Tags: angr crackme
Rating: 3.0
```python
#!/usr/bin/env python2
# By BestPig
import angr
import claripy
FLAG_LENGHT = 39
p = angr.Project('./patched_crack_me',
load_options={'auto_load_libs': False}
)
flag_val = claripy.BVS('flag', FLAG_LENGHT * 8)
flag = flag_val.chop(8)
state = p.factory.entry_state(args=["easy_crack_me", flag_val])
# Constraint for check at 0x4007ee
for i, c in enumerate('TWCTF{'):
state.add_constraints(flag[i] == c)
state.add_constraints(flag[-1] == '}')
# Constraint for check at 0x400d90
state.add_constraints(flag[37] == '5')
state.add_constraints(flag[7] == 'f')
state.add_constraints(flag[11] == '8')
state.add_constraints(flag[12] == '7')
state.add_constraints(flag[23] == '2')
state.add_constraints(flag[31] == '4')
# Just a cheat, for use with claripy.If
# I just want to increase a counter, but
# claripy doesn't let me to put integer
# So just declare two value and force them to 1 and 0
# What I want -> cnt += claripy.If(flag[i] == ord(c), 1, 0)
t = claripy.BVS('t', 8)
state.add_constraints(t == 1)
f = claripy.BVS('f', 8)
state.add_constraints(f == 0)
# Check at 0x400891
# I nope this check on the binary
# At first, I nop them because I doesn't understood what
# the code was doing, and angr was to long to found something
# that match it, so I nope them and keep implements other
# It was not working, but now, I implements it, and it still
# to long with original binary, but the correct flag was found
# by angr with the nopped version
# I nop everything between 0x400891 and 0x400948
check_occurrence = [3,2,2,0,3,2,1,3,3,1,1,3,1,2,2,3]
for index, c in enumerate("0123456789abcdef"):
cnt = 0
for i in range(FLAG_LENGHT):
cnt += claripy.If(flag[i] == ord(c), t, f)
state.add_constraints(cnt == check_occurrence[index])
# Check at 0x400d09
vals = [
128, 128, 255, 128, 255, 255, 255, 255, 128, 255,
255, 128, 128, 255, 255, 128, 255, 255, 128, 255,
128, 128, 255, 255, 255, 255, 128, 255, 255, 255,
128, 255
]
for i, v in enumerate(vals):
if v == 128:
state.add_constraints(flag[i + 6] > 96)
state.add_constraints(flag[i + 6] <= 102)
else:
state.add_constraints(flag[i + 6] > 47)
state.add_constraints(flag[i + 6] <= 57)
sm = p.factory.simulation_manager(state)
good = 0x400E24
sm.explore(find=good, avoid=[
0x4007C6, 0x40080E,
0x400BDE, 0x400C2C,
0x400D17, 0x400D81]
)
s = sm.found[0]
solution = sm.found[0].solver.eval(flag_val, cast_to=bytes)
print("Flag: %s" % solution)
```
I don't understand lel
