notes (1290B)
trying to symbolically solve, should be possible, angr as intransparent as ever

problem is that the plt entries are not updated yet, which is why just using call_state fails

it's only a few functions, could do it by hand.. but to actually learn something i should try to automate it.

basically want angr to make it through the init process so the funcs are initialized.

we can avoid a state blowup by skipping the input checks and encoding them into input constraints. then we just jump ahead after the checks have been performed (0x4020d0).

to avoid another blowup, we use lazy evaluation.

a hacky way to get simulation state output is to use SIGALRM and reschedule in the handler. the more standard way is logging.getLogger("..").setLevel(logging.DEBUG)

if angr just fails and you know it should be possible - it's probably more advanced crypto that you would not be able to reverse with symbolic execution anyway. z3 fails silently - love it!

the binarydb is fucked, bad signature matching caused the md5 function to look like it came from an address sanitizer compile..

for future reference, the binary in the bndb is patched incorrectly!

always google those constants quickly, before wasting time

find out it's md5, brute with hashcat after removing two candidates.. 5 min on a gtx970
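the SIGALRM trick above, written out as an added example (not from the original notes): the alarm handler prints a status line and re-arms the timer, so it keeps reporting while the exploration runs. `status` is any callable returning a string (for angr something like `lambda: f"active={len(simgr.active)}"`); the busy loop in `run_with_reports` is a constructed stand-in for `simgr.run()`.

```python
import signal
import time
from contextlib import contextmanager


@contextmanager
def periodic_report(status, interval=5.0, sink=print):
    """Call sink(status()) every `interval` seconds while the body runs.

    Uses the real-time interval timer (delivers SIGALRM). The alarm is
    one-shot and rescheduled from inside its own handler, as in the notes.
    """
    reports = []

    def handler(signum, frame):
        line = status()
        reports.append(line)
        sink(line)
        # re-arm: schedule the next one-shot alarm from the handler itself
        signal.setitimer(signal.ITIMER_REAL, interval)

    previous = signal.signal(signal.SIGALRM, handler)
    signal.setitimer(signal.ITIMER_REAL, interval)
    try:
        yield reports
    finally:
        signal.setitimer(signal.ITIMER_REAL, 0)      # cancel any pending alarm
        signal.signal(signal.SIGALRM, previous)      # restore the old handler


def run_with_reports(seconds=0.4, interval=0.05, sink=lambda s: None):
    """Run a constructed stand-in for simgr.run() under the reporter.

    Returns the status lines the handler collected; with angr you would
    replace the loop by simgr.run()/simgr.explore(find=0x4020d0).
    """
    progress = {"steps": 0}
    deadline = time.monotonic() + seconds
    with periodic_report(lambda: f"steps={progress['steps']}", interval, sink) as reports:
        while time.monotonic() < deadline:           # stand-in for stepping states
            progress["steps"] += 1
    return reports


if __name__ == "__main__":
    # Quieter alternative from the notes: logging.getLogger("angr").setLevel(logging.DEBUG)
    run_with_reports(seconds=2.0, interval=0.5, sink=print)
```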