# Imports
import angr
import claripy
We push the input values to the stack and then pop them right before the function exits. Since no value is pushed onto the stack during the execution of the function, we can safely manipulate the stack in the way we planned.
Load the binary.
project = angr.Project('bomb64')
Define the address for the start of the execution path.
# The address where the symbolic execution shall begin. It is right after parsing of two numbers taken as input.
addr_start = 0x400F60
# The address of the return of phase_3.
# We end it there so as to dump the stack and retrieve values before the stack frame is discarded.
addr_target = 0x400FC9
# The address of the first instruction of the explode_bomb function, which is to be avoided.
addr_bomb = 0x40143A
Define a blank state for the simulation, a state with most of it's data uninitialized. Pass the address where the state is initialized, along with the user input to be given via standard input.
state = project.factory.blank_state(addr=addr_start)
Setup the stack.
# Push the null value,
# so as to setup the stack as depicted in the pictures.
state.stack_push(0x0)
Push the symbolic values to be input on the stack.
# We push two symbolic values required as the pair-set values.
for i in range(2):
state.stack_push(claripy.BVS("num_{}".format(i), 32))
Create a simulation manager with this blank state that would help us manage the symbolic execution.
simgr = project.factory.simulation_manager(state)
We call the explore method of the simulation manager, tasked with finding an execution path that reaches the target address and avoids the address which explodes the bomb.
simgr.explore(find=addr_target, avoid=addr_bomb, enable_veritesting=True)
We dereference the execution path "found" by the simulation manager and dump the stack.
found = simgr.found[0]
Remove the stack setup first.
# Pop the null value we pushed to stack first,
# as part of stack setup.
found.stack_pop()
answer = []
curr = found.solver.eval(found.stack_pop())
print("Popped value: {0}".format(hex(curr)))
# Masking is done using bit-wise operators to split the values merged in the block.
lower_end = curr & 0xffffffff
print("Decimal number on the lower end: {0}".format(lower_end))
answer.append(str(lower_end))
higher_end = curr>>32 & 0xffffffff
answer.append(' ')
print("Decimal number on the higher end: {0}\n".format(higher_end))
answer.append(str(higher_end))
answer.append(' ')
# Removes the space in the end.
''.join(answer[:-1])
That's the two number combination we need to input to pass the third phase.
Let's add a constraint to specifically reach an end with values that satisfy each case in the jump table. Add the constraint on the first value since that is used to match a case in the table.
In the form:
state.solver.add(num_1 == x)
, where x is the integer value of a case out of the jump table.
Let's put it in a loop to get the all the values.
for x in range(0, 8):
# Load the binary.
project = angr.Project('bomb64')
# Init the addresses.
addr_start = 0x400F60
addr_target = 0x400FC9
addr_bomb = 0x40143A
# Init a blank state.
state = project.factory.blank_state(addr=addr_start)
# Setup the stack.
state.stack_push(0x0)
# Define the symbolic values.
num_1 = claripy.BVS("num_1", 32)
num_2 = claripy.BVS("num_2", 32)
# Add the constraint.
state.solver.add(num_1 == x)
# Push the input to the stack.
state.stack_push(num_1)
state.stack_push(num_2)
# Init the simulation manager.
simgr = project.factory.simulation_manager(state)
# Let Angr explore.
simgr.explore(find=addr_target, avoid=addr_bomb, enable_veritesting=True)
# Get the answer from the found state.
found = simgr.found[0]
found.stack_pop()
answer = []
curr = found.solver.eval(found.stack_pop())
lower_end = curr & 0xffffffff
answer.append(str(lower_end))
higher_end = curr>>32 & 0xffffffff
answer.append(' ')
answer.append(str(higher_end))
answer.append(' ')
# Removes the space in the end.
print(''.join(answer[:-1]))
And there we go. Values to satisfy all the cases in the jumptable.