trying to solve it symbolically, should be possible, angr as opaque as ever
problem is that the plt entries are not updated yet, which is why
just using call_state fails
it's only a few functions, could do it by hand.. but to actually learn
something I should try to automate it.
basically want angr to make it through the init process so the funcs are initialized.
we can avoid a state blowup by skipping the input checks and encoding them
into input constraints. then we just jump ahead to after the checks have been performed (0x4020d0).
to avoid another blowup, we use lazy evaluation.
a hacky way to get simulation state output is to use SIGALRM and reschedule the alarm in the
handler. the more standard way is logging.getLogger("..").setLevel(logging.DEBUG)
if angr just fails and you know it should be possible, it's probably more
advanced crypto that you would not be able to reverse with symbolic execution anyway.
z3 fails silently - love it!
the binarydb is fucked, bad signature matching made the md5 function look
like it came from an address sanitizer compile..
for future reference, the binary in the bndb is patched incorrectly!
always google those constants quickly, before wasting time
find out it's md5, brute with hashcat after removing two candidates.. 5 min on a gtx970
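the "google the constants first" lesson above is easy to automate: scan the binary for the round constants that fingerprint MD5, SHA-1 and SHA-256 before spending time on signature matching or symbolic execution. this is an added example, not code from these notes or from angr; the sample bytes are constructed (a few hand-assembled `mov r32, imm32` instructions), not taken from the binary discussed.

```python
import struct

# Constants that fingerprint common hash functions when they appear as immediates
# or table entries in a binary. The four words 0x67452301, 0xEFCDAB89, 0x98BADCFE,
# 0x10325476 are shared by MD5 and SHA-1, so they are not listed: they only tell
# you "MD4 family", not which member.
SIGNATURES = {
    # MD5 round constants T[1..4] = floor(abs(sin(i)) * 2**32)
    "md5": (0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE),
    # SHA-1 round constants K0..K3 plus the fifth initial state word H4
    "sha1": (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6, 0xC3D2E1F0),
    # SHA-256 initial state words H0..H3
    "sha256": (0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A),
}

def find_constants(blob, constants, endian="<"):
    """Map each 32-bit constant to the offsets where it occurs in blob.
    Little-endian is the default because x86 encodes imm32 operands that way."""
    hits = {}
    for c in constants:
        needle = struct.pack(endian + "I", c)
        off = blob.find(needle)
        while off != -1:
            hits.setdefault(c, []).append(off)
            off = blob.find(needle, off + 1)
    return hits

def score_hashes(blob):
    """Fraction of each signature's constants present; 1.0 means all found."""
    return {name: len(find_constants(blob, consts)) / len(consts)
            for name, consts in SIGNATURES.items()}

def best_match(blob, threshold=0.5):
    """Name of the best-scoring hash, or None if nothing clears the threshold."""
    name, score = max(score_hashes(blob).items(), key=lambda kv: kv[1])
    return name if score >= threshold else None

# Constructed sample: x86-64 `mov eax/edx/ecx, imm32` carrying the first three
# MD5 round constants, padded with nops (not taken from any real binary).
SAMPLE = (b"\x90" * 4
          + b"\xb8" + struct.pack("<I", 0xD76AA478)
          + b"\xba" + struct.pack("<I", 0xE8C7B756)
          + b"\xb9" + struct.pack("<I", 0x242070DB)
          + b"\xc3")

if __name__ == "__main__":
    print(score_hashes(SAMPLE))  # md5 scores 0.75, the others 0.0
    print(best_match(SAMPLE))    # md5
```

run it over the raw file bytes or a dumped .text section; a hit on three of four MD5 round constants is a far cheaper answer than a mis-matched signature library.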