chapter5.py

#!/usr/bin/env python
# coding: utf-8
import angr
import archinfo
import claripy
import time


def main():
    p = angr.Project('ctf')
    print(p.loader.all_objects)

    load_addr = p.loader.main_object.min_addr
    stop_addr = load_addr + 0xd95




    class getenv(angr.SimProcedure):
        def run(self, name):
            buf = self.inline_call(angr.SIM_PROCEDURES['libc']['malloc'], 1).ret_expr
            self.state.memory.store(buf, claripy.BVV(0, 8))
            return buf

    p.hook_symbol('getenv', getenv())


    st = p.factory.full_init_state(
	      args=['./ctf', b'show_me_the_flag'],
              add_options = angr.options.unicorn,
    )


    sm = p.factory.simulation_manager(st)

    sm.explore(find=stop_addr)

    if sm.found:
        found = sm.found[0]
        return found.mem[found.regs.rsi].deref.string.concrete.decode()

    return "oops"



if __name__ == "__main__":
    before = time.time()
    answers = main()
    print(answers)
    after = time.time()
    print("Time elapsed: {}".format(after - before))