Skip to content

Instantly share code, notes, and snippets.

@Spirotot

Spirotot/solve.py

Last active November 7, 2016 01:01
Show Gist options
  • Save Spirotot/f9bda8bb13395ff1fc9b2574b05ff201 to your computer and use it in GitHub Desktop.
Save Spirotot/f9bda8bb13395ff1fc9b2574b05ff201 to your computer and use it in GitHub Desktop.
Download ZIP
Flare-on 2016 Challenge 1 Angr solve.
Raw
solve.py
# coding: utf-8
# In[2]:
import angr
import simuvex
angr.path_group.l.setLevel('DEBUG')
user_input = None
# In[3]:
def get_std_hook(state):
print 'get_std_hook'
state.regs.eax = 1
def writefile_hook(state):
print 'writefile hook'
get_std_hook(state)
def readfile_hook(state):
print 'readfile hook'
#print hex(state.se.any_int(state.memory.load(state.se.any_int(state.regs.esp) + 0x4, 4)))
#print hex(state.se.any_int(state.regs.esp))
#print hex(state.se.any_int(state.memory.load(state.se.any_int(state.regs.ebp) + 0x94, 4)))
#state.memory.store(state.se.any_int(state.regs.esp) + 4, user_input)
#state.memory.store(state.se.any_int(state.regs.ebp) + 4, 0x80)
#state.memory.store(state.se.any_int(state.regs.esp) + 0x4, user_input)
#state.memory.store(state.se.any_int(state.regs.ebp) + 4, 0x80)
#print hex(state.se.any_int(state.regs.eax))
state.memory.store(state.regs.eax, user_input)
#print state.memory.load(state.regs.eax)
def ebp_hook(state):
print 'ebp_hook'
state.memory.store(state.se.any_int(state.regs.ebp) + 4, 0x80)
def malloc_hook(state):
print 'malloc_hook'
#print state.se.any_int(state.regs.eax)
state.regs.eax = 0xC0000000
def strcmpy_hook(state):
print 'strcmpy hook'
#print hex(state.se.any_int(state.regs.esp) + 0x4)
#print hex(state.se.any_int(state.regs.esp))
#print state.memory.load(state.se.any_int(state.regs.esp) + 0x4, 4)
def interesting_hook(state):
print 'interesting hook'
#print state.regs.esp
#print state.regs.eax
#state.memory.store(state.se.any_int(state.regs.esp) + 0x4, 53)
#print state.memory.load(state.regs.eax)
#print state.memory.load(state.regs.esp)
#print hex(state.se.any_int(state.regs.esp))
#state.memory.store(state.regs.esp, user_input)
p = angr.Project('challenge1.exe', load_options={'auto_load_libs':False})
#p.hook(0x40142B, get_std_hook, length=6)
#p.hook(0x401436, get_std_hook, length=6)
p.hook(0x401457, writefile_hook, length=6)
p.hook(0x401473, readfile_hook, length=6)
p.hook(0x401283, malloc_hook, length=5)
#p.hook(0x40149A, strcmpy_hook, length=0)
p.hook(0x401487, interesting_hook, length=0)
#p.hook(0x401446, ebp_hook, length=0)
# In[ ]:
#initial_state = p.factory.blank_state(addr=0x401420)
#initial_state = p.factory.blank_state(addr=0x40143C, remove_options={simuvex.s_options.LAZY_SOLVES})
initial_state = p.factory.blank_state(addr=0x40143C, remove_options={simuvex.s_options.LAZY_SOLVES})
initial_state.regs.esp = 0xF0000000
initial_state.regs.ebp = 0xE0000000
user_input = initial_state.se.BVS("user_input", 8 * 0x80)
initial_path = p.factory.path(initial_state)
path_group = p.factory.path_group(initial_state)
path_group.explore(find=(0x4014AE,),avoid=(0x4014C7,))
# In[98]:
found = path_group.found[0]
print "FLAG: "
#print user_input
print found.state.se.any_str(user_input)
#print found.state.memory.load(found.state.se.any_int(found.state.regs.ebp) + 0x94, 4)
#print found.state.se.any_int(found.state.memory.load(0xC0000000, 4))
# In[ ]:
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment