#!/usr/bin/env python3
import angr,claripy
p = angr.Project("./challenge")

# Every address below is specific to this exact build of ./challenge; if the
# binary is rebuilt or swapped, re-derive them before trusting the result.
# Each hook swaps the function at that address for a SimProcedure so the
# solver never steps through the real implementation.
_hooks = {
    # Unknown helper, skipped entirely (original note: "idk what this is").
    0x00400550: angr.SIM_PROCEDURES["stubs"]["Nop"](),
    # Output routines replaced with angr's libc models.
    0x004091d0: angr.SIM_PROCEDURES["libc"]["puts"](),
    0x00408490: angr.SIM_PROCEDURES["libc"]["printf"](),
}
for _addr, _proc in _hooks.items():
    p.hook(_addr, _proc)
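# Shim the rand()-looking function so symbolic execution observes exactly the
# values a concrete run produced, in the same order (see the vals=[...] list
# passed when the hook is installed).
class RandShim(angr.SimProcedure):
    """Replay a fixed sequence of return values, one per call.

    ``vals`` is supplied at instantiation (``RandShim(vals=[...])``); angr
    forwards SimProcedure keyword arguments to ``run``. The call counter is
    kept in ``self.state.globals`` under ``'fakerand_idx'``, presumably so
    each explored state carries its own position in the sequence rather than
    sharing one global counter.
    """

    def run(self, vals=None):
        """Return ``vals[k]`` for the k-th call made on this state.

        Raises:
            ValueError: if ``vals`` is missing/empty, or the recorded sequence
                is exhausted. The original code let this surface as a bare
                TypeError/IndexError from deep inside the solver, which reads
                like an angr failure rather than an incomplete recording.
        """
        if not vals:
            raise ValueError("RandShim needs a non-empty vals=[...] sequence")
        i = self.state.globals.get('fakerand_idx', 0)
        if i >= len(vals):
            raise ValueError(
                f"RandShim: call #{i} exceeds the {len(vals)} recorded values; "
                "capture a longer concrete trace"
            )
        self.state.globals['fakerand_idx'] = i + 1
        return vals[i]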
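# rand() outputs captured from a real run. The solver has to see the same
# stream, otherwise whatever check these values feed diverges from the real
# binary and the recovered input will not be accepted by it.
FAKE_RAND_VALS = [
    0x67, 0xc6, 0x69, 0x73, 0x51, 0xff, 0x4a, 0xec,
    0x29, 0xcd, 0xba, 0xab, 0xf2, 0xfb, 0xe3,
]
p.hook(0x00407bf0, RandShim(vals=FAKE_RAND_VALS))

# Shim read() with angr's syscall model so stdin is tracked symbolically.
p.hook(0x0041d520, angr.SIM_PROCEDURES["linux_kernel"]["read"]())

# Start directly at main rather than the loader entry point.
MAIN_ADDR = 0x004005e0
st = p.factory.call_state(MAIN_ADDR)

# Stack-guard slot: store a concrete value so angr stops warning about a
# read of uninitialised memory. The bytes themselves are arbitrary.
st.memory.store(0x0048f990, b"\xAB\xCD\xEF\x01")

# Return address and frame pointer get concrete marker values for the same
# reason (the ra/s8 register names suggest a MIPS target).
st.regs.ra = 0x13371337
st.regs.s8 = 0x13381338

sm = p.factory.simulation_manager(st)
# Pause exploration instead of getting OOM-killed when memory runs low.
sm.use_technique(angr.exploration_techniques.MemoryWatcher())

FIND_ADDR = 0x004007e4   # basic block that prints OK
AVOID_ADDR = 0x00400820  # basic block that prints No
sm.explore(find=FIND_ADDR, avoid=AVOID_ADDR)

# Fail with a clear message rather than an opaque IndexError on found[0]
# when no state reached the OK branch (wrong hooks, exhausted rand values,
# or the MemoryWatcher pausing the run are all plausible causes).
if not sm.found:
    raise SystemExit(
        f"no state reached {FIND_ADDR:#x}; active={len(sm.active)} "
        f"deadended={len(sm.deadended)}"
    )

# NOTE(review): the first 512 bytes of the recovered stdin are discarded here,
# presumably because the binary consumes them before the checked input —
# confirm against the binary. The dump is *a* satisfying input, not
# necessarily the only one.
STDIN_SKIP = 512
print(sm.found[0].posix.dumps(0)[STDIN_SKIP:])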