[SECCON Beginners CTF 2020] mask

The price of mask goes down. So does the point (it's easy)!

解説

華麗に脳死angrキメました

#!python

import angr
import claripy

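### Settings section

# How the candidate flag reaches the target: 'arg' (argv[1]) or 'stdin'.
input_type = 'arg'
# Text the target writes to stdout when the input is accepted.
suc_txt = 'Correct! Submit your FLAG.'
# Flag length in bytes.
flag_len = 29
# Address of the success branch, passed to explore(find=...).
# NOTE(review): these values look like disassembler addresses with an image
# base of 0x100000. If the target is position-independent, angr's loader may
# map it at a different base (0x400000 by default, as far as I know), in which
# case neither find nor avoid ever matches and the stdout fallback at the
# bottom is what recovers the flag. Confirm against
# p.loader.main_object.mapped_base.
find_addr = 0x1012d6
# Addresses of the failure branches, passed to explore(avoid=...).
avoid_addr = [0x1011b0, 0x1012e4, 0x1012fd]
# Path of the binary to analyse.
p = angr.Project('./mask')

### End of settings section

# One symbolic bitvector covering the whole flag (8 bits per byte).
flag = claripy.BVS('flag', flag_len * 8)
argv = [p.filename, flag]

if input_type == 'arg':
    state = p.factory.entry_state(args=argv)
else:
    state = p.factory.entry_state(stdin=flag)

# Restrict every flag byte to 0x21..0x7e (printable ASCII without the space)
# so the solver does not return arbitrary binary input.
for b in flag.chop(8):
    state.add_constraints(b >= 0x21, b < 0x7f)

simgr = p.factory.simulation_manager(state)

# Explore until a state reaches find_addr; states hitting avoid_addr are set aside.
simgr.explore(find=find_addr, avoid=avoid_addr)
# Address-free alternative: stop on the first state whose stdout contains suc_txt.
# simgr.explore(find=lambda s: suc_txt.encode() in s.posix.dumps(1))


def _print_solution(solved):
    """Print the concrete input that drives the program to state *solved*."""
    if input_type == 'arg':
        # Ask the solver for one concrete value of the symbolic argv[1].
        print(solved.solver.eval(flag, cast_to=bytes))
    else:
        # File descriptor 0: the bytes the state consumed from stdin.
        print(solved.posix.dumps(0))


if simgr.found:
    _print_solution(simgr.found[0])
else:
    # No state reached find_addr: fall back to scanning the states that ran to
    # completion for one that printed the success text on stdout (fd 1).
    for st in simgr.deadended:
        if suc_txt.encode() in st.posix.dumps(1):
            _print_solution(st)
            break
    else:
        print("Not found")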

ctf4b{dont_reverse_face_mask}