BITSCTF babyrev writeup using angr
Hello You, babyrev is an easy rev challenge that you can solve in so many ways, but today I'm going to explain how to solve it using a simple Python script.
You can see that it prints Enter a string: and uses fgets to get user input; then, if the strlen of the input equals 24, it goes to the block of code that calls myfunc, which is the function that checks the flag.
When you see a view like this, it might be a great idea to think about angr. Let's review the code:
Here we can see multiple blocks like these, where the flag is present but scattered across a long if/else chain. As I said, you could go through them and collect these values one by one, or maybe write a regular expression, etc.
Angr Time
```python
import angr

# here we create a project from the binary (path inside the docker container)
p = angr.Project("/local/babyrev")
# create a state that points at the program's entry point
s = p.factory.entry_state()
# create a simulation manager that drives the symbolic execution
sm = p.factory.simgr(s)
# address to reach (the success path) and addresses to avoid (failure paths)
find_addr = 0x40131a
bad_addr = [0x4013b1, 0x40132b]
# here the magic begins
# symbolic execution goes brrrrrrrrrrr
sm.explore(find=find_addr, avoid=bad_addr)
# dump the stdin bytes that led to the found state (this is the flag)
print(sm.found[0].posix.dumps(0))
```
I would recommend using IPython3 and docker when using angr. You can use this command to get the angr image on your machine:

```sh
sudo docker run -it --rm -v $PWD:/local angr/angr
```
How to get the good addresses and bad addresses
The program prints Yippee :3 when you get the right flag, so I used 0x401329. You will notice that I added 0x400000 to the address because that is the default base address in angr, but you can change it if you want. That is how I got 0x4013b1 and 0x40132b.
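As an added example (not the author's script), here is a variant of the same search that does not depend on hard-coded find/avoid addresses: stdin is made symbolic, constrained to 24 printable bytes, and the success state is recognised by the Yippee :3 output the writeup mentions. The binary path, the length of 24 flag characters and the printable-ASCII constraint are assumptions; the rebasing helper mirrors the 0x400000 base address discussed above.

```python
"""Added example: angr search for the babyrev input without hard-coded addresses.
Assumptions (not from the writeup): binary at /local/babyrev, the 24 bytes counted by
strlen are the flag characters, and success is recognised by the "Yippee :3" output."""

BINARY = "/local/babyrev"          # path inside the angr docker container (assumed)
SUCCESS_MARKER = b"Yippee :3"      # printed by the binary on the right flag (from the writeup)
ANGR_DEFAULT_BASE = 0x400000       # angr's default load base, as noted in the writeup


def to_runtime_addr(file_offset, base=ANGR_DEFAULT_BASE):
    """Rebase an address taken from a disassembler view (e.g. 0x1329) onto angr's base."""
    return base + file_offset


def is_valid_candidate(data, length=24):
    """True if a recovered input has the expected length and only printable ASCII bytes."""
    return len(data) == length and all(0x20 <= b <= 0x7E for b in data)


def solve(binary=BINARY, length=24):
    """Drive angr: symbolic stdin of `length` printable bytes plus a newline,
    explore until the success string appears on stdout, then concretise the input."""
    import angr      # imported here so the pure helpers above work without angr installed
    import claripy

    proj = angr.Project(binary, auto_load_libs=False)
    chars = [claripy.BVS(f"c{i}", 8) for i in range(length)]
    # fgets stops at the newline; if strlen counts it, lower `length` by one
    stdin = claripy.Concat(*chars, claripy.BVV(b"\n"))
    state = proj.factory.entry_state(stdin=stdin)
    for c in chars:                              # keep the solver inside printable ASCII
        state.solver.add(c >= 0x20, c <= 0x7E)

    simgr = proj.factory.simgr(state)
    # success is detected from program output, so no find/avoid addresses are needed
    simgr.explore(find=lambda s: SUCCESS_MARKER in s.posix.dumps(1))
    if not simgr.found:
        return None
    found = simgr.found[0]
    return found.solver.eval(claripy.Concat(*chars), cast_to=bytes)


if __name__ == "__main__":
    result = solve()
    print("no path found" if result is None else result.decode())
```

Detecting success from stdout is slower than giving angr the exact addresses, but it keeps the script valid even if the binary is loaded at a different base.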
That’s it for today Thanks for reading :P