span class=\"token punctuation\">(</span><span class=\"token string\">'angr.sim_manager'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>setLevel<span class=\"token punctuation\">(</span>logging<span class=\"token punctuation\">.</span>DEBUG<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>main<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"solving-constraints-with-z3py\" style=\"position:relative;\"><a href=\"#solving-constraints-with-z3py\" aria-label=\"solving constraints with z3py permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 
3-3.5S14.5 6 13 6z\"></path></svg></a>Solving Constraints with z3py</h2>\n<p>angr uses z3 internally as its SMT solver for constraint solving.</p>\n<p>Therefore, knowing how to write constraint-solving code in z3py is useful when using angr.</p>\n<p>You can also specify detailed constraints derived from decompilation results to identify the Flag.</p>\n<h3 id=\"constraint-match-a-popcount-bit-sum-function\" style=\"position:relative;\"><a href=\"#constraint-match-a-popcount-bit-sum-function\" aria-label=\"constraint match a popcount bit sum function permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Constraint: Match a Popcount (Bit Sum) Function</h3>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> z3 <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n<span class=\"token keyword\">from</span> math <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\ns <span class=\"token operator\">=</span> Solver<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\ni1 <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string\">'i1'</span><span class=\"token punctuation\">,</span> <span class=\"token number\">64</span><span class=\"token punctuation\">)</span>\ni2 <span class=\"token operator\">=</span> BitVec<span class=\"token 
punctuation\">(</span><span class=\"token string\">'i2'</span><span class=\"token punctuation\">,</span> <span class=\"token number\">64</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Define a function to compute the sum of bits (popcount)</span>\n<span class=\"token keyword\">def</span> <span class=\"token function\">HW</span><span class=\"token punctuation\">(</span>bvec<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n  <span class=\"token keyword\">return</span> Sum<span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span>ZeroExt<span class=\"token punctuation\">(</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>ceil<span class=\"token punctuation\">(</span>log2<span class=\"token punctuation\">(</span>bvec<span class=\"token punctuation\">.</span>size<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> Extract<span class=\"token punctuation\">(</span>i<span class=\"token punctuation\">,</span>i<span class=\"token punctuation\">,</span>bvec<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span>bvec<span class=\"token punctuation\">.</span>size<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Define a function that returns 0 or 1 based on the popcount</span>\n<span class=\"token keyword\">def</span> <span class=\"token 
function\">volcano</span><span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n  w <span class=\"token operator\">=</span> HW<span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">)</span>\n  <span class=\"token keyword\">return</span> If<span class=\"token punctuation\">(</span>And<span class=\"token punctuation\">(</span>w <span class=\"token operator\">></span> <span class=\"token number\">16</span><span class=\"token punctuation\">,</span> w <span class=\"token operator\">&lt;</span> <span class=\"token number\">27</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">digitValue</span><span class=\"token punctuation\">(</span>c<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    dv <span class=\"token operator\">=</span> StrToInt<span class=\"token punctuation\">(</span>c<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">return</span> If<span class=\"token punctuation\">(</span>dv <span class=\"token operator\">==</span> <span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> dv<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">if</span> s<span class=\"token punctuation\">.</span>check<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> sat<span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>s<span class=\"token 
punctuation\">.</span>model<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"unsat\"</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h3 id=\"constraint-match-the-number-of-decimal-digits\" style=\"position:relative;\"><a href=\"#constraint-match-the-number-of-decimal-digits\" aria-label=\"constraint match the number of decimal digits permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Constraint: Match the Number of Decimal Digits</h3>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> z3 <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\ns <span class=\"token operator\">=</span> Solver<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\ni1 <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string\">'i1'</span><span class=\"token punctuation\">,</span> <span class=\"token number\">64</span><span class=\"token punctuation\">)</span>\ni2 <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token 
string\">'i2'</span><span class=\"token punctuation\">,</span> <span class=\"token number\">64</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Count decimal digits by converting to string</span>\n<span class=\"token comment\"># https://stackoverflow.com/questions/tagged/z3py</span>\ni1 <span class=\"token operator\">=</span> BV2Int<span class=\"token punctuation\">(</span>i1<span class=\"token punctuation\">)</span>\ni2 <span class=\"token operator\">=</span> BV2Int<span class=\"token punctuation\">(</span>i2<span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>Length<span class=\"token punctuation\">(</span>IntToStr<span class=\"token punctuation\">(</span>i1<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> Length<span class=\"token punctuation\">(</span>IntToStr<span class=\"token punctuation\">(</span>i2<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">if</span> s<span class=\"token punctuation\">.</span>check<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> sat<span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>s<span class=\"token punctuation\">.</span>model<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"unsat\"</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h3 id=\"constraint-match-the-sum-of-decimal-digits\" 
