Skip to content

Instantly share code, notes, and snippets.

@Bono-iPad

Bono-iPad/Stage3.py Secret

Created April 3, 2016 04:37
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save Bono-iPad/47644c455a39e6df6314190314adb164 to your computer and use it in GitHub Desktop.
Save Bono-iPad/47644c455a39e6df6314190314adb164 to your computer and use it in GitHub Desktop.
Download ZIP
Nuit du Hack CTF Quals - 2016 Matriochka stage 3 (solved with angr)
Raw
Stage3.py
import angr, simuvex, claripy
import logging
logging.basicConfig()
#angr.path_group.l.setLevel('DEBUG')
addr = [0x4007fd,0x40085c,0x4008c7,0x400926,0x40098a,0x4009e8,0x400a4c,0x400ab0,0x400b14,0x400b73,0x400bd7,0x400c36,0x400c95,0x400d0c,0x400d6b,0x400dcf,0x400e2e,0x400e8d,0x400eec,0x400f4b,0x400faa]
find = [0x40084a,0x4008b5,0x400914,0x400978,0x4009d6,0x400a3a,0x400a9e,0x400b02,0x400b61,0x400bc5,0x400c24,0x400c83,0x400cfa,0x400d59,0x400dbd,0x400e1c,0x400e7b,0x400eda,0x400f39,0x400f98,0x400ffc]
ans = ""
for now in range(len(addr)):
p = angr.Project("./stage3.bin")
initial_state = p.factory.blank_state(addr=addr[now])
flag = claripy.BVS('flag', 8)
initial_state.memory.store(0x6040c0+now,flag)
pg = p.factory.path_group(initial_state, immutable=False)
pg.explore(find=find[now])
print pg.found[0].state.se.any_str(pg.found[0].state.memory.load(0x6040c0+now, 22))
ans = ans + pg.found[0].state.se.any_str(pg.found[0].state.memory.load(0x6040c0+now, 1))
now = now + 1
print ans
# Did_you_like_signals?
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment