ghostinthefingers / CTF-Writeups


how can i solve this problem by using angr ? #2

Closed BlackIce417 closed 1 year ago

BlackIce417 commented 1 year ago

To be honest, I don't want to type so many words, so I want to use angr to find the flag. But as a reverse problem, it enables ASLR/PIE, so I can't find the accurate entry point of the program. Do you have any idea how to use angr to solve this problem?

ghostinthefingers commented 1 year ago

Which challenge do you mean?

BlackIce417 commented 1 year ago

> Which challenge do you mean?

Is there any simple way to solve this problem? I tried to use angr to solve the problem, but PIE is on, so I can't store bitvectors.

ghostinthefingers commented 1 year ago

Please tell me the challenge name.

BlackIce417 commented 1 year ago

> Please tell me the challenge name.

vishwa2023 WednesdayThursdayFriday solveme

ghostinthefingers commented 1 year ago

```python
import angr
import claripy

flag_length = 34
# Addresses as shown in the disassembler. The binary is PIE, so they are only
# meaningful relative to the base the disassembler picked (0x00100000 here).
correct_address = 0x00102446
failure_address = 0x00102472
base_address = 0x00100000

# Pin the load base to the same value the disassembler used, so the addresses
# above are valid inside angr regardless of ASLR/PIE.
proj = angr.Project("./solveme", load_options={"auto_load_libs": False}, main_opts={"base_addr": base_address})

# One 8-bit symbolic variable per flag byte, concatenated into the symbolic argv[1].
flag_chars = [claripy.BVS(f"flag{i}", 8) for i in range(flag_length)]
flag = claripy.Concat(*flag_chars)

state = proj.factory.full_init_state(
    args=['./solveme', flag],
    add_options=angr.options.unicorn,
)

flag_format = "VishwaCTF{"

# Give it the flag format to make the solve easier.
for i in range(10):
    state.solver.add(flag_chars[i] == ord(flag_format[i]))

# We need only ASCII printable characters for the remaining bytes.
for i in range(10, 34):
    state.solver.add(flag_chars[i] >= ord('!'))
    state.solver.add(flag_chars[i] <= ord('~'))

# Explore until the success block is reached, pruning paths that hit the failure block.
simgr = proj.factory.simulation_manager(state)
simgr.explore(find=correct_address, avoid=failure_address)

if simgr.found:
    found = simgr.found[0]
    # Concretize the symbolic flag under the constraints of the found state.
    res = found.solver.eval(flag, cast_to=bytes)
    print(res.decode())
```

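
The reason the script above works on a PIE binary is that `main_opts={"base_addr": ...}` pins the load base to whatever the disassembler used, so copied addresses stay valid. The following is an added example (not code from this thread or repository) that makes that check explicit: it parses the `e_type` field of an ELF header to decide whether the file is position-independent (`ET_DYN`) and, if so, which `base_addr` to pass, and it rebases a disassembler address onto another load base. The ELF headers are constructed inline; the disassembler base 0x100000 and the alternative base 0x400000 are assumptions used for illustration, not values from the challenge.

```python
import struct

ET_EXEC, ET_DYN = 2, 3          # e_type values from the ELF specification
EM_X86_64 = 62


def make_elf64_header(e_type: int, e_entry: int) -> bytes:
    """Build a minimal 64-byte little-endian ELF64 header (constructed test data)."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9   # class=64-bit, data=LE, version=1
    rest = struct.pack("<HHIQQQIHHHHHH",
                       e_type, EM_X86_64, 1, e_entry,
                       64, 0, 0,            # e_phoff, e_shoff, e_flags
                       64, 56, 0, 64, 0, 0)  # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return e_ident + rest


# Constructed headers: a PIE binary and a fixed-address binary (assumptions, not the challenge file).
PIE_HEADER = make_elf64_header(ET_DYN, 0x1060)
EXEC_HEADER = make_elf64_header(ET_EXEC, 0x401060)


def elf_type(data: bytes) -> int:
    """Return the e_type field of an ELF header, validating magic and length first."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF64 header")
    endian = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return e_type


def is_pie(data: bytes) -> bool:
    """PIE executables (and shared objects) carry e_type == ET_DYN."""
    return elf_type(data) == ET_DYN


def choose_base_addr(data: bytes, disasm_base: int):
    """base_addr to pass to angr: pin it for PIE so disassembler addresses match; None for ET_EXEC."""
    return disasm_base if is_pie(data) else None


def rebase(addr: int, from_base: int, to_base: int) -> int:
    """Translate an address taken from a disassembler loaded at from_base to a load base of to_base."""
    if addr < from_base:
        raise ValueError("address lies below the base it is relative to")
    return addr - from_base + to_base


def entry_point(data: bytes, load_base: int) -> int:
    """Runtime entry point: e_entry is an offset for PIE and an absolute address otherwise."""
    endian = "<" if data[5] == 1 else ">"
    (e_entry,) = struct.unpack_from(endian + "Q", data, 24)
    return load_base + e_entry if is_pie(data) else e_entry


if __name__ == "__main__":
    disasm_base = 0x100000      # assumed disassembler base for the PIE
    print("PIE:", is_pie(PIE_HEADER), "base_addr:", hex(choose_base_addr(PIE_HEADER, disasm_base)))
    # Without pinning, the same success block would live at a different address:
    print("0x102446 at base 0x400000 ->", hex(rebase(0x102446, disasm_base, 0x400000)))
    print("entry:", hex(entry_point(PIE_HEADER, disasm_base)))
```

Running this on real input means reading the first 64 bytes of the binary instead of the constructed headers; the decision logic is unchanged. If `choose_base_addr` returns a value, that value is what belongs in `main_opts={"base_addr": ...}`; if it returns `None`, the addresses from the disassembler are already absolute and no base needs pinning.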
BlackIce417 commented 1 year ago

Oh, thank you~~ Could you tell me how to learn angr? I read angr's docs recently, but I can't understand them totally. Is there any other efficient way to learn it? :)

ghostinthefingers commented 1 year ago

See the angr examples and try to solve problems using angr. I am a member of Shellphish.

BlackIce417 commented 1 year ago

> See the angr examples and try to solve problems using angr. I am a member of Shellphish.

Thank you.