ctfhacker
diff --git a/‎flareon-2018/level6/README.md
+3 b/‎flareon-2018/level6/README.md
+3
diff --git a/‎flareon-2018/level6/magic000
95.6 KB b/‎flareon-2018/level6/magic000
95.6 KB
diff --git a/‎flareon-2018/level6/magic001
95.6 KB b/‎flareon-2018/level6/magic001
95.6 KB
diff --git a/‎flareon-2018/level6/magic002
95.6 KB b/‎flareon-2018/level6/magic002
95.6 KB
diff --git a/‎flareon-2018/level6/magic003
95.6 KB b/‎flareon-2018/level6/magic003
95.6 KB
diff --git a/‎flareon-2018/level6/magic004
95.6 KB b/‎flareon-2018/level6/magic004
95.6 KB
diff --git a/‎flareon-2018/level6/magic005
95.6 KB b/‎flareon-2018/level6/magic005
95.6 KB
diff --git a/‎flareon-2018/level6/magic006
95.6 KB b/‎flareon-2018/level6/magic006
95.6 KB
diff --git a/‎flareon-2018/level6/magic007
95.6 KB b/‎flareon-2018/level6/magic007
95.6 KB
diff --git a/‎flareon-2018/level6/magic008
95.6 KB b/‎flareon-2018/level6/magic008
95.6 KB
diff --git a/‎flareon-2018/level6/magic009
95.6 KB b/‎flareon-2018/level6/magic009
95.6 KB
diff --git a/‎flareon-2018/level6/reconstruct.py
+39 b/‎flareon-2018/level6/reconstruct.py
+39
diff --git a/‎flareon-2018/level6/small_win.py
+56 b/‎flareon-2018/level6/small_win.py
+56
diff --git a/‎flareon-2018/level6/small_win2.py
+55 b/‎flareon-2018/level6/small_win2.py
+55
diff --git a/‎flareon-2018/level6/small_win3.py
+60 b/‎flareon-2018/level6/small_win3.py
+60
diff --git a/‎flareon-2018/level6/small_win4.py
+78 b/‎flareon-2018/level6/small_win4.py
+78
diff --git a/‎flareon-2018/level6/small_win5.py
+78 b/‎flareon-2018/level6/small_win5.py
+78
@@ -0,0 +1,3 @@
+## Writeup
+
+[Full Writeup](http://ctfhacker.com/reverse/2018/09/16/flareon-2018-level6-angr.html)
@@ -0,0 +1,39 @@
+from binaryninja import *
+from collections import namedtuple
+import sys
+
+Struct = namedtuple('Struct', ['function_addr', 'offset', 'length'])
+
+def decrypt(filename):
+    bv = BinaryViewType.get_view_of_file(filename)
+    print(bv)
+    # bv.add_analysis_option("linearsweep")
+    # bv.update_analysis_and_wait()
+
+    code_addr = 0x605100
+    len_addr = 0x605108
+    key_addr = 0x605118
+
+    data = []
+
+    for x in range(33):
+        curr_len = struct.unpack('<I', bv.read(len_addr, 4))[0]
+        curr_code = struct.unpack('<I', bv.read(code_addr, 4))[0]
+        curr_key = struct.unpack('<I', bv.read(key_addr, 4))[0]
+
+        # print(hex(curr_code))
+        # print(hex(code_addr))
+        curr_struct = [x for x in struct.unpack('<QIII', bv.read(code_addr, 4 * 5))]
+        data.append(Struct(curr_struct[0], curr_struct[2], curr_struct[3]))
+
+        for i, (code, key) in enumerate(zip(bv.read(curr_code, curr_len), bv.read(curr_key, curr_len))):
+            curr_char = chr(ord(code) ^ ord(key))
+            bv.write(curr_code + i, curr_char)
+
+        code_addr += 288
+        len_addr += 288
+        key_addr += 288
+
+    bv.save('./magic_patched')
+
+    return data
@@ -0,0 +1,56 @@
+import angr
+import claripy
+from reconstruct import decrypt
+
+result = '?' * 0x45
+global_addr = 0x605100
+n = 0
+
+new_filename = './magic'
+data = decrypt(new_filename)
+
+proj = angr.Project('./magic_patched', load_options={"auto_load_libs": False})
+
+state = proj.factory.blank_state(addr=data[n].function_addr, add_options={angr.options.LAZY_SOLVES})
+
+input_addr = 0x10000 * n
+key_len = data[n].length
+
+input = claripy.BVS("input", 8*(key_len))
+for i in xrange(key_len):
+    state.add_constraints(input.get_byte(i) != 0)
+
+state.memory.store(input_addr, input)
+
+key_addr = (0x605120 + n*0x120)
+state.regs.rdi = claripy.BVV(input_addr, 8*8)
+state.regs.rsi = claripy.BVV(key_len,    8*8)
+state.regs.rdx = claripy.BVV(key_addr,   8*8)
