Skip to content

Instantly share code, notes, and snippets.

@0xcpu

0xcpu/elementary.md

Created Mar 17, 2019
Embed
What would you like to do?
Elementary(rev, warmup) - Confidence 2019

Search in IDA for mov eax, 0 and exclude from results those occuring in main function. (Let's save all this in a file named step1)

Then filter the information from step1 to extract only addresses, For example, using this command:

awk '{ print $1 }' step1 | cut -d':' -f2 > avoid_addr

Then use angr script to find a solution.

import angr
import claripy

# angr uses 0x400000 as base address for PIE executables

START = 0x40071a # start of main
FIND  = 0x40077f # Good job message basic block
AVOID = [0x400786] # Wrong messages bassic block
with open("avoid_addr", "r") as fin:
    for l in fin:
        # add other addresses to avoid, all those "mov eax, 0"
        AVOID.append(0x400000 + int(l.strip(), 16))

BUF_LEN = 104


def char(state, c):
    return state.solver.And(c <= '~', c >= ' ')


def main():
    p = angr.Project("elementary")

    flag = claripy.BVS('flag', BUF_LEN * 8)
    state = p.factory.blank_state(addr=START, stdin=flag)

    for c in flag.chop(8):
        state.solver.add(char(state, c))

    ex = p.factory.simulation_manager(state)
    ex.use_technique(angr.exploration_techniques.Explorer(find=FIND, avoid=AVOID))

    ex.run()

    return ex.found[0].posix.dumps(0).decode("utf-8")


if __name__ == '__main__':
    print("flag: {}".format(main()))

Profit: flag: p4{I_really_hope_you_automated_this_somehow_otherwise_it_might_be_a_bit_frustrating_to_do_this_manually}

@0xcpu

This comment has been minimized.

