diff --git a/lab0/lab0.js b/lab0/lab0.js
index e69de29b..fa2ad5c2 100644
--- a/lab0/lab0.js
+++ b/lab0/lab0.js
@@ -0,0 +1 @@
+console.log("Hello world!");
diff --git a/lab1/main_test.js b/lab1/main_test.js
index 74a716b4..47844d4e 100644
--- a/lab1/main_test.js
+++ b/lab1/main_test.js
@@ -20,4 +20,4 @@ test("Test Student's setName", () => {
 test("Test Student's getName", () => {
 // TODO
 throw new Error("Test not implemented");
-});
\ No newline at end of file
+});
diff --git a/lab5/antiasan.c b/lab5/antiasan.c
index 8a8936de..c197bd6c 100644
--- a/lab5/antiasan.c
+++ b/lab5/antiasan.c
@@ -1,6 +1,10 @@
 #include
-void antiasan(unsigned long addr)
-{
+extern char gS[];
+extern char gBadBuf[];
+extern void __asan_unpoison_memory_region(void const volatile *addr, size_t size);
+void antiasan(unsigned long addr) {
+ __asan_unpoison_memory_region(gS, 0xa7);
+ __asan_unpoison_memory_region(gBadBuf, 0xa7);
 }
diff --git a/lab6/llvm-pass.so.cc b/lab6/llvm-pass.so.cc
index 6c6e17e4..11943a05 100644
--- a/lab6/llvm-pass.so.cc
+++ b/lab6/llvm-pass.so.cc
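Review bot: `antiasan` never reads its `addr` parameter and unpoisons a fixed 0xa7 bytes of `gS` and of `gBadBuf`, so nothing ties that length to the arrays' real sizes; if a span is larger than its array it also clears the ASan redzone next to it, and out-of-bounds detection there goes silent without any diagnostic. Name the length and record where it comes from, e.g. `#define UNPOISON_LEN 0xa7 /* must match the size of gS / gBadBuf in the lab binary */`, and add `(void)addr;` if the parameter is intentionally unused. The hand-written `extern` prototype of `__asan_unpoison_memory_region` duplicates the declaration that `<sanitizer/asan_interface.h>` already provides; including that header keeps the signature in step with the runtime (the `#include` on the first context line has lost its operand in this rendering, so I cannot tell what it currently pulls in).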
@@ -1,34 +1,62 @@
 #include "llvm/Passes/PassPlugin.h"
 #include "llvm/Passes/PassBuilder.h"
 #include "llvm/IR/IRBuilder.h"
+#include "llvm/IR/Constants.h"
+#include "llvm/IR/GlobalVariable.h"
 using namespace llvm;
-struct LLVMPass : public PassInfoMixin {
- PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM);
-};
+struct LLVMPass : PassInfoMixin {
+ PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM) {
+ LLVMContext &Ctx = M.getContext();
+
+ // 1) Declare debug prototype: void debug(i32)
+ FunctionCallee debugFunc = M.getOrInsertFunction(
+ "debug",
+ FunctionType::get(Type::getVoidTy(Ctx), {Type::getInt32Ty(Ctx)}, false)
+ );
+ ConstantInt *const48763 = ConstantInt::get(Type::getInt32Ty(Ctx), 48763);
+
+ // 2) Locate main
+ if (Function *F = M.getFunction("main")) {
+ BasicBlock &entryBB = F->getEntryBlock();
+ // Insert right after any allocas/PHIs in entry
+ IRBuilder<> builder(&*entryBB.getFirstInsertionPt());
+
+ // --- (40%) Call debug(48763) ---
+ builder.CreateCall(debugFunc, {const48763});
-PreservedAnalyses LLVMPass::run(Module &M, ModuleAnalysisManager &MAM) {
- LLVMContext &Ctx = M.getContext();
- IntegerType *Int32Ty = IntegerType::getInt32Ty(Ctx);
- FunctionCallee debug_func = M.getOrInsertFunction("debug", Int32Ty);
- ConstantInt *debug_arg = ConstantInt::get(Int32Ty, 48763);
+ // --- (30%) Overwrite argc → 48763 ---
+ // main signature is: i32 @main(i32 %argc, i8** %argv)
+ Argument *argcArg = &*F->arg_begin();
+ argcArg->replaceAllUsesWith(const48763);
- for (auto &F : M) {
- errs() << "func: " << F.getName() << "\n";
+ // --- (30%) Overwrite argv[1] → "hayaku... motohayaku!" ---
+ Argument *argvArg = &*(std::next(F->arg_begin()));
+ // Create a global constant string
+ Value *strPtr = builder.CreateGlobalStringPtr("hayaku... motohayaku!");
+ // Compute pointer to argv[1]: getelementptr i8*, i8** %argv, i64 1
+ Value *idx1 = ConstantInt::get(Type::getInt64Ty(Ctx), 1);
+ Value *ptrToArg1 = builder.CreateInBoundsGEP(
+ argvArg->getType()->getPointerElementType(), // element type = i8*
+ argvArg, // base pointer i8**
+ idx1
+ );
+ // Store the new string into argv[1]
+ builder.CreateStore(strPtr, ptrToArg1);
+ }
+ return PreservedAnalyses::none();
 }
- return PreservedAnalyses::none();
-}
+};
 extern "C" ::llvm::PassPluginLibraryInfo LLVM_ATTRIBUTE_WEAK
 llvmGetPassPluginInfo() {
 return {LLVM_PLUGIN_API_VERSION, "LLVMPass", "1.0",
 [](PassBuilder &PB) {
 PB.registerOptimizerLastEPCallback(
- [](ModulePassManager &MPM, OptimizationLevel OL) {
+ [](ModulePassManager &MPM, OptimizationLevel) {
 MPM.addPass(LLVMPass());
 });
 }};
 }
-
diff --git a/lab8/solve.py b/lab8/solve.py
index 9ab3ee2f..d15b0d0d 100755
--- a/lab8/solve.py
+++ b/lab8/solve.py
@@ -1,11 +1,34 @@
 #!/usr/bin/env python3
-
-import angr,sys
+import angr
+import claripy
+import sys
 def main():
- secret_key = b""
- sys.stdout.buffer.write(secret_key)
+ proj = angr.Project('./chal', auto_load_libs=False)
+
+ #建立8-bit輸入
+ sym_chars = [claripy.BVS(f'byte_{i}', 8) for i in range(8)]
+ sym_input = claripy.Concat(*sym_chars)
+
+ #初始化執行狀態並模擬stdin輸入
+ state = proj.factory.full_init_state(
+ stdin = angr.SimFileStream(name='stdin', content=sym_input, has_end=True)
+ )
+
+ #建立模擬器並開始搜尋個別狀態
+ simgr = proj.factory.simgr(state)
+ simgr.explore(
+ find = lambda s:b"Correct!" in s.posix.dumps(1)
+ )
+ #找到則輸出結果,否則輸出 "No solution found!"
+ if simgr.found:
+ found = simgr.found[0]
+ secret_key = found.solver.eval(sym_input, cast_to=bytes)
+ sys.stdout.buffer.write(secret_key)
+ else:
+ print("No solution found!")
+ sys.exit(1)
 if __name__ == '__main__':
 main()
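Review bot: `F->arg_begin()` and `std::next(F->arg_begin())` are dereferenced without checking that `main` really has two parameters, so a `main(void)` in the instrumented module yields invalid `Argument *` values before `replaceAllUsesWith` runs; guard the argc/argv rewrite right after the `CreateCall` with `if (F->arg_size() < 2) return PreservedAnalyses::none();`. `argvArg->getType()->getPointerElementType()` depends on typed pointers, which newer LLVM releases have deprecated and then dropped in favour of opaque pointers; the GEP element type is the `i8*` the comment already names, so `PointerType::get(Ctx, 0)` (an opaque `ptr` on current LLVM) is the portable spelling. Replacing every use of argc with 48763 also defeats any `argc > 1` check inside `main`, so code that indexes `argv` beyond the real argument count reads past the array; that is presumably the lab's intent, but a one-line comment saying so would spare the next reader the surprise.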
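Review bot: The failure branch prints `"No solution found!"` to stdout, the same stream the success branch uses for the raw key bytes, so a caller that captures stdout as the key receives the message instead and can only tell the cases apart by exit code; send it to stderr, `print("No solution found!", file=sys.stderr)`. `angr.Project('./chal', ...)` resolves the binary against the current working directory rather than the script's location, so running the script from anywhere else fails at load time; `os.path.join(os.path.dirname(os.path.abspath(__file__)), 'chal')` fixes that at the cost of one `import os`. Exploration passes only `find` and no `avoid`, so every state stays live until one prints `Correct!`; if the binary has a fixed failure message, an `avoid` predicate on it would prune early (I cannot tell the message from the diff).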