+print("Start {} - rdi: {} rsi: {} rdx: {}".format(state.regs.rip, state.regs.rdi, state.regs.rsi, state.regs.rdx))
+state.stack_push(0xdeadbeef)
+
+simgr = proj.factory.simulation_manager(state)
+
+def find_func(state):
+    if state.regs.rip.args[0] == 0xdeadbeef:
+        if state.regs.rax.args[0] == 1:
+            global result
+            ans = state.solver.eval(input, cast_to=str)
+            print(ans)
+            print(n, repr(ans))
+            offset = data[n].offset
+            ans_len = data[n].length
+            result = result[:offset] + ans + result[offset+ans_len:]
+            print(n, result)
+            with open('status', 'a') as f:
+                f.write('{} {}\n'.format(n, result))
+            return True
+
+def avoid_func(state):
+    if state.regs.rip.args[0] == 0xdeadbeef and state.regs.rax.args[0] == 0:
+        return True
+
+simgr.explore(find=find_func, avoid=avoid_func)
+print(simgr)
+
+print('RESULT', result)
@@ -0,0 +1,55 @@
+import angr
+import claripy
+from reconstruct import decrypt
+
+result = '?' * 0x45
+global_addr = 0x605100
+
+new_filename = './magic'
+data = decrypt(new_filename)
+for n in xrange(33):
+    proj = angr.Project('./magic_patched', load_options={"auto_load_libs": False})
+
+    state = proj.factory.blank_state(addr=data[n].function_addr, add_options={angr.options.LAZY_SOLVES})
+
+    input_addr = 0x10000 * n
+    key_len = data[n].length
+
+    input = claripy.BVS("input", 8*(key_len))
+    for i in xrange(key_len):
+        state.add_constraints(input.get_byte(i) != 0)
+
+    state.memory.store(input_addr, input)
+
+    key_addr = (0x605120 + n*0x120)
+    state.regs.rdi = claripy.BVV(input_addr, 8*8)
+    state.regs.rsi = claripy.BVV(key_len,    8*8)
+    state.regs.rdx = claripy.BVV(key_addr,   8*8)
+    print("Start {} - rdi: {} rsi: {} rdx: {}".format(state.regs.rip, state.regs.rdi, state.regs.rsi, state.regs.rdx))
+    state.stack_push(0xdeadbeef)
+
+    simgr = proj.factory.simulation_manager(state)
+
+    def find_func(state):
+        if state.regs.rip.args[0] == 0xdeadbeef:
+            if state.regs.rax.args[0] == 1:
+                global result
+                ans = state.solver.eval(input, cast_to=str)
+                # print(ans)
+                # print(n, repr(ans))
+                offset = data[n].offset
+                ans_len = data[n].length
+                result = result[:offset] + ans + result[offset+ans_len:]
+                print(n, result)
+                with open('status', 'a') as f:
+                    f.write('{} {}\n'.format(n, result))
+                return True
+
+    def avoid_func(state):
+        if state.regs.rip.args[0] == 0xdeadbeef and state.regs.rax.args[0] == 0:
+            return True
+
+    simgr.explore(find=find_func, avoid=avoid_func)
+    # print(simgr)
+
+    print('RESULT', result)
@@ -0,0 +1,60 @@
+import angr
+import claripy
+from reconstruct import decrypt
+
+result = '?' * 0x45
+global_addr = 0x605100
+
+new_filename = './magic'
+data = decrypt(new_filename)
+for n in xrange(33):
+    n  = 21
+    proj = angr.Project('./magic_patched', load_options={"auto_load_libs": False})
+
+    state = proj.factory.blank_state(addr=data[n].function_addr, add_options={angr.options.LAZY_SOLVES})
+
+    input_addr = 0x10000 * n
+    key_len = data[n].length
+
+    input = claripy.BVS("input", 8*(key_len))
+    for i in xrange(key_len):
+        state.add_constraints(input.get_byte(i) != 0)
+
+    state.memory.store(input_addr, input)
+
+    key_addr = (0x605120 + n*0x120)
+    state.regs.rdi = claripy.BVV(input_addr, 8*8)
+    state.regs.rsi = claripy.BVV(key_len,    8*8)
+    state.regs.rdx = claripy.BVV(key_addr,   8*8)
