[LAB8] 313551150

lab0/lab0.js

@@ -0,0 +1 @@
+console.log("Hello world!");

lab1/main_test.js

@@ -20,4 +20,4 @@ test("Test Student's setName", () => {
 test("Test Student's getName", () => {
     // TODO
     throw new Error("Test not implemented");
-});
+});

lab5/antiasan.c

@@ -1,6 +1,10 @@
 #include <string.h>
 
-void antiasan(unsigned long addr)
-{
 
+extern char gS[]; 
+extern char gBadBuf[]; 
+extern void __asan_unpoison_memory_region(void const volatile *addr, size_t size);
+void antiasan(unsigned long addr) {
+    __asan_unpoison_memory_region(gS, 0xa7);
+    __asan_unpoison_memory_region(gBadBuf, 0xa7);
 }

lab6/llvm-pass.so.cc

@@ -1,34 +1,62 @@
 #include "llvm/Passes/PassPlugin.h"
 #include "llvm/Passes/PassBuilder.h"
 #include "llvm/IR/IRBuilder.h"
+#include "llvm/IR/Constants.h"
+#include "llvm/IR/GlobalVariable.h"
 
 using namespace llvm;
 
-struct LLVMPass : public PassInfoMixin<LLVMPass> {
-  PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM);
-};
+struct LLVMPass : PassInfoMixin<LLVMPass> {
+  PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM) {
+    LLVMContext &Ctx = M.getContext();
+
+    // 1) Declare debug prototype: void debug(i32)
+    FunctionCallee debugFunc = M.getOrInsertFunction(
+      "debug",
+      FunctionType::get(Type::getVoidTy(Ctx), {Type::getInt32Ty(Ctx)}, false)
+    );
+    ConstantInt *const48763 = ConstantInt::get(Type::getInt32Ty(Ctx), 48763);
+
+    // 2) Locate main
+    if (Function *F = M.getFunction("main")) {
+      BasicBlock &entryBB = F->getEntryBlock();
+      // Insert right after any allocas/PHIs in entry
+      IRBuilder<> builder(&*entryBB.getFirstInsertionPt());
+
+      // --- (40%) Call debug(48763) ---
+      builder.CreateCall(debugFunc, {const48763});
 
-PreservedAnalyses LLVMPass::run(Module &M, ModuleAnalysisManager &MAM) {
-  LLVMContext &Ctx = M.getContext();
-  IntegerType *Int32Ty = IntegerType::getInt32Ty(Ctx);
-  FunctionCallee debug_func = M.getOrInsertFunction("debug", Int32Ty);
-  ConstantInt *debug_arg = ConstantInt::get(Int32Ty, 48763);
+      // --- (30%) Overwrite argc → 48763 ---
+      // main signature is: i32 @main(i32 %argc, i8** %argv)
+      Argument *argcArg = &*F->arg_begin();
+      argcArg->replaceAllUsesWith(const48763);
 
-  for (auto &F : M) {
-    errs() << "func: " << F.getName() << "\n";
+      // --- (30%) Overwrite argv[1] → "hayaku... motohayaku!" ---
+      Argument *argvArg = &*(std::next(F->arg_begin()));
+      // Create a global constant string
+      Value *strPtr = builder.CreateGlobalStringPtr("hayaku... motohayaku!");
+      // Compute pointer to argv[1]: getelementptr i8*, i8** %argv, i64 1
+      Value *idx1 = ConstantInt::get(Type::getInt64Ty(Ctx), 1);
+      Value *ptrToArg1 = builder.CreateInBoundsGEP(
+        argvArg->getType()->getPointerElementType(), // element type = i8*
+        argvArg,                                     // base pointer i8**
+        idx1
+      );
+      // Store the new string into argv[1]
+      builder.CreateStore(strPtr, ptrToArg1);
+    }
 
+    return PreservedAnalyses::none();
   }
-  return PreservedAnalyses::none();
-}
+};
 
 extern "C" ::llvm::PassPluginLibraryInfo LLVM_ATTRIBUTE_WEAK
 llvmGetPassPluginInfo() {
   return {LLVM_PLUGIN_API_VERSION, "LLVMPass", "1.0",
     [](PassBuilder &PB) {
       PB.registerOptimizerLastEPCallback(
-        [](ModulePassManager &MPM, OptimizationLevel OL) {
+        [](ModulePassManager &MPM, OptimizationLevel) {
           MPM.addPass(LLVMPass());
         });
     }};
 }
-

lab8/solve.py

@@ -1,11 +1,34 @@
 #!/usr/bin/env python3
-
-import angr,sys
+import angr
+import claripy
+import sys
 
 def main():
-    secret_key = b""
-    sys.stdout.buffer.write(secret_key)
+   proj = angr.Project('./chal', auto_load_libs=False)
+
+    #建立8-bit輸入
+    sym_chars = [claripy.BVS(f'byte_{i}', 8) for i in range(8)]
+    sym_input = claripy.Concat(*sym_chars)
+
+    #初始化執行狀態並模擬stdin輸入
+    state = proj.factory.full_init_state(
+        stdin = angr.SimFileStream(name='stdin', content=sym_input, has_end=True)
+    )
+
+    #建立模擬器並開始搜尋個別狀態
+    simgr = proj.factory.simgr(state)
+    simgr.explore(
+        find = lambda s:b"Correct!" in s.posix.dumps(1)
+    )
 
+    #找到則輸出結果，否則輸出 "No solution found!"
+    if simgr.found:
+        found = simgr.found[0]
+        secret_key = found.solver.eval(sym_input, cast_to=bytes)
+        sys.stdout.buffer.write(secret_key)
+    else:
+        print("No solution found!")
+        sys.exit(1)
 
 if __name__ == '__main__':
     main()