#include <jni.h> /* This header file is a must for JNI source. Just include it, JDK and compiler will handle it.*/
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdlib.h>
#include <string.h>   /* strcmp()/memset(); the original relied on an implicit declaration of strcmp */
#include <unistd.h>
/* Hard-coded credential: authenticate() accepts this value for any user,
 * bypassing the per-user password file entirely (the "evil back d00r" branch).
 * It is the string the angr script further down recovers from the binary. */
char *sneaky = "SOSNEAKY";
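/* Prototype for authenticate(), which is defined later in this file. Without
 * it the call below depended on an implicit function declaration. */
int authenticate(char *username, char *password);

/*
 * JNI stub for the Java native method nsa.gov.authenticate(String, String).
 *
 * env      - JNI interface pointer
 * thiz     - receiver object (unused)
 * username - Java string naming the user
 * password - Java string holding the candidate password
 *
 * Returns authenticate()'s result (1 = accepted, 0 = rejected). Returns 0,
 * without calling authenticate(), if either argument is a null reference or
 * cannot be converted to a C string (GetStringUTFChars returned NULL).
 */
JNIEXPORT int JNICALL Java_nsa_gov_authenticate(JNIEnv *env, jobject thiz,
                                                 jstring username, jstring password)
{
    const char *nativeUsername;
    const char *nativePassword;
    int res;

    (void)thiz;

    /* GetStringUTFChars on a null jstring is undefined; reject up front. */
    if (username == NULL || password == NULL) {
        return 0;
    }

    nativeUsername = (*env)->GetStringUTFChars(env, username, 0);
    if (nativeUsername == NULL) {
        return 0; /* conversion failed; the JVM reports the error to Java */
    }

    nativePassword = (*env)->GetStringUTFChars(env, password, 0);
    if (nativePassword == NULL) {
        (*env)->ReleaseStringUTFChars(env, username, nativeUsername);
        return 0;
    }

    /* authenticate() is declared with non-const parameters but does not
     * write through them, so the casts are safe. */
    res = authenticate((char *)nativeUsername, (char *)nativePassword);

    (*env)->ReleaseStringUTFChars(env, username, nativeUsername);
    (*env)->ReleaseStringUTFChars(env, password, nativePassword);
    return res;
}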
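/*
 * int authenticate(char *username, char *password)
 *
 * Accepts the login if `password` equals either the global `sneaky` string
 * or the first 8 bytes of the file named by `username`.
 * Returns 1 on success, 0 otherwise. Neither argument is modified.
 *
 * Review notes:
 *  - The `sneaky` comparison is a hard-coded credential bypass. It is the
 *    branch the angr script further down is written to find; it must not
 *    exist in a real build.
 *  - `username` is used verbatim as a filesystem path, so the caller is
 *    responsible for validating it (otherwise any readable file can be
 *    used as the "password file").
 *  - strcmp() is not constant-time; kept here so the demo behaves as
 *    described.
 */
int authenticate(char *username, char *password)
{
    char stored_pw[9];
    int pwfile;
    ssize_t n;

    if (username == NULL || password == NULL) return 0;

    // evil back d00r
    if (strcmp(password, sneaky) == 0) return 1;

    pwfile = open(username, O_RDONLY);
    if (pwfile < 0) return 0;           /* original called read() on -1 */

    /* Zero-fill so a short read still yields a NUL-terminated string with
     * no uninitialised bytes taking part in the comparison. */
    memset(stored_pw, 0, sizeof stored_pw);
    n = read(pwfile, stored_pw, sizeof stored_pw - 1);
    close(pwfile);                      /* original leaked the descriptor */

    /* An unreadable or empty password file never authenticates. */
    if (n <= 0) return 0;

    return strcmp(password, stored_pw) == 0 ? 1 : 0;
}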
- =========================================================================================================
- import angr
- import claripy
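# Symbolically execute authenticate() from the ARM shared object and, once
# execution forks, print what angr learned about the second argument.
p = angr.Project('native_apps/app1/libs/armeabi/libapp1.so')

# 128-bit symbolic values standing in for the (username, password) arguments.
username = claripy.BVS('username', 128)
password = claripy.BVS('password', 128)

# get_symbol() returns None when the binary lacks the symbol; the original
# script would then fail with an AttributeError on .rebased_addr.
sym = p.loader.main_object.get_symbol('authenticate')
if sym is None:
    raise SystemExit("symbol 'authenticate' not found in libapp1.so")
authenticate_ = sym.rebased_addr

authenticate_state = p.factory.call_state(authenticate_, username, password)
simgr = p.factory.simgr(authenticate_state)

# Run until the first split of the active set, i.e. the first branch in
# authenticate() whose outcome depends on symbolic input.
simgr.step(until=lambda lpg: len(lpg.active) > 1)

for state in simgr.active:
    # print() with one argument behaves the same under Python 2 and 3.
    print(state.regs.r1)
    # 0x401fac is an address observed for this particular build of the
    # library, not derived from the symbol table; re-check it if the .so
    # is rebuilt.
    print(state.mem[0x401fac].string.concrete)  # prints SOSNEAKY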