@cedriczirtacic
Created September 3, 2020 21:27
HTB/headache
import sys
# Binary to patch, taken from the first command-line argument.
path = sys.argv[1]

# Offset into the file contents and byte length of the region that
# decrypt_main() XORs (presumably the binary's obfuscated main -- confirm).
main_addr, main_size = 0x1faf, 1749

# Repeating XOR key; decrypt_main() consumes it one character at a time.
key = "a15abe90c112d09369d9f9da9a8c046e"
key_len = len(key)

# Placeholders: `main` is overwritten just below with the raw file bytes,
# `main_real` is overwritten by decrypt_main() with the patched copy.
main = ''
main_real = ''

print(path)
with open(path, 'rb') as fd:
    main = fd.read()
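def decrypt_main():
    """XOR-decrypt the obfuscated region and write ``<input>.patched``.

    Reads the module-level ``main`` (raw file contents), XORs ``main_size``
    bytes starting at offset ``main_addr`` with the repeating ``key``, stores
    the patched buffer in the global ``main_real`` (now a ``bytearray``) and
    writes it to ``sys.argv[1] + ".patched"``.

    Raises:
        ValueError: if the input is too short to contain the whole region.
    """
    global main_real

    # bytearray yields integer items for both a Python 2 str and a Python 3
    # bytes object; the original ord()/chr()/''.join() round-trip only worked
    # on Python 2 and raised TypeError on Python 3.
    main_real = bytearray(main)

    end = main_addr + main_size
    if end > len(main_real):
        # Fail before the output file is created, so a wrong or truncated
        # input does not leave an empty .patched file behind.
        raise ValueError(
            "input is %d bytes, need at least %d to patch the region"
            % (len(main_real), end)
        )

    # i % key_len reproduces the original wrap-around of the key index.
    for i, pos in enumerate(range(main_addr, end)):
        main_real[pos] ^= ord(key[i % key_len])

    with open(sys.argv[1] + ".patched", 'wb') as fd:
        fd.write(main_real)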
# Script entry: patch the file named on the command line; the result is
# written next to it with a ".patched" suffix.
decrypt_main()
import angr
import sys
# Addresses are relative to the load base of 0x0 set via base_addr below.
branch_addr = 0x2660
#pushes_addr = 0x22a0
flags_addr = 0x220d

# Fixed value given to rbp so the rbp-relative read below has a known address.
fake_rbp = 0x1000

path = sys.argv[1]
proj = angr.Project(path, load_options={'main_opts': {'base_addr': 0x0}})

# Start from a blank state at flags_addr instead of the program entry point.
state = proj.factory.blank_state(addr=flags_addr)
state.regs.rbp = fake_rbp
simgr = proj.factory.simgr(state)

# Disabled exploration kept from the original script:
#simgr.run(until=lambda sm: sm.active[0].addr >= pushes_addr)
#data_pushed = []
#for i in range(21):
# data_pushed.append(simgr.active[0].mem[(0x1000+i)-0xc0].uint8_t.concrete)


def _reached_branch(sm):
    """Stop condition: the first active state is at or past branch_addr."""
    return sm.active[0].addr >= branch_addr


flag = ''
try:
    while True:
        simgr.run(until=_reached_branch)
        active_states = simgr.active
        if len(active_states) != 3:
            continue
        # NOTE(review): the third active state is presumably the path that
        # carries the next flag byte at rbp-0x19 -- confirm against the
        # disassembly.
        chosen = active_states[2]
        flag += chr(chosen.mem[fake_rbp - 0x19].uint8_t.concrete)
except IndexError:
    # Presumably raised by the active[0] lookup once no active state is left;
    # the script relies on that to leave the loop.
    pass
print(flag)