SSB task solution
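# Symbolic-execution solver for ./task_0.elf, written against the 2017-era angr
# API on Python 2 (`xrange`, print statements, `str.encode('hex')`,
# `state.se`, `state.posix.files[...]` and `read_from` are all Python-2-only
# or have since been renamed in angr -- keep that in mind before porting).
#
# Strategy: start from a blank state whose stdin is 12 symbolic bytes, constrain
# every byte to be non-NUL and non-newline, run the binary until every path has
# terminated, then pick a terminated path whose stdout contains 'Done' and ask
# the solver for a concrete stdin that drives it there.  That stdin is the flag.
import angr

# auto_load_libs=False keeps libc out of the loaded image; angr stands in its
# own SimProcedures for imported functions instead.  NOTE(review): behaviour
# through an import angr has no model for is therefore only an approximation
# of the real binary -- confirm any surprising path against a native run.
p = angr.Project('./task_0.elf', auto_load_libs=False)

# Blank state: execution begins at the entry point with symbolic memory.
st = p.factory.blank_state()

# Number of stdin bytes the target is expected to consume.
FLAG_LEN = 12

# Forbid NUL and '\n' in every input byte so the solver cannot satisfy the
# program by terminating the input early instead of producing the real flag.
for _ in xrange(FLAG_LEN):
    k = st.posix.files[0].read_from(1)
    st.se.add(k != 0)
    st.se.add(k != 10)

# read_from() advanced the file offset; rewind and pin the length so the
# program itself sees exactly FLAG_LEN bytes of stdin.
st.posix.files[0].seek(0)
st.posix.files[0].length = FLAG_LEN

# Step every path until nothing is left to step.  There is no step/state cap
# here: a target with input-dependent loops can make this run unbounded.
sm = p.factory.simgr(st)
sm.run()

# `deadended` holds every path that reached an exit syscall.  The solved path
# is the one that printed 'Done'.  If more than one path matches, each one
# rewrites solution2.txt, so the file ends up holding the last match printed.
for pp in sm.deadended:
    out = pp.posix.dumps(1)
    if 'Done' not in out:
        continue
    # Concretise stdin ONCE and reuse it: the original called dumps(0) three
    # times, and nothing guarantees the solver hands back the same witness each
    # time, so the printed hex, the printed text and the saved file could have
    # disagreed with one another.
    flag = pp.posix.dumps(0)
    print 'Result: ', out
    print 'Flag is (hex): ', flag.encode('hex')
    print 'Flag is:', flag
    # `with` closes the handle; the original never closed it, leaving the
    # write in the buffer until interpreter exit.
    with open('solution2.txt', 'wb') as fo:
        fo.write(flag)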