Flare-on 2016 Challenge 1 Angr solve.
# coding: utf-8
# In[2]:
import angr
import simuvex
# Stand-in for the bytes the binary reads. Rebound to a symbolic bit-vector
# once initial_state exists; readfile_hook reads this module-level name.
user_input = None
# Verbose path-group logging so each step/prune shows up while exploring.
angr.path_group.l.setLevel('DEBUG')
# In[3]:
def get_std_hook(state):
    """Report success for a replaced call: leave 1 in eax.

    Reached via writefile_hook; the replaced call itself is never executed,
    only its non-zero return value is faked. (Judging by the name this was
    meant for GetStdHandle as well — its two p.hook lines are commented out.)
    """
    print('get_std_hook')
    regs = state.regs
    regs.eax = 1
def writefile_hook(state):
    """Hook at 0x401457 (see p.hook below): skip the write, report success.

    Nothing is written anywhere; get_std_hook just sets eax to 1 so the
    caller sees a successful return.
    """
    print('writefile hook')
    get_std_hook(state)
def readfile_hook(state):
    """Hook at 0x401473 (see p.hook below): feed the symbolic input.

    Stores the module-level `user_input` bit-vector at the address held in
    eax — presumably the destination buffer of the replaced read (earlier
    attempts stored it via esp/ebp offsets instead). eax itself is not
    modified by this hook.
    """
    print('readfile hook')
    destination = state.regs.eax
    state.memory.store(destination, user_input)
def ebp_hook(state):
    """Write 0x80 at [ebp+4]. Currently unused (its p.hook line is commented out).

    ebp is concretised with any_int first, so the store goes to a concrete
    address rather than a symbolic one.
    """
    print('ebp_hook')
    frame_base = state.se.any_int(state.regs.ebp)
    state.memory.store(frame_base + 4, 0x80)
def malloc_hook(state):
    """Hook at 0x401283 (see p.hook below): fake the allocation.

    Puts a fixed concrete address in eax instead of running the allocator.
    The constant sits away from the stack region used below (esp/ebp are
    set to 0xF0000000/0xE0000000); NOTE(review): nothing maps or sizes this
    region, so it relies on angr's default memory behaviour — confirm.
    """
    print('malloc_hook')
    fake_buffer = 0xC0000000
    state.regs.eax = fake_buffer
def strcmpy_hook(state):
    """Trace-only hook: print a marker and change nothing.

    Disabled in this version (its p.hook line at 0x40149A is commented out);
    `state` is accepted for the hook signature but not used.
    """
    print('strcmpy hook')
def interesting_hook(state):
    """Trace-only hook at 0x401487: print a marker and change nothing.

    Installed with length=0 (see p.hook below), so the original instruction
    at that address still executes after the hook; `state` is unused.
    """
    print('interesting hook')
# Load the target without its DLLs: every import that matters is replaced by
# a hook below, so the unresolved library code never has to run.
p = angr.Project('challenge1.exe', load_options={'auto_load_libs':False})

# (address, hook, bytes to skip). A non-zero length skips that many bytes
# after the hook runs — presumably the size of the replaced call — while
# length=0 lets the original instruction execute after the hook.
# Tried during development and now disabled: get_std_hook at
# 0x40142B/0x401436, strcmpy_hook at 0x40149A, ebp_hook at 0x401446.
HOOKS = (
    (0x401457, writefile_hook, 6),
    (0x401473, readfile_hook, 6),
    (0x401283, malloc_hook, 5),
    (0x401487, interesting_hook, 0),
)
for addr, hook, skip in HOOKS:
    p.hook(addr, hook, length=skip)
# In[ ]:
# Begin at 0x40143C with LAZY_SOLVES removed so unsatisfiable paths are
# pruned as soon as they appear (an earlier variant started at 0x401420).
initial_state = p.factory.blank_state(
    addr=0x40143C,
    remove_options={simuvex.s_options.LAZY_SOLVES},
)
# Concrete stack pointers; NOTE(review): presumably so frame accesses in the
# hooks and the binary resolve to concrete addresses — confirm.
initial_state.regs.esp = 0xF0000000
initial_state.regs.ebp = 0xE0000000
# 0x80 symbolic bytes; readfile_hook stores this module-level name at the
# read buffer, so it must be bound before exploration starts.
user_input = initial_state.se.BVS("user_input", 8 * 0x80)
initial_path = p.factory.path(initial_state)  # bound but not used below
path_group = p.factory.path_group(initial_state)
# Explore until the find address is hit; paths reaching the avoid address
# are dropped.
path_group.explore(find=(0x4014AE,), avoid=(0x4014C7,))
# In[98]:
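# Fail with a clear message rather than an IndexError when exploration ended
# without any path reaching 0x4014AE (every path hit the avoid address, or
# the hooked addresses no longer match the binary).
if not path_group.found:
    raise SystemExit("no path reached 0x4014AE; nothing to concretise")
found = path_group.found[0]
print("FLAG: ")
# Concretise the symbolic buffer under the found path's constraints. Bytes
# the binary never constrained may come back as arbitrary characters, so
# only the prefix the comparison fixed is meaningful.
print(found.state.se.any_str(user_input))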
# In[ ]: