-
Notifications
You must be signed in to change notification settings - Fork 549
/
Copy pathsolve.py
357 lines (275 loc) · 10.9 KB
/
solve.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
#!/usr/bin/env python3
## -*- coding: utf-8 -*-
##
## Jonathan Salwan - 2022-06-05
##
## Solution for the Hack.lu 2021, OLLVM challenge.
##
## Output:
##
## $ time python solve.py
## [+] Loading 0x400040 - 0x400238
## [+] Loading 0x400238 - 0x400254
## [+] Loading 0x400000 - 0x4799b0
## [+] Loading 0x679de0 - 0x67b274
## [+] Loading 0x679df0 - 0x679ff0
## [+] Loading 0x400254 - 0x400274
## [+] Loading 0x470184 - 0x4711d0
## [+] Loading 0x000000 - 0x000000
## [+] Loading 0x679de0 - 0x67a000
## [+] Init PLT for: __errno_location
## [+] Init PLT for: printf
## [+] Init PLT for: strtoul
## [+] Init PLT for: memset
## [+] Init PLT for: __libc_start_main
## [+] Execution 0, getting hash: 0x6d6972726f725f6d
## [+] Execution 1, getting hash: 0x6972726f725f6f6e
## [+] Execution 2, getting hash: 0x5f7468655f77616c
## [+] Execution 3, getting hash: 0x6c5f77686f735f74
## [+] Execution 4, getting hash: 0x68655f75676c6965
## [+] Execution 5, getting hash: 0x73745f68616e646c
## [+] Execution 6, getting hash: 0x65725f6f665f7468
## [+] Execution 7, getting hash: 0x656d5f616c6c3f21
## [+] Flag: b'mirror_mirror_on_the_wall_whos_the_ugliest_handler_of_them_all?!'
## python solve.py 7.46s user 0.08s system 99% cpu 7.562 total
##
from __future__ import print_function
from triton import *
import codecs
import string
import sys
import lief
import os
TARGET = os.path.join(os.path.dirname(__file__), 'ollvm')
DEBUG = False
# The debug function
def debug(s):
if DEBUG: print(s)
# Global settings
SYMBOLIC = True
CONCRETE = not SYMBOLIC
# Memory mapping
BASE_PLT = 0x10000000
BASE_ARGV = 0x20000000
BASE_STACK = 0x9ffffff0
ERRNO = 0xa0000000
def getMemoryString(ctx, addr):
s = str()
index = 0
while ctx.getConcreteMemoryValue(addr+index):
c = chr(ctx.getConcreteMemoryValue(addr+index))
if c not in string.printable: c = ""
s += c
index += 1
return s
def getStringPosition(text):
formatters = ['%s','%d','%#02x', '%#x', '%02x', '%x', '%*s', \
'%02X', '%lX', '%ld', '%08x', '%lu', '%u', '%c']
text = text.replace("%s", " %s ").replace("%d", " %d ").replace("%#02x", " %#02x ") \
.replace("%#x", " %#x ").replace("%x", " %x ").replace("%02X", " %02X ") \
.replace("%c", " %c ").replace("%02x", " %02x ").replace("%ld", " %ld ") \
.replace("%*s", " %*s ").replace("%lX", " %lX").replace("%08x", " %08x ") \
.replace("%u", " %u ").replace("%lu", " %lu ") \
matches = [y for x in text.split() for y in formatters if y in x]
indexes = [index for index, value in enumerate(matches) if value == '%s']
return indexes
def getFormatString(ctx, addr):
return getMemoryString(ctx, addr) \
.replace("%s", "{}").replace("%d", "{:d}").replace("%#02x", "{:#02x}") \
.replace("%#x", "{:#x}").replace("%x", "{:x}").replace("%02X", "{:02x}") \
.replace("%c", "{:c}").replace("%02x", "{:02x}").replace("%ld", "{:d}") \
.replace("%*s", "").replace("%lX", "{:x}").replace("%08x", "{:08x}") \
.replace("%u", "{:d}").replace("%lu", "{:d}").replace("%lx", "{:x}") \
def libc_start_main(ctx):
debug('[+] __libc_start_main hooked')
# Get arguments
main = ctx.getConcreteRegisterValue(ctx.registers.rdi)
# Push the return value to jump into the main() function
ctx.setConcreteRegisterValue(ctx.registers.rsp, ctx.getConcreteRegisterValue(ctx.registers.rsp)-CPUSIZE.QWORD)
