@disconnect3d
Last active May 26, 2017 23:58
# crack.py
# Just compile the modified code: `gcc modified.c`
# and run `python crack.py` (you need angr installed).
# NOTE: You can find WIN_ADDR with `objdump -Mintel -d a.out | grep 1337`
# (it is the instruction in main() that loads the 0x1337 return value; the
# address may change whenever the binary is rebuilt, so re-check it then).
import angr

WIN_ADDR = 0x40063e

p = angr.Project('./a.out')
pg = p.factory.path_group()
# The commented-out line below should probably do the job on the original binary
# (stop as soon as "good" shows up on stdout). However, it took a lot of time,
# so I just changed the code a bit and hardcoded the address instead.
#results = pg.explore(find=lambda path: 'good' in path.state.posix.dumps(1))
results = pg.explore(find=WIN_ADDR)
# Dump the stdin contents the solver had to feed the program to reach WIN_ADDR.
print(repr(results.found[0].state.posix.dumps(0)))
# Result: "G\xa8GW\xde"
# yeah, it contains non-printable characters (0xA8 and 0xDE bytes)
# ...still, they can be passed to stdin, so gg :)
# Some other working solutions:
# "G\xa8\xb8\xa8\xde"
# "GW\xb8W\xde"
# "GWG\xa8\xde"
# and finally, the intended one: "GWGW!"
# NOTE: newer angr releases replaced path_group with the simulation manager API,
# i.e. `sm = p.factory.simgr(); sm.explore(find=WIN_ADDR)` and then
# `sm.found[0].posix.dumps(0)`.
/*
modified.c
Done by disconnect3d from JHtC CTF team.
Modified version of the challenge, to make it easier for angr to solve.
Original code:
#include <stdio.h>
int check(char*b){char*p;for(p=b;*p;p++);if(((p-b)^42)!=47)return(
~0xffffffff);unsigned long long ch=0x1451723121264133ULL;for(p=b;*
p;p++)ch=((ch<<9)|(ch>>55))^*p;return!!(14422328074577807877ULL==
ch);}int main(void){char buf[1234];scanf("%1233s",buf);puts("nope"
"\0good"+check(buf)*(6-1));return 0;}
*/
#include <stdio.h>
#include <string.h>

int check(char*b){
    char*p;
    /* walk to the terminating NUL: p-b is the string length */
    for(p=b;*p;p++);
    /* length check: (len ^ 42) == 47 holds only for len == 5 */
    if(((p-b)^42)!=47)
        /* ~0xffffffff is 0 here (0xffffffff is an unsigned int), i.e. "nope" */
        return(~0xffffffff);
    unsigned long long ch=0x1451723121264133ULL;
    /* 64-bit rotate-left-by-9, then XOR in the next byte; *p is a signed char,
       so bytes >= 0x80 are sign-extended to 64 bits before the XOR */
    for(p=b;*p;p++)
        ch=((ch<<9)|(ch>>55))^*p;
    return!!(14422328074577807877ULL==ch);
}
int main(void){
    char buf[20];
    /* width 19, not 20: scanf also stores the terminating NUL, so %20s could
       write 21 bytes into the 20-byte buffer */
    if (scanf("%19s",buf) != 1)
        return 0;
    /* distinct return value, so the solver only has to reach the address that loads 0x1337 */
    if (strlen(buf) == 5 && check(buf))
        return 0x1337;
    //puts("nope""\0good"+check(buf)*(6-1));
    return 0;
}
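The inputs listed in crack.py only pass because `*p` is a signed char: each 0xA8/0xB8/0xDE byte differs from the intended 'W'/'G'/'!' by 0xFF, and sign extension turns that into a flip of all 64 bits, so an even number of such substitutions cancels out. The following Python model of check() from modified.c is an added example, not code from the gist; the candidate inputs are constructed from the solutions listed in crack.py, and the `signed_char` switch is an assumption added for comparison with an unsigned-char build.

```python
# Python re-implementation of check() from modified.c (added example, not the gist's code).
MASK64 = (1 << 64) - 1
INIT = 0x1451723121264133
TARGET = 14422328074577807877

def rotl9(x):
    """64-bit rotate left by 9, as ((ch<<9)|(ch>>55)) on an unsigned long long."""
    return ((x << 9) | (x >> 55)) & MASK64

def sext8(byte):
    """What `^*p` XORs in: a signed char >= 0x80 is sign-extended to 64 bits."""
    return byte if byte < 0x80 else (byte | ~0xFF) & MASK64

def check(data, signed_char=True):
    """Return 1 if `data` (bytes) passes the C check, else 0.

    signed_char=True mirrors gcc on x86-64 (the binary the gist solves);
    signed_char=False is the hypothetical unsigned-char build, for comparison.
    """
    data = data.split(b"\0")[0]          # C string semantics: stop at the first NUL
    if (len(data) ^ 42) != 47:           # only len == 5 survives
        return 0
    ch = INIT
    for byte in data:
        ch = rotl9(ch) ^ (sext8(byte) if signed_char else byte)
    return int(ch == TARGET)

def passing(candidates, signed_char=True):
    """Filter a list of candidate inputs down to those check() accepts."""
    return [c for c in candidates if check(c, signed_char)]

# The five inputs listed in crack.py (constructed here from those comments).
SOLUTIONS = [b"G\xa8GW\xde", b"G\xa8\xb8\xa8\xde", b"GW\xb8W\xde",
             b"GWG\xa8\xde", b"GWGW!"]

if __name__ == "__main__":
    # With signed chars every listed input passes ...
    print(passing(SOLUTIONS))
    # ... while with unsigned chars only the intended "GWGW!" remains.
    print(passing(SOLUTIONS, signed_char=False))
```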