
@quangnh89
Created August 7, 2017 17:49
SHA2017 CTF Rev100 Suspect File 1 write-up
#!/usr/bin/env python
import angr
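def malloc_cb(state):
    """Hook body for the binary's malloc() call site.

    Instead of simulating the allocator, hand back a fixed concrete
    address in eax (the x86 return register). Because the address is a
    constant, every hooked malloc() call returns the same pointer, so
    distinct allocations would alias each other — presumably the target
    allocates only once; verify against the binary before reusing this.

    Args:
        state: the angr SimState at the hooked instruction; its
            ``regs.eax`` is overwritten.
    """
    print("malloc!")  # print() form runs on both Python 2 and 3
    state.regs.eax = 0xc0000000  # concrete address standing in for the heap pointer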
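def strlen_cb(state):
    """Hook body for the binary's strlen() call site.

    Returns the already-known flag length in eax rather than running
    strlen over symbolic bytes (which would fork on every possible NUL
    position). Reads the module-level ``flag_len``, so that name must be
    bound before the hook fires during exploration.

    Args:
        state: the angr SimState at the hooked instruction; its
            ``regs.eax`` is overwritten.
    """
    print("strlen!")  # print() form runs on both Python 2 and 3
    state.regs.eax = flag_len  # known flag length (module-level constant)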
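# Using angr for symbolic execution: hook the two libc calls the binary
# makes (malloc and strlen), then explore from main() toward the success
# block while avoiding the failure blocks.

# Length of the flag the binary expects. Bound before the hooks are
# installed because strlen_cb reads this global when the hook fires.
flag_len = 38

# Load the binary into an angr project.
p = angr.Project("./100")

# malloc() call site: replacing it with malloc_cb avoids simulating the
# allocator. length=5 skips the hooked instruction bytes (presumably the
# 5-byte call) so execution resumes at the instruction after the call.
p.hook(0x08048D8D, malloc_cb, length=5)

# strlen() call site: we know the flag length, so strlen_cb returns it
# directly instead of running strlen over symbolic bytes.
p.hook(0x08049158, strlen_cb, length=5)

# blank_state builds a SimState with as little concrete data as possible;
# 0x8048870 is the address of main().
state = p.factory.blank_state(addr=0x8048870)

# argv[1] is a symbolic bitvector with room for flag_len bytes plus the
# terminating NUL.
argv = ['./100', state.se.BVS('arg1', (flag_len + 1) * 8)]

# Constrain every flag byte to the printable range 0x20..0x7D ...
for i in range(flag_len):
    byte = argv[1].get_byte(i)
    state.add_constraints(byte >= 0x20)
    state.add_constraints(byte <= 0x7D)
# ... and require the terminating NUL after the last byte.
state.add_constraints(argv[1].get_byte(flag_len) == 0)

# Lay out argc/argv the way main() expects to find them on the stack.
state.memory.store(0xd0000000, argv[0])  # content of argv[0]: the executable name
state.memory.store(0xd0000010, argv[1])  # content of argv[1]: our symbolic flag
state.stack_push(0xd0000010)  # pointer to argv[1]
state.stack_push(0xd0000000)  # pointer to argv[0]
state.stack_push(state.regs.esp)  # argv: esp now points at the two pointers just pushed
state.stack_push(2)  # argc
state.stack_push(0x8048870)  # return-address slot: address of main

# Wrap the state in a path and explore symbolically.
path = p.factory.path(state=state)
ex = p.surveyors.Explorer(
    start=path,
    find=(0x08049DB2),  # the "Yes!" block (a bare int; these parens do not make a tuple)
    avoid=(0x08049DAD, 0x8049DD4, 0x8049DD9, 0x8049DDE),  # the "Sorry" blocks
)
ex.run()

# One path reaches the find address; concretize argv[1] along it.
flag = ex.found[0].state.se.any_str(argv[1])
print(flag)  # print() form runs on both Python 2 and 3
# flag{024baa8ac03ef22fdde61c0f11069f2f}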