ret2main = MemoryAccess(ctx.getConcreteRegisterValue(ctx.registers.rsp), CPUSIZE.QWORD)
ctx.setConcreteMemoryValue(ret2main, main)
# Setup argc / argv
ctx.concretizeRegister(ctx.registers.rdi)
ctx.concretizeRegister(ctx.registers.rsi)
argvs = [
bytes(TARGET.encode('utf-8')), # argv[0]
b'dead'
]
# Define argc / argv
base = BASE_ARGV
addrs = list()
index = 0
for argv in argvs:
addrs.append(base)
ctx.setConcreteMemoryAreaValue(base, argv+b'\x00')
base += len(argv)+1
debug('[+] argv[%d] = %s' %(index, argv))
index += 1
argc = len(argvs)
argv = base
for addr in addrs:
ctx.setConcreteMemoryValue(MemoryAccess(base, CPUSIZE.QWORD), addr)
base += CPUSIZE.QWORD
ctx.setConcreteRegisterValue(ctx.registers.rdi, argc)
ctx.setConcreteRegisterValue(ctx.registers.rsi, argv)
return (CONCRETE, 0)
def printf(ctx):
debug('[+] printf hooked')
string_pos = getStringPosition(getMemoryString(ctx, ctx.getConcreteRegisterValue(ctx.registers.rdi)))
# Get arguments
arg1 = getFormatString(ctx, ctx.getConcreteRegisterValue(ctx.registers.rdi))
arg2 = ctx.getConcreteRegisterValue(ctx.registers.rsi)
arg3 = ctx.getConcreteRegisterValue(ctx.registers.rdx)
arg4 = ctx.getConcreteRegisterValue(ctx.registers.rcx)
arg5 = ctx.getConcreteRegisterValue(ctx.registers.r8)
arg6 = ctx.getConcreteRegisterValue(ctx.registers.r9)
nbArgs = arg1.count("{")
args = [arg2, arg3, arg4, arg5, arg6][:nbArgs]
rsp = ctx.getConcreteRegisterValue(ctx.registers.rsp)
if nbArgs > 5:
for i in range(nbArgs - 5):
args.append(ctx.getConcreteMemoryValue(MemoryAccess(rsp + CPUSIZE.QWORD * (i + 1), CPUSIZE.QWORD)))
for i in string_pos:
args[i] = getMemoryString(ctx, args[i])
s = arg1.format(*args)
sys.stdout.write(s)
# Return value
return (CONCRETE, len(s))
def memset(ctx):
debug('[+] memset hooked')
#Get arguments
arg1 = ctx.getConcreteRegisterValue(ctx.registers.rdi)
arg2 = ctx.getConcreteRegisterValue(ctx.registers.rsi)
arg3 = ctx.getConcreteRegisterValue(ctx.registers.rdx)
for index in range(arg3):
ctx.setConcreteMemoryValue(MemoryAccess(arg1 + index, CPUSIZE.BYTE), arg2)
return (CONCRETE, arg1)
def errno_location(ctx):
debug('[+] __errno_location hooked')
return (CONCRETE, ERRNO)
def strtoul(ctx):
debug('[+] strtoul hooked')
# Get arguments
nptr = getMemoryString(ctx, ctx.getConcreteRegisterValue(ctx.registers.rdi))
endptr = ctx.getConcreteRegisterValue(ctx.registers.rsi)
base = ctx.getConcreteRegisterValue(ctx.registers.rdx)
# Return value
return (SYMBOLIC, int(nptr, base))
# Functions to emulate
customRelocation = [
['__errno_location', errno_location, None],
['__libc_start_main', libc_start_main, None],
['memset', memset, None],
['printf', printf, None],
['strtoul', strtoul, None],
]
def hookingHandler(ctx):
pc = ctx.getConcreteRegisterValue(ctx.registers.rip)
for rel in customRelocation:
if rel[2] == pc:
# Emulate the routine and the return value
state, ret_value = rel[1](ctx)
if ret_value is not None:
ctx.setConcreteRegisterValue(ctx.registers.rax, ret_value)
if state is SYMBOLIC:
debug(f'[+] Symbolizing the return value')
ctx.symbolizeRegister(ctx.registers.rax)
# Get the return address
ret_addr = ctx.getConcreteMemoryValue(MemoryAccess(ctx.getConcreteRegisterValue(ctx.registers.rsp), CPUSIZE.QWORD))
# Hijack RIP to skip the call
ctx.setConcreteRegisterValue(ctx.registers.rip, ret_addr)
# Restore RSP (simulate the ret)
ctx.setConcreteRegisterValue(ctx.registers.rsp, ctx.getConcreteRegisterValue(ctx.registers.rsp)+CPUSIZE.QWORD)
