Skip to content

Instantly share code, notes, and snippets.

Created Mar 5, 2017
What would you like to do?
Pragyan CTF Binary Exploitation 150
from unicorn import *
from unicorn.x86_const import *
from capstone import *
from capstone.x86_const import *
flag = ""
rax_flag = False
def hook(uc, address, size, userdata):
cs = Cs(CS_ARCH_X86, CS_MODE_64)
code = uc.mem_read(address, size)
asm = cs.disasm(str(code), address)
for a in asm:
global flag
global rax_flag
print('0x%x: \t%s\t%s\n' % (a.address, a.mnemonic, a.op_str))
if rax_flag:
rax = uc.reg_read(UC_X86_REG_RAX)
flag += chr(rax)
rax_flag = False
if 'xor' in a.mnemonic:
rax_flag = True
addr = 0x400000
stack = 0x600000
stack_size = 0x100000
emu = Uc(UC_ARCH_X86, UC_MODE_64)
emu.mem_map(stack-stack_size, stack_size)
emu.reg_write(UC_X86_REG_RSP, stack)
emu.reg_write(UC_X86_REG_RBP, stack)
emu.mem_map(addr, 0x10000)
emu.mem_write(addr, open('./validation').read())
emu.hook_add(UC_HOOK_CODE, hook)
emu.emu_start(addr+0x65a, addr+0x694)
print flag
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment