@Bono-iPad Bono-iPad/stage1.py Secret
Created Jan 3, 2017

Embed
What would you like to do?
年賀状CTF (New Year's Card CTF) stage1 — angr symbolic-execution solver script
import base64
import binascii

import angr
import claripy
import simuvex
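def _store_cstring(state, addr, data):
    """Write *data* followed by a NUL terminator into *state*'s memory at *addr*.

    The bytes are packed into one concrete bit-vector of ``(len(data) + 1) * 8``
    bits; ``memory.store`` writes a bit-vector most-significant byte first by
    default, so the first byte of *data* lands at *addr*.  The explicit width
    keeps any leading zero bytes that ``int()`` would otherwise drop.
    """
    buf = data + b"\x00"
    value = int(binascii.hexlify(buf), 16)
    state.memory.store(addr, state.se.BVV(value, len(buf) * 8))


def main():
    """Recover the stage1 flag of the New Year's card CTF by symbolic execution.

    The routine at 0x10001530 of ``stage1.exe`` is entered directly with
    concrete arguments (the base64-decoded blob and the key string
    ``HappyNewYear2017``), execution is driven to 0x10001726, and the buffer
    that ``rax`` points to in the found state is printed.  Returns nothing;
    raises ``RuntimeError`` if no path reaches the target address.

    NOTE(review): this uses the 2017-era angr API (``simuvex``, ``path_group``,
    ``state.se``, ``any_str``); current angr releases renamed these, so the
    script needs porting before it runs on a modern install.
    """
    # The hard-coded addresses below assume this image base; they move with it.
    base_addr = 0x10000000
    project = angr.Project(
        'stage1.exe',
        load_options={'main_opts': {'custom_base_addr': base_addr}})

    # Start inside the binary at the target routine instead of at its entry
    # point.  Removing LAZY_SOLVES makes angr test satisfiability at each
    # branch, so unsatisfiable paths are dropped as they appear rather than
    # at the end of exploration.
    state = project.factory.blank_state(
        addr=0x10001530,
        remove_options={simuvex.s_options.LAZY_SOLVES})

    blob = base64.b64decode(
        b"ERV5vdff++FakEbRj0z8UyhZPPBYLLPm5xYAeVPPKsGlvRzPH4Bq+o1tZQB2wgzn")
    print(len(blob))  # 48 bytes for the blob above

    blob_addr = 0xd0000000
    key_addr = 0xd0000100
    _store_cstring(state, blob_addr, blob)
    _store_cstring(state, key_addr, b"HappyNewYear2017")

    # Win64 calling convention: the first three integer arguments travel in
    # rcx, rdx and r8.  rcx -> blob, r8 -> key; rdx=12 is presumably a
    # length/count argument (the blob itself is 48 bytes) -- TODO confirm
    # against the disassembly of the routine at 0x10001530.
    state.regs.rcx = blob_addr
    state.regs.rdx = 12
    state.regs.r8 = key_addr
    # Stack pointer kept from the original solve.  NOTE(review): it is not
    # 16-byte aligned, which compiled x64 code may assume -- confirm it matters.
    state.regs.rsp = 0xffffff

    paths = project.factory.path_group(state)
    result = paths.explore(find=0x10001726)
    print(result)
    if not result.found:
        # Fail with a message instead of the bare IndexError the original hit
        # on result.found[0] when exploration came up empty.
        raise RuntimeError(
            "no path reached 0x10001726; cannot read the result buffer")

    found_state = result.found[0].state
    # At the target address rax is taken to point at the result buffer (per the
    # original solve); 100 bytes are dumped so the NUL padding after the flag
    # is visible in the repr.
    out = found_state.memory.load(found_state.regs.rax, 100)
    print("%r" % found_state.se.any_str(out))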
# Run the solver only when executed as a script, not when imported.
if __name__ == "__main__":
    main()
"""
$ python stage1.py
WARNING | 2017-01-03 14:02:48,998 | cle.pe | The PE module is not well-supported. Good luck!
48
<PathGroup with 1 found>
'NYC{L0gg1ng_Cl1pb04rd_w17h_Dll_1nj3c710n}\x00\x00\x00)\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
"""