Simple crackme style binary solved with a simple angr script.
Challenge Description
Points: 100
Description: Give me your magic !
Solvers: 2 Teams solved
Solution
The binary is a simple crackme challenge that prompts for the flag input.
$ ./6ca404a82514da5ef82fd6213e4f5e63_rev1
Give me your magic:ABCDEF
Try your best :)
If we decompile the main function, we can see that the user input is passed through a few checks.
int main() {
    memset(&var_30, 0x0, 0x28);
    setvbuf(*stdout@@GLIBC_2.2.5, 0x0, 0x2, 0x0);
    setvbuf(*stdin@@GLIBC_2.2.5, 0x0, 0x2, 0x0);
    printf("Give me your magic:");
    read(0x0, &var_30, 0x20);
    if (((check1(&var_30) != 0x0) && (check2(&var_30 + 0x8) != 0x0)) &&
        (check3(&var_30 + 0x10) != 0x0)) {
        if (check4(&var_30 + 0x18) != 0x0) {
            rax = printf("Here is your flag : FLAG{%s}\n", &var_30);
        }
        else {
            rax = puts("Try your best :)");
        }
    }
    else {
        rax = puts("Try your best :)");
    }
    return rax;
}
The program looks really simple, so we can try writing an angr script to solve it: hook the instruction that sets up the success printf and dump whatever stdin had to contain for execution to reach it.
import angr

p = angr.Project("./6ca404a82514da5ef82fd6213e4f5e63_rev1")

# Hook the instruction that loads the "Here is your flag" format string: any
# state that reaches it has passed check1..check4, so its stdin is a valid input.
@p.hook(0x40088d)
def printf_flag(state):
    # fd 0 is stdin; angr concretizes whatever bytes satisfy the path constraints
    print("FLAG{%s}" % state.posix.dump_fd(0))
    p.terminate_execution()

p.execute()
The address 0x40088d corresponds to the following disassembly.
0040088d mov edi, 0x40099b {"Here is your flag : FLAG{%s}\n"}
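As an added example (not the write-up's script), here is the same solve written against the current angr API, which replaced the Project.execute / terminate_execution hooks used above with a simulation manager: it explores until a state reaches the printf address quoted above and prunes any state that has already written the failure message. format_flag reproduces the C printf("%s") truncation at the first NUL, so stray bytes angr picks for input positions the checks never constrain do not end up in the flag. It assumes angr is installed and the binary sits in the working directory; the avoid predicate on stdout is my choice, since the write-up does not give the address of the failure puts.

```python
import sys

BINARY = "./6ca404a82514da5ef82fd6213e4f5e63_rev1"  # binary name from the write-up
FLAG_PRINTF = 0x40088d  # mov edi, "Here is your flag : FLAG{%s}\n" (from the write-up)
INPUT_LEN = 0x20        # main() does read(0, &var_30, 0x20)


def format_flag(stdin_dump: bytes) -> str:
    """Mirror printf("Here is your flag : FLAG{%s}\n", buf): %s stops at the first NUL.

    main() memsets 0x28 bytes and reads at most 0x20, so the buffer is always
    NUL-terminated in the real program; we apply the same cut to angr's stdin dump.
    """
    body = stdin_dump.split(b"\x00", 1)[0]
    return "FLAG{%s}" % body.decode("latin-1")


def solve(binary=BINARY, find_addr=FLAG_PRINTF):
    """Return the flag string, or None if no path reaches the success printf."""
    import angr  # imported here so format_flag stays usable without angr installed

    proj = angr.Project(binary, auto_load_libs=False)
    state = proj.factory.entry_state()
    simgr = proj.factory.simulation_manager(state)
    # Look for a state at the success printf; drop states that already printed
    # the failure message, so the search does not waste time on dead branches.
    simgr.explore(
        find=find_addr,
        avoid=lambda s: b"Try your best" in s.posix.dumps(1),
    )
    if not simgr.found:
        return None
    found = simgr.found[0]
    # fd 0 is stdin; dumps() concretizes the bytes that satisfy the path constraints
    return format_flag(found.posix.dumps(0)[:INPUT_LEN])


if __name__ == "__main__":
    flag = solve(*sys.argv[1:2])  # optional argv[1]: path to the binary
    print(flag if flag else "no path to the flag printf was found")
```

Run it as `python solve.py` (or `python solve.py /path/to/binary`) from the directory holding the challenge file.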
Running the script yields our flag instantly.
$ sudo docker run -v /vagrant/scc/rev1/:/rev1 -it angr/angr
(angr) angr@95b147957010:~$ cd /rev1/
(angr) angr@95b147957010:/rev1$ ls
6ca404a82514da5ef82fd6213e4f5e63_rev1
peda-session-6ca404a82514da5ef82fd6213e4f5e63_rev1.txt solve solver.py
(angr) angr@95b147957010:/rev1$ python solver.py
FLAG{s3cur1ty_w0uld_r3v3rs3_y0ur_l1f3}
(angr) angr@95b147957010:/rev1$
Flag: FLAG{s3cur1ty_w0uld_r3v3rs3_y0ur_l1f3}