Solving an easy crackme with angr
#include <stdio.h> | |
#include <stdlib.h> | |
#include <string.h> | |
/*
 * The crackme's accept predicate: 1 for the single accepted (s, n)
 * pair, 0 for anything else.  The three tests are evaluated in the
 * same order as the original if-chain (length, content, integer);
 * the && chain short-circuits, so strcmp is only reached once the
 * length test has passed.
 *
 * s: NUL-terminated candidate string.  Must not be NULL -- strlen on
 *    a null pointer is undefined behaviour; the caller owns that check.
 * n: candidate integer.
 * Returns 1 on the exact match, 0 otherwise.
 */
int crackme(char *s, int n)
{
    static const char expected[] = "hacktheplanet";
    enum { EXPECTED_LEN = 13, EXPECTED_N = 1337 };

    return strlen(s) == EXPECTED_LEN
        && strcmp(s, expected) == 0
        && n == EXPECTED_N;
}
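/*
 * Entry point.  argv[1] is the candidate string and argv[2] the
 * candidate integer; prints "good job!" when crackme() accepts the
 * pair and "wrong." otherwise.
 *
 * Returns 0 after printing a verdict.  Returns EXIT_FAILURE when fewer
 * than two arguments were given: the original dereferenced argv[1] and
 * argv[2] unconditionally, which hands a NULL (or an out-of-bounds
 * argv slot) to crackme()/atoi when they are missing.
 */
int main(int argc, char *argv[])
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <string> <number>\n",
                argv[0] ? argv[0] : "crackme");
        return EXIT_FAILURE;
    }

    /* strtol instead of atoi: identical result for well-formed decimal
     * input, but defined behaviour on out-of-range values where atoi's
     * is undefined.  Trailing non-digits are still tolerated, as atoi
     * tolerated them, so accepted inputs are unchanged.  The narrowing
     * to int is implementation-defined, not UB, if the value is huge. */
    int n = (int)strtol(argv[2], NULL, 10);

    if (crackme(argv[1], n) == 1) {
        puts("good job!");
    } else {
        puts("wrong.");
    }
    return 0;
}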
# gcc crackme.c -o crackme | |
# objdump -M intel -d crackme | sed -n '/<crackme>:/,/^$/p' | |
00000000004005f6 <crackme>: | |
4005f6: 55 push rbp | |
4005f7: 48 89 e5 mov rbp,rsp | |
4005fa: 48 83 ec 10 sub rsp,0x10 | |
4005fe: 48 89 7d f8 mov QWORD PTR [rbp-0x8],rdi | |
400602: 89 75 f4 mov DWORD PTR [rbp-0xc],esi | |
400605: 48 8b 45 f8 mov rax,QWORD PTR [rbp-0x8] | |
400609: 48 89 c7 mov rdi,rax | |
40060c: e8 9f fe ff ff call 4004b0 <strlen@plt> | |
400611: 48 83 f8 0d cmp rax,0xd | |
400615: 74 07 je 40061e <crackme+0x28> | |
400617: b8 00 00 00 00 mov eax,0x0 | |
40061c: eb 31 jmp 40064f <crackme+0x59> | |
40061e: 48 8b 45 f8 mov rax,QWORD PTR [rbp-0x8] | |
400622: be 34 07 40 00 mov esi,0x400734 | |
400627: 48 89 c7 mov rdi,rax | |
40062a: e8 a1 fe ff ff call 4004d0 <strcmp@plt> | |
40062f: 85 c0 test eax,eax | |
400631: 74 07 je 40063a <crackme+0x44> | |
400633: b8 00 00 00 00 mov eax,0x0 | |
400638: eb 15 jmp 40064f <crackme+0x59> | |
40063a: 81 7d f4 39 05 00 00 cmp DWORD PTR [rbp-0xc],0x539 | |
400641: 74 07 je 40064a <crackme+0x54> | |
400643: b8 00 00 00 00 mov eax,0x0 | |
400648: eb 05 jmp 40064f <crackme+0x59> | |
40064a: b8 01 00 00 00 mov eax,0x1 | |
40064f: c9 leave | |
400650: c3 ret | |
# python solve.py | |
arg1 = 'hacktheplanet\x00\x00\x00' | |
arg2 = 1337 | |
# ./crackme hacktheplanet 1337 | |
good job! |
# Symbolic-execution solver for the crackme above.  Written against an
# older angr API (Path/PathGroup, state.se) and as a Python 2 script
# (print statements).  All addresses and stack offsets come from the
# objdump listing of the unstripped binary.
import angr

# auto_load_libs=False: libc is not loaded -- presumably so that the
# strlen/strcmp PLT calls are handled by angr's built-in summaries
# rather than by executing the real library; confirm against the angr
# version in use.
p = angr.Project('./crackme', load_options={'auto_load_libs': False})
# Start directly at crackme() (0x4005f6) rather than at main, so the
# argument registers hold unconstrained symbolic values.
s = p.factory.blank_state(addr=0x4005f6)
initial_path = p.factory.path(s)
pg = p.factory.path_group(initial_path)
# find  = 0x40064a: the `mov eax,0x1` block, the only path returning 1.
# avoid = 0x40064f: the shared `leave` that all three failure branches
#         jump to after setting eax to 0.
e = pg.explore(find=0x40064a, avoid=0x40064f)
if len(e.found) > 0:
    s = e.found[0].state
    # crackme's prologue spills s to [rbp-0x8] (QWORD) and n to
    # [rbp-0xc] (DWORD), so the concretised arguments are read back
    # from those two stack slots.
    arg1 = s.se.any_int(s.memory.load(s.regs.rbp-0x8, 8, endness='Iend_LE'))
    arg2 = s.se.any_int(s.memory.load(s.regs.rbp-0xc, 4, endness='Iend_LE'))
    # arg1 is the pointer value; dereference 16 bytes at it to recover
    # the string, which is why the recorded output carries trailing NULs.
    print "arg1 = %r" % s.se.any_str(s.memory.load(arg1, 0x10))
    print "arg2 = %d" % arg2