- download binary and do: base64.b64decode(gzip.decompress(binary))
- find the randomly generated constraint function and other information. (I know that there are many ways to handle this.)
  - I did it with Binary Ninja.
- solve constraints by emulation, symbolic execution, dynamic binary instrumentation, or anything you want.
  - I did it with Unicorn engine.
- finally, you can reach fsb and bof.
- done!
```python
#!python3
from angr import Project
from angr.sim_state import SimState
from angr.sim_manager import SimulationManager
from angr.exploration_techniques.director import Director, ExecuteAddressGoal
from angr.exploration_techniques.veritesting import Veritesting

hits = {}
```
```python
#!python3
import angr
import networkx
from pathlib import Path


def main(args):
    p = angr.Project(args.binary, load_options={
```
```python
import sys
import json
import requests
import shutil
from pathlib import Path
from zipfile import ZipFile

API = 'https://samate.nist.gov/SARD/api/test-cases/search?flaw%5B%5D={cwe}&language%5B%5D=c&page={page}&limit={limit}'
DOWNLOADS = Path(__file__).parent / 'downloads'
```
- you can get the server binary using: curl --path-as-is http://[SERVER]/docs/../../../../../../../proc/self/exe
- and you need to reverse-engineer the function Service::checkFlag
  - I used Binary Ninja for automation and it was quite easy for me.
- SQLite3 extension reversing
- ROP with bit flipping attack
- Cryptographic logic was identified by bindiff
- Lua arbitrary heap pointer write (?)
- My first Lua exploit
- Also First Blood :) (Team: STLCTF)
- My first Firefox JS exploit
- Not an intended way, but I was fast (first blood)
- yo
- yoyo