Copy link
Owner Author

@0xcpu 0xcpu commented Mar 17, 2019

avoid_addr file content

00000000000CEBAA
00000000000CEBD9
00000000000CEC08
00000000000CEC37
00000000000CEC66
00000000000CEC95
00000000000CECC4
00000000000CECF2
00000000000CED1E
00000000000CED4D
00000000000CED7C
00000000000CEDAB
00000000000CEDDA
00000000000CEE09
00000000000CEE38
00000000000CEE66
00000000000CEE92
00000000000CEEC1
00000000000CEEF0
00000000000CEF1F
00000000000CEF4E
00000000000CEF7C
00000000000CEFAB
00000000000CEFDA
00000000000CF006
00000000000CF035
00000000000CF064
00000000000CF092
00000000000CF0C1
00000000000CF0F0
00000000000CF11F
00000000000CF14E
00000000000CF17A
00000000000CF1A9
00000000000CF1D8
00000000000CF206
00000000000CF235
00000000000CF264
00000000000CF293
00000000000CF2C2
00000000000CF2EE
00000000000CF31D
00000000000CF34C
00000000000CF37B
00000000000CF3A9
00000000000CF3D8
00000000000CF407
00000000000CF436
00000000000CF462
00000000000CF491
00000000000CF4C0
00000000000CF4EF
00000000000CF51E
00000000000CF54D
00000000000CF57C
00000000000CF5AA
00000000000CF5D6
00000000000CF605
00000000000CF634
00000000000CF663
00000000000CF691
00000000000CF6C0
00000000000CF6EF
00000000000CF71E
00000000000CF74A
00000000000CF779
00000000000CF7A8
00000000000CF7D7
00000000000CF806
00000000000CF835
00000000000CF864
00000000000CF892
00000000000CF8BE
00000000000CF8ED
00000000000CF91C
00000000000CF94B
00000000000CF97A
00000000000CF9A8
00000000000CF9D7
00000000000CFA06
00000000000CFA32
00000000000CFA61
00000000000CFA90
00000000000CFABE
00000000000CFAED
00000000000CFB1C
00000000000CFB4B
00000000000CFB7A
00000000000CFBA6
00000000000CFBD5
00000000000CFC04
00000000000CFC33
00000000000CFC62
00000000000CFC91
00000000000CFCC0
00000000000CFCEE
00000000000CFD1A
00000000000CFD49
00000000000CFD78
00000000000CFDA6
00000000000CFDD5
00000000000CFE04
00000000000CFE33
00000000000CFE62
00000000000CFE8E
00000000000CFEBD
00000000000CFEEC
00000000000CFF1B
00000000000CFF49
00000000000CFF78
00000000000CFFA7
00000000000CFFD6
00000000000D0002
00000000000D0031
00000000000D0060
00000000000D008F
00000000000D00BE
00000000000D00ED
00000000000D011C
00000000000D014A
00000000000D0176
00000000000D01A5
00000000000D01D4
00000000000D0202
00000000000D0231
00000000000D0260
00000000000D028F
00000000000D02BE
00000000000D02EA
00000000000D0319
00000000000D0348
00000000000D0377
00000000000D03A6
00000000000D03D5
00000000000D0404
00000000000D0432
00000000000D045E
00000000000D048D
00000000000D04BC
00000000000D04EB
00000000000D051A
00000000000D0549
00000000000D0578
00000000000D05A6
00000000000D05D2
00000000000D0601
00000000000D0630
00000000000D065F
00000000000D068D
00000000000D06BC
00000000000D06EB
00000000000D071A
00000000000D0746
00000000000D0774
00000000000D07A3
00000000000D07D2
00000000000D0801
00000000000D0830
00000000000D085F
00000000000D088E
00000000000D08BA
00000000000D08E9
00000000000D0918
00000000000D0947
00000000000D0975
00000000000D09A4
00000000000D09D3
00000000000D0A02
00000000000D0A2E
00000000000D0A5D
00000000000D0A8C
00000000000D0ABB
00000000000D0AEA
00000000000D0B18
00000000000D0B47
00000000000D0B76
00000000000D0BA2
00000000000D0BD1
00000000000D0BFF
00000000000D0C2E
00000000000D0C5D
00000000000D0C8C
00000000000D0CBB
00000000000D0CEA
00000000000D0D16
00000000000D0D45
00000000000D0D74
00000000000D0DA2
00000000000D0DD1
00000000000D0E00
00000000000D0E2F
00000000000D0E5E
00000000000D0E8A
00000000000D0EB9
00000000000D0EE7
00000000000D0F16
00000000000D0F45
00000000000D0F74
00000000000D0FA3
00000000000D0FD2
00000000000D0FFE
00000000000D102D
00000000000D105C
00000000000D108A
00000000000D10B9
00000000000D10E8
00000000000D1117
00000000000D1146
00000000000D1172
00000000000D11A1
00000000000D11CF
00000000000D11FE
00000000000D122D
00000000000D125C
00000000000D128B
00000000000D12BA
00000000000D12E6
00000000000D1315
00000000000D1344
00000000000D1372
00000000000D13A1
00000000000D13D0
00000000000D13FF
00000000000D142E
00000000000D145A
00000000000D1489
00000000000D14B8
00000000000D14E6
00000000000D1515
00000000000D1544
00000000000D1573
00000000000D15A2
00000000000D15CE
00000000000D15FD
00000000000D162C
00000000000D165B
00000000000D1689
00000000000D16B8
00000000000D16E7
00000000000D1716
00000000000D1742
00000000000D1771
00000000000D17A0
00000000000D17CF
00000000000D17FE
00000000000D182D
00000000000D185C
00000000000D188A
00000000000D18B6
00000000000D18E5
00000000000D1914
00000000000D1943
00000000000D1972
00000000000D19A1
00000000000D19CF
00000000000D19FE
00000000000D1A2A
00000000000D1A59
00000000000D1A88
00000000000D1AB6
00000000000D1AE5
00000000000D1B14
00000000000D1B43
00000000000D1B72
00000000000D1B9E
00000000000D1BCD
00000000000D1BFB
00000000000D1C2A
00000000000D1C59
00000000000D1C88
00000000000D1CB7
00000000000D1CE6
00000000000D1D12
00000000000D1D41
