Created
May 29, 2019 13:07
-
-
Save popunbom/c2866ab4d480e514bc2d331b23a4c1b0 to your computer and use it in GitHub Desktop.
[CTF] Reversing using angr (flag via stdin)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # -*- coding: utf-8 -*- | |
| import pdb | |
| import sys | |
| import angr | |
| import claripy | |
| argc, argv = len(sys.argv), sys.argv | |
| if argc != 3: | |
| print(f"usage: {argv[0]} [exec-file] [flag-length]") | |
| sys.exit(-1) | |
| EXEC_FILE_PATH = sys.argv[1] | |
| FLAG_LENGTH = int(sys.argv[2]) | |
| p = angr.Project(EXEC_FILE_PATH, load_options={'auto_load_libs': False}) | |
| flag_chars = [claripy.BVS('flag_%d' % i, 8) for i in range(FLAG_LENGTH)] | |
| flag = claripy.Concat(*flag_chars) | |
| state = p.factory.full_init_state( | |
| args=[EXEC_FILE_PATH, flag], | |
| add_options=angr.options.unicorn | |
| ) | |
| for c in flag_chars: | |
| state.solver.add(c >= 0x20) | |
| state.solver.add(c <= 0x7e) | |
| simgr = p.factory.simulation_manager(state) | |
| simgr.explore(find=lambda s: b"correct" in s.posix.dumps(1)) | |
| print(simgr.found[0].solver.eval(flag, cast_to=bytes)) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment