Tip

AWS ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ:HackTricks Training AWS Red Team Expert (ARTE)
GCP ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ: HackTricks Training GCP Red Team Expert (GRTE) Azure ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks ์ง€์›ํ•˜๊ธฐ

๊ธฐ๋ณธ์ ์œผ๋กœ ์ด ๋„๊ตฌ๋Š” ํŠน์ • ์กฐ๊ฑด์„ ๋งŒ์กฑํ•ด์•ผ ํ•˜๋Š” ๋ณ€์ˆ˜์˜ ๊ฐ’์„ ์ฐพ๋Š” ๋ฐ ๋„์›€์„ ์ค„ ๊ฒƒ์ด๋ฉฐ, ์ˆ˜์ž‘์—…์œผ๋กœ ๊ณ„์‚ฐํ•˜๋Š” ๊ฒƒ์€ ๋งค์šฐ ๋ฒˆ๊ฑฐ๋กœ์šธ ๊ฒƒ์ž…๋‹ˆ๋‹ค. ๋”ฐ๋ผ์„œ Z3์— ๋ณ€์ˆ˜๊ฐ€ ๋งŒ์กฑํ•ด์•ผ ํ•˜๋Š” ์กฐ๊ฑด์„ ์ง€์ •ํ•˜๋ฉด ๊ฐ€๋Šฅํ•œ ๊ฒฝ์šฐ ์ผ๋ถ€ ๊ฐ’์„ ์ฐพ์•„๋ƒ…๋‹ˆ๋‹ค.

์ผ๋ถ€ ํ…์ŠคํŠธ์™€ ์˜ˆ์‹œ๋Š” https://ericpony.github.io/z3py-tutorial/guide-examples.htm์—์„œ ์ถ”์ถœ๋˜์—ˆ์Šต๋‹ˆ๋‹ค.

๊ธฐ๋ณธ ์ž‘์—…

๋ถˆ๋ฆฌ์–ธ/๊ทธ๋ฆฌ๊ณ /๋˜๋Š”/์•„๋‹ˆ์˜ค

#pip3 install z3-solver
from z3 import *
s = Solver() #The solver will be given the conditions

x = Bool("x") #Declare the symbos x, y and z
y = Bool("y")
z = Bool("z")

# (x or y or !z) and y
s.add(And(Or(x,y,Not(z)),y))
s.check() #If response is "sat" then the model is satifable, if "unsat" something is wrong
print(s.model()) #Print valid values to satisfy the model

Ints/Simplify/Reals

from z3 import *

x = Int('x')
y = Int('y')
#Simplify a "complex" ecuation
print(simplify(And(x + 1 >= 3, x**2 + x**2 + y**2 + 2 >= 5)))
#And(x >= 2, 2*x**2 + y**2 >= 3)

#Note that Z3 is capable to treat irrational numbers (An irrational algebraic number is a root of a polynomial with integer coefficients. Internally, Z3 represents all these numbers precisely.)
#so you can get the decimals you need from the solution
r1 = Real('r1')
r2 = Real('r2')
#Solve the ecuation
print(solve(r1**2 + r2**2 == 3, r1**3 == 2))
#Solve the ecuation with 30 decimals
set_option(precision=30)
print(solve(r1**2 + r2**2 == 3, r1**3 == 2))

๋ชจ๋ธ ์ถœ๋ ฅ

from z3 import *

x, y, z = Reals('x y z')
s = Solver()
s.add(x > 1, y > 1, x + y > 3, z - x < 10)
s.check()

m = s.model()
print ("x = %s" % m[x])
for d in m.decls():
print("%s = %s" % (d.name(), m[d]))

๋จธ์‹  ์‚ฐ์ˆ 

ํ˜„๋Œ€ CPU์™€ ์ฃผ๋ฅ˜ ํ”„๋กœ๊ทธ๋ž˜๋ฐ ์–ธ์–ด๋Š” ๊ณ ์ • ํฌ๊ธฐ ๋น„ํŠธ ๋ฒกํ„ฐ์— ๋Œ€ํ•œ ์‚ฐ์ˆ ์„ ์‚ฌ์šฉํ•ฉ๋‹ˆ๋‹ค. ๋จธ์‹  ์‚ฐ์ˆ ์€ Z3Py์—์„œ ๋น„ํŠธ ๋ฒกํ„ฐ๋กœ ์ œ๊ณต๋ฉ๋‹ˆ๋‹ค.

from z3 import *

x = BitVec('x', 16) #Bit vector variable "x" of length 16 bit
y = BitVec('y', 16)

e = BitVecVal(10, 16) #Bit vector with value 10 of length 16bits
a = BitVecVal(-1, 16)
b = BitVecVal(65535, 16)
print(simplify(a == b)) #This is True!
a = BitVecVal(-1, 32)
b = BitVecVal(65535, 32)
print(simplify(a == b)) #This is False

Signed/Unsigned Numbers

Z3๋Š” ๋น„ํŠธ ๋ฒกํ„ฐ๊ฐ€ ๋ถ€ํ˜ธ๊ฐ€ ์žˆ๋Š”์ง€ ์—†๋Š”์ง€์— ๋”ฐ๋ผ ์ฐจ์ด๊ฐ€ ๋‚˜๋Š” ํŠน๋ณ„ํ•œ ๋ถ€ํ˜ธ ์žˆ๋Š” ๋ฒ„์ „์˜ ์‚ฐ์ˆ  ์—ฐ์‚ฐ์„ ์ œ๊ณตํ•ฉ๋‹ˆ๋‹ค. Z3Py์—์„œ ์—ฐ์‚ฐ์ž **<, <=, >, >=, /, % ๋ฐ >>**๋Š” ๋ถ€ํ˜ธ ์žˆ๋Š” ๋ฒ„์ „์— ํ•ด๋‹นํ•ฉ๋‹ˆ๋‹ค. ํ•ด๋‹นํ•˜๋Š” ๋ถ€ํ˜ธ ์—†๋Š” ์—ฐ์‚ฐ์ž๋Š” **ULT, ULE, UGT, UGE, UDiv, URem ๋ฐ LShR.**์ž…๋‹ˆ๋‹ค.

from z3 import *

# Create to bit-vectors of size 32
x, y = BitVecs('x y', 32)
solve(x + y == 2, x > 0, y > 0)

# Bit-wise operators
# & bit-wise and
# | bit-wise or
# ~ bit-wise not
solve(x & y == ~y)
solve(x < 0)

# using unsigned version of <
solve(ULT(x, 0))

Functions

ํ•ด์„๋œ ํ•จ์ˆ˜๋Š” ์‚ฐ์ˆ ๊ณผ ๊ฐ™์€ ๊ฒƒ์œผ๋กœ, **ํ•จ์ˆ˜ +**๋Š” ๊ณ ์ •๋œ ํ‘œ์ค€ ํ•ด์„์„ ๊ฐ€์ง€๊ณ  ์žˆ์Šต๋‹ˆ๋‹ค(๋‘ ์ˆซ์ž๋ฅผ ๋”ํ•ฉ๋‹ˆ๋‹ค). ๋น„ํ•ด์„ ํ•จ์ˆ˜์™€ ์ƒ์ˆ˜๋Š” ์ตœ๋Œ€ ์œ ์—ฐ์„ฑ์„ ๊ฐ€์ง€๋ฉฐ, ์ด๋Š” ํ•จ์ˆ˜๋‚˜ ์ƒ์ˆ˜์— ๋Œ€ํ•œ ์ œ์•ฝ๊ณผ ์ผ๊ด€๋œ ๋ชจ๋“  ํ•ด์„์„ ํ—ˆ์šฉํ•ฉ๋‹ˆ๋‹ค.

์˜ˆ: f๊ฐ€ x์— ๋‘ ๋ฒˆ ์ ์šฉ๋˜๋ฉด ๋‹ค์‹œ x๊ฐ€ ๋˜์ง€๋งŒ, f๊ฐ€ x์— ํ•œ ๋ฒˆ ์ ์šฉ๋˜๋ฉด x์™€ ๋‹ค๋ฆ…๋‹ˆ๋‹ค.

from z3 import *

x = Int('x')
y = Int('y')
f = Function('f', IntSort(), IntSort())
s = Solver()
s.add(f(f(x)) == x, f(x) == y, x != y)
s.check()
m = s.model()
print("f(f(x)) =", m.evaluate(f(f(x))))
print("f(x)    =", m.evaluate(f(x)))

print(m.evaluate(f(2)))
s.add(f(x) == 4) #Find the value that generates 4 as response
s.check()
print(m.model())

์˜ˆ์ œ

์Šค๋„์ฟ  ํ•ด๊ฒฐ๊ธฐ

# 9x9 matrix of integer variables
X = [ [ Int("x_%s_%s" % (i+1, j+1)) for j in range(9) ]
for i in range(9) ]

# each cell contains a value in {1, ..., 9}
cells_c  = [ And(1 <= X[i][j], X[i][j] <= 9)
for i in range(9) for j in range(9) ]

# each row contains a digit at most once
rows_c   = [ Distinct(X[i]) for i in range(9) ]

# each column contains a digit at most once
cols_c   = [ Distinct([ X[i][j] for i in range(9) ])
for j in range(9) ]

# each 3x3 square contains a digit at most once
sq_c     = [ Distinct([ X[3*i0 + i][3*j0 + j]
for i in range(3) for j in range(3) ])
for i0 in range(3) for j0 in range(3) ]

sudoku_c = cells_c + rows_c + cols_c + sq_c

# sudoku instance, we use '0' for empty cells
instance = ((0,0,0,0,9,4,0,3,0),
(0,0,0,5,1,0,0,0,7),
(0,8,9,0,0,0,0,4,0),
(0,0,0,0,0,0,2,0,8),
(0,6,0,2,0,1,0,5,0),
(1,0,2,0,0,0,0,0,0),
(0,7,0,0,0,0,5,2,0),
(9,0,0,0,6,5,0,0,0),
(0,4,0,9,7,0,0,0,0))

instance_c = [ If(instance[i][j] == 0,
True,
X[i][j] == instance[i][j])
for i in range(9) for j in range(9) ]

s = Solver()
s.add(sudoku_c + instance_c)
if s.check() == sat:
m = s.model()
r = [ [ m.evaluate(X[i][j]) for j in range(9) ]
for i in range(9) ]
print_matrix(r)
else:
print "failed to solve"

์ฐธ๊ณ ๋ฌธํ—Œ

Tip

AWS ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ:HackTricks Training AWS Red Team Expert (ARTE)
GCP ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ: HackTricks Training GCP Red Team Expert (GRTE) Azure ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks ์ง€์›ํ•˜๊ธฐ