2022-04-28 16:01:33 +00:00
< details >
2024-02-08 04:42:06 +00:00
< summary > < strong > 从零开始学习AWS黑客技术< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE( HackTricks AWS红队专家) < / strong > < / a > < strong > ! < / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-02-08 04:42:06 +00:00
其他支持HackTricks的方式:
2022-04-28 16:01:33 +00:00
2024-02-08 04:42:06 +00:00
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群** ](https://discord.gg/hRep4RUj7f ) 或 [**电报群** ](https://t.me/peass ) 或 **关注**我的**Twitter** 🐦 [**@carlospolopm** ](https://twitter.com/carlospolopm )**。**
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
2022-04-28 16:01:33 +00:00
< / details >
2022-05-01 16:32:23 +00:00
2024-02-08 04:42:06 +00:00
非常基本地, 这个工具将帮助我们找到需要满足一些条件的变量的值, 手动计算将会很烦人。因此, 您可以告诉Z3变量需要满足的条件, 它将找到一些值( 如果可能的话) 。
2021-09-08 23:47:00 +00:00
2023-08-03 19:12:22 +00:00
# 基本操作
2021-09-08 23:47:00 +00:00
2024-02-08 04:42:06 +00:00
## 布尔值/And/Or/Not
2021-09-08 23:47:00 +00:00
```python
#pip3 install z3-solver
from z3 import *
s = Solver() #The solver will be given the conditions
x = Bool("x") #Declare the symbos x, y and z
y = Bool("y")
z = Bool("z")
# (x or y or !z) and y
s.add(And(Or(x,y,Not(z)),y))
s.check() #If response is "sat" then the model is satifable, if "unsat" something is wrong
print(s.model()) #Print valid values to satisfy the model
```
2023-08-03 19:12:22 +00:00
## 整数/简化/实数
2021-09-08 23:47:00 +00:00
```python
from z3 import *
x = Int('x')
y = Int('y')
#Simplify a "complex" ecuation
print(simplify(And(x + 1 >= 3, x**2 + x**2 + y**2 + 2 >= 5)))
#And(x >= 2, 2*x**2 + y**2 >= 3)
#Note that Z3 is capable to treat irrational numbers (An irrational algebraic number is a root of a polynomial with integer coefficients. Internally, Z3 represents all these numbers precisely.)
#so you can get the decimals you need from the solution
r1 = Real('r1')
r2 = Real('r2')
#Solve the ecuation
print(solve(r1**2 + r2**2 == 3, r1**3 == 2))
#Solve the ecuation with 30 decimals
set_option(precision=30)
print(solve(r1**2 + r2**2 == 3, r1**3 == 2))
```
2023-08-03 19:12:22 +00:00
## 打印模型
2021-09-08 23:47:00 +00:00
```python
from z3 import *
x, y, z = Reals('x y z')
s = Solver()
s.add(x > 1, y > 1, x + y > 3, z - x < 10 )
s.check()
m = s.model()
print ("x = %s" % m[x])
for d in m.decls():
2023-08-03 19:12:22 +00:00
print("%s = %s" % (d.name(), m[d]))
2021-09-08 23:47:00 +00:00
```
2023-08-03 19:12:22 +00:00
# 机器算术
2021-09-08 23:47:00 +00:00
2024-02-08 04:42:06 +00:00
现代 CPU 和主流编程语言使用固定大小比特向量进行算术运算。在 Z3Py 中,可以使用**比特向量**来进行机器算术。
2021-09-08 23:47:00 +00:00
```python
from z3 import *
x = BitVec('x', 16) #Bit vector variable "x" of length 16 bit
y = BitVec('y', 16)
e = BitVecVal(10, 16) #Bit vector with value 10 of length 16bits
a = BitVecVal(-1, 16)
b = BitVecVal(65535, 16)
print(simplify(a == b)) #This is True!