return
# Emulate the binary.
def emulate(ctx, pc, h):
count = 0
while pc:
# Fetch opcodes
opcodes = ctx.getConcreteMemoryAreaValue(pc, 16)
# Create the instruction
instruction = Instruction(pc, opcodes)
ret = ctx.processing(instruction)
#print(instruction)
if instruction.getType() == OPCODE.X86.HLT:
break
# End point hash output
if pc == 0x4008E1:
rsi_s = ctx.getRegisterAst(ctx.registers.rsi)
m = ctx.getModel(rsi_s == h)
for k, v in m.items():
return v.getValue()
# Simulate routines
hookingHandler(ctx)
# Next
pc = ctx.getConcreteRegisterValue(ctx.registers.rip)
count += 1
debug('[+] Instruction executed: %d' %(count))
return
def loadBinary(ctx, binary):
# Map the binary into the memory
phdrs = binary.segments
for phdr in phdrs:
size = phdr.physical_size
vaddr = phdr.virtual_address
print('[+] Loading 0x%06x - 0x%06x' %(vaddr, vaddr+size))
ctx.setConcreteMemoryAreaValue(vaddr, list(phdr.content))
return
def makeRelocation(ctx, binary):
# Setup plt
for pltIndex in range(len(customRelocation)):
customRelocation[pltIndex][2] = BASE_PLT + pltIndex
relocations = [x for x in binary.pltgot_relocations]
relocations.extend([x for x in binary.dynamic_relocations])
# Perform our own relocations
for rel in relocations:
symbolName = rel.symbol.name
symbolRelo = rel.address
for crel in customRelocation:
if symbolName == crel[0]:
print('[+] Init PLT for: %s' %(symbolName))
ctx.setConcreteMemoryValue(MemoryAccess(symbolRelo, CPUSIZE.QWORD), crel[2])
break
return
def run(ctx, binary, h):
# Define a fake stack
ctx.setConcreteRegisterValue(ctx.registers.rbp, BASE_STACK)
ctx.setConcreteRegisterValue(ctx.registers.rsp, BASE_STACK)
# Let's emulate the binary from the entry point
debug('[+] Starting emulation.')
result = emulate(ctx, binary.entrypoint, h)
debug('[+] Emulation done.')
return result
def main():
# Get a Triton context
ctx = TritonContext(ARCH.X86_64)
# Set optimization
ctx.setMode(MODE.ALIGNED_MEMORY, True)
ctx.setMode(MODE.CONSTANT_FOLDING, True)
# Parse the binary
binary = lief.parse(TARGET)
# Load the binary
loadBinary(ctx, binary)
# Perform our own relocations
makeRelocation(ctx, binary)
# From the README of the challenge: Get your flag by inverting the following values
# in order, and hex decoding the result.
hashes = [
0x875cd4f2e18f8fc4, 0xbb093e17e5d3fa42, 0xada5dd034aae16b4, 0x97322728fea51225,
0x4124799d72188d0d, 0x2b3e3fbbb4d44981, 0xdfcac668321e4daa, 0xeac2137a35c8923a
]
# Init and emulate
result = []
for c, h in enumerate(hashes):
r = run(ctx, binary, h)
print(f'[+] Execution {c}, getting hash: {r:#x}')
result.append(r)
flag = bytes()
for r in result:
flag += codecs.decode(hex(r)[2:], "hex")
print(f'[+] Flag: {flag}')
# Used for unittest
return not flag == b'mirror_mirror_on_the_wall_whos_the_ugliest_handler_of_them_all?!'
if __name__ == '__main__':
retValue = main()
sys.exit(retValue)