Tags: angr crackme

Rating: 3.0

python
#!/usr/bin/env python2
# By BestPig

import angr
import claripy

FLAG_LENGHT = 39
p = angr.Project('./patched_crack_me',
)

flag_val = claripy.BVS('flag', FLAG_LENGHT * 8)
flag = flag_val.chop(8)

state = p.factory.entry_state(args=["easy_crack_me", flag_val])

# Constraint for check at 0x4007ee
for i, c in enumerate('TWCTF{'):

# Constraint for check at 0x400d90

# Just a cheat, for use with claripy.If
# I just want to increase a counter, but
# claripy doesn't let me to put integer
# So just declare two value and force them to 1 and 0
# What I want -> cnt += claripy.If(flag[i] == ord(c), 1, 0)

t = claripy.BVS('t', 8)

f = claripy.BVS('f', 8)

# Check at 0x400891
# I nope this check on the binary
# At first, I nop them because I doesn't understood what
# the code was doing, and angr was to long to found something
# that match it, so I nope them and keep implements other
# It was not working, but now, I implements it, and it still
# to long with original binary, but the correct flag was found
# by angr with the nopped version
# I nop everything between 0x400891 and 0x400948
check_occurrence = [3,2,2,0,3,2,1,3,3,1,1,3,1,2,2,3]
for index, c in enumerate("0123456789abcdef"):
cnt = 0
for i in range(FLAG_LENGHT):
cnt += claripy.If(flag[i] == ord(c), t, f)

# Check at 0x400d09
vals = [
128, 128, 255, 128, 255, 255, 255, 255, 128, 255,
255, 128, 128, 255, 255, 128, 255, 255, 128, 255,
128, 128, 255, 255, 255, 255, 128, 255, 255, 255,
128, 255
]

for i, v in enumerate(vals):
if v == 128:
state.add_constraints(flag[i + 6] > 96)
state.add_constraints(flag[i + 6] <= 102)
else:
state.add_constraints(flag[i + 6] > 47)
state.add_constraints(flag[i + 6] <= 57)

sm = p.factory.simulation_manager(state)
good = 0x400E24
sm.explore(find=good, avoid=[
0x4007C6, 0x40080E,
0x400BDE, 0x400C2C,
0x400D17, 0x400D81]
)

s = sm.found[0]
solution = sm.found[0].solver.eval(flag_val, cast_to=bytes)
print("Flag: %s" % solution)


friendlyfire331Sept. 5, 2019, 1:33 a.m.

I don't understand lel