Simple crackme style binary solved with a simple angr script.

Challenge Description




Give me your magic !


2 Teams solved


The binary is a simple crackme challenge that prompts for the flag input.

$ ./6ca404a82514da5ef82fd6213e4f5e63_rev1
Give me your magic:ABCDEF
Try your best :)

If we decompile the main function, we can see that the user input is passed through a few checks.

int main() {
    memset(&var_30, 0x0, 0x28);
    setvbuf(*stdout@@GLIBC_2.2.5, 0x0, 0x2, 0x0);
    setvbuf(*stdin@@GLIBC_2.2.5, 0x0, 0x2, 0x0);
    printf("Give me your magic:");
    read(0x0, &var_30, 0x20);
    if (((check1(&var_30) != 0x0) && (check2(&var_30 + 0x8) != 0x0)) &&
         (check3(&var_30 + 0x10) != 0x0)) {
            if (check4(&var_30 + 0x18) != 0x0) {
                    rax = printf("Here is your flag : FLAG{%s}\n", &var_30);
            else {
                    rax = puts("Try your best :)");
    else {
            rax = puts("Try your best :)");
    return rax;

Since the program looks like it’s really simple. We can try writing an angr script to solve it.

import angr

p = angr.Project("./6ca404a82514da5ef82fd6213e4f5e63_rev1")

def printf_flag(state):
    print "FLAG{%s}" % state.posix.dump_fd(0)


The address 0x40088d corresponds to the following disassembly.

0040088d  mov     edi, 0x40099b  {"Here is your flag : FLAG{%s}\n"}

Running the script yields our flag instantly.

$ sudo docker run -v /vagrant/scc/rev1/:/rev1 -it angr/angr
(angr) angr@95b147957010:~$ cd /rev1/
(angr) angr@95b147957010:/rev1$ ls
peda-session-6ca404a82514da5ef82fd6213e4f5e63_rev1.txt  solve
(angr) angr@95b147957010:/rev1$ python
(angr) angr@95b147957010:/rev1$

Flag: FLAG{s3cur1ty_w0uld_r3v3rs3_y0ur_l1f3}

Leave a Comment