global buff_addr
buff_addr = state.cpu.RDI
buffer = state.new_symbolic_buffer(12)
state.cpu.write_bytes(buff_addr, buffer)
@m.hook(0x400981)
def hook(state):
""" Finish all the checks, solve for the solution """
res = ''.join(map(chr, state.solve_buffer(buff_addr, 12)))
print(res) # =MANTICORE==
state.abandon() # Be sure to abandon and not continue execution
def exit_hook(state):
""" Abandon hook for each exit call """
state.abandon()
"""
For each exit that we found in each of the checks,
add the exit_hook to that call
"""
for index, exit in enumerate(get_exits()):
m.add_hook(exit, exit_hook)
m.verbosity = 0
m.workers = 1
m.should_profile = True
m.run()
def test():
from manticore.native import Manticore
"""
Leverages Manticore to solve the Google 2016 challenge:
unbreakable-enterprise-product-activation
Author: @ctfhacker
Binary: https://github.com/ctfs/write-ups-2016/blob/master/google-ctf-2016/reverse/unbreakable-enterprise-product-activation-150/unbreakable-enterprise-product-activation.bz2
"""
m = None
if __name__ == "__main__":
m = Manticore("unbreakable")
else:
m = Manticore("test_google2016_unbreakable/unbreakable")
m.context["solved"] = False
"""
These values can be found at 0x4005b8
"""
input_addr = 0x6042C0
num_bytes = 0x33
# Entry point
@m.hook(0x400729)
def hook(state):
""" CAUTION: HACK """
""" From entry point, jump directly to code performing check """
# Create a symbolic buffer for our input
buffer = state.new_symbolic_buffer(0x43)
# We are given in the challenge that the flag begins with CTF{
# So we can apply constraints to ensure that is true
state.constrain(buffer[0] == ord("C"))
state.constrain(buffer[1] == ord("T"))
state.constrain(buffer[2] == ord("F"))
state.constrain(buffer[3] == ord("{"))
# Store our symbolic input in the global buffer read by the check
state.cpu.write_bytes(input_addr, buffer)
# By default, `hook` doesn't patch the instruction, so we hop over
# the hooked strncpy and execute the next instruction
state.cpu.EIP = 0x4005BD
# Failure case
@m.hook(0x400850)
def hook(state):
""" Stop executing paths that reach the `failure` function"""
print("Invalid path.. abandoning")
state.abandon()
# Success case
@m.hook(0x400724)
def hook(state):
print("Hit the final state.. solving")
state._solver._command = "z3 -t:240000 -smt2 -in" # Hack around travis timeouts
res = "".join(map(chr, state.solve_buffer(input_addr, num_bytes)))
print(res) # CTF{0The1Quick2Brown3Fox4Jumped5Over6The7Lazy8Fox9}
with m.locked_context() as w:
if "CTF{0The1Quick2Brown3Fox4Jumped5Over6The7Lazy8Fox9}" == res:
w["solved"] = True
# We found the flag, no need to continue execution
m.kill()
m.should_profile = True
m.run()
assert m.context["solved"] == True
def test():
from manticore.native import Manticore
from subprocess import check_output
import sys
"""
Leverages Manticore to solve the manticore challenge:
https://blog.trailofbits.com/2017/05/15/magic-with-manticore/
Author: @ctfhacker
python win.py
=MANTICORE==
real 0m52.039s
user 0m50.272s
sys 0m2.340s
"""
file = ""
if __name__ == "__main__":
file = "manticore_challenge"
else:
file = "./test_manticore_challenge/manticore_challenge"
addrs = []
def get_exits():
""" Extract exit calls from each check function using objdump """
def addr(line):
""" Get just the address from a line of objdump output """
return int(line.split()[0][:-1], 16)
exits_disasm = check_output("objdump -d %s | grep exit" % file,
shell=True)
exits_disasm = exits_disasm.decode()
exits = [addr(line) for line in exits_disasm.split("\n")[2:-1]]
for e in exits:
yield e
m = Manticore(file)
m.context["solved"] = False
buff_addr = None
@m.hook(0x4009A4)
def hook(state):
""" Jump over `puts` and `fgets` calls """
state.cpu.EIP = 0x4009C1
@m.hook(0x4009C8)
def hook(state):
""" Inject symbolic buffer instead of fgets """
with m.locked_context() as context:
context["buff_addr"] = state.cpu.RDI
buffer = state.new_symbolic_buffer(12)
state.cpu.write_bytes(state.cpu.RDI, buffer)
@m.hook(0x400981)
def hook(state):
""" Finish all the checks, solve for the solution """
buff_addr = ""
with m.locked_context() as context:
buff_addr = context["buff_addr"]
res = "".join(map(chr, state.solve_buffer(buff_addr, 12)))
print("solution: " + res) # =MANTICORE==
with m.locked_context() as context:
if "=MANTICORE" in res:
context["solved"] = True
state.abandon() # Be sure to abandon and not continue execution
def exit_hook(state):
""" Abandon hook for each exit call """
state.abandon()
"""
For each exit that we found in each of the checks,
add the exit_hook to that call
"""
for index, exit in enumerate(get_exits()):
m.add_hook(exit, exit_hook)
m.verbosity = 0
m.workers = 1
m.should_profile = True
m.run()
assert m.context["solved"]