#!/usr/bin/env python
#
# Example manticore script to solve a crackme.
#
from manticore import Manticore
# Symbolic-execution session over the target binary; the hooks below are
# registered on it by address.
m = Manticore('static.out')

# Bookkeeping shared by the hooks: how many fgetc / fputc calls have been
# intercepted so far, and the symbolic bytes collected as the candidate flag.
chars_read, chars_written = 0, 0
flag = []
# call fgetc
@m.hook(0x4012c5)
def input_hook(state):
    """Replace the intercepted fgetc call with a fresh symbolic byte.

    The first 26 bytes are constrained to printable, non-space ASCII; every
    later byte is pinned to a space. The symbolic byte is handed back in AL
    (RAX cleared first), recorded in the shared ``flag`` list, and execution
    resumes at the instruction after the call.
    """
    global chars_read
    print("Reading character #{}".format(chars_read))
    byte = state.new_symbolic_value(8)
    constraints = (
        [byte > ord(' '), byte < 0x7f]
        if chars_read < 26
        else [byte == ord(' ')]
    )
    for constraint in constraints:
        state.add(constraint)
    regs = state.cpu
    regs.RAX = 0  # clear the whole register before writing its low byte
    regs.AL = byte
    flag.append(byte)
    chars_read += 1
    # NOTE(review): the rest of the script uses 64-bit registers (RAX, RDI);
    # confirm EIP rather than RIP is the intended way to skip the call here.
    regs.EIP = 0x4012ca
# call fputc
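@m.hook(0x401348)
def output_hook(state):
    """Constrain the byte passed to fputc to the expected program output.

    Each intercepted write is tied to the matching character of the known
    output, so only states that reproduce it stay feasible. A state that
    writes more bytes than the expected output has cannot match and is
    abandoned, instead of raising IndexError out of the hook.
    """
    global chars_written
    print("Writing character #{}".format(chars_written))
    # Raw string: the literal holds backslashes that are not escape
    # sequences (``\h``, ``\O``). The value is unchanged; the invalid-escape
    # warning newer interpreters emit goes away.
    expected_output = r'tu1|\h+&g\OP7@% :BH7M6m3g='
    if chars_written >= len(expected_output):
        # More output than expected: this path cannot be the solution.
        state.abandon()
        return
    state.add(state.cpu.RDI == ord(expected_output[chars_written]))
    chars_written += 1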
# call exit
@m.hook(0x40116e)
def exit_hook(state):
    """At the intercepted exit call, concretise the collected bytes and stop.

    Rebinds the shared ``flag`` from a list of symbolic bytes to the solved
    string, prints it, and ends the exploration.
    """
    global flag
    print("Solving...")
    # NOTE(review): every byte is solved on its own; if the program's checks
    # leave bytes inter-dependent, separate solves need not come from one
    # consistent model — confirm this is acceptable for this target.
    solved = [chr(state.solve_one(symbolic_byte)) for symbolic_byte in flag]
    flag = ''.join(solved)
    print("Flag: {}".format(flag))
    m.terminate()
m.run()  # start exploring; the hooks above fire when their addresses are reached