a = BitVecVal(-1, 32)
b = BitVecVal(65535, 32)
print(simplify(a == b)) #This is False
```
2024-01-09 15:47:59 +00:00
## 有符号/无符号数字
2021-09-08 23:47:00 +00:00
2024-02-08 04:42:06 +00:00
Z3提供了特殊的有符号版本的算术操作, 在这些操作中, **位向量被视为有符号或无符号**会产生不同的结果。在Z3Py中, 运算符**< , < =, >, >=, /, % 和 >>**对应于**有符号**版本。相应的**无符号**运算符是**ULT, ULE, UGT, UGE, UDiv, URem 和 LShR**。
2021-09-08 23:47:00 +00:00
```python
from z3 import *
# Create to bit-vectors of size 32
x, y = BitVecs('x y', 32)
solve(x + y == 2, x > 0, y > 0)
# Bit-wise operators
# & bit-wise and
# | bit-wise or
# ~ bit-wise not
solve(x & y == ~y)
solve(x < 0 )
2023-08-03 19:12:22 +00:00
# using unsigned version of <
2021-09-08 23:47:00 +00:00
solve(ULT(x, 0))
```
2023-08-03 19:12:22 +00:00
## 函数
2021-09-08 23:47:00 +00:00
2024-02-08 04:42:06 +00:00
**解释函数**,如算术,其中**函数 +**具有**固定的标准解释**(它将两个数字相加)。**未解释函数**和常量具有**最大的灵活性**;它们允许**与函数或常量上的约束一致的任何解释**。
2021-09-08 23:47:00 +00:00
2024-02-08 04:42:06 +00:00
示例: f两次应用于x会再次得到x, 但f应用一次于x与x不同。
2021-09-08 23:47:00 +00:00
```python
from z3 import *
x = Int('x')
y = Int('y')
f = Function('f', IntSort(), IntSort())
s = Solver()
s.add(f(f(x)) == x, f(x) == y, x != y)
s.check()
m = s.model()
print("f(f(x)) =", m.evaluate(f(f(x))))
print("f(x) =", m.evaluate(f(x)))
2021-09-09 12:54:19 +00:00
print(m.evaluate(f(2)))
s.add(f(x) == 4) #Find the value that generates 4 as response
s.check()
print(m.model())
2021-09-08 23:47:00 +00:00
```
2024-02-08 04:42:06 +00:00
# 例子
2023-08-03 19:12:22 +00:00
## 数独求解器
2021-09-09 12:56:08 +00:00
```python
# 9x9 matrix of integer variables
X = [ [ Int("x_%s_%s" % (i+1, j+1)) for j in range(9) ]
2023-08-03 19:12:22 +00:00
for i in range(9) ]
2021-09-09 12:56:08 +00:00
# each cell contains a value in {1, ..., 9}
cells_c = [ And(1 < = X[i][j], X[i][j] < = 9)
2023-08-03 19:12:22 +00:00
for i in range(9) for j in range(9) ]
2021-09-09 12:56:08 +00:00
# each row contains a digit at most once
rows_c = [ Distinct(X[i]) for i in range(9) ]
# each column contains a digit at most once
cols_c = [ Distinct([ X[i][j] for i in range(9) ])
2023-08-03 19:12:22 +00:00
for j in range(9) ]
2021-09-09 12:56:08 +00:00
# each 3x3 square contains a digit at most once
sq_c = [ Distinct([ X[3*i0 + i][3*j0 + j]
2023-08-03 19:12:22 +00:00
for i in range(3) for j in range(3) ])
for i0 in range(3) for j0 in range(3) ]
2021-09-09 12:56:08 +00:00
sudoku_c = cells_c + rows_c + cols_c + sq_c
# sudoku instance, we use '0' for empty cells
instance = ((0,0,0,0,9,4,0,3,0),
2023-08-03 19:12:22 +00:00
(0,0,0,5,1,0,0,0,7),
(0,8,9,0,0,0,0,4,0),
(0,0,0,0,0,0,2,0,8),
(0,6,0,2,0,1,0,5,0),
(1,0,2,0,0,0,0,0,0),
(0,7,0,0,0,0,5,2,0),
(9,0,0,0,6,5,0,0,0),
(0,4,0,9,7,0,0,0,0))
2021-09-09 12:56:08 +00:00
instance_c = [ If(instance[i][j] == 0,
2023-08-03 19:12:22 +00:00
True,
X[i][j] == instance[i][j])
for i in range(9) for j in range(9) ]
2021-09-09 12:56:08 +00:00
s = Solver()
s.add(sudoku_c + instance_c)
if s.check() == sat:
2023-08-03 19:12:22 +00:00
m = s.model()
r = [ [ m.evaluate(X[i][j]) for j in range(9) ]
for i in range(9) ]
print_matrix(r)
2021-09-09 12:56:08 +00:00
else:
2023-08-03 19:12:22 +00:00
print "failed to solve"
2021-09-09 12:56:08 +00:00
```
2024-02-08 04:42:06 +00:00
## 参考资料
2021-09-09 12:56:08 +00:00
* [https://ericpony.github.io/z3py-tutorial/guide-examples.htm ](https://ericpony.github.io/z3py-tutorial/guide-examples.htm )
2022-04-28 16:01:33 +00:00
2022-05-01 16:32:23 +00:00
2022-04-28 16:01:33 +00:00
< details >
2024-02-08 04:42:06 +00:00
< summary > < strong > 从零开始学习AWS黑客技术, 成为专家< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE( HackTricks AWS Red Team Expert) < / strong > < / a > < strong > ! < / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-02-08 04:42:06 +00:00
支持HackTricks的其他方式:
2022-04-28 16:01:33 +00:00
2024-02-08 04:42:06 +00:00
* 如果您想在HackTricks中看到您的**公司广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群** ](https://discord.gg/hRep4RUj7f ) 或 [**电报群** ](https://t.me/peass ) 或 **关注**我的**Twitter** 🐦 [**@carlospolopm** ](https://twitter.com/carlospolopm )**。**
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
2022-04-28 16:01:33 +00:00
< / details >