""" """ def je_hook(state): # print("je HOOK: Here: {}".format(hex(state.cpu.EIP))) print('constra', state.constraints) res = state.solve_one(state.cpu.read_register('EDI')) # res = state.solve_one(state.cpu.EDI) print(chr(res), res) state.cpu.BL = res """ def exit_hook(state): # print("EXIT HOOK: Here: {}".format(hex(state.cpu.EIP))) state.abandon() for index, items in enumerate(addrs): entry, je_statement, exit_call = items # m.add_hook(je_statement, je_hook) m.add_hook(exit_call, exit_hook) """ def print_ip(state): if 0x400000 < state.cpu.RIP < 0x500000: print(hex(state.cpu.RIP)) """ m.verbosity = 0 m.workers = 1 m.run()
def test(): from manticore.native import Manticore from subprocess import check_output import sys """ Leverages Manticore to solve the manticore challenge: https://blog.trailofbits.com/2017/05/15/magic-with-manticore/ Author: @ctfhacker python win.py =MANTICORE== real 0m52.039s user 0m50.272s sys 0m2.340s """ file = "" if __name__ == "__main__": file = "manticore_challenge" else: file = "./test_manticore_challenge/manticore_challenge" addrs = [] def get_exits(): """ Extract exit calls from each check function using objdump """ def addr(line): """ Get just the address from a line of objdump output """ return int(line.split()[0][:-1], 16) exits_disasm = check_output("objdump -d %s | grep exit" % file, shell=True) exits_disasm = exits_disasm.decode() exits = [addr(line) for line in exits_disasm.split("\n")[2:-1]] for e in exits: yield e m = Manticore(file) m.context["solved"] = False buff_addr = None @m.hook(0x4009A4) def hook(state): """ Jump over `puts` and `fgets` calls """ state.cpu.EIP = 0x4009C1 @m.hook(0x4009C8) def hook(state): """ Inject symbolic buffer instead of fgets """ with m.locked_context() as context: context["buff_addr"] = state.cpu.RDI buffer = state.new_symbolic_buffer(12) state.cpu.write_bytes(state.cpu.RDI, buffer) @m.hook(0x400981) def hook(state): """ Finish all the checks, solve for the solution """ buff_addr = "" with m.locked_context() as context: buff_addr = context["buff_addr"] res = "".join(map(chr, state.solve_buffer(buff_addr, 12))) print("solution: " + res) # =MANTICORE== with m.locked_context() as context: if "=MANTICORE" in res: context["solved"] = True state.abandon() # Be sure to abandon and not continue execution def exit_hook(state): """ Abandon hook for each exit call """ state.abandon() """ For each exit that we found in each of the checks, add the exit_hook to that call """ for index, exit in enumerate(get_exits()): m.add_hook(exit, exit_hook) m.verbosity = 0 m.workers = 1 m.should_profile = True m.run() assert m.context["solved"]