Defcon Quals 2016 - baby-re

In this challenge, we're presented with a binary which looks like this in IDA Pro:



Essentially, we have to find the right inputs to the program in order to retrieve the flag. However, brute-forcing is definitely not the right way to do it, since there are 13 inputs and each one of them is a 64-bit integer. Instead, one has to find the path that leads to the flag and solve all the constraints along that path. The solution is to use a binary analysis framework like angr: its symbolic execution engine, combined with its constraint solver, gives us the inputs that reach the flag, and then the flag itself. The following image shows the address we want to reach and the one we want to avoid:



Essentially, the script required to solve the challenge is only this short (written against the current angr API, which replaced the old surveyors interface with simulation managers):

import angr

# Load the binary; not loading shared libraries keeps the state space small.
p = angr.Project('./baby-re', auto_load_libs=False)
# Symbolically explore from the entry point until the block that prints the
# flag (0x40293B) is reached, discarding any path that hits the "wrong" block (0x402941).
sm = p.factory.simulation_manager(p.factory.entry_state())
sm.explore(find=0x40293B, avoid=0x402941)
found = sm.found[0]
print(found.posix.dumps(0))  # stdin: the 13 inputs the solver picked to reach the flag
print(found.posix.dumps(1))  # stdout: the program's output, i.e. the flag

And there we go, the flag is "Math is hard!!!". Indeed, solving the constraints manually is super hard >.<