style=\"position:relative;\"><a href=\"#constraint-match-the-sum-of-decimal-digits\" aria-label=\"constraint match the sum of decimal digits permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Constraint: Match the Sum of Decimal Digits</h3>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> z3 <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n<span class=\"token keyword\">from</span> math <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\ns <span class=\"token operator\">=</span> Solver<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\ni1 <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string\">'i1'</span><span class=\"token punctuation\">,</span> <span class=\"token number\">64</span><span class=\"token punctuation\">)</span>\ni2 <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string\">'i2'</span><span class=\"token punctuation\">,</span> <span class=\"token number\">64</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Constraint that x and y have the same digit sum in decimal</span>\n<span class=\"token comment\"># 
https://stackoverflow.com/questions/76654949/z3-iterate-over-string-to-add-up-only-numbers-python-api</span>\n<span class=\"token comment\"># Integer value of a one-character string (StrToInt returns -1 for a non-digit); defined here so this block runs on its own</span>\n<span class=\"token keyword\">def</span> <span class=\"token function\">digitValue</span><span class=\"token punctuation\">(</span>c<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    dv <span class=\"token operator\">=</span> StrToInt<span class=\"token punctuation\">(</span>c<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">return</span> If<span class=\"token punctuation\">(</span>dv <span class=\"token operator\">==</span> <span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> dv<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Recursive function over the decimal string: digit sum of the remaining characters</span>\nadd_only_numbers <span class=\"token operator\">=</span> RecFunction<span class=\"token punctuation\">(</span><span class=\"token string\">'add_only_numbers'</span><span class=\"token punctuation\">,</span> StringSort<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> IntSort<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\nw <span class=\"token operator\">=</span> FreshConst<span class=\"token punctuation\">(</span>StringSort<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\nRecAddDefinition<span class=\"token punctuation\">(</span> add_only_numbers\n                <span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span>w<span class=\"token punctuation\">]</span>\n                <span class=\"token punctuation\">,</span> If <span class=\"token punctuation\">(</span> Length<span class=\"token punctuation\">(</span>w<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">0</span>\n                     <span class=\"token punctuation\">,</span> <span class=\"token number\">1</span>\n                     <span class=\"token punctuation\">,</span> digitValue<span class=\"token punctuation\">(</span>Extract<span class=\"token punctuation\">(</span>w<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> add_only_numbers<span class=\"token punctuation\">(</span>Extract<span class=\"token punctuation\">(</span>w<span 
class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> Length<span class=\"token punctuation\">(</span>w<span class=\"token punctuation\">)</span> <span class=\"token operator\">-</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n                     <span class=\"token punctuation\">)</span>\n                <span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>add_only_numbers<span class=\"token punctuation\">(</span>IntToStr<span class=\"token punctuation\">(</span>i1<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> add_only_numbers<span class=\"token punctuation\">(</span>IntToStr<span class=\"token punctuation\">(</span>i2<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">if</span> s<span class=\"token punctuation\">.</span>check<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> sat<span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>s<span class=\"token punctuation\">.</span>model<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"unsat\"</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h3 id=\"shift-and-rotate-shift-operations-in-z3py\" style=\"position:relative;\"><a 
href=\"#shift-and-rotate-shift-operations-in-z3py\" aria-label=\"shift and rotate shift operations in z3py permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Shift and Rotate-Shift Operations in z3py</h3>\n<p>You can perform shift operations on a BitVec in z3py (the regular Python shift operators also work). One caveat: <code class=\"language-text\">>></code> on a BitVec is an arithmetic shift, so it sign-extends a value whose top bit is set; use <code class=\"language-text\">LShR</code> for a logical shift, as in the byte extraction below.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> z3 <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\ns <span class=\"token operator\">=</span> Solver<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Create a 4-byte BitVec and add constraints on each character byte</span>\nbuf <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string\">\"buf\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">4</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token comment\"># LShR is a logical shift right (>> on a BitVec would be an arithmetic shift)</span>\n    s<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>LShR<span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">,</span><span class=\"token number\">8</span><span class=\"token operator\">*</span>i<span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xFF</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">>=</span> <span class=\"token number\">0x21</span><span class=\"token punctuation\">)</span>\n    s<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>LShR<span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">,</span><span class=\"token number\">8</span><span class=\"token operator\">*</span>i<span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xFF</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&lt;=</span> <span class=\"token number\">0x7e</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Similarly, to use only 3 bytes, specify constraints as follows (the top byte is forced to 0)</span>\nbuf2 <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string\">\"buf2\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>buf2 <span class=\"token operator\">>></span> <span class=\"token number\">24</span> <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">3</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token comment\"># LShR: logical shift right, each byte constrained to an ASCII digit</span>\n    s<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>LShR<span class=\"token punctuation\">(</span>buf2<span class=\"token punctuation\">,</span><span class=\"token number\">8</span><span class=\"token operator\">*</span>i<span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xFF</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">>=</span> <span class=\"token number\">0x30</span><span class=\"token punctuation\">)</span>\n    s<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>LShR<span class=\"token punctuation\">(</span>buf2<span class=\"token punctuation\">,</span><span class=\"token number\">8</span><span class=\"token operator\">*</span>i<span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xFF</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&lt;=</span> <span class=\"token number\">0x39</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Two 32-bit operands for the rotate examples below</span>\na <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string\">\"a\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\nb <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string\">\"b\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Rotate-shift (equivalent to ror(a*b,15) with the manual implementation below, N being the 32-bit mask)</span>\n<span class=\"token comment\"># def ror(a,b): return (LShR(a,b)|(a&lt;&lt;(32-b))) &amp; N</span>\nRotateRight<span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>a <span class=\"token operator\">*</span> b<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Equivalent to rol((a * b), 11) with the manual implementation below</span>\n<span class=\"token comment\"># def rol(a,b): return ror(a,32-b) # RotateLeft</span>\nRotateLeft<span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>a <span class=\"token operator\">*</span> b<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span 
class=\"token number\">11</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>Reference: <a href=\"https://z3prover.github.io/api/html/namespacez3py.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Z3: z3py Namespace Reference</a></p>\n<h2 id=\"solving-ctf-problems-with-z3py\" style=\"position:relative;\"><a href=\"#solving-ctf-problems-with-z3py\" aria-label=\"solving ctf problems with z3py permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Solving CTF Problems with z3py</h2>\n<p>Below are examples of solving CTF problem constraints with z3py.</p>\n<h3 id=\"n00bz-ctf-2023---zzz\" style=\"position:relative;\"><a href=\"#n00bz-ctf-2023---zzz\" aria-label=\"n00bz ctf 2023   zzz permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>n00bz CTF 2023 - zzz</h3>\n<p>Decompiling the given ELF binary in Ghidra produced the following result:</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 718px; 
\"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/8081ccf06a42519cf5d1dd0287094130/57dc1/image-20230621232054338.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 70%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/8081ccf06a42519cf5d1dd0287094130/8ac56/image-20230621232054338.webp 240w,\n/static/8081ccf06a42519cf5d1dd0287094130/d3be9/image-20230621232054338.webp 480w,\n/static/8081ccf06a42519cf5d1dd0287094130/7d0c9/image-20230621232054338.webp 718w\"\n              sizes=\"(max-width: 718px) 100vw, 718px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/8081ccf06a42519cf5d1dd0287094130/8ff5a/image-20230621232054338.png 240w,\n/static/8081ccf06a42519cf5d1dd0287094130/e85cb/image-20230621232054338.png 480w,\n/static/8081ccf06a42519cf5d1dd0287094130/57dc1/image-20230621232054338.png 718w\"\n            sizes=\"(max-width: 718px) 100vw, 718px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/8081ccf06a42519cf5d1dd0287094130/57dc1/image-20230621232054338.png\"\n            alt=\"image-20230621232054338\"\n            title=\"image-20230621232054338\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The <code class=\"language-text\">read</code> function reads <code class=\"language-text\">0x1e</code> bytes from fd=0, meaning it reads from stdin and passes the data to the <code class=\"language-text\">check</code> 
function.</p>\n<p>The <code class=\"language-text\">check</code> function decompiled as follows:</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 781px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/a837d1fb43a60f5e77b182d3e2bf89a5/7fee5/image-20230621233149319.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 95.83333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/a837d1fb43a60f5e77b182d3e2bf89a5/8ac56/image-20230621233149319.webp 240w,\n/static/a837d1fb43a60f5e77b182d3e2bf89a5/d3be9/image-20230621233149319.webp 480w,\n/static/a837d1fb43a60f5e77b182d3e2bf89a5/42cfc/image-20230621233149319.webp 781w\"\n              sizes=\"(max-width: 781px) 100vw, 781px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/a837d1fb43a60f5e77b182d3e2bf89a5/8ff5a/image-20230621233149319.png 240w,\n/static/a837d1fb43a60f5e77b182d3e2bf89a5/e85cb/image-20230621233149319.png 480w,\n/static/a837d1fb43a60f5e77b182d3e2bf89a5/7fee5/image-20230621233149319.png 781w\"\n            sizes=\"(max-width: 781px) 100vw, 781px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/a837d1fb43a60f5e77b182d3e2bf89a5/7fee5/image-20230621233149319.png\"\n            alt=\"image-20230621233149319\"\n            title=\"image-20230621233149319\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          
/>\n        </picture>\n  </a>\n    </span></p>\n<p>I created a Solver with the following constraints based on the Ghidra decompilation and was able to obtain the Flag:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> z3 <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\nflag <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span>BitVec<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"flag[</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>i<span class=\"token punctuation\">}</span></span><span class=\"token string\">]\"</span></span><span class=\"token punctuation\">,</span> <span class=\"token number\">8</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x1e</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span>\ns <span class=\"token operator\">=</span> Solver<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Add custom constraints</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>flag<span 
