import angr
import claripy
import logging
from pwn import *
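# Verbose angr output while developing the solve; lower to 'INFO' or
# 'WARNING' once the path is found, DEBUG is extremely noisy.
logging.getLogger('angr').setLevel('DEBUG')

# Address the binary is rebased to; `success` and `fail` below are absolute
# addresses expressed against this base.
base = 0x00100000

# Number of symbolic bytes fed to the program on stdin.
input_len = 32

# Basic block reached when the input is accepted (the explore target).
success = 0x001014a8
# Basic block reached when the input is rejected (pruned during explore).
fail = 0x0010150b

# Single source of truth for the challenge binary: the same file is loaded
# for symbolic execution and executed concretely to confirm the solution.
binary = "/home/simon/CTF/Blockharbor/rev/Reversing #1/chal"

proj = angr.Project(binary, main_opts={"base_addr": base})

# One 8-bit symbolic variable per input byte, concatenated into the stdin
# stream. No per-byte range constraints are added: an 8-bit bitvector already
# spans exactly 0x00..0xff, so `k >= 0x00` / `k <= 0xff` would be tautologies.
flag_chars = [claripy.BVS(f"flag_char{i}", 8) for i in range(input_len)]
flag = claripy.Concat(*flag_chars)

# Dropping LAZY_SOLVES makes angr check path satisfiability eagerly instead
# of deferring it, so infeasible branches are discarded as they appear.
state = proj.factory.entry_state(
    args=["./chal"],
    remove_options={angr.options.LAZY_SOLVES},
    stdin=flag,
)

simgr = proj.factory.simulation_manager(state)
# Steer toward the accept block and prune anything that reaches the reject
# block, so the explorer does not spend effort on doomed paths.
simgr.explore(find=success, avoid=fail)

if simgr.found:
    for found in simgr.found:
        # Concrete stdin bytes that drive execution to `success`.
        solution = found.posix.dumps(0)
        print(solution)
        # Replay against the real binary to confirm. The tube is closed in
        # `finally` so a raising recvall() does not leave the child running.
        io = process(binary)
        try:
            io.send(solution)
            print(io.recvall())
        finally:
            io.close()
else:
    # Nothing reached `success`; the stash summary shows where paths ended up.
    print(simgr)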