@inaz2 inaz2/crackme.c
Last active Aug 13, 2019

Solving an easy crackme with angr
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
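/*
 * crackme - the check that the solver script below targets.
 *
 * s: candidate string. A NULL pointer is rejected instead of being passed to
 *    strlen() (the original dereferenced it unconditionally).
 * n: candidate integer.
 *
 * Returns 1 only when s is exactly "hacktheplanet" and n is 1337, otherwise 0.
 *
 * The checks are kept as three separate early returns, matching the branch
 * layout in the objdump listing (strlen, then strcmp, then the compare
 * against 0x539). Recompiling after any change here moves the code
 * addresses that solve.py uses for find/avoid, so re-run objdump afterwards.
 */
int crackme(const char *s, int n)
{
	if (s == NULL) {
		return 0;
	}
	if (strlen(s) != 13) {
		return 0;
	}
	if (strcmp(s, "hacktheplanet") != 0) {
		return 0;
	}
	if (n != 1337) {
		return 0;
	}
	return 1;
}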
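/* Print the invocation synopsis to stderr; prog may be NULL when argc == 0. */
static void usage(const char *prog)
{
	fprintf(stderr, "usage: %s <string> <number>\n", prog ? prog : "crackme");
}

/*
 * Entry point: ./crackme <string> <number>
 *
 * Prints "good job!" when crackme() accepts the pair and "wrong." otherwise,
 * exiting 0 in both cases (as the original did). The original indexed
 * argv[1]/argv[2] without checking argc, so running it with fewer than two
 * arguments dereferenced NULL; that case now prints usage and exits 2, as
 * does a second argument that is not a complete base-10 int.
 */
int main(int argc, char *argv[])
{
	if (argc < 3) {
		usage(argc > 0 ? argv[0] : NULL);
		return 2;
	}

	/* strtol instead of atoi: atoi silently reads "abc" as 0 and gives no
	 * overflow indication. Reject trailing garbage and out-of-range values. */
	errno = 0;
	char *end = NULL;
	long value = strtol(argv[2], &end, 10);
	if (end == argv[2] || *end != '\0' || errno == ERANGE ||
	    value < INT_MIN || value > INT_MAX) {
		usage(argv[0]);
		return 2;
	}

	if (crackme(argv[1], (int)value) == 1) {
		puts("good job!");
	} else {
		puts("wrong.");
	}
	return 0;
}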
# gcc crackme.c -o crackme
# objdump -M intel -d crackme | sed -n '/<crackme>:/,/^$/p'
00000000004005f6 <crackme>:
4005f6: 55 push rbp
4005f7: 48 89 e5 mov rbp,rsp
4005fa: 48 83 ec 10 sub rsp,0x10
4005fe: 48 89 7d f8 mov QWORD PTR [rbp-0x8],rdi
400602: 89 75 f4 mov DWORD PTR [rbp-0xc],esi
400605: 48 8b 45 f8 mov rax,QWORD PTR [rbp-0x8]
400609: 48 89 c7 mov rdi,rax
40060c: e8 9f fe ff ff call 4004b0 <strlen@plt>
400611: 48 83 f8 0d cmp rax,0xd
400615: 74 07 je 40061e <crackme+0x28>
400617: b8 00 00 00 00 mov eax,0x0
40061c: eb 31 jmp 40064f <crackme+0x59>
40061e: 48 8b 45 f8 mov rax,QWORD PTR [rbp-0x8]
400622: be 34 07 40 00 mov esi,0x400734
400627: 48 89 c7 mov rdi,rax
40062a: e8 a1 fe ff ff call 4004d0 <strcmp@plt>
40062f: 85 c0 test eax,eax
400631: 74 07 je 40063a <crackme+0x44>
400633: b8 00 00 00 00 mov eax,0x0
400638: eb 15 jmp 40064f <crackme+0x59>
40063a: 81 7d f4 39 05 00 00 cmp DWORD PTR [rbp-0xc],0x539
400641: 74 07 je 40064a <crackme+0x54>
400643: b8 00 00 00 00 mov eax,0x0
400648: eb 05 jmp 40064f <crackme+0x59>
40064a: b8 01 00 00 00 mov eax,0x1
40064f: c9 leave
400650: c3 ret
# python solve.py
arg1 = 'hacktheplanet\x00\x00\x00'
arg2 = 1337
# ./crackme hacktheplanet 1337
good job!
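import angr

# Addresses come from the objdump listing above, i.e. the binary produced by
# `gcc crackme.c -o crackme`. Rebuilding the binary changes them, so refresh
# these from a new listing before re-running.
CRACKME_ENTRY = 0x4005f6  # first instruction of crackme()
FIND_ADDR = 0x40064a      # `mov eax,0x1`: the only block that returns 1
AVOID_ADDR = 0x40064f     # epilogue that the three failing branches jump to

p = angr.Project('./crackme', load_options={'auto_load_libs': False})
# Start directly at crackme() with an unconstrained state instead of at main,
# so argv parsing is skipped and both arguments stay symbolic.
s = p.factory.blank_state(addr=CRACKME_ENTRY)
initial_path = p.factory.path(s)
pg = p.factory.path_group(initial_path)
e = pg.explore(find=FIND_ADDR, avoid=AVOID_ADDR)

if len(e.found) > 0:
    s = e.found[0].state
    # Per the prologue in the listing, [rbp-0x8] holds the saved `s` pointer
    # (rdi) and [rbp-0xc] the saved `n` (esi).
    arg1 = s.se.any_int(s.memory.load(s.regs.rbp - 0x8, 8, endness='Iend_LE'))
    arg2 = s.se.any_int(s.memory.load(s.regs.rbp - 0xc, 4, endness='Iend_LE'))
    # arg1 is a pointer: dereference it to print the 16 bytes it points at.
    print("arg1 = %r" % s.se.any_str(s.memory.load(arg1, 0x10)))
    print("arg2 = %d" % arg2)
else:
    # The original script exited silently here, which was indistinguishable
    # from a crash before the prints.
    print("no path reached 0x%x (check the find/avoid addresses)" % FIND_ADDR)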