00000000000D1D70
00000000000D1D9F
00000000000D1DCE
00000000000D1DFD
00000000000D1E2B
00000000000D1E5A
00000000000D1E86
00000000000D1EB5
00000000000D1EE3
00000000000D1F12
00000000000D1F41
00000000000D1F70
00000000000D1F9F
00000000000D1FCE
00000000000D1FFA
00000000000D2029
00000000000D2058
00000000000D2086
00000000000D20B5
00000000000D20E4
00000000000D2113
00000000000D2142
00000000000D216E
00000000000D219D
00000000000D21CB
00000000000D21FA
00000000000D2229
00000000000D2258
00000000000D2287
00000000000D22B6
00000000000D22E2
00000000000D2311
00000000000D2340
00000000000D236F
00000000000D239E
00000000000D23CD
00000000000D23FC
00000000000D242A
00000000000D2456
00000000000D2485
00000000000D24B4
00000000000D24E3
00000000000D2511
00000000000D2540
00000000000D256F
00000000000D259E
00000000000D25CA
00000000000D25F8
00000000000D2627
00000000000D2656
00000000000D2685
00000000000D26B4
00000000000D26E3
00000000000D2712
00000000000D273E
00000000000D276D
00000000000D279C
00000000000D27CB
00000000000D27FA
00000000000D2829
00000000000D2857
00000000000D2886
00000000000D28B2
00000000000D28E1
00000000000D2910
00000000000D293F
00000000000D296E
00000000000D299D
00000000000D29CC
00000000000D29FA
00000000000D2A26
00000000000D2A55
00000000000D2A84
00000000000D2AB2
00000000000D2AE1
00000000000D2B10
00000000000D2B3F
00000000000D2B6E
00000000000D2B9A
00000000000D2BC9
00000000000D2BF7
00000000000D2C26
00000000000D2C55
00000000000D2C84
00000000000D2CB3
00000000000D2CE2
00000000000D2D0E
00000000000D2D3D
00000000000D2D6C
00000000000D2D9B
00000000000D2DC9
00000000000D2DF8
00000000000D2E27
00000000000D2E56
00000000000D2E82
00000000000D2EB1
00000000000D2EE0
00000000000D2F0F
00000000000D2F3D
00000000000D2F6C
00000000000D2F9B
00000000000D2FCA
00000000000D2FF6
00000000000D3025
00000000000D3053
00000000000D3082
00000000000D30B1
00000000000D30E0
00000000000D310F
00000000000D313E
00000000000D316A
00000000000D3199
00000000000D31C8
00000000000D31F7
00000000000D3226
00000000000D3254
00000000000D3283
00000000000D32B2
00000000000D32DE
00000000000D330D
00000000000D333C
00000000000D336B
00000000000D339A
00000000000D33C9
00000000000D33F7
00000000000D3426
00000000000D3452
00000000000D3480
00000000000D34AF
00000000000D34DE
00000000000D350D
00000000000D353C
00000000000D356B
00000000000D359A
00000000000D35C6
00000000000D35F4
00000000000D3623
00000000000D3652
00000000000D3681
00000000000D36B0
00000000000D36DF
00000000000D370E
00000000000D373A
00000000000D3769
00000000000D3798
00000000000D37C6
00000000000D37F5
00000000000D3824
00000000000D3853
00000000000D3882
00000000000D38AE
00000000000D38DD
00000000000D390C
00000000000D393A
00000000000D3969
00000000000D3998
00000000000D39C7
00000000000D39F6
00000000000D3A22
00000000000D3A50
00000000000D3A7F
00000000000D3AAE
00000000000D3ADD
00000000000D3B0C
00000000000D3B3B
00000000000D3B6A
00000000000D3B96
00000000000D3BC5
00000000000D3BF4
00000000000D3C23
00000000000D3C51
00000000000D3C80
00000000000D3CAF
00000000000D3CDE
00000000000D3D0A
00000000000D3D39
00000000000D3D68
00000000000D3D96
00000000000D3DC5
00000000000D3DF4
00000000000D3E23
00000000000D3E52
00000000000D3E7E
00000000000D3EAC
00000000000D3EDB
00000000000D3F0A
00000000000D3F39
00000000000D3F68
00000000000D3F97
00000000000D3FC6
00000000000D3FF2
00000000000D4021
00000000000D4050
00000000000D407F
00000000000D40AE
00000000000D40DC
00000000000D410B
00000000000D413A
00000000000D4166
00000000000D4195
00000000000D41C4
00000000000D41F3
00000000000D4222
00000000000D4251
00000000000D427F
00000000000D42AE
00000000000D42DA
00000000000D4309
00000000000D4338
00000000000D4367
00000000000D4396
00000000000D43C5
00000000000D43F4
00000000000D4422
00000000000D444E
00000000000D447D
00000000000D44AC
00000000000D44DB
00000000000D450A
00000000000D4538
00000000000D4567
00000000000D4596
00000000000D45C2
00000000000D45F1
00000000000D4620
00000000000D464F
00000000000D467D
00000000000D46AC
00000000000D46DB
00000000000D470A
00000000000D4736
00000000000D4765
00000000000D4794
00000000000D47C3
00000000000D47F2
00000000000D4821
00000000000D4850
00000000000D487E
00000000000D48AA
00000000000D48D8
00000000000D4907
00000000000D4936
00000000000D4965
00000000000D4994
00000000000D49C3
00000000000D49F2
00000000000D4A1E
00000000000D4A4D
00000000000D4A7C
00000000000D4AAB
00000000000D4ADA
00000000000D4B09
00000000000D4B37
00000000000D4B66
00000000000D4B92
00000000000D4BC1
00000000000D4BF0
00000000000D4C1F
00000000000D4C4E
00000000000D4C7D
00000000000D4CAB
00000000000D4CDA
00000000000D4D06
00000000000D4D35
00000000000D4D63
00000000000D4D92
00000000000D4DC1
00000000000D4DF0
00000000000D4E1F
00000000000D4E4E
00000000000D4E7A
00000000000D4EA8
00000000000D4ED7
00000000000D4F06
00000000000D4F35
00000000000D4F64
00000000000D4F93
00000000000D4FC2
00000000000D4FEE
