[SECCON Beginners CTF 2020] yakisoba

Would you like to have a yakisoba code?

(Hint: You'd better automate your analysis)

解説

華麗に脳死angrキメました

#!python

import angr
import claripy

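### Settings section

# how the target takes its input: 'arg' (argv[1]) or 'stdin'
input_type = 'stdin'
# text the target prints once the input is accepted
suc_txt = 'Correct'
# size in bytes of the symbolic argv[1]; only used when input_type == 'arg'
# (constructed default, not taken from the challenge -- size it to the input)
arg_len = 32
# address reached on success
find_addr = 0x1006d9
# addresses reached on failure
# The first entry was the decimal literal 100700 (= 0x1895c); every other
# address here is hex in the 0x1006xx-0x1007xx range, so 0x100700 is assumed.
# Confirm against the disassembly.
avoid_addr = [0x100700, 0x100707]
# NOTE(review): these look like addresses read from a disassembler that used a
# 0x100000 image base. If ./yakisoba is position-independent, angr's loader
# chooses its own base, so verify the values against p.loader.main_object;
# when they do not match, explore() never reaches find_addr and only the
# deadended fallback below can produce the answer.
# path of the binary to analyse
binary_path = './yakisoba'
p = angr.Project(binary_path)

if input_type == 'arg':
    # 'arg' mode evaluates argv[1], which was never defined (NameError).
    # Make argv[1] a symbolic bitvector and start from a state that carries it.
    argv = [binary_path, claripy.BVS('argv1', 8 * arg_len)]
    simgr = p.factory.simulation_manager(p.factory.entry_state(args=argv))
else:
    simgr = p.factory.simulation_manager()


def recover_input(state):
    """Return the concrete input (bytes) that drives *state* down its path.

    In 'arg' mode this asks the solver for a value of the symbolic argv[1];
    otherwise it dumps everything the state consumed from stdin (fd 0).
    """
    if input_type == 'arg':
        return state.solver.eval(argv[1], cast_to=bytes)
    return state.posix.dumps(0)


# explore
simgr.explore(find=find_addr, avoid=avoid_addr)
# alternative when no address is known: stop on the success text in stdout
# simgr.explore(find=lambda s: suc_txt.encode() in s.posix.dumps(1))

# check
if simgr.found:
    print(recover_input(simgr.found[0]))
else:
    # No state reached find_addr: fall back to finished states whose stdout
    # (fd 1) contains the success text.
    for state in simgr.deadended:
        if suc_txt.encode() in state.posix.dumps(1):
            print(recover_input(state))
            break
    else:
        print("Not found")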

ctf4b{sp4gh3tt1_r1pp3r1n0}