13 Angr Static Binary
The instructions state that this is the same challenge as 00_angr_find, the only difference being that the binary is compiled as a static binary. So all we need to do is reuse the code from the previous challenge and hook each of the statically linked libc functions with a SimProcedure.
Nothing really to talk about, so here is the final code.
import sys
import pwn
import angr
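def main():
    """Symbolically execute the static binary and replay the recovered input.

    Loads ./13_angr_static_binary, hooks the statically linked libc routines
    with angr SimProcedures, explores until the "good" address is reached and
    hands the concrete stdin of that state to run_binary().

    Raises:
        RuntimeError: if no state reaching print_good_address is found.
    """
    path_to_binary = "./13_angr_static_binary"
    project = angr.Project(path_to_binary)

    # Same options as the 00_angr_find solution: unconstrained memory and
    # registers are filled with symbolic values rather than left undefined.
    initial_state = project.factory.entry_state(
        add_options={
            angr.options.SYMBOL_FILL_UNCONSTRAINED_MEMORY,
            angr.options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS,
        },
    )

    # Addresses of the statically linked libc routines in this particular
    # build; they are specific to this binary and must be re-resolved (e.g.
    # from its symbol table) before this script is pointed at anything else.
    hooks = {
        0x804ED40: angr.SIM_PROCEDURES["libc"]["printf"],
        0x804ED80: angr.SIM_PROCEDURES["libc"]["scanf"],
        0x804F350: angr.SIM_PROCEDURES["libc"]["puts"],
        0x8048D10: angr.SIM_PROCEDURES["glibc"]["__libc_start_main"],
    }
    for address, sim_procedure in hooks.items():
        project.hook(address, sim_procedure())

    simulation = project.factory.simgr(initial_state)
    print_good_address = 0x80489E1
    simulation.explore(find=print_good_address)

    if not simulation.found:
        raise RuntimeError("Could not find the solution")

    solution_state = simulation.found[0]
    # Keep the solver's stdin as raw bytes: a concretised input is not
    # guaranteed to be valid UTF-8, and decoding here would raise before the
    # input is ever replayed. run_binary() accepts bytes directly.
    solution = solution_state.posix.dumps(sys.stdin.fileno())
    run_binary(solution, path_to_binary)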
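def run_binary(solution, path_to_binary):
    """Replay *solution* against the real binary and print its reply.

    Args:
        solution: stdin to feed the program, as ``str`` or ``bytes``. A
            ``str`` is encoded as UTF-8 first.
        path_to_binary: path of the ELF to execute.

    Raises:
        EOFError: propagated from pwntools if the process exits before the
            prompt or the reply line is received.
    """
    if isinstance(solution, str):
        solution = solution.encode("utf-8")

    # The solver's bytes need not be valid UTF-8; never let the banner raise.
    print(f"[+] Solution found: {solution.decode('utf-8', errors='replace')}")
    print(" [|] Running binary")

    pwn.context.log_level = "error"
    elf = pwn.ELF(path_to_binary, checksec=False)
    pty = pwn.process.PTY
    io = elf.process(stdin=pty, stdout=pty, level="warn")
    try:
        io.recvuntil(b":")
        io.sendline(solution)
        reply = io.recvline().decode("utf-8", errors="replace")
        output = reply.splitlines()[0].strip()
    finally:
        # Always reap the child process, even when recv* raises on unexpected
        # output, so no stray process is left behind.
        io.close()

    print(f" [+] Output: {output}")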
if __name__ == "__main__":
    # Only run the solver when executed as a script, not when imported.
    main()