def angr_convert2asm(request):
insns = []
asms = []
try:
filename = req_get_param(request, 'filename')
arch = getarch(filename)
p = angr.Project(filename,
load_options={
'auto_load_libs': False,
'main_opts': {
'backend': 'blob',
'base_addr': 0,
'arch': arch,
},
})
maxadd = p.loader.max_addr
minadd = p.loader.min_addr
print(minadd, maxadd)
# let's disasm with capstone to search targets
insn_bytes = p.loader.memory.load(0, maxadd)
for cs_insn in p.arch.capstone.disasm(insn_bytes, 0):
insns.append(CapstoneInsn(cs_insn))
print("0x%x:\t%s\t\t%s" %
(cs_insn.address, cs_insn.mnemonic, cs_insn.op_str))
# print(str(CapstoneInsn(cs_insn)))
block = CapstoneBlock(0, insns, 0, p.arch)
for ins in block.insns:
asms.append(str(ins))
# print(ins)
except Exception as e:
print("Critical failure:", e)
return sys_app_err('ERROR_INTERNAL_ERROR')
return sys_app_ok_p({
'ASM': asms,
})
def main():
p = angr.Project('./0ctf_momo', load_options={'auto_load_libs': False})
addr = after_fgets
size = mov_congrats - after_fgets
# let's disasm with capstone to search targets
insn_bytes = ''.join(p.loader.memory.read_bytes(addr, size))
insns = []
for cs_insn in p.arch.capstone.disasm(insn_bytes, addr):
insns.append(CapstoneInsn(cs_insn))
block = CapstoneBlock(addr, insns, 0, p.arch)
targets = []
# let's keep track of the state
state = 0
for ins in block.insns:
if state == 0:
if ins.op_str == 'edx, dword ptr [edx*4 + 0x81fe260]':
state += 1
continue
if state == 1:
if ins.op_str == 'al, byte ptr [0x81fe6e0]':
state += 1
continue
if state == 2:
if ins.op_str == 'dl, byte ptr [0x81fe6e4]':
targets.append(ins.address + ins.size)
state = 0
print "found {:d} targets".format(len(targets))
assert len(targets) == 28
flag_arr = ['0', 'c', 't', 'f', '{']
for target in targets[5:]:
print "\nexamining target {:#x}:".format(target)
for trychar in string.printable:
print trychar,
sys.stdout.flush()
flag = ''.join(flag_arr) + trychar
state = p.factory.entry_state()
state.posix.files[0].content.store(0, flag + "\n")
e = p.surveyors.Explorer(start=state, find=(target, ))
e.run()
assert len(e.found) == 1
np = e.found[0]
while (True):
nb_size = target - np.addr
if nb_size <= 0:
break
np = p.factory.successors(np, size=nb_size).flat_successors[0]
assert nb_size == 0
al = np.regs.eax[7:0]
dl = np.regs.edx[7:0]
al_val = al._model_concrete.value
dl_val = dl._model_concrete.value
if al_val == dl_val:
flag_arr.append(trychar)
break
return ''.join(flag_arr)
def main():
p = angr.Project('./momo', auto_load_libs=False)
addr = after_fgets
size = mov_congrats - after_fgets
# let's disasm with capstone to search targets
insn_bytes = p.loader.memory.load(addr, size)
insns = []
for cs_insn in p.arch.capstone.disasm(insn_bytes, addr):
insns.append(CapstoneInsn(cs_insn))
block = CapstoneBlock(addr, insns, 0, p.arch)
targets = []
# let's keep track of the state
state = 0
for ins in block.insns:
if state == 0:
if ins.op_str == 'edx, dword ptr [edx*4 + 0x81fe260]':
state += 1
continue
if state == 1:
if ins.op_str == 'al, byte ptr [0x81fe6e0]':
state += 1
continue
if state == 2:
if ins.op_str == 'dl, byte ptr [0x81fe6e4]':
targets.append(ins.address + ins.size)
state = 0
print("found {:d} targets".format(len(targets)))
assert len(targets) == 28
flag_arr = bytearray(b'0ctf{')
for target in targets[5:]:
print(hex(target))
print("\nexamining target {:#x}:".format(target))
for trychar in string.printable:
print("testing:" + trychar, )
sys.stdout.flush()
flag = bytes(flag_arr) + trychar.encode()
state = p.factory.entry_state(stdin=flag + b"\n")
e = p.factory.simulation_manager(state)
e.explore(find=target)
assert len(e.found) == 1
np = e.found[0]
while True:
nb_size = target - np.addr
if nb_size <= 0:
break
np = p.factory.successors(np, size=nb_size).flat_successors[0]
assert nb_size == 0
al = np.regs.eax[7:0]
dl = np.regs.edx[7:0]
al_val = al._model_concrete.value
dl_val = dl._model_concrete.value
if al_val == dl_val:
flag_arr.append(ord(trychar))
print("one flag_byte found:" + trychar)
print("flag now:" + flag_arr.decode())
sys.stdout.flush()
break
return bytes(flag_arr)