icchy · March 5, 2017 16:08
diff --git a/solve.py b/solve.py
 from unicorn import *
 from unicorn.x86_const import *
 from capstone import *
 from capstone.x86_const import *


 flag = ""
 rax_flag = False
 def hook(uc, address, size, userdata):
    cs = Cs(CS_ARCH_X86, CS_MODE_64)
    code = uc.mem_read(address, size)
    asm = cs.disasm(str(code), address)

    for a in asm:
        global flag
        global rax_flag
        print('0x%x: \t%s\t%s\n' % (a.address, a.mnemonic, a.op_str))
        if rax_flag:
            rax = uc.reg_read(UC_X86_REG_RAX)
            flag += chr(rax)
            rax_flag = False
        if 'xor' in a.mnemonic:
            rax_flag = True


 addr = 0x400000
 stack = 0x600000
 stack_size = 0x100000
 emu = Uc(UC_ARCH_X86, UC_MODE_64)

 emu.mem_map(stack-stack_size, stack_size)
 emu.reg_write(UC_X86_REG_RSP, stack)
 emu.reg_write(UC_X86_REG_RBP, stack)

 emu.mem_map(addr, 0x10000)
 emu.mem_write(addr, open('./validation').read())

 emu.hook_add(UC_HOOK_CODE, hook)

 emu.emu_start(addr+0x65a, addr+0x694)

 print flag
	from unicorn import *
	from unicorn.x86_const import *
	from capstone import *
	from capstone.x86_const import *


	flag = ""
	rax_flag = False
	def hook(uc, address, size, userdata):
	cs = Cs(CS_ARCH_X86, CS_MODE_64)
	code = uc.mem_read(address, size)
	asm = cs.disasm(str(code), address)

	for a in asm:
	global flag
	global rax_flag
	print('0x%x: \t%s\t%s\n' % (a.address, a.mnemonic, a.op_str))
	if rax_flag:
	rax = uc.reg_read(UC_X86_REG_RAX)
	flag += chr(rax)
	rax_flag = False
	if 'xor' in a.mnemonic:
	rax_flag = True


	addr = 0x400000
	stack = 0x600000
	stack_size = 0x100000
	emu = Uc(UC_ARCH_X86, UC_MODE_64)

	emu.mem_map(stack-stack_size, stack_size)
	emu.reg_write(UC_X86_REG_RSP, stack)
	emu.reg_write(UC_X86_REG_RBP, stack)

	emu.mem_map(addr, 0x10000)
	emu.mem_write(addr, open('./validation').read())

	emu.hook_add(UC_HOOK_CODE, hook)

	emu.emu_start(addr+0x65a, addr+0x694)

	print flag