reverse - google ctf - 150 - unbreakable-enterprise-product-activation

感覺不少隊伍都是用 angr 來解這題，但還是來紀錄一下自己寫的。

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import angr
import collections


def printModel(pg, string):
    """Print the solver model of the first found path as an ASCII string.

    Args:
        pg: an angr path group whose ``found`` list is non-empty; the model is
            read from ``pg.found[0].state.se._solver.result.model``.
        string: label printed between ``=====`` markers before the value.

    The model is a mapping from symbolic-variable name to a concrete value;
    entries are emitted in sorted-key order and each value is passed to
    ``chr``, so this assumes one byte per variable and names that sort into
    buffer order (e.g. zero-padded indices).
    """
    print('=====' + string + '=====')
    model = pg.found[0].state.se._solver.result.model
    # sorted(...) on the items already yields key order, so no OrderedDict
    # is needed to keep the bytes in sequence.
    decoded = ''.join(chr(value) for _, value in sorted(model.items()))
    print(decoded)


def main():
    """Symbolically execute the activation check and print the recovered key.

    Starts a blank angr state at 0x4005bd, places a 67-byte symbolic buffer
    at 0x6042C0 with its first byte constrained to 'C', and explores until
    0x400830 is reached. The model of the first path found is then printed
    through printModel.
    """
    angr.l.setLevel('DEBUG')
    angr.analyses.veritesting.l.setLevel('DEBUG')
    # auto_load_libs=False keeps shared-library dependencies out of the
    # project so exploration stays within the target binary.
    project = angr.Project('./unbreakable-enterprise-product-activation',
                           load_options={"auto_load_libs": False})

    state = project.factory.blank_state(addr=0x4005bd)
    # One 8-bit symbolic variable per buffer byte, named by zero-padded index
    # so the solver model can later be sorted back into buffer order.
    for offset in range(67):
        sym_byte = state.se.BVS('%03d' % offset, 8)
        if offset == 0:
            state.se.add(sym_byte == ord('C'))
        state.memory.store(0x6042C0 + offset, sym_byte)

    path_group = project.factory.path_group(state, immutable=False)
    path_group.explore(find=(0x400830, ), avoid=())
    print(path_group)

    printModel(path_group, 'ans')

# Only run the solver when executed as a script, not when imported.
if __name__ == "__main__":
    main()
# CTF{0The1Quick2Brown3Fox4Jumped5Over6The7Lazy8Fox9}

是說另一題 150 分的 audio_visual_receiver_code，會有 path explosion，單用 angr 跑無法跑完，可能用 fuzz + symbolic 可以？