# Binary: https://drive.google.com/file/d/1k2drNM95jkXb39--81S0a_A2PzQwP_5t/view?usp=sharing
# Expected flag: 'SUCTF{Un1c0rn_Engin3_Is_@_P0wer7ul_TO0ls!}'
#
# Symbolic-execution solve script: the raw MIPS blob is loaded with angr,
# the checked routine is entered directly via a call state, the input
# buffer is filled with symbolic bytes, and the values the routine writes
# to its output buffer are constrained to the known comparison table so the
# solver can recover the input bytes.
import angr
import archinfo
import claripy
import struct

FLAG_LEN = 42
INPUT_BUF = 0x500000       # first argument: buffer the symbolic input is placed in
OUTPUT_BUF = 0x600000      # second argument: buffer the routine writes its result to
CHECK_ENTRY = 0x4000CC     # routine entered directly through call_state
FOUND_ADDR = 0x407068      # address explore() stops at

# Raw blob: no loader metadata, so the mapping is given by hand
# (file offset 0 -> 0x400000, 28928 bytes).
p = angr.Project(
    './data',
    main_opts={
        'backend': 'blob',
        'arch': 'mips',
        'segments': [(0, 0x400000, 28928)],
    },
)

state = p.factory.call_state(
    CHECK_ENTRY,
    INPUT_BUF,
    OUTPUT_BUF,
    add_options={angr.options.LAZY_SOLVES, angr.options.CONSTRAINT_TRACKING_IN_SOLVER},
)

# Hand-built frame: the two arguments are spilled at fp+0x18 / fp+0x1C and a
# local at fp+0xC is zeroed. Presumably this mirrors the callee's own prologue
# so entering mid-function is consistent -- confirm against the disassembly.
state.regs.fp = state.regs.sp - 0x18
state.mem[state.regs.fp + 0x18].uint32_t = state.regs.a0
state.mem[state.regs.fp + 0x1C].uint32_t = state.regs.a1
state.mem[state.regs.fp + 0xC].uint32_t = 0

# One 8-bit symbolic variable per flag byte.
flag_chars = [claripy.BVS('flag_%d' % idx, 8) for idx in range(FLAG_LEN)]

# Each input byte is stored pre-transformed: on an 8-bit bitvector 8 * c wraps,
# so (8 * c) | (c >> 5) is a rotate-left by 3, then XORed with the index.
# Presumably this matches a transform the binary itself applies -- verify.
for idx, sym in enumerate(flag_chars):
    state.mem[INPUT_BUF + idx].uint8_t = ((8 * sym) | (sym >> 5)) ^ idx

sm = p.factory.simulation_manager(state)
sm.explore(find=FOUND_ADDR)

# Big-endian 32-bit words the routine's output is compared against
# (42 words, one per flag byte).
cmpbuf = bytes.fromhex(
    'FFFFFF94FFFFFF3800000126FFFFFF28FFFFFC1000000294FFFFFC9E000006EA'
    '000000DC00000006FFFFFF0CFFFFFDF6FFFFFA82FFFFFCD000000182000003DE'
    '0000014E000002B2FFFFF8D800000174FFFFFAA6FFFFF9D4000001C2FFFFF97C'
    '0000035A00000146FFFFFF3CFFFFFA14000001CE000007DCFFFFFD4800000098'
    '0000085EFFFFFDB0FFFFFFBC0000036EFFFFFF4EFFFFF836000005C0000006AE'
    '0000069400000022'
)

fs = sm.found[0]

# Constrain every output word to the expected value (trailing bytes that do
# not form a whole word are ignored, as in the original loop).
word_count = len(cmpbuf) // 4
for idx in range(word_count):
    offset = idx * 4
    expected = struct.unpack_from(">I", cmpbuf, offset)[0]
    actual = fs.memory.load(OUTPUT_BUF + offset, 4, endness=archinfo.Endness.BE)
    fs.solver.add(claripy.BVV(expected, 32) == actual)

# Pin the input to the known flag as well; this checks the model is
# consistent with the expected answer rather than searching for it.
correct = [ord(ch) for ch in 'SUCTF{Un1c0rn_Engin3_Is_@_P0wer7ul_TO0ls!}']
for sym, value in zip(flag_chars, correct):
    fs.solver.add(sym == value)

# Printable-ASCII range for every byte.
fs.solver.add(*(sym < 128 for sym in flag_chars))
fs.solver.add(*(sym > 32 for sym in flag_chars))

# Concretise each symbolic byte under the accumulated constraints.
ret = ''.join(chr(fs.solver.eval(sym)) for sym in flag_chars)