Tags: angr reversing 

Rating:

**Static analysis**
```
$ file rocca_pia
rocca_pia: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=0e2862fed0acfbbc7e8117b7e6206a11e508c737, for GNU/Linux 3.2.0, not stripped
```

The `strings` command hinted that the possible outputs are "Nice try" and "Nice flag".

After viewing the disassembly in Cutter, I noticed that the "success address" (the address that leads to a win) is 0x00001286 and the "failure address" (the address that leads to a loss) is 0x00001294.

Based on this information, I wrote a short angr script to find the flag:
```
import angr
import claripy

# Addresses taken from Cutter. The binary is a PIE ("shared object" above),
# so these are file-relative offsets; angr's loader (CLE) maps the main
# object at 0x400000 by default, so they do not coincide with the loaded
# addresses. The script still works because every terminated path lands in
# sm.deadended and the solver is asked for an input per path below.
success_addr = 0x00001286
failure_addr = 0x00001294

flag_length = 32 # estimated length

proj = angr.Project('rocca_pia')

# Fully symbolic argv[1]: flag_length bytes, 8 bits each
flag = claripy.BVS("flag", flag_length * 8)

state = proj.factory.full_init_state(
    args=['./rocca_pia', flag]
)

sm = proj.factory.simulation_manager(state)
sm.explore(find=success_addr, avoid=failure_addr)

# For each path that ran to completion, concretise the symbolic argv and
# show what the program printed on stdout
for end in sm.deadended:
    print(end.solver.eval(flag, cast_to=bytes), end.posix.dumps(1))
```

Output:
```
b'dvCTF{I_l1k3_sw1mm1ng}\x137\x137\x137\x137\x13\x00' b'Nice flag\n'
b'\x00\x00\x00\x00\x00\x00\x00\x17\x001\x003\x93\x00\x00\x01\x007\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' b'Nice try\n'
```

BOOM!
Flag: dvCTF{I_l1k3_sw1mm1ng}
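As an added example (my own code, not the writeup's script), here is a more robust version of the same search: it rebases Cutter's file-relative offsets onto the base angr's loader actually used, reads the winning state from `sm.found` instead of `sm.deadended`, constrains argv to printable bytes, and trims the unconstrained junk that an over-estimated `flag_length` leaves after the closing brace in the output above. It assumes angr and claripy are installed, that `rocca_pia` is in the working directory, and that the two offsets from Cutter are relative to a zero base; `rebase`, `extract_flag` and `solve` are helper names I chose.

```python
"""Added example: a hardened variant of the angr search from the writeup.

Assumptions (mine, not from the original): angr/claripy are installed,
'rocca_pia' sits in the current directory, and 0x1286 / 0x1294 are the
file-relative offsets of the "Nice flag" / "Nice try" paths seen in Cutter.
"""
from typing import Optional

SUCCESS_OFF = 0x1286   # offset of the "Nice flag" path (from the writeup)
FAILURE_OFF = 0x1294   # offset of the "Nice try" path (from the writeup)
FLAG_LEN = 32          # over-estimate, as in the original script


def rebase(mapped_base: int, offset: int) -> int:
    """Turn a file-relative offset (what Cutter shows for a PIE binary with no
    base configured) into the address angr's loader mapped it to."""
    return mapped_base + offset


def extract_flag(candidate: bytes, prefix: bytes = b"dvCTF{") -> Optional[str]:
    """Cut the real flag out of a solver result.

    An over-estimated FLAG_LEN leaves unconstrained bytes after the closing
    brace (the \\x13 / 7 / \\x00 tail in the writeup's output), so keep only
    prefix..'}' and reject candidates that do not contain a flag at all.
    """
    start = candidate.find(prefix)
    if start < 0:
        return None
    end = candidate.find(b"}", start + len(prefix))
    if end < 0:
        return None
    flag = candidate[start:end + 1]
    return flag.decode("ascii") if flag.isascii() else None


def solve(binary: str = "rocca_pia") -> Optional[str]:
    """Symbolic search with rebased find/avoid addresses; result from sm.found."""
    import angr      # imported here so the helpers above work without angr installed
    import claripy

    proj = angr.Project(binary, auto_load_libs=False)
    base = proj.loader.main_object.mapped_base   # 0x400000 by default for a PIE
    success_addr = rebase(base, SUCCESS_OFF)
    failure_addr = rebase(base, FAILURE_OFF)

    flag = claripy.BVS("flag", FLAG_LEN * 8)
    state = proj.factory.full_init_state(args=[binary, flag])

    # Each argv byte is either NUL (so the string may end early) or printable
    # ASCII, which keeps control characters out of the solver's answer.
    for i in range(FLAG_LEN):
        b = flag.get_byte(i)
        state.solver.add(claripy.Or(b == 0, claripy.And(b >= 0x20, b <= 0x7E)))

    sm = proj.factory.simulation_manager(state)
    sm.explore(find=success_addr, avoid=failure_addr)
    if not sm.found:
        return None
    found = sm.found[0]
    print(found.posix.dumps(1))   # expect b'Nice flag\n'
    return extract_flag(found.solver.eval(flag, cast_to=bytes))


if __name__ == "__main__":
    print(solve())
```

With the addresses rebased, the losing path is parked in `sm.avoid` and the winning one in `sm.found`, so the script no longer depends on both paths happening to deadend. `extract_flag` is what turns the first output line above into the clean `dvCTF{I_l1k3_sw1mm1ng}`.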