Tags: rev angr 

```python
# Solution for swampctf 2018 journey
import angr

# The binary is UPX-packed; unpack it first with `upx -d journey`.
# Written for the Python 2 era angr API (xrange, surveyors.Explorer).
p = angr.Project('journey')

# the binary is statically linked. For better performance we hook the functions.
p.hook(134542912, angr.SIM_PROCEDURES['libc']['puts'])
p.hook(134541424, angr.SIM_PROCEDURES['libc']['scanf'])
p.hook(134592704, angr.SIM_PROCEDURES['libc']['strlen'])
p.hook(134592320, angr.SIM_PROCEDURES['libc']['strcmp'])
p.hook(134516768, angr.SIM_PROCEDURES['glibc']['__libc_start_main'])

state = p.factory.entry_state(add_options=angr.options.unicorn)

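# Read 17 symbolic bytes from stdin (fd 0) and constrain each one
# to printable ASCII so the solver only returns typeable input.
for _ in xrange(17):
    k = state.posix.files[0].read_from(1)
    state.solver.add(k >= ' ')
    state.solver.add(k <= '~')

# Rewind stdin so the program reads the constrained bytes from the start,
# and fix its length at 18: the 17 constrained bytes plus one more byte.
state.posix.files[0].seek(0)
state.posix.files[0].length = 18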

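# Explore until a path reaches the `find` address, pruning any path
# that hits the `avoid` address.
ex = p.surveyors.Explorer(
    start=state,
    find=(0x08048986, ),
    avoid=(0x080489B8, )
)
ex.run()

# Concretize stdin for each found path and keep the bytes before the first NUL.
for i in ex.found:
    a = i.posix.dumps(0).split('\0')[0]
    print("flag{%s}" % a)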

# flag{wkitfudrpxkgsvviq}
```

Original writeup (https://gist.github.com/felberj/141e54ac16f788f8b879bce94163b1d0).