cscg24-license

CSCG 2024 Challenge 'Most unique license checker'
git clone https://git.sinitax.com/sinitax/cscg24-license

commit c4cc7c6341e6326c1a2a5a42768ce27bd3535380
Author: Louis Burda <quent.burda@gmail.com>
Date:   Thu,  4 Apr 2024 04:52:26 +0200

Stash

Diffstat:
Asolve/solve | 107+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 107 insertions(+), 0 deletions(-)

diff --git a/solve/solve b/solve/solve 
@@ -0,0 +1,107 @@
+#!/usr/bin/env python3
+
+import angr
+import claripy
+import sys
+import signal
+
+def sigalarm(_a, _b):
+ print("STATE", sim, sim.active)
+ signal.signal(signal.SIGALRM, sigalarm)
+ signal.alarm(1)
+signal.signal(signal.SIGALRM, sigalarm)
+
+key_addr = 0x1000
+keylen = 29
+key = [claripy.BVS(f"key_{i}", 8) for i in range(keylen)]
+
+project = angr.Project("./licensecheck", auto_load_libs=False)
+
+blank = project.factory.blank_state()
+options = {angr.options.INITIALIZE_ZERO_REGISTERS}
+state = project.factory.call_state(0x402030, key_addr,
+ ret_addr=0x4016d6,
+ prototype="int check(const char *)",
+ add_options=options)
+
+state.memory.store(state.regs.rsp - 0x2000, 0x2000 * b"\x00")
+state.memory.store(0x4cd000, open("got.plt", "rb").read())
+state.regs.rbp = state.regs.rsp
+state.regs.fs = blank.regs.fs
+
+binfile = angr.SimFile("licensecheck", open("licensecheck", "rb").read())
+binfile.set_state(state)
+
+for i in range(0, keylen):
+ if (i + 1) % 6 == 0:
+ key[i] = b'-'
+ elif i in (4, 12, 14):
+ key[i] = b'B'
+ else:
+ isalpha = claripy.And(key[i] >= 0x41, key[i] <= 0x41 + 0x19)
+ isnum = claripy.And(key[i] >= 0x30, key[i] <= 0x30 + 9)
+ state.solver.add(claripy.Or(isalpha, isnum))
+ #state.solver.add(key.get_byte(i) >= 0x30)
+ #state.solver.add(key.get_byte(i) <= 0x41+0x19)
+
+state.memory.store(key_addr, claripy.Concat(*key, b"\x00" * 0x40))
+
+def print_key(state):
+ keystr = b""
+ for c in key:
+ if type(c) != bytes:
+ keystr += state.solver.eval(c, cast_to=bytes)
+ else:
+ keystr += c
+ print(keystr)
+print_key(state)
+
+sim = project.factory.simgr(state)
+
+# sim.explore(find=0x403800)
+# print("__libc_start_main", sim)
+# sim.stash(from_stash="found", to_stash="active")
+#
+# sim.explore(find=0x4061c0)
+# print("main", sim)
+
+#raise False
+
+def checkpoint(addr, text):
+ sim.explore(find=addr)
+ print(text, sim)
+ assert(len(sim.found) == 1 and len(sim.active) == 0)
+ sim.stash(from_stash="found", to_stash="active")
+
+def findall(addr, text, avoid=[]):
+ while len(sim.active) > 0:
+ sim.explore(find=addr, avoid=avoid)
+ print(text, sim)
+
+checkpoint(0x402058, "before strlen")
+checkpoint(0x40205d, "after strlen")
+checkpoint(0x40207f, "after len check")
+
+assert(len(sim.active) == 1)
+
+signal.alarm(1)
+findall(0x4020d0, "before content check")
+print(sim.found[0].solver.eval(key, cast_to=bytes))
+
+sim.active[0].options.add(angr.options.LAZY_SOLVES)
+
+while True:
+ sim.explore(find=0x4016ed)
+ print("found", sim)
+ for state in sim.found:
+ print(state.solver.eval(key, cast_to=bytes))
+ sim.stash(from_stash="found", to_stash="deadended")
+
+raise 0
+
+
+
+sim.explore(find=0x4016ed, avoid=[])
+print("found", sim)
+for state in sim.found:
+ print(state.solver.eval_upto(key, 2, cast_to=bytes))
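Review bot: The `while True:` loop near the end of the hunk never exits: once `sim.active` is drained, `sim.explore(find=0x4016ed)` returns immediately and the loop keeps printing "found", so the `raise 0` after it (itself invalid, since `0` is not an exception) and the `eval_upto` tail below are unreachable. Changing the guard to `while sim.active:` and deleting `raise 0` together with the dead tail would let the script terminate once every path has been explored or stashed. `findall(addr, text, avoid=[])` also carries a mutable default; `avoid=()` is the usual form and `explore` accepts any iterable there. Finally, `print(sim.found[0].solver.eval(key, cast_to=bytes))` after `findall` hands the Python list `key` (with `bytes` entries mixed in) to the solver, whereas `print_key` earlier in the hunk already handles that mix element by element — `print_key(sim.found[0])` looks like the intended call, though I am inferring that from the helper rather than from a visible failure.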