angr solved

2023-09-12 12:38:38 +02:00
parent c0dbb0e7a2
commit 17e4bddf72
8 changed files with 74 additions and 7 deletions
--- a/Blockharbor/rev/Reversing
+++ b/Blockharbor/rev/Reversing
--- a/Blockharbor/rev/Reversing
+++ b/Blockharbor/rev/Reversing
@@ -0,0 +1,38 @@
+import angr
+import claripy
+import logging
+from pwn import *
+
+logging.getLogger('angr').setLevel('DEBUG')
+
+base = 0x00100000
+
+input_len = 32
+
+success = 0x001014a8
+fail = 0x0010150b
+
+proj = angr.Project("/home/simon/CTF/Blockharbor/rev/Reversing #1/chal", main_opts = {"base_addr": base})
+
+flag_chars = [ claripy.BVS(f"flag_char{i}", 8) for i in range(input_len)]
+flag = claripy.Concat( *flag_chars )
+
+state = proj.factory.entry_state(args=["./chal"], remove_options={angr.options.LAZY_SOLVES}, stdin=flag)
+
+for k in flag_chars:
+    state.solver.add(k >= 0x00)
+    state.solver.add(k <= 0xff)
+
+simgr = proj.factory.simulation_manager(state)
+simgr.explore(find=success)
+
+pass
+if len(simgr.found) > 0:
+    for found in simgr.found:
+        print(found.posix.dumps(0))
+        io = process("./chal")
+        io.send(found.posix.dumps(0))
+        print(io.recvall())
+
+else:
+    print(simgr)
--- a/Blockharbor/rev/Reversing
+++ b/Blockharbor/rev/Reversing
--- a/Blockharbor/rev/Reversing
+++ b/Blockharbor/rev/Reversing
@@ -28,7 +28,7 @@ void setup() {
 }

 int check_pass(unsigned int start[]) {
-    printf("checking\n");
+    //printf("checking\n");
    unsigned int temp = 0;
    for (int i = 0; i < 4; ++i) {
      temp = start[i];
@@ -50,24 +50,26 @@ void main(){
  memset(start, 0, 16);
  read(0, user_input, MAX_SIZE);

+  //printf("%X ",user_input);
+  //printf("\n");
  for (int i = 0; i < 4; i++) {
-    
+
    start[i] |= ((unsigned int)user_input[(i * 4)]   << 24);
    start[i] |= ((unsigned int)user_input[(i * 4)+1] << 16);
    start[i] |= ((unsigned int)user_input[(i * 4)+2] << 8);
    start[i] |= ((unsigned int)user_input[(i * 4)+3] << 0);

-    printf("%X ",start[i]);
+    //printf("%X ",start[i]);
  }

-  printf("\n");
+  //printf("\n");

  if (check_pass(start) == 1) {
-    printf("Thats it!\r\nSubmit in the format FLAG{");
+    //printf("Thats it!\r\nSubmit in the format FLAG{");
    for (int i = 0; i < 4; i++) {
-          printf("%X",start[i]);
+          //printf("%X",start[i]);
    }
-    printf("}\n");
+    //printf("}\n");
  }

  // Failed, just spin