Skip to content

Instantly share code, notes, and snippets.

@cedriczirtacic
Created September 3, 2020 21:27
Show Gist options
  • Save cedriczirtacic/960229db9fe50a05e15a07d304af774b to your computer and use it in GitHub Desktop.
Save cedriczirtacic/960229db9fe50a05e15a07d304af774b to your computer and use it in GitHub Desktop.
HTB/headache
import sys
path = sys.argv[1]
main_addr = 0x1faf
main_size = 1749
main_real = ''
main = ''
key = "a15abe90c112d09369d9f9da9a8c046e"
key_len = len(key)
print(path)
with open(path, 'rb') as fd:
main = fd.read()
def decrypt_main():
global main_real
main_real = list(main)
with open(sys.argv[1] + ".patched", 'wb') as fd:
i = 0
j = i
while True:
if i >= main_size:
break
if j == key_len:
j = 0
pos = main_addr + i
main_real[pos] = chr(ord(main[pos]) ^ ord(key[j]))
i+=1; j+=1
fd.write(''.join(main_real))
decrypt_main()
import angr
import sys
branch_addr = 0x2660
#pushes_addr = 0x22a0
flags_addr = 0x220d
path = sys.argv[1]
proj = angr.Project(path, load_options={'main_opts': {'base_addr': 0x0}})
state = proj.factory.blank_state(addr=flags_addr)
state.regs.rbp = 0x1000
simgr = proj.factory.simgr(state)
#simgr.run(until=lambda sm: sm.active[0].addr >= pushes_addr)
#data_pushed = []
#for i in range(21):
# data_pushed.append(simgr.active[0].mem[(0x1000+i)-0xc0].uint8_t.concrete)
flag = ''
try:
while True:
simgr.run(until=lambda sm: sm.active[0].addr >= branch_addr)
if len(simgr.active) == 3:
s = simgr.active[2]
flag += chr(s.mem[(0x1000)-0x19].uint8_t.concrete)
except IndexError as e:
pass
print(flag)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment