CTF Challenge Examples
======================

angr is very often used in CTFs. These are example scripts resulting from that use, mostly from Shellphish but also from many others.

ReverseMe example: HackCon 2016 - angry-reverser
------------------------------------------------

Script author: Stanislas Lejay (github: `@P1kachu `_\ )

Script runtime: ~31 minutes

Here is the `binary `_ and the `script `_

ReverseMe example: SecurityFest 2016 - fairlight
------------------------------------------------

Script author: chuckleberryfinn (github: `@chuckleberryfinn `_\ )

Script runtime: ~20 seconds

A simple reverse me that takes a key as a command line argument and checks it against 14 checks. It is possible to solve the challenge using angr without reversing any of the checks.

Here is the `binary `_ and the `script `_

ReverseMe example: DEFCON Quals 2016 - baby-re
----------------------------------------------

Authors: David Manouchehri (github: `@Manouchehri `_\ ), Stanislas Lejay (github: `@P1kachu `_\ ) and Audrey Dutcher (github: @rhelmot).

Script runtime: 10 sec

Here is the `binary `_ and the `script `_

ReverseMe example: Google CTF - Unbreakable Enterprise Product Activation (150 points)
--------------------------------------------------------------------------------------

Script 0 author: David Manouchehri (github: `@Manouchehri `_\ )

Script runtime: 4.5 sec

Script 1 author: Adam Van Prooyen (github: `@docileninja `_\ )

Script runtime: 6.7 sec

A Linux binary that takes a key as a command line argument and checks it against a series of constraints.

Challenge Description:

    We need help activating this product -- we've lost our license key :( You're our only hope!

Here are the binary and scripts: `script 0 `_\ , `script_1 `_

ReverseMe example: EKOPARTY CTF - Fuckzing reverse (250 points)
---------------------------------------------------------------

Author: Adam Van Prooyen (github: `@docileninja `_\ )

Script runtime: 29 sec

A Linux binary that takes a team name as input and checks it against a series of constraints.

Challenge Description:

    Hundreds of conditions to be met, will you be able to surpass them?

Both sample binaries and the script are located `here `_ and additional information can be found in the author's `write-up `_.

ReverseMe example: WhiteHat Grand Prix Global Challenge 2015 - Re400
--------------------------------------------------------------------

Author: Fish Wang (github: @ltfish)

Script runtime: 5.5 sec

A Windows binary that takes a flag as argument, and tells you if the flag is correct or not.

"I have to patch out some checks that are difficult for angr to solve (e.g., it uses some bytes of the flag to decrypt some data, and see if those data are legit Windows APIs). Other than that, angr works really well for solving this challenge."

The `binary `_ and the `script `_.

ReverseMe example: EKOPARTY CTF 2015 - rev 100
----------------------------------------------

Author: Fish Wang (github: @ltfish)

Script runtime: 5.5 sec

This is a painful challenge to solve with angr. I should have done things in a smarter way.

Here is the `binary `_ and the `script `_.

ReverseMe example: ASIS CTF Finals 2015 - fake
----------------------------------------------

Author: Fish Wang (github: @ltfish)

Script runtime: 1 min 57 sec

The solution is pretty straightforward.

The `binary `_ and the `script `_.

ReverseMe example: Defcamp CTF Qualification 2015 - Reversing 100
-----------------------------------------------------------------

Author: Fish Wang (github: @ltfish)

angr solves this challenge with almost zero user intervention.

See the `script `_ and the `binary `_.

ReverseMe example: Defcamp CTF Qualification 2015 - Reversing 200
-----------------------------------------------------------------

Author: Fish Wang (github: @ltfish)

angr solves this challenge with almost zero user intervention. Veritesting is required to retrieve the flag promptly.

The `script `_ and the `binary `_. It takes a few minutes to run on my laptop.

ReverseMe example: MMA CTF 2015 - HowToUse
------------------------------------------

Author: Audrey Dutcher (github: @rhelmot)

We solved this simple reversing challenge with angr, since we were too lazy to reverse it or run it in Windows. The resulting `script `_ shows how we grabbed the flag out of the `DLL `_.

CrackMe example: MMA CTF 2015 - SimpleHash
------------------------------------------

Author: Chris Salls (github: @salls)

This crackme is 95% solvable with angr, but we did have to overcome some difficulties. The `script `_ describes the difficulties that were encountered and how we worked around them. The binary can be found `here `_.

ReverseMe example: FlareOn 2015 - Challenge 10
----------------------------------------------

Author: Fish Wang (github: @ltfish)

angr acts as a binary loader and an emulator in solving this challenge. I didn't have to load the driver onto my Windows box.

The `script `_ demonstrates how to hook at arbitrary program points without affecting the intended bytes to be executed (a zero-length hook). It also shows how to read bytes out of memory and decode them as a string.

By the way, here is the `link `_ to the intended solution from FireEye.

ReverseMe example: FlareOn 2015 - Challenge 2
---------------------------------------------

Author: Chris Salls (github: @salls)

This `reversing challenge `_ is simple to solve almost entirely with angr, and a lot faster than trying to reverse the password checking function.

The script is `here `_

ReverseMe example: 0ctf 2016 - momo
-----------------------------------

Author: Fish Wang (github: @ltfish), ocean (github: @ocean1)

This challenge is a `movfuscated `_ binary. After exploring the binary with Qira, it is possible to locate, using capstone, the places in the binary where each character of the password is checked, and then use angr to load the `binary `_ and brute-force the characters of the flag one at a time.

Be aware that the `script `_ is really slow. Runtime: > 1 hour.

CrackMe example: 9447 CTF 2015 - Reversing 330, "nobranch"
----------------------------------------------------------

Author: Audrey Dutcher (github: @rhelmot)

angr cannot currently solve this problem natively, as the problem is too complex for z3 to solve. Formatting the constraints for z3 a little differently allows z3 to come up with an answer relatively quickly. (I was asleep while it was solving, so I don't know exactly how long!)

The script for this is `here `_ and the binary is `here `_.

CrackMe example: ais3_crackme
-----------------------------

Author: Antonio Bianchi, Tyler Nighswander

ais3_crackme has been developed by Tyler Nighswander (tylerni7) for the ais3 summer school. It is an easy crackme challenge, checking its command line argument.

ReverseMe: Modern Binary Exploitation - CSCI 4968
-------------------------------------------------

Author: David Manouchehri (GitHub `@Manouchehri `_\ )

`This folder `_ contains scripts used to solve some of the challenges with angr. At the moment it only contains the examples from the IOLI crackme suite, but eventually other solutions will be added.

CrackMe example: Android License Check
--------------------------------------

Author: Bernhard Mueller (GitHub `@b-mueller `_\ )

A `native binary for Android/ARM `_ that validates a license key passed as a command line argument. It was created for the symbolic execution tutorial in the `OWASP Mobile Testing Guide `_.