stevenjohnstone · March 25, 2019 22:07
diff --git a/env.py b/env.py
 #!/usr/bin/env python
 # coding: utf-8
 import angr
 import archinfo
 import claripy
 import time


 def main():
    p = angr.Project('ctf')


    load_addr = p.loader.main_object.min_addr

    success_addr = load_addr + 0x6c0
    failure_addr = load_addr + 0x6c7

    flag = claripy.BVS('env', 32*8)

    class getenv(angr.SimProcedure):
        def run(self, name):
            buf = self.inline_call(angr.SIM_PROCEDURES['libc']['malloc'], flag.size()).ret_expr
            self.state.memory.store(buf, flag)
            return buf

    p.hook_symbol('getenv', getenv())



    # use the unicorn emulator for simulation
    st = p.factory.full_init_state(
            args=['./env'],
            add_options = angr.options.unicorn, #takes a second off run time
            remove_options={angr.options.LAZY_SOLVES},
    )

    # constrain to printable ascii or nul byte
    for byte in flag.chop(8):
        st.add_constraints(claripy.Or(claripy.And(byte >= '\x20', byte <= '\x7e'),  byte == '\x00'))



    sm = p.factory.simulation_manager(st)

    # explore paths to success_addr while avoiding failure_addr
    sm.explore(find=success_addr, avoid=[failure_addr])

    if sm.found:
        # allow for the possibility of multiple answers
        answer = []
        for found in sm.found:
            answer.append(found.solver.eval(flag, cast_to=bytes).hex())

        return answer


    return "oops"



 if __name__ == "__main__":
    before = time.time()
    answers = main()
    print(answers)
    after = time.time()
    print("Time elapsed: {}".format(after - before))
	#!/usr/bin/env python
	# coding: utf-8
	import angr
	import archinfo
	import claripy
	import time


	def main():
	p = angr.Project('ctf')


	load_addr = p.loader.main_object.min_addr

	success_addr = load_addr + 0x6c0
	failure_addr = load_addr + 0x6c7

	flag = claripy.BVS('env', 32*8)

	class getenv(angr.SimProcedure):
	def run(self, name):
	buf = self.inline_call(angr.SIM_PROCEDURES['libc']['malloc'], flag.size()).ret_expr
	self.state.memory.store(buf, flag)
	return buf

	p.hook_symbol('getenv', getenv())



	# use the unicorn emulator for simulation
	st = p.factory.full_init_state(
	args=['./env'],
	add_options = angr.options.unicorn, #takes a second off run time
	remove_options={angr.options.LAZY_SOLVES},
	)

	# constrain to printable ascii or nul byte
	for byte in flag.chop(8):
	st.add_constraints(claripy.Or(claripy.And(byte >= '\x20', byte <= '\x7e'), byte == '\x00'))



	sm = p.factory.simulation_manager(st)

	# explore paths to success_addr while avoiding failure_addr
	sm.explore(find=success_addr, avoid=[failure_addr])

	if sm.found:
	# allow for the possibility of multiple answers
	answer = []
	for found in sm.found:
	answer.append(found.solver.eval(flag, cast_to=bytes).hex())

	return answer


	return "oops"



	if __name__ == "__main__":
	before = time.time()
	answers = main()
	print(answers)
	after = time.time()
	print("Time elapsed: {}".format(after - before))