Pragyan CTF Binary Exploitation 150
from unicorn import *
from unicorn.x86_const import *
from capstone import *
from capstone.x86_const import *
# Module-level state shared with the instruction hook: the recovered flag
# characters so far, and whether the next instruction should sample RAX.
flag, rax_flag = "", False
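def hook(uc, address, size, userdata):
    """Per-instruction Unicorn hook that reconstructs the flag.

    Disassembles the instruction about to execute, traces it, and appends
    the low byte of RAX to the module-level ``flag`` on the instruction
    that follows any ``xor``.

    Args:
        uc: the ``Uc`` instance invoking the hook.
        address: address of the instruction about to execute.
        size: encoded length of that instruction in bytes.
        userdata: unused; present to satisfy the UC_HOOK_CODE signature.
    """
    global flag, rax_flag
    cs = Cs(CS_ARCH_X86, CS_MODE_64)
    # bytes() rather than str(): on Python 3 str(bytearray) returns the
    # repr text, which Capstone would then disassemble as garbage.
    code = bytes(uc.mem_read(address, size))
    for insn in cs.disasm(code, address):
        print('0x%x: \t%s\t%s\n' % (insn.address, insn.mnemonic, insn.op_str))
        if rax_flag:
            # One instruction has executed since the xor; RAX is expected to
            # hold a single byte (chr raises ValueError if it does not).
            flag += chr(uc.reg_read(UC_X86_REG_RAX))
            rax_flag = False
        # NOTE(review): substring match also fires on pxor/xorps etc.;
        # presumably only plain xor occurs in the emulated range - confirm.
        if 'xor' in insn.mnemonic:
            rax_flag = True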
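addr = 0x400000        # where the raw bytes of ./validation are loaded
stack = 0x600000       # initial RSP/RBP; the stack grows down into the mapping below
stack_size = 0x100000

emu = Uc(UC_ARCH_X86, UC_MODE_64)
emu.mem_map(stack - stack_size, stack_size)
emu.reg_write(UC_X86_REG_RSP, stack)
emu.reg_write(UC_X86_REG_RBP, stack)

# Binary mode so no newline translation can alter the image; the context
# manager closes the handle instead of leaking it.
with open('./validation', 'rb') as f:
    image = f.read()
emu.mem_map(addr, 0x10000)
# Unicorn raises UcError if the image is larger than the 64 KiB mapping.
emu.mem_write(addr, image)
emu.hook_add(UC_HOOK_CODE, hook)
# Emulate only the validation routine; the offsets are specific to this binary.
emu.emu_start(addr + 0x65a, addr + 0x694)
print(flag)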