(2016 DEF CON CTF Qualifier) Reversing - amadhj Write-up

5/24/2016

Reverse me and get the flag. Get it here.

The program itself is simple: it reads data from the user, passes it to a check function, and, if the input meets that function's requirements, prints the flag that scores the challenge.

The check function, however, has far too many branches to walk through by hand.

In a case like this we can let symbolic execution find a feasible path to the flag-printing block for us, using angr.

import angr
import logging

# Load the challenge binary; shared libraries are skipped to keep exploration fast.
proj = angr.Project('./amadhj', load_options={'auto_load_libs': False})

logging.basicConfig()
logging.getLogger('angr.sim_manager').setLevel(logging.DEBUG)

# Start right after the input has been read, at the beginning of the check.
state = proj.factory.blank_state(addr=0x4022ce)

# Current simulation-manager equivalent of the old surveyors.Explorer call:
# explore toward the block that prints the flag, with Veritesting merging the
# many near-identical branches so the number of states stays manageable.
simgr = proj.factory.simulation_manager(state)
simgr.use_technique(angr.exploration_techniques.Veritesting())
simgr.explore(find=0x4021cc)

if simgr.found:
    print("found")
    # Concretize what was read from stdin (fd 0) along the path that reached the flag.
    found = simgr.found[0].posix.dumps(0)
    print(found)

Feeding the input angr recovered back into the binary prints the flag:

h2spice@ubuntu-16:~/ctf/quals-2016/amadhj$ ./amadhj
kZvvn  cHNLtBwBS  CG Q_KxtPGdwBC
The flag is: Da robats took err jerbs.
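To show what angr is doing under the hood, here is a toy path explorer written for this write-up (it is not the original post's code, not angr's code, and not the real amadhj check). The "program" is a constructed stand-in: every input byte is XORed with a key byte and compared with a constant, both arms of each comparison fall through to the next one, and the flag block is only reached if every comparison passed. KEY, the answer "angr!" and the block addresses are all assumptions made up for the example. Per-byte value sets stand in for the SMT constraints angr collects, and the explorer forks at every branch exactly as the simulation manager does, so the visited-state count makes the "too many branches" problem concrete: 5 checks already cost 95 states when nothing is pruned, versus 7 when states that can no longer reach the target are dropped.

```python
from typing import FrozenSet, List, Optional, Tuple

# Constructed toy "check routine": input[i] ^ KEY[i] must equal WANT[i] for
# every byte.  KEY is an arbitrary constant; WANT is derived so that the
# assumed answer "angr!" passes.  Block layout mimics a chain of branches:
#   0..4  ('check', i, key, want)  both arms fall through to the next block
#   5     ('final',)               jump to win if every check passed, else fail
#   6     ('win',)   the flag block (what angr's find= points at)
#   7     ('fail',)  the error block (what avoid= would point at)
KEY = b"\x13\x37\xc0\xde\x42"
WANT = bytes(k ^ c for k, c in zip(KEY, b"angr!"))
PROGRAM = [("check", i, KEY[i], WANT[i]) for i in range(len(KEY))]
PROGRAM += [("final",), ("win",), ("fail",)]
FINAL_PC, WIN_PC, FAIL_PC = 5, 6, 7

# A symbolic state: program counter, whether every check so far passed, and
# the set of still-possible values for each input byte (our "constraints").
State = Tuple[int, bool, Tuple[FrozenSet[int], ...]]


def step(state: State) -> List[State]:
    """Symbolically execute one block, forking at each branch."""
    pc, ok, doms = state
    block = PROGRAM[pc]
    if block[0] == "check":
        _, i, key, want = block
        taken = frozenset(v for v in doms[i] if v ^ key == want)
        succ: List[State] = []
        # Fork: one successor per arm, each carrying a narrowed domain.
        for dom, passed in ((taken, True), (doms[i] - taken, False)):
            if dom:  # an empty domain means that arm is unsatisfiable
                succ.append((pc + 1, ok and passed, doms[:i] + (dom,) + doms[i + 1:]))
        return succ
    if block[0] == "final":
        return [(WIN_PC if ok else FAIL_PC, ok, doms)]
    return []  # win / fail are terminal


def explore(find: int = WIN_PC, avoid: int = FAIL_PC,
            prune_dead: bool = False) -> Tuple[Optional[bytes], int]:
    """Depth-first path exploration, in the spirit of angr's explore(find=...).

    Returns (a concrete input that reaches `find`, number of states visited).
    With prune_dead=True, states that can no longer reach `find` (a failed
    check) are dropped as soon as they are created, which is the effect
    angr's avoid= has when the dead path has a recognisable address.
    """
    printable = frozenset(range(0x20, 0x7F))  # assume printable input only
    stack: List[State] = [(0, True, tuple(printable for _ in KEY))]
    visited = 0
    while stack:
        state = stack.pop()
        visited += 1
        pc, ok, doms = state
        if pc == find:
            # "Solve": any value left in each domain satisfies this path.
            return bytes(min(d) for d in doms), visited
        if pc == avoid:
            continue
        for succ in step(state):
            if prune_dead and not succ[1]:
                continue
            stack.append(succ)
    return None, visited


def run_concrete(data: bytes) -> bool:
    """Run the toy check on a concrete input; True means the flag would print."""
    return len(data) >= len(KEY) and all(
        data[i] ^ KEY[i] == WANT[i] for i in range(len(KEY)))


if __name__ == "__main__":
    for prune in (False, True):
        found, n = explore(prune_dead=prune)
        print(f"prune_dead={prune}: visited {n} states, input={found!r}, "
              f"passes={run_concrete(found)}")
```

The unpruned run visits every one of the 2^5 leaf states because each check doubles the state count and nothing tells the explorer early that a failed check is a dead end; this is the blow-up angr's Veritesting addresses by merging states that reach the same address, while avoid= addresses it by discarding states at a known dead block.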