00000000000D501D
00000000000D504C
00000000000D507B
00000000000D50AA
00000000000D50D9
00000000000D5107
00000000000D5136
00000000000D5162
00000000000D5191
00000000000D51BF
00000000000D51EE
00000000000D521D
00000000000D524C
00000000000D527B
00000000000D52AA
00000000000D52D6
00000000000D5304
00000000000D5333
00000000000D5362
00000000000D5391
00000000000D53C0
00000000000D53EF
00000000000D541E
00000000000D544A
00000000000D5479
00000000000D54A8
00000000000D54D7
00000000000D5505
00000000000D5534
00000000000D5563
00000000000D5592
00000000000D55BE
00000000000D55ED
00000000000D561C
00000000000D564A
00000000000D5679
00000000000D56A8
00000000000D56D7
00000000000D5706
00000000000D5732
00000000000D5761
00000000000D5790
00000000000D57BF
00000000000D57EE
00000000000D581D
00000000000D584C
00000000000D587A
00000000000D58A6
00000000000D58D5
00000000000D5904
00000000000D5932
00000000000D5961
00000000000D5990
00000000000D59BF
00000000000D59EE
00000000000D5A1A
00000000000D5A49
00000000000D5A78
00000000000D5AA7
00000000000D5AD6
00000000000D5B05
00000000000D5B34
00000000000D5B62
00000000000D5B8E
00000000000D5BBD
00000000000D5BEC
00000000000D5C1A
00000000000D5C49
00000000000D5C78
00000000000D5CA7
00000000000D5CD6
00000000000D5D02
00000000000D5D31
00000000000D5D60
00000000000D5D8F
00000000000D5DBE
00000000000D5DED
00000000000D5E1B
00000000000D5E4A
00000000000D5E76
00000000000D5EA5
00000000000D5ED4
00000000000D5F03
00000000000D5F31
00000000000D5F60
00000000000D5F8F
00000000000D5FBE
00000000000D5FEA
00000000000D6019
00000000000D6048
00000000000D6076
00000000000D60A5
00000000000D60D4
00000000000D6103
00000000000D6132
00000000000D615E
00000000000D618D
00000000000D61BC
00000000000D61EB
00000000000D6219
00000000000D6248
00000000000D6277
00000000000D62A6
00000000000D62D2
00000000000D6301
00000000000D6330
00000000000D635F
00000000000D638D
00000000000D63BC
00000000000D63EB
00000000000D641A
00000000000D6446
00000000000D6475
00000000000D64A4
00000000000D64D3
00000000000D6502
00000000000D6531
00000000000D6560
00000000000D658E
00000000000D65BA
00000000000D65E8
00000000000D6617
00000000000D6646
00000000000D6675
00000000000D66A4
00000000000D66D3
00000000000D6702
00000000000D672E
00000000000D675D
00000000000D678C
00000000000D67BB
00000000000D67EA
00000000000D6819
00000000000D6847
00000000000D6876
00000000000D68A2
00000000000D68D1
00000000000D6900
00000000000D692F
00000000000D695E
00000000000D698D
00000000000D69BB
00000000000D69EA
00000000000D6A16
00000000000D6A45
00000000000D6A73
00000000000D6AA2
00000000000D6AD1
00000000000D6B00
00000000000D6B2F
00000000000D6B5E
00000000000D6B8A
00000000000D6BB9
00000000000D6BE8
00000000000D6C17
00000000000D6C46
00000000000D6C75
00000000000D6CA4
00000000000D6CD2
00000000000D6CFE
00000000000D6D2D
00000000000D6D5C
00000000000D6D8B
00000000000D6DBA
00000000000D6DE9
00000000000D6E17
00000000000D6E46
00000000000D6E72
00000000000D6EA1
00000000000D6ED0
00000000000D6EFF
00000000000D6F2E
00000000000D6F5D
00000000000D6F8B
00000000000D6FBA
00000000000D6FE6
00000000000D7015
00000000000D7044
00000000000D7073
00000000000D70A2
00000000000D70D1
00000000000D70FF
00000000000D712E
00000000000D715A
00000000000D7189
00000000000D71B7
00000000000D71E6
00000000000D7215
00000000000D7244
00000000000D7273
00000000000D72A2
00000000000D72CE
00000000000D72FD
00000000000D732B
00000000000D735A
00000000000D7389
00000000000D73B8
00000000000D73E7
00000000000D7416
00000000000D7442
00000000000D7471
00000000000D74A0
00000000000D74CE
00000000000D74FD
00000000000D752C
00000000000D755B
00000000000D758A
00000000000D75B6
00000000000D75E5
00000000000D7613
00000000000D7642
00000000000D7671
00000000000D76A0
00000000000D76CF
00000000000D76FE
00000000000D772A
00000000000D7759
00000000000D7788
00000000000D77B6
00000000000D77E5
00000000000D7814
00000000000D7843
00000000000D7872
00000000000D789E
00000000000D78CD
00000000000D78FC
00000000000D792B
00000000000D795A
00000000000D7988
00000000000D79B7
00000000000D79E6
00000000000D7A12
00000000000D7A41
00000000000D7A70
00000000000D7A9F
00000000000D7ACE
00000000000D7AFC
00000000000D7B2B
00000000000D7B5A
00000000000D7B86
00000000000D7BB5
00000000000D7BE4
00000000000D7C13
00000000000D7C42
00000000000D7C71
00000000000D7C9F
00000000000D7CCE
00000000000D7CFA
00000000000D7D29
00000000000D7D58
00000000000D7D87
00000000000D7DB6
00000000000D7DE4
00000000000D7E13
00000000000D7E42
00000000000D7E6A
00000000000D7E95
00000000000D7EC0
00000000000D7EEB
00000000000D7F16
00000000000D7F41
00000000000D7F6C
00000000000D7F96
00000000000D7FC2
00000000000D7FF0
00000000000D801F
00000000000D804E
00000000000D807D
00000000000D80AC
00000000000D80DB
00000000000D810A
00000000000D8136
00000000000D8165
00000000000D8194
00000000000D81C3
00000000000D81F2
00000000000D8220
00000000000D824C
00000000000D8278
@shellmage

