Tags: symexec angr
Rating: 5.0
Search in IDA for `mov eax, 0` and exclude from results those occuring in `main` function. (Let's save all this in a file named `step1`)
Then filter the information from `step1` to extract only addresses, For example, using this command:
`awk '{ print $1 }' step1 | cut -d':' -f2 > avoid_addr`
Then use angr script to find a solution.
```python
import angr
import claripy
# angr uses 0x400000 as base address for PIE executables
START = 0x40071a # start of main
FIND = 0x40077f # Good job message basic block
AVOID = [0x400786] # Wrong messages bassic block
with open("avoid_addr", "r") as fin:
for l in fin:
# add other addresses to avoid, all those "mov eax, 0"
AVOID.append(0x400000 + int(l.strip(), 16))
BUF_LEN = 104
def char(state, c):
return state.solver.And(c <= '~', c >= ' ')
def main():
p = angr.Project("elementary")
flag = claripy.BVS('flag', BUF_LEN * 8)
state = p.factory.blank_state(addr=START, stdin=flag)
for c in flag.chop(8):
state.solver.add(char(state, c))
ex = p.factory.simulation_manager(state)
ex.use_technique(angr.exploration_techniques.Explorer(find=FIND, avoid=AVOID))
ex.run()
return ex.found[0].posix.dumps(0).decode("utf-8")
if __name__ == '__main__':
print("flag: {}".format(main()))
```
Profit: `flag: p4{I_really_hope_you_automated_this_somehow_otherwise_it_might_be_a_bit_frustrating_to_do_this_manually}`
