cedriczirtacic · September 3, 2020 21:27
diff --git a/decrypt_main.py b/decrypt_main.py
 import sys

 path = sys.argv[1]

 main_addr = 0x1faf
 main_size = 1749
 main_real = ''
 main	  = ''
 key       = "a15abe90c112d09369d9f9da9a8c046e"
 key_len   = len(key)

 print(path)
 with open(path, 'rb') as fd:
 	main = fd.read()

 def decrypt_main():
 	global main_real
 	main_real = list(main)

 	with open(sys.argv[1] + ".patched", 'wb') as fd:
 		i = 0
 		j = i
 		while True:
 			if i >= main_size:
 				break
 			if j == key_len:
 				j = 0
 			pos = main_addr + i
 			main_real[pos] = chr(ord(main[pos]) ^ ord(key[j]))
 			i+=1; j+=1
 		fd.write(''.join(main_real))

 decrypt_main()
diff --git a/solve.py b/solve.py
 import angr
 import sys

 branch_addr = 0x2660
 #pushes_addr = 0x22a0
 flags_addr  = 0x220d
 path        = sys.argv[1]


 proj    = angr.Project(path, load_options={'main_opts': {'base_addr': 0x0}})
 state   = proj.factory.blank_state(addr=flags_addr)
 state.regs.rbp = 0x1000

 simgr   = proj.factory.simgr(state)

 #simgr.run(until=lambda sm: sm.active[0].addr >= pushes_addr)
 #data_pushed = []
 #for i in range(21):
 #    data_pushed.append(simgr.active[0].mem[(0x1000+i)-0xc0].uint8_t.concrete)

 flag = ''
 try:
    while True:
        simgr.run(until=lambda sm: sm.active[0].addr >= branch_addr)
        if len(simgr.active) == 3:
            s = simgr.active[2]
            flag += chr(s.mem[(0x1000)-0x19].uint8_t.concrete)
 except IndexError as e:
    pass
 print(flag)
	import sys

	path = sys.argv[1]

	main_addr = 0x1faf
	main_size = 1749
	main_real = ''
	main = ''
	key = "a15abe90c112d09369d9f9da9a8c046e"
	key_len = len(key)

	print(path)
	with open(path, 'rb') as fd:
	main = fd.read()

	def decrypt_main():
	global main_real
	main_real = list(main)

	with open(sys.argv[1] + ".patched", 'wb') as fd:
	i = 0
	j = i
	while True:
	if i >= main_size:
	break
	if j == key_len:
	j = 0
	pos = main_addr + i
	main_real[pos] = chr(ord(main[pos]) ^ ord(key[j]))
	i+=1; j+=1
	fd.write(''.join(main_real))

	decrypt_main()
	import angr
	import sys

	branch_addr = 0x2660
	#pushes_addr = 0x22a0
	flags_addr = 0x220d
	path = sys.argv[1]


	proj = angr.Project(path, load_options={'main_opts': {'base_addr': 0x0}})
	state = proj.factory.blank_state(addr=flags_addr)
	state.regs.rbp = 0x1000

	simgr = proj.factory.simgr(state)

	#simgr.run(until=lambda sm: sm.active[0].addr >= pushes_addr)
	#data_pushed = []
	#for i in range(21):
	# data_pushed.append(simgr.active[0].mem[(0x1000+i)-0xc0].uint8_t.concrete)

	flag = ''
	try:
	while True:
	simgr.run(until=lambda sm: sm.active[0].addr >= branch_addr)
	if len(simgr.active) == 3:
	s = simgr.active[2]
	flag += chr(s.mem[(0x1000)-0x19].uint8_t.concrete)
	except IndexError as e:
	pass
	print(flag)