Angry Grinbird

Angrybird

attachment: It’s easy for angr (NO LOOPS), but not easy for a human.

import angr
import time
import claripy
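# Load the target on its own (no shared libraries) and begin symbolic
# execution at 0x4007DA from a blank state instead of the real entry point.
p = angr.Project('./angrybird', auto_load_libs=False)
s = p.factory.blank_state(addr=0x4007DA)

# One 8-bit symbolic variable per flag byte, placed in the 21-byte buffer at
# rbp-0x50 (NOTE(review): presumably where the binary keeps the input —
# confirm against the disassembly).
FLAG_LEN = 21
flag = [claripy.BVS("flag_%d" % i, 8) for i in range(FLAG_LEN)]
for off, byte in enumerate(flag):
    s.memory.store(s.regs.rbp - 0x50 + off, byte)

sim = p.factory.simgr(s)
# LAZY_SOLVES postpones satisfiability checks until a branch needs them.
sim.active[0].options.add(angr.options.LAZY_SOLVES)
t = time.time()
# Plain search without pruning (about 140 s, see the timings below):
#sim.explore(find=0x000000000404FB7)
# Addresses the exploration must avoid, each written as an offset from
# 0x4007ED. The ellipsis stands for the full list, which is in the attachment.
av = [2+0x00000000004007ED, ..., 18346+0x00000000004007ED]
sim.explore(find=0x404fb7, avoid=av)
# An assert would be stripped under -O; fail loudly instead.
if len(sim.found) != 1:
    raise RuntimeError("expected exactly one path to 0x404fb7, got %d" % len(sim.found))
# Concretise every flag byte under the found state's constraints.
found = sim.found[0]
res = ''.join(chr(found.solver.eval(byte)) for byte in flag)
print(res)
print(time.time() - t)
#Im_so_cute&pretty_:)
#140.029561996 s without avoid
#93.6487920284 s with the help of a list of avoid-addr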

However, I found the example script is much faster than mine. Here is the log:

➜  C5 python solve.py 
WARNING | 2020-02-21 22:49:16,108 | angr.analyses.disassembly_utils | Your version of capstone does not support MIPS instruction groups.
33.5132930279
Im_so_cute&pretty_:)

I found that memset is super useful for speeding things up when starting from a blank_state. My final code:

import angr
import time
import claripy
# Load the binary (this time with its shared libraries, since auto_load_libs
# is left at its default) and start from a blank state at 0x4007DA.
binary = './angrybird'
start_addr = 0x4007DA
p = angr.Project(binary)
s = p.factory.blank_state(addr=start_addr)
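@p.hook(0x400590, length=6)
def n132_puts(ptr):
    """Skip the 6 bytes at 0x400590 and report a return value of 1.

    angr invokes this hook with the state being executed (``ptr``). The
    original body wrote ``s.rax = 1``, which only sets a plain Python
    attribute on the initial state ``s`` built above — it never touches the
    register file of the state that is actually running. Writing the register
    through ``ptr.regs`` is what hands the caller the intended return value.
    NOTE(review): the name suggests this stands in for puts — confirm against
    the binary.
    """
    ptr.regs.rax = 1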
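# One 8-bit symbolic variable per flag byte, written to the 21-byte buffer at
# rbp-0x50 (NOTE(review): presumably where the binary keeps the input —
# confirm against the disassembly).
FLAG_LEN = 21
flag = [claripy.BVS("flag_%d" % i, 8) for i in range(FLAG_LEN)]
for off, byte in enumerate(flag):
    s.memory.store(s.regs.rbp - 0x50 + off, byte)

# NOTE(review): rbp is assigned *after* the flag bytes were stored relative to
# it, so the two only line up if blank_state already gave rbp this value.
# Worth confirming; moving this line above the store loop would remove that
# dependency.
s.regs.rbp = s.regs.rsp + 0x80

# Pre-populate the locals the binary would otherwise have to set up before it
# reaches the checks (the "memset" trick): a 32-bit 21 (the flag length) and
# four 64-bit values that look like data-section addresses.
# NOTE(review): the values come from the binary — confirm they match what the
# skipped setup code writes.
s.mem[s.regs.rbp - 0x74].dword = 21
s.mem[s.regs.rbp - 0x70].qword = 0x605018
s.mem[s.regs.rbp - 0x68].qword = 0x605020
s.mem[s.regs.rbp - 0x60].qword = 0x605028
s.mem[s.regs.rbp - 0x58].qword = 0x605038
sim = p.factory.simgr(s)

# LAZY_SOLVES postpones satisfiability checks until a branch needs them.
sim.active[0].options.add(angr.options.LAZY_SOLVES)

# Plain search without pruning:
#sim.explore(find=0x000000000404FB7)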
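# Addresses the exploration must avoid, each an offset from 0x4007ED (the same
# list the first attempt referred to as "the attachment"). The base is hoisted
# out so each entry is the bare offset; the list is in increasing order.
_AVOID_BASE = 0x4007ED
_AVOID_OFFSETS = (
    2, 43, 75, 116, 163, 204, 245, 286, 327, 394,
    435, 476, 517, 558, 602, 639, 680, 718, 755, 796,
    850, 891, 951, 1001, 1042, 1092, 1136, 1173, 1214, 1251,
    1288, 1326, 1363, 1404, 1445, 1477, 1514, 1555, 1593, 1637,
    1678, 1739, 1776, 1817, 1858, 1899, 1931, 1972, 2019, 2056,
    2094, 2142, 2179, 2220, 2261, 2293, 2334, 2375, 2416, 2457,
    2517, 2558, 2606, 2647, 2688, 2729, 2770, 2811, 2865, 2906,
    2950, 2991, 3032, 3064, 3105, 3146, 3187, 3228, 3269, 3310,
    3351, 3392, 3433, 3474, 3515,
    3556, 3603, 3644, 3685, 3726, 3767, 3814, 3855, 3896, 3982,
    4023, 4063, 4104, 4145, 4199, 4240, 4294, 4335, 4376, 4417,
    4458, 4499, 4540, 4581, 4622, 4663, 4710, 4751, 4799, 4840,
    4881, 4928, 4969, 5010, 5047, 5088, 5128, 5182, 5229, 5270,
    5311, 5352, 5393, 5430, 5468, 5505, 5546, 5606, 5647, 5688,
    5725, 5763, 5800, 5837, 5878, 5925, 5966, 6007, 6048, 6089,
    6130, 6171, 6212, 6253, 6294, 6331, 6368, 6406, 6443, 6484,
    6525, 6579, 6620, 6674, 6711, 6768, 6806, 6843, 6884, 6925,
    6966, 7007, 7048,
    7089, 7126, 7163, 7200, 7238, 7275, 7329, 7379, 7439, 7480,
    7517, 7554, 7592, 7629, 7670, 7763, 7813, 7850, 7897, 7938,
    7986, 8027, 8081, 8122, 8160, 8197, 8238, 8279, 8320, 8361,
    8402, 8452, 8493, 8534, 8571, 8608, 8649, 8686, 8744, 8781,
    8828, 8869, 8910, 8964, 9005, 9046, 9100, 9137, 9178, 9219,
    9256, 9293, 9340, 9381, 9418, 9456, 9493, 9534, 9588, 9629,
    9670, 9707, 9748, 9794, 9835, 9885, 9922, 9969, 10006, 10047,
    10088, 10147, 10185, 10235, 10276, 10317, 10349, 10390, 10431, 10472,
    10513, 10545, 10599,
    10640, 10672, 10713, 10754, 10795, 10836, 10877, 10918, 10989, 11034,
    11075, 11116, 11176, 11230, 11262, 11303, 11344, 11385, 11426, 11467,
    11508, 11540, 11581, 11628, 11669, 11710, 11751, 11805, 11837, 11891,
    11932, 11973, 12053, 12094, 12135, 12189, 12243, 12284, 12325, 12366,
    12407, 12448, 12502, 12556, 12610, 12651, 12688, 12726, 12763, 12804,
    12845, 12886, 12927, 12964, 13011, 13048, 13095, 13136, 13177, 13218,
    13259, 13300, 13337, 13374, 13421, 13462, 13503, 13557, 13598, 13639,
    13680, 13717, 13754, 13801, 13842, 13883, 13924, 13987, 14052, 14106,
    14147, 14201, 14238, 14275, 14313, 14350, 14391, 14445, 14486, 14527,
    14564, 14601, 14639, 14676, 14717, 14758, 14812, 14853, 14891, 14928,
    14969, 15010, 15051, 15092, 15133, 15170, 15211, 15248, 15285, 15335,
    15373, 15410, 15451, 15492, 15533, 15574, 15615, 15652, 15693, 15730,
    15767, 15808, 15845, 15883, 15920, 15961, 16002, 16043, 16084, 16125,
    16162, 16203, 16240, 16277, 16318, 16355, 16392, 16429, 16467, 16504,
    16545, 16586, 16623, 16660, 16707, 16748, 16789, 16830, 16871, 16912,
    16944, 16985, 17026, 17067, 17108, 17149, 17181, 17222, 17263, 17304,
    17345, 17386, 17427, 17468, 17535, 17576, 17617, 17658, 17699, 17740,
    17794, 17835, 17876, 17917, 17958, 17999, 18036, 18083, 18124, 18165,
    18206, 18243, 18299, 18346,
)
av = [_AVOID_BASE + off for off in _AVOID_OFFSETS]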
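t = time.time()
sim.explore(find=0x404fb7, avoid=av)
print(time.time() - t)
# An assert would be stripped under -O; fail loudly instead.
if len(sim.found) != 1:
    raise RuntimeError("expected exactly one path to 0x404fb7, got %d" % len(sim.found))
# Concretise every flag byte under the found state's constraints.
found = sim.found[0]
res = ''.join(chr(found.solver.eval(byte)) for byte in flag)
print(res)
# ➜  C5 python exp.py
# WARNING | 2020-02-22 00:50:59,738 | angr.analyses.disassembly_utils | Your version of capstone does not support MIPS instruction groups.
# 11.1680550575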

Summary

Hook+memset == Faster