Tags: symexec angr 

Rating: 5.0

Search in IDA for `mov eax, 0` and exclude from results those occuring in `main` function. (Let's save all this in a file named `step1`)

Then filter the information from `step1` to extract only addresses, For example, using this command:

`awk '{ print $1 }' step1 | cut -d':' -f2 > avoid_addr`

Then use angr script to find a solution.

import angr
import claripy

# angr uses 0x400000 as base address for PIE executables

START = 0x40071a # start of main
FIND = 0x40077f # Good job message basic block
AVOID = [0x400786] # Wrong messages bassic block
with open("avoid_addr", "r") as fin:
for l in fin:
# add other addresses to avoid, all those "mov eax, 0"
AVOID.append(0x400000 + int(l.strip(), 16))

BUF_LEN = 104

def char(state, c):
return state.solver.And(c <= '~', c >= ' ')

def main():
p = angr.Project("elementary")

flag = claripy.BVS('flag', BUF_LEN * 8)
state = p.factory.blank_state(addr=START, stdin=flag)

for c in flag.chop(8):
state.solver.add(char(state, c))

ex = p.factory.simulation_manager(state)
ex.use_technique(angr.exploration_techniques.Explorer(find=FIND, avoid=AVOID))


return ex.found[0].posix.dumps(0).decode("utf-8")

if __name__ == '__main__':
print("flag: {}".format(main()))

Profit: `flag: p4{I_really_hope_you_automated_this_somehow_otherwise_it_might_be_a_bit_frustrating_to_do_this_manually}`

Original writeup (https://gist.github.com/0xcpu/bad0b86f2a52b65ce4af06008d58a4c7).