The price of mask goes down. So does the point (it's easy)!
華麗に脳死angrキメました
#!python
import angr
import claripy
### Settings section
# set input type 'arg' or 'stdin'
input_type = 'arg'
# set text showing at getting the flag
suc_txt = 'Correct! Submit your FLAG.'
# flag's length
flag_len = 29
# win address in exec
find_addr = 0x1012d6
# lose addresses in exec
avoid_addr = [0x1011b0, 0x1012e4, 0x1012fd]
# replace to exec's name
p = angr.Project('./mask')
### End of settings section
flag = claripy.BVS('flag', flag_len * 8)
argv = [p.filename]
argv.append(flag)
if input_type == 'arg':
state = p.factory.entry_state(args=argv)
else:
state = p.factory.entry_state(stdin=flag)
# bind charcters only printables
for b in flag.chop(8):
state.add_constraints(b >= 0x21)
state.add_constraints(b < 0x7f)
simgr = p.factory.simulation_manager(state)
# explore
simgr.explore(find=(find_addr), avoid=(avoid_addr))
# simgr.explore(find=lambda s: suc_txt.encode() in s.posix.dumps(1))
# check
if len(simgr.found) >= 1:
if input_type == 'arg':
print(simgr.found[0].solver.eval(argv[1], cast_to=bytes))
else:
print(simgr.found[0].posix.dumps(0))
else:
for i in simgr.deadended:
if i.posix.dumps(1).find(suc_txt.encode()) != -1:
if input_type == 'arg':
print(i.solver.eval(argv[1], cast_to=bytes))
else:
print(i.posix.dumps(0))
exit()
print("Not found")ctf4b{dont_reverse_face_mask}