內容物
- very_success
分析
程式執行起來之後就在問密碼
沒意外是 password-checker
DIE 打開發現是 32-bit PE
用 x86 asm 寫的
並且少了 DOS Header
flag 長度 50 字元
然後因為我覺得這題的 asm 好醜
於是乎用 angr 炸下去
flag
a_Little_b1t_harder_plez@flare-on.com
script
import angr
import claripy
import sys
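def main(argv=None):
    """Recover the very_success password with angr's symbolic executor.

    Execution does not begin at the PE entry point: the state is created
    directly at ``start_address`` with a hand-built stack frame, a 50-byte
    symbolic buffer standing in for the user's input at ``flag_address``,
    and the explorer is asked to reach ``find_address`` while avoiding
    ``avoid_address``.  The first satisfying model of the buffer is printed.

    Args:
        argv: Optional argument list (defaults to ``sys.argv[1:]``).  The
            first element, if present, overrides the binary path
            ``./very_success``.

    Returns:
        0 when a satisfying input was found and printed, 1 otherwise.
    """
    args = sys.argv[1:] if argv is None else list(argv)
    binary = args[0] if args else "./very_success"

    # Addresses are specific to this binary (taken from its disassembly);
    # they must be re-derived if the sample is rebuilt or relocated.
    start_address = 0x40104c   # where symbolic execution begins
    flag_address = 0x402159    # buffer the checker reads the password from
    flag_length = 50           # bytes the checker expects (per the analysis)
    find_address = 0x40106b    # presumably the "success" block -- verify in the disassembly
    avoid_address = 0x4010d7   # presumably the "failure" block -- verify in the disassembly

    project = angr.Project(binary)

    # Fill untouched memory/registers with symbols instead of zeros so that
    # nothing the checker happens to read is silently concrete.
    initial_state = project.factory.blank_state(
        addr=start_address,
        add_options={
            angr.options.SYMBOL_FILL_UNCONSTRAINED_MEMORY,
            angr.options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS,
        },
    )

    # Fake a stack frame: ebp at a fixed base, esp a little below it.
    stack_base = 0x7ffff000
    initial_state.regs.ebp = stack_base
    initial_state.regs.esp = stack_base - 0x20

    # Symbolic input buffer the checker will constrain.
    flag = claripy.BVS("flag", 8 * flag_length)
    initial_state.memory.store(flag_address, flag)

    # Frame slots the checker reads: the input length at [ebp-4] and a
    # code address at [ebp-0x10] (looks like a saved pointer into the
    # checker -- confirm against the disassembly). Stored little-endian
    # to match the 32-bit x86 target.
    initial_state.memory.store(
        stack_base - 4,
        claripy.BVV(flag_length, 32),
        endness=project.arch.memory_endness,
    )
    initial_state.memory.store(
        stack_base - 0x10,
        claripy.BVV(0x4010E4, 32),
        endness=project.arch.memory_endness,
    )

    simulation = project.factory.simgr(initial_state)
    simulation.explore(find=find_address, avoid=avoid_address)

    if not simulation.found:
        print("no path to the success block was found", file=sys.stderr)
        return 1

    solution = simulation.found[0].solver.eval(flag, cast_to=bytes)
    # Bytes the checker never constrains are picked arbitrarily by the
    # solver; escape them rather than crashing on a decode error.
    print(solution.decode(errors="backslashreplace"))
    return 0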
# Script entry point; the solve itself lives in main().
if __name__ == "__main__":
    main()