読みづらいからって怒らないでください😢
be_angryという問題名から多分angrだろと思いました
angrでした(フラグを0x27バイトのシンボリックな標準入力として与え、各バイトを印字可能文字に制約したうえで、標準出力に「Correct!!」が出る状態を探索させています)
おわり
#!python
import angr
import claripy
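### Settings section
# How the target receives the flag: 'arg' (argv[1]) or 'stdin'.
# Any value other than 'arg' is treated as 'stdin'.
input_type = 'stdin'
# Text the target writes to stdout once the input is accepted.
suc_txt = 'Correct!!'
# Address of the success branch; only used when FIND_SUC_TXT is not set.
# NOTE(review): these values look like disassembler addresses with image
# base 0x100000. angr's loader picks its own base for position-independent
# binaries, so confirm they match the mapping angr actually uses (or pass
# main_opts={'base_addr': ...} to angr.Project) before relying on them.
find_addr = 0x1009f9
# Addresses of the failure branches (same caveat as find_addr).
avoid_addr = [0x1009b9, 0x10089a, 0x1009de, 0x100a03]
# Path of the binary to analyse.
p = angr.Project('./chall')
# Mode bit flags; combine with |.
#   KNOWN_LENGTH : feed a symbolic flag of flag_len bytes
#   FIND_SUC_TXT : stop on suc_txt in stdout instead of on find_addr
KNOWN_LENGTH = 1
FIND_SUC_TXT = 2
mode = KNOWN_LENGTH | FIND_SUC_TXT
# Flag length in bytes (only meaningful with KNOWN_LENGTH).
flag_len = 0x27
### End of settings section

# A symbolic argv[1] needs a fixed size, so 'arg' input cannot work without
# KNOWN_LENGTH. Fail here instead of crashing on an undefined argv[1] after
# the (potentially very long) exploration has finished.
if input_type == 'arg' and not (mode & KNOWN_LENGTH):
    raise SystemExit("input_type 'arg' requires KNOWN_LENGTH in mode")

argv = [p.filename]
flag = None
if mode & KNOWN_LENGTH:
    # One symbolic bitvector holding the whole flag, 8 bits per character.
    flag = claripy.BVS('flag', flag_len * 8)
    argv.append(flag)
    if input_type == 'arg':
        state = p.factory.entry_state(args=argv)
    else:
        state = p.factory.entry_state(stdin=flag)
    # Restrict every byte to 0x21..0x7e (printable ASCII without space) so
    # the solver does not waste time on inputs that cannot be a flag.
    for b in flag.chop(8):
        state.add_constraints(b >= 0x21)
        state.add_constraints(b < 0x7f)
else:
    state = p.factory.entry_state()
simgr = p.factory.simulation_manager(state)

# Encode the success marker once; it is compared against raw stdout bytes.
suc_bytes = suc_txt.encode()


def _recover_input(found_state):
    """Return the concrete input (bytes) that drives execution to found_state."""
    if input_type == 'arg':
        return found_state.solver.eval(argv[1], cast_to=bytes)
    # File descriptor 0 is the target's stdin.
    return found_state.posix.dumps(0)


# explore
if mode & FIND_SUC_TXT:
    # File descriptor 1 is the target's stdout.
    simgr.explore(find=lambda s: suc_bytes in s.posix.dumps(1))
else:
    simgr.explore(find=find_addr, avoid=avoid_addr)

# check
if simgr.found:
    print(_recover_input(simgr.found[0]))
else:
    # Nothing landed in the found stash: fall back to terminated states
    # whose stdout contains the success text.
    for ended in simgr.deadended:
        if suc_bytes in ended.posix.dumps(1):
            print(_recover_input(ended))
            break
    else:
        print("Not found")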
ctf4b{3nc0d3_4r1thm3t1c}