Earlier this year, I participated in the “hackcon” CTF. At the time, I did not solve the “AngryReverser” challenge, and I was pretty pissed with myself for not doing so – this appeared to be a straightforward solve.
Today, I attempted to solve this challenge with angr (primarily so I could learn angr), and I was successful. I will present the writeup below:
AngryReverser
This challenge was presented as a binary, “yolomolo”. You can download this (as well as the solution and flag) here: angryreverser
Initial analysis of the binary, reveals what appears to be a debug check:
And the “GoHomeOrGoCrazy” function, which is tremendous:
Further analysis breaks shows this function comes in three parts. Part 1, which ranges from approximately 0x40065C to 0x4029FD, consists of a static stack initialization function. There are no effective branches, and a lot of hard-coded data is moved onto the stack:
The second part of the function, ranging from this point to the end of the function, is a series of linear equations. If you fail one of the “equation blocks”, you end up in a no-no zone with a ptrace debug check, which appears designed to fail:
At this point, it is clear that this challenge should be solved via symbolic execution – angr is our tool of choice. Unfortunately, a naive angr script (stdin/stdout based) doesn’t work, giving us an error that nothing is on stdout (YMMV: sorry, forgot to grab a screencap).
Instead, to make this work, we can modify our angr script, and use two “failure” conditions:
- Printing “NOPE” at 0x405AB4
- Using “ptrace”
To enable this, we also quickly patch our binary to remove the first ptrace call (at 0x405AAA), as there is no path to avoid this. You can find the revised Python script here.
I’d like to thank the hackcon team for putting together this event: unfortunately, I was not able to enjoy all the challenges because I suck at computers, but I hope next year I will be more prepared to tackle these challenges.
