Tags: angr rev 

Rating:

You are supplied a 64-bit ELF executable which takes an input from stdin and runs it through a number of nested check functions. The following angr/claripy script returns the correct input value to reach "Correct!" in ~5 minutes.
```
#!/usr/bin/env python3

import angr
import claripy
import time

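def solve(binary="./babymix", length=22, target=b"Correct!"):
    """Symbolically execute *binary* and recover the stdin line that prints *target*.

    Args:
        binary: Path of the ELF to load (default: ``./babymix`` in the current directory).
        length: Number of symbolic password bytes, not counting the trailing newline.
        target: Bytes expected on stdout when the input is accepted.

    Returns:
        The recovered password as a ``str`` (without the trailing newline), or
        ``None`` when no dead-ended state printed *target*.
    """
    proj = angr.Project(
        binary,
        main_opts={"base_addr": 0},  # map the binary at address 0
        auto_load_libs=False,        # do not load the shared libraries it links against
    )

    # One 8-bit symbolic variable per password byte; stdin is the password followed by "\n".
    password_bytes = [claripy.BVS("byte_%d" % i, 8) for i in range(length)]
    password_ast = claripy.Concat(*password_bytes)
    stdin_ast = claripy.Concat(password_ast, claripy.BVV(b"\n"))

    st = proj.factory.full_init_state(
        args=[binary],
        add_options=angr.options.unicorn,  # unicorn-backed concrete execution where possible
        stdin=stdin_ast,
    )

    # Restrict every byte to printable, non-space ASCII (0x21..0x7e) to shrink the search.
    for byte in password_bytes:
        st.solver.add(byte > 0x20)
        st.solver.add(byte < 0x7f)

    sm = proj.factory.simulation_manager(st)
    sm.run()

    for state in sm.deadended:
        if target not in state.posix.dumps(1):
            continue
        # Evaluate only the password bytes, so the newline never ends up in the result.
        password = state.solver.eval(password_ast, cast_to=bytes)
        result = password.decode("utf-8", "ignore")
        print(result)
        return result

    # Make the "no path found" outcome visible instead of silently returning None.
    print("No dead-ended state printed %r" % target)
    return None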
if __name__ == "__main__":
    # Time the whole solve and report the wall-clock duration in seconds.
    start = time.time()
    solve()
    elapsed = time.time() - start
    print(f"Time elapsed: {elapsed}")
```

Original writeup (https://gist.github.com/adambpa/faea41332ee9afc08ddbf6da131c75a3).