Skip to content
This repository was archived by the owner on Aug 22, 2025. It is now read-only.

Sharon rev150 #29

Open
sharon-lin wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Sharon rev150 #29

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
d2d0026
added bbctf2017
sharon-lin Jan 6, 2019
4c45450
added bbctf2017
sharon-lin Jan 6, 2019
02311ba
removed mcore_* files
sharontlin Jan 7, 2019
c27fbec
changed name of solve
sharon-lin Jan 7, 2019
d14d32a
added formatting changes
sharon-lin Jan 24, 2019
67592e5
Delete solve.py~
sharon-lin Feb 4, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file added bugsbunnyctf2017-rev150/rev150
View file
Open in desktop
Binary file not shown.
62 changes: 62 additions & 0 deletions bugsbunnyctf2017-rev150/solve.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
from manticore.native import Manticore
import sys

prog = sys.argv[1]
params = sys.argv[2:]

"""
To run:
$ python rev150.py ./rev150 00000000000000000000

The symbolic execution will overwrite the integer value with some number from 0 to 99999999999999999999 (you know that there are only 20 digits from IDA Pro. The program increments until the correct value is found.

For testing purposes, the solution is 42813724579039578812.

Run time: 9:10.62
"""

m = Manticore(prog, params)

"""
Here, we are setting the initial password (from IDA Pro, we can deduce a majority of the digits). We know that the password consists of 20 digits, all of which must be numeric.
"""
with m.locked_context() as context:
context['password'] = 42810720579039578812

@m.hook(0x401be2)
def inject_password(state):
"""
At this point, we inject our chosen password into the address holding the password inputted to the
binary. The password is formatted to be 20 digits long.
"""
with m.locked_context() as context:
formatted_pwd = f"{context['password']:020}"
print(f"[+] injecting password: {formatted_pwd}")
state.cpu.write_bytes(state.cpu.RDI,formatted_pwd)

@m.hook(0x401e5a)
def failed(state):
"""
If the password is incorrect, we will increment the password (so long as it remains 20 digits) and
return to the original point of injection.
"""
with m.locked_context() as context:
if len(str(context['password'])) == 20:
context['password'] += 1000000000000
state.cpu.RIP = 0x401be2
print("[-] incorrect password")
else:
print("[-] no password found")
m.terminate()

@m.hook(0x401e49)
def success(state):
"""
If our password passes all of the checks, we can return it as the flag.
"""
with m.locked_context() as context:
print(f"[+] success. flag: BugsBunny{{context['password']}}")
m.terminate()

m.verbosity(1)
m.run()