This comment has been minimized.

Copy link

@shellmage shellmage commented Mar 17, 2019

what does the program really do?
i'm a beginner in re and i couldn't understand the checkflag function

@0xcpu

This comment has been minimized.

Copy link
Owner Author

@0xcpu 0xcpu commented Mar 17, 2019

(I assume that you're asking about the program we we're given to analyse, If you're asking what the Python script does, then I recommend to read about symbolic execution and constraint solving(ex: SMT solvers)).

In simple and short terms, the program reads input(a password), then each character is checked(at a granularity of bits, it verifies bits of each character to be more precise) if it satisfies a condition. If a condition is not satisfied, the execution is terminated, otherwise next check is executed and so until the password is correct.

I hope I made it a bit clearer. :)

@shellmage

This comment has been minimized.

Copy link

@shellmage shellmage commented Mar 18, 2019

oh, thank you!
i assumed that at the first place but, i found it hard to understand the disassembly of those functions, i've never seen that before(checking bits of a long string)

@nevesnunes

This comment has been minimized.

Copy link

@nevesnunes nevesnunes commented Jul 17, 2020

I've tested your script with angr version 8.20.6.8. I had to raise BUF_LEN to 128, leading to a bit vector of 1024 bits. Otherwise, angr just stops during the scanf with an unsatisfied state. Any clue why this would happen?

Edit: it's 1024, not 992

@0xcpu

This comment has been minimized.

Copy link
Owner Author

@0xcpu 0xcpu commented Jul 17, 2020

Hey,
I guess you raised the length to 124 (* 8 = 992) not 128 or ?
But I'm not sure what exactly may be the issue in this case. I tend to believe that something change in angr's internals. Maybe it's related to https://reverseengineering.stackexchange.com/questions/19164/problem-with-scanf-fgets-in-angr-stdin-exploration

Sorry I cannot give a clear answer. :/

@nevesnunes

This comment has been minimized.

Copy link

@nevesnunes nevesnunes commented Jul 21, 2020

Thanks for the reply. I had a typo in the total, it's 1024 bits. It does seem suspiciously well-rounded, I guess this would require a closer look at that scanf implementation. The solution space should fit in your original size, since it ends with <SimulationManager with 1 found, 713 avoid>.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment