Merge pull request #193 from Kyle-Kyle/example
update examples
Showing
5 changed files
with
65 additions
and
81 deletions.
63 changes: 31 additions & 32 deletions
63
examples/hackcon2016_angry-reverser/solve.py
100755 → 100644
@@ -1,48 +1,47 @@ | ||
import angr | ||
import sys | ||
import logging | ||
import claripy | ||
|
||
# HackCon 2016 - angry-reverser | ||
# @author: P1kachu | ||
# @contact: p1kachu@lse.epita.fr | ||
# Execution time: ~31 minutes - Intel Core i7-3770 CPU @ 3.40GHz (8 CPUs) | ||
|
||
# @author: P1kachu, Kyle ZENG | ||
# @contact: p1kachu@lse.epita.fr, jkjh1jkjh1@gmail.com | ||
# Execution time: ~1 minute | ||
|
||
def main(): | ||
p = angr.Project('yolomolo') | ||
|
||
main = 0x405a6f # Fail message to be printed | ||
find = 0x405aee # Win message printed | ||
avoid = (0x405af0, 0x405ab4) # First two ways to fail from main | ||
crazy = 0x400646 # Entry point of Crazy function | ||
flag = claripy.BVS('flag', 20*8, explicit_name=True)# symbolized flag, we know the length by looking at the assembly code | ||
buf = 0x606000# buffer to store flag | ||
crazy = 0x400646# entry point of crazy function | ||
find = 0x405a6e# end of crazy function | ||
|
||
# Offset (from IDA) of 'FAIL' blocks in Crazy | ||
fails = [0x2619, 0x288C, 0x2AF9, 0x2D68, 0x2FD5, 0x3245, 0x34B2, | ||
0x3724, 0x3996, 0x3C04, 0x3E73, 0x40E7, 0x4355, 0x45C9, | ||
0x4836, 0x4AA4, 0x4D15, 0x4F86, 0x51D1, 0x5408] | ||
# Offset of 'FAIL' blocks in Crazy(from pwntools--e.search(asm('mov ecx, 0'))) | ||
avoids = [0x402c3c, 0x402eaf, 0x40311c, 0x40338b, 0x4035f8, 0x403868, | ||
0x403ad5, 0x403d47, 0x403fb9, 0x404227, 0x404496, 0x40470a, | ||
0x404978, 0x404bec, 0x404e59, 0x4050c7, 0x405338, 0x4055a9, | ||
0x4057f4, 0x405a2b] | ||
|
||
# Create blank state with $pc at &main | ||
init = p.factory.blank_state(addr=main, add_options={angr.options.LAZY_SOLVES}) | ||
|
||
# Avoid blocks | ||
avoid = list(avoid) | ||
avoid += [(crazy + offst) for offst in fails] # Let's save RAM | ||
proj = angr.Project('./yolomolo') | ||
# Create blank state starting from crazy function | ||
# LAZY_SOLVES is very important here because we are actually collecting constraints for an equation Ax=b, where A is 20 by 20, x and b are 20 by 1 | ||
state = proj.factory.blank_state(addr=crazy, add_options={angr.options.LAZY_SOLVES}) | ||
# insert flag into memory by hand | ||
state.memory.store(buf, flag, endness='Iend_BE') | ||
state.regs.rdi = buf | ||
|
||
print("Launching exploration") | ||
sm = p.factory.simulation_manager(init) | ||
angr.manager.l.setLevel(logging.DEBUG) | ||
ex = sm.explore(find=find, avoid=avoid) | ||
# each character of flag should be between 0x30 and 0x7f | ||
for i in range(19): | ||
state.solver.add(flag.get_byte(i) >= 0x30) | ||
state.solver.add(flag.get_byte(i) <= 0x7f) | ||
|
||
# Get stdout | ||
final = ex.found[0] | ||
flag = final.posix.dumps(1) | ||
print("Flag: {0}".format(final.posix.dumps(1))) | ||
simgr = proj.factory.simgr(state) | ||
|
||
return flag[7:27] | ||
simgr.explore(find=find, avoid=avoids) | ||
found = simgr.found[0] | ||
return found.solver.eval(flag, cast_to=str) | ||
|
||
def test(): | ||
flag = main() | ||
assert flag == "HACKCON{VVhYS04ngrY}" | ||
assert main() == "HACKCON{VVhYS04ngrY}" | ||
|
||
if __name__ in '__main__': | ||
import logging | ||
logging.getLogger('angr.sim_manager').setLevel(logging.DEBUG) | ||
print main() |
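Review bot: The byte-range constraint loop in main() covers only indices 0..18 (`for i in range(19):`) while the symbolic flag is declared as `20*8` bits, so the last byte is left unconstrained; if the exploration happens to determine it through the collected equations this is harmless, but the intent reads as one constraint per byte, so it should be `for i in range(20):` (or `range(len(flag) // 8)` to tie it to the declaration). The module guard `if __name__ in '__main__':` uses substring containment where equality is meant; `if __name__ == '__main__':` avoids matching unrelated names such as `main`. The final `print main()` is Python 2 statement syntax whereas the rest of the file uses call syntax (`print("...")` is gone in the new version, but the test() helper and comments are version-neutral), so `print(main())` keeps the example runnable on both interpreters. `simgr.found[0]` will raise IndexError rather than a descriptive message when exploration finds nothing; a one-line check such as `assert simgr.found, "no path reached find address"` before the index would make the failure mode obvious.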