ochoto/angr.py

## angr.py
#!/usr/bin/env python2

"""
In this challenge we are given a binary that checks an input given from stdin.
If it is correct, it will call get_flag in a separate library and print(it.)
However, we don't have the library so need to find the correct input and input
it over netcat. If it is incorrect, only 'Goodbye' is printed.
Reversing shows that the program verifies the input character by character.]
Because of the program's linear nature and reliance on verbose constraints,
angr is perfect for solving this challenge quickly. On a virtual machine
with one core and 4 GB of RAM, it took ~26 seconds to solve.
Author: scienceman (@docileninja)
Team: PPP (CMU)
"""

import angr
import claripy
import subprocess

START = 0x400000 + 0x000010a0 # start of main
FIND =  0x400000 + 0x0000119f # part of program that prints the flag
AVOID = 0x400000 + 0x00001198 # all addresses after a failed check occur on a fixed interval

BUF_LEN = 16

def char(state, c):
    '''returns constraints s.t. c is printable'''
    return state.solver.And(c <= '~', c >= ' ', c!="@", c!=" ")

def main():
    p = angr.Project('crackme')

    print('creating state')
    flag = claripy.BVS('flag', BUF_LEN*8)
    state = p.factory.blank_state(addr=START, stdin=flag)

    print('adding constaints to stdin')
    for c in flag.chop(8):
        state.solver.add(char(state, c))

    print('creating state and simgr')
    ex = p.factory.simulation_manager(state)
    ex.use_technique(angr.exploration_techniques.Explorer(find=FIND, avoid=AVOID))

    print('running explorer')
    ex.run()

    print('found solution')
    correct_input = ex.one_found.posix.dumps(0) # ex._f is equiv. to ex.found[0]
    return correct_input


if __name__ == '__main__':
    team = main()
print('found: {}'.format(repr(team)))
	#!/usr/bin/env python2

	"""
	In this challenge we are given a binary that checks an input given from stdin.
	If it is correct, it will call get_flag in a separate library and print(it.)
	However, we don't have the library so need to find the correct input and input
	it over netcat. If it is incorrect, only 'Goodbye' is printed.
	Reversing shows that the program verifies the input character by character.]
	Because of the program's linear nature and reliance on verbose constraints,
	angr is perfect for solving this challenge quickly. On a virtual machine
	with one core and 4 GB of RAM, it took ~26 seconds to solve.
	Author: scienceman (@docileninja)
	Team: PPP (CMU)
	"""

	import angr
	import claripy
	import subprocess

	START = 0x400000 + 0x000010a0 # start of main
	FIND = 0x400000 + 0x0000119f # part of program that prints the flag
	AVOID = 0x400000 + 0x00001198 # all addresses after a failed check occur on a fixed interval

	BUF_LEN = 16

	def char(state, c):
	'''returns constraints s.t. c is printable'''
	return state.solver.And(c <= '~', c >= ' ', c!="@", c!=" ")

	def main():
	p = angr.Project('crackme')

	print('creating state')
	flag = claripy.BVS('flag', BUF_LEN*8)
	state = p.factory.blank_state(addr=START, stdin=flag)

	print('adding constaints to stdin')
	for c in flag.chop(8):
	state.solver.add(char(state, c))

	print('creating state and simgr')
	ex = p.factory.simulation_manager(state)
	ex.use_technique(angr.exploration_techniques.Explorer(find=FIND, avoid=AVOID))

	print('running explorer')
	ex.run()

	print('found solution')
	correct_input = ex.one_found.posix.dumps(0) # ex._f is equiv. to ex.found[0]
	return correct_input


	if __name__ == '__main__':
	team = main()
	print('found: {}'.format(repr(team)))