import angr
import claripy
import logging
# Keep angr's own logging quiet; only errors surface in the notebook output.
logging.getLogger('angr').setLevel(logging.ERROR)

# Load address the file offsets from get_addr() are rebased onto
# (presumably the binaries are non-PIE and mapped here — confirm per level).
base = 0x400000

# find the address just before the call to the magic (check) function:
# the byte pattern below is the code that loads the input into registers
# (rsi and rdi) and then calls the magic function

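def get_addr(file, pattern_hex='488b45f04883c008488B10488B45F048', skip=24):
    """Return the file offset at which symbolic execution should start.

    Scans the raw bytes of ``file`` for the instruction sequence
    ``pattern_hex`` (per the note above, the code that moves the input
    into registers ahead of the check call) and returns the offset
    ``skip`` bytes past the start of the first match.

    Args:
        file: path to the binary to scan.
        pattern_hex: hex string of the byte sequence to locate.
        skip: bytes to add to the match offset (default 24, the original
            hard-coded distance to the instruction of interest).

    Returns:
        int file offset: start of the match plus ``skip``.

    Raises:
        ValueError: if the pattern is absent. The original returned
            ``-1 + 24`` in that case, silently starting the simulation at
            a bogus address.
    """
    # Context manager: the original never closed the file handle.
    with open(file, 'rb') as fh:
        data = fh.read()
    offset = data.find(bytes.fromhex(pattern_hex))
    if offset == -1:
        raise ValueError(f'pattern {pattern_hex} not found in {file}')
    return offset + skip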

def succ(state):
    """Explore target: True when the program's stdout (fd 1) contains b'Correct'."""
    stdout = state.posix.dumps(1)
    return stdout.find(b'Correct') != -1

def fail(state):
    """Prune target: True when the program's stdout (fd 1) contains b'Wrong'."""
    stdout = state.posix.dumps(1)
    return stdout.find(b'Wrong') != -1

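def solve(file):
    """Symbolically execute the check routine of ``file`` and recover its key.

    A blank state is created at ``base + get_addr(file)`` (the point just
    after the input has been loaded into registers; this assumes the
    binary is mapped at ``base`` — confirm for PIE builds), rsi and rdi
    are made symbolic, and the simulation manager explores until stdout
    contains 'Correct' (``succ``), discarding paths that print 'Wrong'
    (``fail``).

    Args:
        file: path to the level binary.

    Returns:
        The 16-byte key as ``bytes`` — rdi's value little-endian followed
        by rsi's — or the string 'Error!' if no satisfying path was found
        (kept for compatibility with the calling loop).
    """
    start = base + get_addr(file)

    p = angr.Project(file)
    init = p.factory.blank_state(addr=start)

    code1 = claripy.BVS('code1', 64)
    code2 = claripy.BVS('code2', 64)
    init.regs.rsi = code1
    init.regs.rdi = code2

    sim = p.factory.simgr(init)
    sim.explore(find=succ, avoid=fail)

    if not sim.found:
        return 'Error!'

    # eval() yields one satisfying assignment; if the check admits several
    # keys only one of them is reported.
    res = sim.found[0]
    a = res.solver.eval(code1)
    b = res.solver.eval(code2)

    # Same byte order the original produced (rdi little-endian, then rsi),
    # but via fixed-width to_bytes: hex(x)[2:] drops leading zero nibbles,
    # so any register whose top byte is 0x00 gave a short, misaligned key.
    return b.to_bytes(8, 'little') + a.to_bytes(8, 'little')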

# Solve every level binary in order, echoing each key as it is recovered.
level_paths = [f'level1/{n}.bin' for n in range(1, 16)]
results = []
for path in level_paths:
    key = solve(path)
    print(key)
    results.append(key)

results




b'9jM4ScT6QJB5a6gB'




b'NybuoPZYF4hshd3W'




b'Tc2xxTr5RBDMeJKW'




b'K4ndcjWaz4p7zvKM'




b'tKisqhBoqkUuS8uf'




b'iMib9Ua3C6g43xg7'




b'JwhyvToNpkx7QhsF'




b'ehcvxtqfs29fMcB6'




b'VGwjDzI9dXdHnRV0'




b'WwRViemMpvt6Y1Ld'




b'2CJsRXSQD9CQZ6az'




b'WBlhG5wks381Pyiq'




b'qiusTd1hOyS53bPO'




b'BzHmXBcJkSNl8WGe'
b'OuBMgcSDCEvJJzVF'


[b'9jM4ScT6QJB5a6gB',
 b'NybuoPZYF4hshd3W',
 b'Tc2xxTr5RBDMeJKW',
 b'K4ndcjWaz4p7zvKM',
 b'tKisqhBoqkUuS8uf',
 b'iMib9Ua3C6g43xg7',
 b'JwhyvToNpkx7QhsF',
 b'ehcvxtqfs29fMcB6',
 b'VGwjDzI9dXdHnRV0',
 b'WwRViemMpvt6Y1Ld',
 b'2CJsRXSQD9CQZ6az',
 b'WBlhG5wks381Pyiq',
 b'qiusTd1hOyS53bPO',
 b'BzHmXBcJkSNl8WGe',
 b'OuBMgcSDCEvJJzVF']