class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"0\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"0\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"b\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">4</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"z\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">5</span><span class=\"token punctuation\">]</span> <span class=\"token 
operator\">==</span> <span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"{\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x1e</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"}\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x1e</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    s<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>And<span class=\"token punctuation\">(</span>\n        <span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">>=</span> <span class=\"token number\">0x21</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        <span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">&lt;=</span> <span class=\"token number\">0x7e</span><span class=\"token punctuation\">)</span>\n    <span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Problem constraints</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token 
punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">>></span> <span class=\"token number\">4</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x6</span><span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>And<span class=\"token punctuation\">(</span>\n    <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">6</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">|</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x7a</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">6</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">&amp;</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token 
number\">0x42</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x1c</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">4</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span> \ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>And<span class=\"token punctuation\">(</span>\n    <span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x1d</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">*</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">5</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x3c0f</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    And<span class=\"token punctuation\">(</span>\n        <span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">8</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">6</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">7</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x12e</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        <span class=\"token 
punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">7</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">*</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">6</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">-</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">8</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x2a8a</span><span class=\"token punctuation\">)</span>\n    <span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>And<span class=\"token punctuation\">(</span>\n    And<span class=\"token punctuation\">(</span>\n        <span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">9</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">-</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">8</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token number\">5</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        <span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">10</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">-</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">9</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x1b</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        <span class=\"token 
punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">10</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">^</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">0xb</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x20</span><span class=\"token punctuation\">)</span>\n    <span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    And<span class=\"token punctuation\">(</span>\n        <span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">0xc</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">0xf</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        <span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">0xb</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">0xc</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token number\">0xb4</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        <span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">0xc</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">0xd</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token number\">0xb9</span><span class=\"token punctuation\">)</span>\n 
   <span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>And<span class=\"token punctuation\">(</span>\n    <span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">0xd</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">0xe</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">-</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x10</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">0xd</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    And<span class=\"token punctuation\">(</span>\n        <span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x11</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x10</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token number\">0xd9</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        <span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x11</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">0xd</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n    
<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    And<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">0xe</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x10</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">0xe</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">*</span> <span class=\"token number\">2</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>And<span class=\"token punctuation\">(</span>\n        And<span class=\"token punctuation\">(</span>\n            <span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x12</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span><span class=\"token string\">'Z'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n            <span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x12</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x13</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n            <span class=\"token punctuation\">(</span><span class=\"token 
punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x15</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">^</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x13</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">^</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x14</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x7f</span><span class=\"token punctuation\">)</span>\n        <span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x14</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">^</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x15</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">^</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x16</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x15</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        <span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x15</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span><span class=\"token string\">'_'</span><span class=\"token punctuation\">)</span><span 
class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        <span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">6</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x18</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token number\">0xb4</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x18</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+</span> <span class=\"token operator\">~</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x17</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token operator\">-</span><span class=\"token number\">0x21</span><span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x19</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">9</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>And<span class=\"token punctuation\">(</span>\n    <span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x1b</span><span class=\"token punctuation\">]</span> <span class=\"token 
operator\">+</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x1a</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token number\">0xd4</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x1b</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> flag<span class=\"token punctuation\">[</span><span class=\"token number\">0x1c</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">while</span> s<span class=\"token punctuation\">.</span>check<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> sat<span class=\"token punctuation\">:</span>\n    m <span class=\"token operator\">=</span> s<span class=\"token punctuation\">.</span>model<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">for</span> c <span class=\"token keyword\">in</span> flag<span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>m<span class=\"token punctuation\">[</span>c<span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>as_long<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>end<span class=\"token operator\">=</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n    <span class=\"token 
print">
keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">break</span></code></pre></div>\n<h3 id=\"sekai-ctf---guardians-of-the-kernel\" style=\"position:relative;\">SEKAI CTF - Guardians of the Kernel</h3>\n<ul>\n<li>Makes use of rotate-shift operations</li>\n<li>It is not necessary to add every intermediate computation in z3py as a constraint: intermediate results can be held in ordinary Python variables (as z3 expressions), and only the final value needs to be added as a constraint</li>\n</ul>\n<p>Reference: <a href=\"/ctf-sekaictf-2023-en\">SEKAI CTF 2023 Writeup</a></p>\n<h2 id=\"summary\" style=\"position:relative;\">Summary</h2>\n<p>I had been copy-pasting angr without understanding it, but in practice it 
turns out to be an extremely powerful tool — one that, including the content I couldn’t cover here, has the potential to be highly effective for solving all kinds of CTF problems.</p>\n<p>I plan to use this article as a cheat sheet and add to it as I go.</p>\n<h2 id=\"past-problems-solved-with-angr\" style=\"position:relative;\">Past Problems Solved with angr</h2>\n<ul>\n<li><a href=\"/ctf-angr-hooking-en\">Using angr’s hook feature to go for a flag via unintended solution on X’mas Eve</a>: technique using hooks</li>\n<li><a href=\"/ctf-angstrom-ctf-2024-en\">ångstromCTF 2024 Writeup - Polyomino</a>: angr problem solved with <code class=\"language-text\">state.memory.store</code></li>\n</ul>\n<h2 id=\"past-problems-solved-with-z3\" style=\"position:relative;\">Past Problems Solved with z3</h2>\n<ul>\n<li><a href=\"/ctf-cyber-apocaly-ctf-2024-en\">Cyber Apocalypse CTF 2024 - Metagaming</a>: solving a VM problem with Z3</li>\n<li><a href=\"/ctf-gpn-ctf-2024-en\">GPN CTF 2024 Writeup - Archventure time</a>: implemented a solver using various Z3 techniques</li>\n<li><a href=\"/ctf-irisctf-2024-en\">Iris CTF 2024 Writeup - Secure Computing</a>: solving computations inside a seccomp filter with Z3</li>\n<li><a href=\"/ctf-tet-ctf-2024-en\">TetCTF 2024 Writeup - babyasm</a>: wasm problem solved with Z3</li>\n<li><a href=\"/ctf-n00b-2023-en\">n00bzCTF 2023 Writeup - zzz</a>: simple Z3 flag-identification problem</li>\n<li><a href=\"/ctf-sekaictf-2023-en\">SEKAI CTF 2023 Writeup - Guardians of the Kernel</a>: problem using heavy shift operations in Z3</li>\n<li><a href=\"/ctf-1337up-2023-en\">1337UP CTF 2023 Writeup - FlagChecker</a>: simple Z3 problem</li>\n</ul>","fields":{"slug":"/ctf-angr-tutorial-en","tagSlugs":["/tag/ctf-en/","/tag/reversing-en/","/tag/angr-en/","/tag/z-3-en/","/tag/english/"]},"frontmatter":{"date":"2023-06-26","description":"I had been using angr with template scripts without much thought.","tags":["CTF (en)","Reversing (en)","angr (en)","Z3 (en)","English"],"title":"We Don't Know angr Yet (Z3py Notes Being Added)","socialImage":{"publicURL":"/static/eb679be4e5a7aef73e07814e275b0e99/ctf-angr-tutorial.png"}}}},"pageContext":{"slug":"/ctf-angr-tutorial-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}