illera88 / Ponce

IDA 2016 plugin contest winner! Symbolic Execution just one-click away!
https://docs.idaponce.com

Maybe Ponce has some problem... #72

Closed zhouat closed 4 years ago

zhouat commented 7 years ago

Can Ponce solve this kind of problem now? I always get no solution. -_- !

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int check_password(char *passwd)
{
    int i, sum = 0;
    for (i = 0; ; i++)
    {
        if (!passwd[i])
        {
            break;
        }
        sum += passwd[i];
    }
    if (i == 3)
    {
        if (sum == 0x14f && passwd[2] > 's' && passwd[2] < 'u' && passwd[0] == 'z')
        {
            return 1;
        }
    }
    else
    {
        puts("len error");
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2)
    {
        puts("error");
        return 1;
    }
    if (check_password(argv[1]))
    {
        puts("Congratulation!");
    }
    else
    {
        puts("error");
    }
    return 0;
}

0ca commented 7 years ago

It should work if you start with a string 3 characters long. Then you should stop at this condition:

if (sum == 0x14f && passwd[2] > 's' && passwd[2] < 'u' && passwd[0] == 'z')

And invert it. Could you post some screenshots here of where you are trying to solve the condition?

Thanks!

zhouat commented 7 years ago

Hi 0ca ~ the log below shows my operations:

env: os: win10 bin: 32bit

1. I set the arg to 'aaa'
2. First try:


(1) the debugger comes to the instructions here:

cmp     [ebp+var_10], 14Fh
jnz     short loc_4016B1

(2) it will go to the nz branch, so I press Negate & inject and get the log below:

[+] Solving formula...
[+] Solution found! Values:
 - SymVar_0 (argc):0x000002
 - SymVar_1 (argv[1][0]):0x6f (o)
 - SymVar_2 (argv[1][1]):0x70 (p)
 - SymVar_3 (argv[1][2]):0x70 (p)
 - SymVar_4 (argv[1][3]):00 ( )

(3) then the debugger comes to new instructions:

mov     eax, [ebp+arg_0]
add     eax, 2
movzx   eax, byte ptr [eax]
cmp     al, 73h
jle     short loc_4016B1

(4) this time I cannot press Ctrl+Shift+N (Negate & inject) any more; the button becomes gray


3. Second try


restore the snapshot

cmp     [ebp+var_10], 14Fh
jnz     short loc_4016B1

(1) the debugger goes to the 'jz' branch, go on ...

mov     eax, [ebp+arg_0]
add     eax, 2
movzx   eax, byte ptr [eax]
cmp     al, 73h
jle     short loc_4016B1

the debugger will go to the 'jle' branch (2) so I press Negate & inject and get the log below:

[+] Solution found! Values:
 - SymVar_0 (argc):0x000002
 - SymVar_1 (argv[1][0]):0x2 ()
 - SymVar_2 (argv[1][1]):0x5 ()
 - SymVar_3 (argv[1][2]):0x7b ({)
 - SymVar_4 (argv[1][3]):00 ( )

Obviously, wrong answer!

(3) then I cannot press Ctrl+Shift+N (Negate & inject) any more; the button becomes gray


Looking forward to your reply, thanks.
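A way to check a solver's candidates against the whole branch condition, added here as an example that is not part of the issue or of Ponce: it reproduces check_password from the issue, reports which conjunct a candidate fails first (in the order the disassembly above tests them), and brute-forces the three-character printable space to confirm how many inputs the check accepts. The candidates are constructed from the two values Ponce returned above plus the answer derived from the constraints.

```c
#include <stdio.h>
#include <string.h>

/* check_password from the issue, condensed but with the same predicate. */
int check_password(char *passwd)
{
    int i, sum = 0;
    for (i = 0; passwd[i]; i++) sum += passwd[i];
    if (i != 3) { puts("len error"); return 0; }
    return sum == 0x14f && passwd[2] > 's' && passwd[2] < 'u' && passwd[0] == 'z';
}

/* Test the condition conjunct by conjunct, in the order the compiled code checks
 * them: 0 when all hold, else the 1-based index of the first failing conjunct,
 * or -1 when the length is not 3. */
int first_failing_conjunct(const char *p)
{
    int i, sum = 0;
    for (i = 0; p[i]; i++) sum += p[i];
    if (i != 3)        return -1;
    if (sum != 0x14f)  return 1;   /* cmp [ebp+var_10], 14Fh / jnz */
    if (!(p[2] > 's')) return 2;   /* cmp al, 73h / jle */
    if (!(p[2] < 'u')) return 3;
    if (p[0] != 'z')   return 4;
    return 0;
}

/* Enumerate every three-character printable input, count those check_password
 * accepts and remember the first one (readable via first_solution()). */
static char first_found[4];
int count_solutions(void)
{
    char buf[4] = {0};
    int count = 0;
    for (int a = 0x20; a < 0x7f; a++)
        for (int b = 0x20; b < 0x7f; b++)
            for (int c = 0x20; c < 0x7f; c++) {
                buf[0] = (char)a; buf[1] = (char)b; buf[2] = (char)c;
                if (check_password(buf) && count++ == 0) memcpy(first_found, buf, 4);
            }
    return count;
}
const char *first_solution(void) { return first_found; }

int main(void)
{
    /* Constructed candidates: the two values Ponce returned in the issue, then the derived answer. */
    const char *cands[] = { "opp", "\x02\x05{", "zat" };
    for (int k = 0; k < 3; k++)
        printf("candidate %d: first failing conjunct = %d\n", k, first_failing_conjunct(cands[k]));
    printf("%d solution(s), first = \"%s\"\n", count_solutions(), first_solution());
    return 0;
}
```

"opp" satisfies the sum check and fails only at the `cmp al, 73h` conjunct, which is exactly where the first try stopped; the second try's value fails the sum check that the earlier branch had already required.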

illera88 commented 4 years ago

I know this issue has been open for quite a while, but you may give it a try now with the new Ponce version v0.3.

If the problem persists let me know and I'll reopen the issue. Thanks for reporting.