CREATIVE CHAOS blog

Angr-y Binary (rev)

PUBLISHED ON 01/12/2021 — EDITED ON 11/12/2023 — 247CTF, INFOSEC

As with almost every reversing challenge, start by opening the binary in cutter, letting it analyse for a few minutes and then cancelling the analysis. Note the addresses of the following functions, since they are the targets the rest of the solution is built around:

maybe_flag 0xFFFFAAAA
no_flag 0xFFFFAAAB
print_flag 0xFFFFAAAC

The challenge name is the hint: a quick search for it turns up the tool it is punning on.

angr

angr is a python framework for analyzing binaries. It combines both static and dynamic symbolic (“concolic”) analysis, making it applicable to a variety of tasks.

Useful reading, from which the script below is adapted:

https://cexplr.com/writeups/angr/3_angr_post_1.html

Exploit script

#!/usr/bin/env python3
import angr
import sys

# Create the project and load the binary
project = angr.Project("./angr-y_binary")

# Create a state at the binary's entry point; stdin is left fully symbolic
state = project.factory.entry_state()

# Construct the simulation manager seeded with that state
simmgr = project.factory.simulation_manager(state)

# Addresses to reach (print_flag) and to prune (no_flag), as found in cutter
find = 0xFFFFAAAC
avoid = 0xFFFFAAAB

# Explore paths until one reaches `find`; paths that hit `avoid` are dropped
simmgr.explore(find=find, avoid=avoid)

# The found stash is a list; index it only after checking it is non-empty
if simmgr.found:
    print("found a solution")
    # Concretise the stdin bytes the program consumed on the successful path
    print(simmgr.found[0].posix.dumps(sys.stdin.fileno()))
else:
    print("No found solutions")

Submit the recovered input as the password to the challenge (locally or against the remote service) to obtain the flag.
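The script below is an added example, not the writeup's own script or the cexplr code it was adapted from. It keeps the same explore() recipe but resolves the target addresses from the ELF symbol table through angr's loader instead of copying them out of cutter, checks the found stash correctly before indexing it, strips the padding angr leaves on the dumped stdin, and summarises the stashes when nothing is found so the failure can be diagnosed. It assumes the binary is ./angr-y_binary and that it exports the symbols maybe_flag, no_flag and print_flag listed above.

```python
#!/usr/bin/env python3
"""Added example (not the writeup's script nor the cexplr code): the same
angr explore() recipe, with the target addresses resolved from the ELF
symbol table instead of copied out of cutter, a correct empty-result
check, and a stash summary for the case where nothing is found.

Assumptions: the binary is ./angr-y_binary and exports the symbols
maybe_flag / no_flag / print_flag named in the writeup."""
import sys


def resolve(project, name):
    """Rebased address of a symbol, or None if the loader cannot find it.

    cle's Loader.find_symbol applies the load base for us, so the value is
    valid for the state angr executes even when the binary is PIE."""
    sym = project.loader.find_symbol(name)
    return sym.rebased_addr if sym is not None else None


def clean_solution(raw):
    """Turn the concrete stdin bytes angr hands back into a typeable string.

    angr's symbolic stdin is longer than what the program consumed, so the
    dump carries a tail of NUL padding; drop it and any trailing newline."""
    return raw.rstrip(b"\x00").rstrip().decode("ascii", errors="replace")


def stash_summary(simmgr):
    """Counts per stash plus errored states; read this when found is empty.

    A large deadended stash with nothing found usually means the find
    address was wrong (e.g. a PIE address copied without the load base);
    errored states point at unsupported syscalls or missing hooks."""
    summary = {name: len(states) for name, states in simmgr.stashes.items()}
    summary["errored"] = len(simmgr.errored)
    return summary


def solve(binary="./angr-y_binary", find_name="print_flag", avoid_name="no_flag"):
    """Symbolically execute from the entry point until find_name is reached.

    Returns the cleaned password, or None (after printing the stash summary)
    when no path reaches the target. angr is imported here rather than at
    module level so the helpers above stay usable without it installed."""
    import angr

    # auto_load_libs=False keeps libc out of the analysis: angr's SimProcedures
    # stand in for the common functions, which is faster and explores fewer paths.
    project = angr.Project(binary, auto_load_libs=False)

    find = resolve(project, find_name)
    avoid = resolve(project, avoid_name)
    if find is None or avoid is None:
        raise RuntimeError("symbols not found; fall back to the addresses from cutter")

    # Unconstrained symbolic stdin, exactly as in the writeup's script.
    state = project.factory.entry_state()
    simmgr = project.factory.simulation_manager(state)
    simmgr.explore(find=find, avoid=avoid)

    if not simmgr.found:  # simmgr.found[0] would raise IndexError here
        print("No found solutions:", stash_summary(simmgr))
        return None

    # dumps(0) concretises whatever stdin the program read on the found path.
    return clean_solution(simmgr.found[0].posix.dumps(0))


if __name__ == "__main__":
    solution = solve(*sys.argv[1:2])
    if solution is not None:
        print("found a solution:", solution)
```

Run it as `python3 solve.py ./angr-y_binary`. If the symbols have been stripped, resolve() returns None and the script tells you to fall back to the cutter addresses; in that case remember that a PIE binary's addresses in cutter are relative to its default base, which is why resolving them through the loader is preferable.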


TAGS: ANGR, CTF, HACK, PYTHON