commit c4cc7c6341e6326c1a2a5a42768ce27bd3535380
Author: Louis Burda <quent.burda@gmail.com>
Date: Thu, 4 Apr 2024 04:52:26 +0200
Stash
Diffstat:
A | solve/solve | | | 107 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
1 file changed, 107 insertions(+), 0 deletions(-)
diff --git a/solve/solve b/solve/solve
@@ -0,0 +1,107 @@
+#!/usr/bin/env python3
+
+import angr
+import claripy
+import sys
+import signal
+
+def sigalarm(_a, _b):
+ print("STATE", sim, sim.active)
+ signal.signal(signal.SIGALRM, sigalarm)
+ signal.alarm(1)
+signal.signal(signal.SIGALRM, sigalarm)
+
+key_addr = 0x1000
+keylen = 29
+key = [claripy.BVS(f"key_{i}", 8) for i in range(keylen)]
+
+project = angr.Project("./licensecheck", auto_load_libs=False)
+
+blank = project.factory.blank_state()
+options = {angr.options.INITIALIZE_ZERO_REGISTERS}
+state = project.factory.call_state(0x402030, key_addr,
+ ret_addr=0x4016d6,
+ prototype="int check(const char *)",
+ add_options=options)
+
+state.memory.store(state.regs.rsp - 0x2000, 0x2000 * b"\x00")
+state.memory.store(0x4cd000, open("got.plt", "rb").read())
+state.regs.rbp = state.regs.rsp
+state.regs.fs = blank.regs.fs
+
+binfile = angr.SimFile("licensecheck", open("licensecheck", "rb").read())
+binfile.set_state(state)
+
+for i in range(0, keylen):
+ if (i + 1) % 6 == 0:
+ key[i] = b'-'
+ elif i in (4, 12, 14):
+ key[i] = b'B'
+ else:
+ isalpha = claripy.And(key[i] >= 0x41, key[i] <= 0x41 + 0x19)
+ isnum = claripy.And(key[i] >= 0x30, key[i] <= 0x30 + 9)
+ state.solver.add(claripy.Or(isalpha, isnum))
+ #state.solver.add(key.get_byte(i) >= 0x30)
+ #state.solver.add(key.get_byte(i) <= 0x41+0x19)
+
+state.memory.store(key_addr, claripy.Concat(*key, b"\x00" * 0x40))
+
+def print_key(state):
+ keystr = b""
+ for c in key:
+ if type(c) != bytes:
+ keystr += state.solver.eval(c, cast_to=bytes)
+ else:
+ keystr += c
+ print(keystr)
+print_key(state)
+
+sim = project.factory.simgr(state)
+
+# sim.explore(find=0x403800)
+# print("__libc_start_main", sim)
+# sim.stash(from_stash="found", to_stash="active")
+#
+# sim.explore(find=0x4061c0)
+# print("main", sim)
+
+#raise False
+
+def checkpoint(addr, text):
+ sim.explore(find=addr)
+ print(text, sim)
+ assert(len(sim.found) == 1 and len(sim.active) == 0)
+ sim.stash(from_stash="found", to_stash="active")
+
+def findall(addr, text, avoid=[]):
+ while len(sim.active) > 0:
+ sim.explore(find=addr, avoid=avoid)
+ print(text, sim)
+
+checkpoint(0x402058, "before strlen")
+checkpoint(0x40205d, "after strlen")
+checkpoint(0x40207f, "after len check")
+
+assert(len(sim.active) == 1)
+
+signal.alarm(1)
+findall(0x4020d0, "before content check")
+print(sim.found[0].solver.eval(key, cast_to=bytes))
+
+sim.active[0].options.add(angr.options.LAZY_SOLVES)
+
+while True:
+ sim.explore(find=0x4016ed)
+ print("found", sim)
+ for state in sim.found:
+ print(state.solver.eval(key, cast_to=bytes))
+ sim.stash(from_stash="found", to_stash="deadended")
+
+raise 0
+
+
+
+sim.explore(find=0x4016ed, avoid=[])
+print("found", sim)
+for state in sim.found:
+ print(state.solver.eval_upto(key, 2, cast_to=bytes))
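Review bot: `print(sim.found[0].solver.eval(key, cast_to=bytes))` after the "before content check" step, and the same calls in the two trailing loops, hand the Python list `key` to the solver, which takes a single claripy AST, and the list here also mixes symbolic `BVS` bytes with the fixed `b'-'`/`b'B'` entries set in the constraint loop — exactly the case `print_key()` above was written to handle, so those lines should read `print_key(sim.found[0])` / `print_key(state)`. The following `sim.active[0].options.add(angr.options.LAZY_SOLVES)` indexes an empty stash: `findall()` only returns once `sim.active` is drained, leaving the reached states in `found`, so the option has to be set on those states and they must be stashed back to `active` before the `0x4016ed` exploration. The `while True` loop has no exit, so once `active` is exhausted `explore()` becomes a no-op and it spins printing `found`; an `if not sim.active: break` guard looks intended, given the unreachable code after `raise 0` (which itself raises `TypeError`, since `0` is not an exception). This is a stash commit so some of this is presumably known, but as written the script fails before printing the first candidate key.
```python
findall(0x4020d0, "before content check")
for st in sim.found:
    print_key(st)
    st.options.add(angr.options.LAZY_SOLVES)
# findall() only returns once sim.active is empty; resume from the found states
sim.stash(from_stash="found", to_stash="active")

while sim.active:
    sim.explore(find=0x4016ed)
    print("found", sim)
    for st in sim.found:
        print_key(st)
    sim.stash(from_stash="found", to_stash="deadended")
# … unchanged: nothing further needed; the code after `raise 0` is unreachable and can be dropped …
```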