+    print("Start {} - rdi: {} rsi: {} rdx: {}".format(state.regs.rip, state.regs.rdi, state.regs.rsi, state.regs.rdx))
+    state.stack_push(0xdeadbeef)
+
+    simgr = proj.factory.simulation_manager(state)
+
+    def find_func(state):
+        if state.regs.rip.args[0] == 0xdeadbeef:
+            if state.regs.rax.args[0] == 1:
+                global result
+                try:
+                    ans = state.solver.eval(input, cast_to=str)
+                    # print(ans)
+                    # print(n, repr(ans))
+                    offset = data[n].offset
+                    ans_len = data[n].length
+                    result = result[:offset] + ans + result[offset+ans_len:]
+                    # print(n, result)
+                    with open('status', 'a') as f:
+                        f.write('{} {}\n'.format(n, result))
+                    return True
+                except:
+                    print('ERROR: n={}'.format(n))
+
+
+    def avoid_func(state):
+        if state.regs.rip.args[0] == 0xdeadbeef and state.regs.rax.args[0] == 0:
+            return True
+
+    simgr.explore(find=find_func, avoid=avoid_func)
+    # print(simgr)
+
+    # print('RESULT', result)
@@ -0,0 +1,78 @@
+import angr
+import claripy
+from reconstruct import decrypt
+
+def hook_mem_write(state):
+    if not state.inspect.instruction:
+        return
+    print('{:x} [{}] = {}'.format(state.inspect.instruction,
+                                  state.inspect.mem_write_address, 
+                                  state.inspect.mem_write_expr))
+
+def hook_mem_read(state):
+    if not state.inspect.instruction:
+        return
+    print('{:x} {} = [{}]'.format(state.inspect.instruction,
+                                  state.inspect.mem_read_expr, 
+                                  state.inspect.mem_read_address))
+
+result = '?' * 0x45
+global_addr = 0x605100
+
+new_filename = './magic'
+data = decrypt(new_filename)
+import IPython; shell = IPython.terminal.embed.InteractiveShellEmbed(); shell.mainloop()
+for n in xrange(33):
+    # n  = 21
+    proj = angr.Project('./magic_patched', load_options={"auto_load_libs": False})
+
+    state = proj.factory.blank_state(addr=data[n].function_addr, add_options={angr.options.LAZY_SOLVES,
+                                                                              angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY})
+    # state.inspect.b('mem_write', when=angr.BP_AFTER, action=hook_mem_write)
+    # state.inspect.b('mem_read', when=angr.BP_AFTER, action=hook_mem_read)
+
+    input_addr = 0x10000 * n
+    key_len = data[n].length
+
+    input = claripy.BVS("input", 8*(key_len))
+    for i in xrange(key_len):
+        state.add_constraints(input.get_byte(i) != 0)
+
+    state.memory.store(input_addr, input)
+
+    key_addr = (0x605120 + n*0x120)
+    state.regs.rdi = claripy.BVV(input_addr, 8*8)
+    state.regs.rsi = claripy.BVV(key_len,    8*8)
+    state.regs.rdx = claripy.BVV(key_addr,   8*8)
+    print("Start {} - rdi: {} rsi: {} rdx: {}".format(state.regs.rip, state.regs.rdi, state.regs.rsi, state.regs.rdx))
+    state.stack_push(0xdeadbeef)
+
+    simgr = proj.factory.simulation_manager(state)
+
+    def find_func(state):
+        if state.regs.rip.args[0] == 0xdeadbeef:
+            if state.regs.rax.args[0] == 1:
+                global result
+                try:
+                    ans = state.solver.eval(input, cast_to=str)
+                    print(ans)
+                    print(n, repr(ans))
+                    offset = data[n].offset
+                    ans_len = data[n].length
+                    result = result[:offset] + ans + result[offset+ans_len:]
