Showing
2 changed files
with
52 additions
and
0 deletions.
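--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,52 @@
+## Full writeup found on http://www.ctfhacker.com
+## Binary found here: http://csapp.cs.cmu.edu/3e/bomb.tar
+
+import angr, logging
+from subprocess import Popen, PIPE
+from itertools import product
+import struct
+
+def main():
+proj = angr.Project('bomb', load_options={'auto_load_libs':False})
+
+logging.basicConfig()
+logging.getLogger('angr.surveyors.explorer').setLevel(logging.DEBUG)
+
+bomb_explode = 0x40143a
+
+# Start analysis at the phase_2 function after the sscanf
+state = proj.factory.blank_state(addr=0x400f0a)
+
+# Sscanf is looking for '%d %d %d %d %d %d' which ends up dropping 6 ints onto the stack
+# We will create 6 symbolic values onto the stack to mimic this
+for i in xrange(6):
+state.stack_push(state.se.BVS('int{}'.format(i), 4*8))
+
+# Attempt to find a path to the end of the phase_2 function while avoiding the bomb_explode
+path = proj.factory.path(state=state)
+ex = proj.surveyors.Explorer(start=path, find=(0x400f3c,),
+avoid=(bomb_explode,),
+enable_veritesting=True)
+ex.run()
+if ex.found:
+found = ex.found[0].state
+
+answer = []
+
+for x in xrange(3):
+curr_int = found.se.any_int(found.stack_pop())
+
+# We are popping off 8 bytes at a time
+# 0x0000000200000001
+
+# This is just one way to extract the individual numbers from this popped value
+answer.append(str(curr_int & 0xffffffff))
+answer.append(str(curr_int>>32 & 0xffffffff))
+
+return ' '.join(answer)
+
+def test():
+assert main() == '1 2 4 8 16 32'
+
+if __name__ == '__main__':
+print(main())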
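Review bot: The script is pinned to Python 2 by `xrange` on both loops (`for i in xrange(6):` and `for x in xrange(3):`) while `print(main())` is already written in the 3-compatible form; `range` behaves identically here on either version and would remove the dependency. `Popen`, `PIPE`, `product` and `struct` are imported but never used anywhere in the file and can be dropped. If the explorer finds no path, `main()` appears to fall off the end and return None, so `test()` fails with a bare assertion and the entry point prints `None`; an explicit `raise RuntimeError('no path to 0x400f3c found')` on an else branch of `if ex.found:` would name the failure (the rendering has lost the indentation, so whether `return ' '.join(answer)` sits inside that `if` cannot be confirmed from the page). The `state.se`, `proj.factory.path` and `proj.surveyors.Explorer` calls are the older angr API that later releases renamed or removed, so the header comment should state the angr version this was written against.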