Skip to content

Instantly share code, notes, and snippets.

@Bono-iPad Bono-iPad/ Secret
Created Apr 3, 2016

What would you like to do?
Nuit du Hack CTF Quals - 2016 Matriochka stage 3 (solved with angr)
import angr, simuvex, claripy
import logging
addr = [0x4007fd,0x40085c,0x4008c7,0x400926,0x40098a,0x4009e8,0x400a4c,0x400ab0,0x400b14,0x400b73,0x400bd7,0x400c36,0x400c95,0x400d0c,0x400d6b,0x400dcf,0x400e2e,0x400e8d,0x400eec,0x400f4b,0x400faa]
find = [0x40084a,0x4008b5,0x400914,0x400978,0x4009d6,0x400a3a,0x400a9e,0x400b02,0x400b61,0x400bc5,0x400c24,0x400c83,0x400cfa,0x400d59,0x400dbd,0x400e1c,0x400e7b,0x400eda,0x400f39,0x400f98,0x400ffc]
ans = ""
for now in range(len(addr)):
p = angr.Project("./stage3.bin")
initial_state = p.factory.blank_state(addr=addr[now])
flag = claripy.BVS('flag', 8),flag)
pg = p.factory.path_group(initial_state, immutable=False)
print pg.found[0][0].state.memory.load(0x6040c0+now, 22))
ans = ans + pg.found[0][0].state.memory.load(0x6040c0+now, 1))
now = now + 1
print ans
# Did_you_like_signals?
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.