magic function
バイナリを読むとFLAGの長さは 0x18
code:exploit.py
import angr
import claripy
import binascii
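# Values taken from the binary (see the writeup text above).
length = 0x18           # flag length, according to the binary
prefix = b'KosenCTF{'   # known flag prefix; the last byte is '}'
find_addr = 0x40086a    # block reached on the "correct flag" path
avoid_addr = 0x400884   # block reached on the "wrong flag" path

p = angr.Project("./chall")

# One symbolic 8-bit variable per flag byte.
flag = claripy.BVS("flag", length * 8)

# NOTE(review): the original listing never created `state`, so it could not
# run as printed. This assumes the binary reads the flag from stdin; if it
# takes it from argv, use p.factory.entry_state(args=["./chall", flag])
# instead — confirm against the binary.
state = p.factory.entry_state(stdin=flag)

for i, x in enumerate(flag.chop(8)):
    if i < len(prefix):
        # Pin the known prefix byte-for-byte (the original fused this into
        # `b'KosenCTF{'i`; indexing the bytes literal is what was meant).
        state.add_constraints(x == prefix[i])
    elif i == length - 1:
        state.add_constraints(x == b'}')
    else:
        # Flag body: restrict each byte to a printable alphabet so the solver
        # does not wander into unprintable or high-bit values. The claripy
        # comparisons are signed, which still works here: bytes >= 0x80 read
        # as negative and fail the lower bound.
        flag_format = claripy.Or(
            claripy.And(x >= b'A', x <= b'Z'),
            claripy.And(x >= b'a', x <= b'z'),
            claripy.And(x >= b'0', x <= b'9'),
            x == b'_',
            x == b'-',
            x == b'#',
            x == b'!',
            x == b'?',
        )
        state.add_constraints(flag_format)

simgr = p.factory.simulation_manager(state)
simgr.explore(find=find_addr, avoid=avoid_addr)

# Check the result explicitly instead of catching the IndexError from
# `found[0]` in a blanket except; a missing path is a real failure (wrong
# find/avoid addresses, wrong input channel, or over-tight constraints).
if not simgr.found:
    raise SystemExit("no state reached find_addr; check find/avoid and how the flag is fed in")

found = simgr.found[0]
print(found.posix.dumps(1))                      # program output on the winning path
print(found.solver.eval(flag, cast_to=bytes))    # a concrete flag satisfying all constraints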