basic crackme
バイナリよりFLAGの長さは 40 = 0x24
code:solve.rb
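import angr
import claripy
import binascii

# Flag buffer length recovered from the binary.
length = 40  # according to binary

p = angr.Project("./crackme")

# One symbolic byte per flag character; chop(8) yields the bytes from the
# most significant end, i.e. in flag order.
flag = claripy.BVS("flag", length * 8)

# NOTE(review): the original listing never defines `state`; this assumes the
# binary reads the flag from stdin — confirm against the binary (if the flag
# is passed as argv[1], use p.factory.entry_state(args=["./crackme", flag])).
state = p.factory.entry_state(stdin=flag)

for i, x in enumerate(flag.chop(8)):
    if i == length - 2:
        # Byte at index length-2 is the closing brace of the flag format.
        state.add_constraints(x == b'}')
        continue
    if i < 9:
        # Known prefix "KosenCTF{"; indexing a bytes literal gives an int,
        # which claripy compares against the 8-bit symbolic byte.
        state.add_constraints(x == b'KosenCTF{'[i])
    else:
        # Remaining bytes are restricted to a printable alphabet: letters,
        # digits and the listed punctuation characters.
        flag_format = claripy.Or(
            claripy.And(x >= b'A', x <= b'Z'),
            claripy.And(x >= b'a', x <= b'z'),
            claripy.And(x >= b'0', x <= b'9'),
            x == b'_',
            x == b'-',
            x == b'#',
            x == b'!',
            x == b'?',
        )
        state.add_constraints(flag_format)

simgr = p.factory.simulation_manager(state)
# find/avoid are the addresses of the success and failure blocks in the
# binary. Output-based equivalent:
# simgr.explore(find=lambda s: b"This is the your flag :)" in s.posix.dumps(1),
#               avoid=lambda s: b"Try harder!" in s.posix.dumps(1))
simgr.explore(find=0x4013b7, avoid=0x4013c5)

# The original referenced an undefined `simstate`; the state that reached the
# find address is kept in simgr.found. Check explicitly instead of relying on
# a broad except to report the failure.
if simgr.found:
    simstate = simgr.found[0]
    print(simstate.posix.dumps(1))
    print(simstate.solver.eval(flag, cast_to=bytes))
else:
    print("no state reached the find address")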
KosenCTF{w3lc0m3_t0_y0-k0-s0_r3v3rs1ng}