+                    print(n, result)
+                    with open('status', 'a') as f:
+                        f.write('{} {}\n'.format(n, result))
+                    return True
+                except:
+                    print('ERROR: n={}'.format(n))
+
+
+    def avoid_func(state):
+        if state.regs.rip.args[0] == 0xdeadbeef and state.regs.rax.args[0] == 0:
+            return True
+
+    simgr.explore(find=find_func, avoid=avoid_func)
+    # print(simgr)
+
+    # print('RESULT', result)
@@ -0,0 +1,78 @@
+import angr
+import claripy
+from reconstruct import decrypt
+
+def hook_mem_write(state):
+    if not state.inspect.instruction:
+        return
+    print('{:x} [{}] = {}'.format(state.inspect.instruction,
+                                  state.inspect.mem_write_address, 
+                                  state.inspect.mem_write_expr))
+
+def hook_mem_read(state):
+    if not state.inspect.instruction:
+        return
+    print('{:x} {} = [{}]'.format(state.inspect.instruction,
+                                  state.inspect.mem_read_expr, 
+                                  state.inspect.mem_read_address))
+
+result = '?' * 0x45
+global_addr = 0x605100
+
+new_filename = './magic'
+data = decrypt(new_filename)
+import IPython; shell = IPython.terminal.embed.InteractiveShellEmbed(); shell.mainloop()
+for n in xrange(33):
+    # n  = 21
+    proj = angr.Project('./magic_patched', load_options={"auto_load_libs": False})
+
+    state = proj.factory.blank_state(addr=data[n].function_addr, add_options={angr.options.LAZY_SOLVES,
+                                                                              angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY})
+    # state.inspect.b('mem_write', when=angr.BP_AFTER, action=hook_mem_write)
+    # state.inspect.b('mem_read', when=angr.BP_AFTER, action=hook_mem_read)
+
+    input_addr = 0x10000 * n
+    key_len = data[n].length
+
+    input = claripy.BVS("input", 8*(key_len))
+    for i in xrange(key_len):
+        state.add_constraints(input.get_byte(i) != 0)
+
+    state.memory.store(input_addr, input)
+
+    key_addr = (0x605120 + n*0x120)
+    state.regs.rdi = claripy.BVV(input_addr, 8*8)
+    state.regs.rsi = claripy.BVV(key_len,    8*8)
+    state.regs.rdx = claripy.BVV(key_addr,   8*8)
+    print("Start {} - rdi: {} rsi: {} rdx: {}".format(state.regs.rip, state.regs.rdi, state.regs.rsi, state.regs.rdx))
+    state.stack_push(0xdeadbeef)
+
+    simgr = proj.factory.simulation_manager(state)
+
+    def find_func(state):
+        if state.regs.rip.args[0] == 0xdeadbeef:
+            if state.regs.rax.args[0] == 1:
+                global result
+                try:
+                    ans = state.solver.eval(input, cast_to=str)
+                    print(ans)
+                    print(n, repr(ans))
+                    offset = data[n].offset
+                    ans_len = data[n].length
+                    result = result[:offset] + ans + result[offset+ans_len:]
+                    print(n, result)
+                    with open('status', 'a') as f:
+                        f.write('{} {}\n'.format(n, result))
+                    return True
+                except:
+                    print('ERROR: n={}'.format(n))
+
+
+    def avoid_func(state):
+        if state.regs.rip.args[0] == 0xdeadbeef and state.regs.rax.args[0] == 0:
+            return True
+
+    simgr.explore(find=find_func, avoid=avoid_func)
+    # print(simgr)
+
+    # print('RESULT', result)
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+## Writeup`
	`2`	`+`
	`3`	`+[Full Writeup](http://ctfhacker.com/reverse/2018/09/16/flareon-2018-level6-angr.html)`