not_malware_angr.py

#!/usr/bin/env python3

# patch out all the init checks for angr
from pwn import *
binary = ELF('not_malware')
binary.write(0x18d1,5*b'\x90')
binary.write(0x12aa,5*b'\x90')
binary.write(0x12af,5*b'\x90')
binary.write(0x12b4,5*b'\x90')
binary.save('not_malware_patched')
os.chmod('not_malware_patched',0o755)

import angr, time, io, claripy
FIND_ADDR=0x401729 # puts("Thanks!");
t=time.time()
binary = open('./not_malware_patched','rb').read()
proj = angr.Project(io.BytesIO(binary),auto_load_libs=False)

input_len = 37
ccard_chars = [claripy.BVS('ccard_%d' % i, 8) for i in range(input_len)]
ccard = claripy.Concat(*ccard_chars + [claripy.BVV(b'\n')])
state = proj.factory.entry_state(stdin=ccard)

for i, k in enumerate(ccard_chars):
    # only printable characters
    state.solver.add(k < 0x7f)
    state.solver.add(k > 0x20)
    if i <= 7:
        # first 8 chars are lowercase letters
        state.solver.add(k >= 0x61)
        state.solver.add(k <= 0x7a)
    elif i >= 9 and i <= 11:
        # then 3 digits
        state.solver.add(k >= 0x30)
        state.solver.add(k <= 0x39)
    elif i >= 13 and i <= 32:
        # then 20 digits
        state.solver.add(k >= 0x30)
        state.solver.add(k <= 0x39)
    elif i >= 34 and i <= 36:
        # then 3 lowercase letters
        state.solver.add(k >= 0x61)
        state.solver.add(k <= 0x7a)

simgr = proj.factory.simulation_manager(state)
simgr.use_technique(angr.exploration_techniques.DFS())
simgr.explore(find=FIND_ADDR)
print(simgr.found[0].posix.dumps(0))
print(time.time() - t,end="")
print(" seconds")