
# Collect the offset of every `mov DWORD PTR [rbp-0x4],0x0` instruction in main
# (presumably the failure branches, given how the angr script below uses them)
# and write them one per line into ./avoid, colon stripped.
objdump --disassemble=main -CM intel chall \
  | awk '/mov    DWORD PTR \[rbp-0x4\],0x0/ { sub(":", "", $1); print $1 }' > avoid
import angr
import claripy
import logging

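logging.getLogger('claripy').setLevel('CRITICAL')

# Base address angr maps the binary at; the objdump offsets in ./avoid are
# relative to it (PIE binaries are loaded at 0x400000 by default).
BASE = 0x400000
# Address of the basic block that is reached only with the correct input.
FIND = BASE + 0x2887
# Number of bytes in the symbolic argv[1] being solved for.
ARG_LEN = 42


def load_avoid_addresses(path, base=BASE):
    """Return the absolute addresses listed one per line in *path*.

    Each non-blank line is a hex offset as printed by objdump (e.g. ``2887``).
    Blank lines are skipped, so the file may or may not end with a newline
    and the last entry is never silently dropped.
    """
    with open(path, "r") as fh:
        lines = fh.read().splitlines()
    return [base + int(line, 16) for line in lines if line.strip()]


def build_initial_state(proj, argv):
    """Create the entry state with *argv* as argv[1], restricted to printable ASCII.

    Constraining every byte to 0x20..0x7e keeps the solver from producing
    non-printable candidates and mirrors the alphabet the flag is drawn from.
    """
    state = proj.factory.entry_state(
        args=["./chall", argv], add_options=angr.options.unicorn
    )
    for i in range(ARG_LEN):
        byte = argv.get_byte(i)
        state.add_constraints(byte >= '\x20', byte <= '\x7e')
    return state


def main():
    """Symbolically execute ./chall and print the input that reaches FIND."""
    proj = angr.Project("./chall")
    argv = claripy.BVS('argv', 8 * ARG_LEN)
    sm = proj.factory.simulation_manager(build_initial_state(proj, argv))
    # The avoid list is fully read before exploration, so the file is not
    # held open for the duration of the (possibly long) symbolic run.
    sm.explore(find=FIND, avoid=load_avoid_addresses("avoid"))
    if not sm.found:
        # Original indexed sm.found[0] directly and died with an IndexError
        # when no path reached the target; fail with a readable message instead.
        raise SystemExit("no path reached the target address; check FIND/avoid")
    flag = sm.found[0].solver.eval(argv, cast_to=bytes).decode()
    print(flag)


if __name__ == "__main__":
    main()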

flag: GLUG{C01nc1d3nc3_c4n_b3_fr3aky_T6LSERDYB6}