Tags: angr re 

Rating:

## Question

Fred is trying to learn how to deal with dragons. Can you help him out?

[dragonpit](https://github.com/tj-oconnor/ctf-writeups/blob/main/umdctf/dragonplt/dragonPit)

## Solution

We are given a binary that has been compiled to run only with GLIBC version 2.34

```
./dragonPit
./dragonPit: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./dragonPit)
```

Rather than patch it, I chose to solve this one symbolically. We see it takes input from stdin and then compares that input at ```0x1312```. When the user inputs incorrect input, the binary input jumps to ```0x13a4```.

```
00001312 e8b9fdffff call strcmp
00001317 85c0 test eax, eax
00001319 0f8585000000 jne 0x13a4
```

On correct input, the program prints out the flag using a format string. We see below that ```RSI``` will hold the parameter containing the flag.

```
....
00001384 488d45c0 lea rax, [rbp-0x40 {var_48}]
00001388 4889c6 mov rsi, rax {var_48}
0000138b 488d05a20c0000 lea rax, [rel data_2034] {"%.20s\n"}
00001392 4889c7 mov rdi, rax {data_2034, "%.20s\n"}
00001395 b800000000 mov eax, 0x0
0000139a e811fdffff call printf
0000139f e9ce000000 jmp 0x1472
```

We then wrote a simple script to use angr to symbolically solve for the correct input, stopping at the ```printf``` call at ```0x139a```. We will then print the character array pointed to by the RSI register.

```python
from pwn import *
import angr
import logging

logging.getLogger('angr').setLevel(logging.CRITICAL)
logging.getLogger('pwnlib').setLevel(logging.CRITICAL)

e = context.binary = ELF("./dragonpit")

MAIN = e.sym['main']
BAD = 0x13a4
GOOD = 0x139a

p = angr.Project(e.file.name,load_options={'main_opts': {'base_addr': 0}})
s = p.factory.blank_state(addr=MAIN, add_options={angr.sim_options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS})

sim = p.factory.simgr(s)
sim.explore(find=GOOD, avoid=BAD)

flag = b''
for i in range(0,20):
flag += b''+sim.found[0].mem[sim.found[0].regs.rsi+i].char.concrete

print('\n[+] Flag: %s' %flag)
```

Running the program yields our flag.

```
python3 re-dragonpit.py

[+] Flag: b'UMDCTF{BluSt0l3dr4g}'
```

Original writeup (https://github.com/tj-oconnor/ctf-writeups/tree/main/umdctf/dragonplt).