EKOPARTY CTF 2017: Warm Up

,

rev苦手勢なのでangrでなんとかなる問題しか倒せない。

solution

読むと次のようになってる。angrすればすぐでる。

get_input:
  4009ae:	55                   	push   rbp
  4009af:	48 89 e5             	mov    rbp,rsp
  4009b2:	bf 04 17 4a 00       	mov    edi,0x4a1704  # "Enter your values: "
  4009b7:	b8 00 00 00 00       	mov    eax,0x0
  4009bc:	e8 ef ed 00 00       	call   0x40f7b0 # puts
  4009c1:	be 60 cd 6c 00       	mov    esi,0x6ccd60  # buf
  4009c6:	bf 18 17 4a 00       	mov    edi,0x4a1718  # "%s"
  4009cb:	b8 00 00 00 00       	mov    eax,0x0
  4009d0:	e8 0b ef 00 00       	call   0x40f8e0 # scanf
  4009d5:	90                   	nop
  4009d6:	5d                   	pop    rbp
  4009d7:	c3                   	ret    #=> main 0x400e6d
check_input:
  4009d8:	55                   	push   rbp
  4009d9:	48 89 e5             	mov    rbp,rsp
  4009dc:	b8 62 cd 6c 00       	mov    eax,0x6ccd62
  4009e1:	0f b6 10             	movzx  edx,BYTE PTR [rax]
  4009e4:	b8 1b 17 4a 00       	mov    eax,0x4a171b
  ...
  400c6c:	bf 41 17 4a 00       	mov    edi,0x4a1741  # "valid!"
  400c71:	e8 3a f5 00 00       	call   0x4101b0  # puts
  400c76:	b8 01 00 00 00       	mov    eax,0x1  # success
  400c7b:	e9 dd 00 00 00       	jmp    0x400d5d
  400c80:	b8 00 00 00 00       	mov    eax,0x0  # failure
  400c85:	e9 d3 00 00 00       	jmp    0x400d5d
  ...
  400d51:	b8 00 00 00 00       	mov    eax,0x0
  400d56:	eb 05                	jmp    0x400d5d
  400d58:	b8 00 00 00 00       	mov    eax,0x0
  400d5d:	5d                   	pop    rbp
  400d5e:	c3                   	ret    
main:
  400e5f:	55                   	push   rbp
  400e60:	48 89 e5             	mov    rbp,rsp
  400e63:	b8 00 00 00 00       	mov    eax,0x0
  400e68:	e8 41 fb ff ff       	call   0x4009ae # get_input
  400e6d:	b8 00 00 00 00       	mov    eax,0x0
  400e72:	e8 d8 ff ff ff       	call   0x400e4f # xxx_check_input
  400e77:	5d                   	pop    rbp
  400e78:	c3                   	ret    
  400e79:	0f 1f 80 00 00 00 00 	nop    DWORD PTR [rax+0x0]

implementation

#!/usr/bin/env python2
import angr
import claripy

binary = './warmup'
check_function = 0x4009d8
valid = 0x400c6c
invalid = 0x400d5d
buf = 0x6ccd60

p = angr.Project(binary, load_options={ 'auto_load_libs': False })
state = p.factory.entry_state(addr=check_function)

len_flag = 64
flag = claripy.BVS('flag', 8 * len_flag)
state.memory.store(buf, flag)

pathgroup = p.factory.path_group(state)
pathgroup.explore(find=valid, avoid=invalid)
for path in pathgroup.found:
    print repr(path.state.se.any_str(flag))