spaceheroes 2022 launch_code solve
import angr, claripy
from pwn import *
# Path of the challenge binary (see the commented-out local process() below).
file_name = "./launch_code"
# Nonce used for local testing only; the real one is read from the service
# further down and passed into get_codes().
nonce = 1639874435  # 1639874435
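def get_codes(nonce):
    """Recover the four codes that ``./launch_code`` accepts for *nonce*.

    The service prints a nonce and then asks for launch codes; the codes
    appear to depend on a ``rand()`` value that equals that nonce, so the
    binary is explored symbolically with ``rand`` hooked to return the leaked
    nonce and the slow/irrelevant routines (logo, timeout, srand, time) hooked
    to immediate no-ops. Once execution reaches the target address
    (``0x004016cd``, presumably the success path) the solver is asked for
    concrete values of the four 64-bit unknowns.

    Args:
        nonce: the nonce as an ``int``, or the raw ``bytes``/``str`` line read
            from the service (e.g. ``b"1639874435"``).

    Returns:
        The four codes as a space-separated decimal string.

    Raises:
        ValueError: if *nonce* is not a decimal integer.
        RuntimeError: if exploration never reaches the target address.
    """
    # Accept the raw line read from the socket as well as an already-parsed int.
    if isinstance(nonce, (bytes, str)):
        nonce = int(nonce)

    # Four 64-bit symbolic values standing in for the codes we solve for.
    num1 = claripy.BVS('num1', 8 * 8)
    num2 = claripy.BVS('num2', 8 * 8)
    num3 = claripy.BVS('num3', 8 * 8)
    num4 = claripy.BVS('num4', 8 * 8)

    class hookNothing(angr.SimProcedure):
        """Replace a routine with an immediate ``return 0``."""
        IS_FUNCTION = True

        def run(self):
            return 0  # Fair dice roll

    class hookNonce(angr.SimProcedure):
        """Make the hooked routine (``rand``) return the leaked nonce."""
        IS_FUNCTION = True

        def run(self):
            return nonce

    class hookGetNums(angr.SimProcedure):
        """Alternative hook, currently unused: place the symbolic codes directly
        in r12/r11/r10/r9 instead of letting the binary read them."""
        IS_FUNCTION = True

        def run(self):
            self.state.regs.r12 = num1
            self.state.regs.r11 = num2
            self.state.regs.r10 = num3
            self.state.regs.r9 = num4
            return num4

    proj = angr.Project(file_name, auto_load_libs=False)
    # Speed up our solve: these routines contribute nothing to the codes.
    for sym in ["print_logo", "timeout", "srand", "time"]:
        proj.hook_symbol(sym, hookNothing())
    # Use predictable nonce
    proj.hook_symbol("rand", hookNonce())
    # proj.hook_symbol("get_launch_auth", hookGetNums())

    state = proj.factory.entry_state()
    simgr = proj.factory.simgr(state)
    simgr.explore(find=0x004016cd)
    if not simgr.found:
        # Indexing found[0] blindly would raise a bare IndexError here.
        raise RuntimeError("symbolic exploration never reached 0x004016cd")
    path = simgr.found[0]
    solver = path.solver

    vals = " ".join(str(solver.eval(num)) for num in (num1, num2, num3, num4))
    # Show the stdin the solver synthesized along the found path, for debugging.
    print(path.posix.dumps(0))
    return vals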
# p = process(file_name)
# 0.cloud.chals.io:12499
host, port = "0.cloud.chals.io", 12499
p = remote(host, port)
# The service prints its nonce first; capture the line without the newline.
p.readuntil(b'Random nonce = ')
nonce = p.readline().rstrip(b'\n')
print(nonce)
# Solve for this nonce offline, then hand the session back to the user.
codes = get_codes(nonce)
print(codes)
p.interactive()
# shctf{Every-cUb1c-1nch-0f-spAce-is-a-m1racl3}