Restrict solutions to be in range A..Z

sharkmoos · Jul 25, 2017 · 2784f5d · 2784f5d
1 parent 805a7b5
commit 2784f5d
Show file tree

Hide file tree

Showing 19 changed files with 104 additions and 88 deletions.
diff --git a/00_angr_find/00_angr_find.c.templite b/00_angr_find/00_angr_find.c.templite
@@ -8,7 +8,6 @@ userdef = ''.join(random.choice(userdef_charset) for _ in range(8))
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <sys/ptrace.h>
 
 #define USERDEF "${ userdef }$"
 #define LEN_USERDEF ${ write(len(userdef)) }$
@@ -21,7 +20,7 @@ void print_msg() {
 }
 
 int complex_function(int value, int i) {
-#define LAMBDA 31
+#define LAMBDA 3
   if (!('A' <= value && value <= 'Z')) {
     printf("Try again.\n");
     exit(1);

diff --git a/01_angr_avoid/01_angr_avoid.c.templite b/01_angr_avoid/01_angr_avoid.c.templite
@@ -1,7 +1,7 @@
 ${
 import random, os
 random.seed(os.urandom(8))
-userdef_charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
+userdef_charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
 userdef = ''.join(random.choice(userdef_charset) for _ in range(8))
 
 def check_string_recursive(array0, array1, random_list, bit):
@@ -28,7 +28,6 @@ def check_string_recursive(array0, array1, random_list, bit):
 #include <string.h>
 #include <unistd.h>
 #include <stdint.h>
-#include <sys/syscall.h>
 
 #define USERDEF "${ userdef }$"
 #define LEN_USERDEF ${ write(len(userdef)) }$
@@ -46,10 +45,12 @@ void print_msg() {
 }
 
 int complex_function(int value, int i) {
-  if (!(33 < value && value < (33+94))) {
-    printf("Try again.\n"); exit(1);
+#define LAMBDA 5
+  if (!('A' <= value && value <= 'Z')) {
+    printf("Try again.\n");
+    exit(1);
   }
-  return (((value - 33 + 3*i) % 94) + 33);
+  return ((value - 'A' + (LAMBDA * i)) % ('Z' - 'A' + 1)) + 'A';
 }
 
 void avoid_me() {

diff --git a/01_angr_avoid/generate.py b/01_angr_avoid/generate.py
@@ -1,5 +1,4 @@
 #!/usr/bin/env pypy
-
 import sys, random, os, tempfile
 from templite import Templite
 

diff --git a/02_angr_find_condition/02_angr_find_condition.c.templite b/02_angr_find_condition/02_angr_find_condition.c.templite
@@ -2,7 +2,7 @@ ${
 import random, os
 random.seed(os.urandom(8))
 
-userdef_charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
+userdef_charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
 userdef = ''.join(random.choice(userdef_charset) for _ in range(8))
 
 def generate_true_statement(variable, value):
@@ -32,7 +32,6 @@ def recursive_if_else(variable, value, depth):
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <sys/ptrace.h>
 
 #define USERDEF "${ userdef }$"
 #define LEN_USERDEF ${ write(len(userdef)) }$
@@ -43,6 +42,15 @@ void print_msg() {
   printf("%s", msg);
 }
 
+int complex_function(int value, int i) {
+#define LAMBDA 31
+  if (!('A' <= value && value <= 'Z')) {
+    printf("Try again.\n");
+    exit(1);
+  }
+  return ((value - 'A' + (LAMBDA * i)) % ('Z' - 'A' + 1)) + 'A';
+}
+
 int main(int argc, char* argv[]) {
   char buffer[20];
   char password[20];
@@ -56,12 +64,12 @@ int main(int argc, char* argv[]) {
 
   strncpy(password, USERDEF, LEN_USERDEF);
 
-  password[0] ^= password[1];
-  password[1] ^= password[0];
-  password[0] ^= password[1];
-
   printf("Enter the password: ");
   scanf("%8s", buffer);
 
+  for (int i=0; i<LEN_USERDEF; ++i) {
+    buffer[i] = complex_function(buffer[i], i+8);
+  }
+
   ${ recursive_if_else('x', 0xDEADBEEF, 8) }$
 }
diff --git a/03_angr_symbolic_registers/03_angr_symbolic_registers.c.templite b/03_angr_symbolic_registers/03_angr_symbolic_registers.c.templite
@@ -10,7 +10,6 @@ def randomly_modify(var):
 
 #include <stdio.h>
 #include <stdlib.h>
-#include <sys/ptrace.h>
 
 register int eax asm("eax");
 register int ebx asm("ebx");

diff --git a/04_angr_symbolic_stack/04_angr_symbolic_stack.c.templite b/04_angr_symbolic_stack/04_angr_symbolic_stack.c.templite
@@ -6,7 +6,6 @@ userdef = [random.randint(0, 0xFFFFFFFF) for i in xrange(4)]
 
 #include <stdio.h>
 #include <stdlib.h>
-#include <sys/ptrace.h>
 #include <stdint.h>
 #include <string.h>
 

diff --git a/05_angr_symbolic_memory/05_angr_symbolic_memory.c.templite b/05_angr_symbolic_memory/05_angr_symbolic_memory.c.templite
@@ -2,14 +2,13 @@ ${
 import random, os
 random.seed(os.urandom(8))
 
-userdef_charset = [chr(i) for i in range(33, 127)]
+userdef_charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
 userdef = repr(''.join(random.choice(userdef_charset) for _ in range(32)))[1:-1].replace('\"', '\\\"')
 }$
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <sys/ptrace.h>
 #define USERDEF "${ userdef }$"
 
 char padding0[ ${ padding0 }$ ];
@@ -23,10 +22,12 @@ void print_msg() {
 }
 
 int complex_function(int value, int i) {
-  if (!(33 < value && value < (33+94))) {
-    printf("Try again.\n"); exit(1);
+#define LAMBDA 9
+  if (!('A' <= value && value <= 'Z')) {
+    printf("Try again.\n");
+    exit(1);
   }
-  return (((value - 33 + 17*i) % 94) + 33);
+  return ((value - 'A' + (LAMBDA * i)) % ('Z' - 'A' + 1)) + 'A';
 }
 
 int main(int argc, char* argv[]) {

diff --git a/06_angr_symbolic_heap/06_angr_symbolic_heap.c.templite b/06_angr_symbolic_heap/06_angr_symbolic_heap.c.templite
@@ -1,20 +1,26 @@
 ${
 import random, os
 random.seed(os.urandom(8))
-userdef_charset = [chr(i) for i in range(33, 127)]
-userdef = repr(''.join(random.choice(userdef_charset) for _ in range(32)))[1:-1].replace('\"', '\\\"')
+userdef_charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+userdef0 = ''.join([random.choice(userdef_charset) for _ in range(8)])
+userdef1 = ''.join([random.choice(userdef_charset) for _ in range(8)])
+userdef2 = ''.join([random.choice(userdef_charset) for _ in range(8)])
+userdef3 = ''.join([random.choice(userdef_charset) for _ in range(8)])
 }$
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <sys/ptrace.h>
-#define USERDEF "${ userdef }$"
+#define USERDEF0 "${ userdef0 }$"
+#define USERDEF1 "${ userdef1 }$"
+#define USERDEF2 "${ userdef2 }$"
+#define USERDEF3 "${ userdef3 }$"
 
-char padding2[${ padding2 }$];
-char* padding0;
-char* buffer;
-char* padding1;
+char padding2[${ padding }$];
+char* buffer0;
+char* buffer1;
+char* buffer2;
+char* buffer3;
 
 char msg[] = "${ description }$";
 
@@ -23,34 +29,44 @@ void print_msg() {
 }
 
 int complex_function(int value, int i) {
-  if (!(33 < value && value < (33+94))) {
-    printf("Try again.\n"); exit(1);
+#define LAMBDA 13
+  if (!('A' <= value && value <= 'Z')) {
+    printf("Try again.\n");
+    exit(1);
   }
-  return (((value - 33 + 19*i) % 94) + 33);
+  return ((value - 'A' + (LAMBDA * i)) % ('Z' - 'A' + 1)) + 'A';
 }
 
 int main(int argc, char* argv[]) {
-  padding0 = malloc(${ write(random.randint(0, 2**26)) }$);
-  buffer = malloc(33);
-  padding1 = malloc(${ write(random.randint(0, 2**26)) }$);
+  buffer0 = malloc(9);
+  buffer1 = malloc(9);
+  buffer2 = malloc(9);
+  buffer3 = malloc(9);
 
-  memset(buffer, 0, 33);
+  memset(buffer0, 0, 9);
+  memset(buffer1, 0, 9);
+  memset(buffer2, 0, 9);
+  memset(buffer3, 0, 9);
 
   print_msg();
   printf("Enter the password: ");
-  scanf("%8s %8s %8s %8s", buffer, &buffer[8], &buffer[16], &buffer[24]);
+  scanf("%8s %8s %8s %8s", buffer0, buffer1, buffer2, buffer3);
 
   for (int i=0; i<32; ++i) {
     buffer[i] = complex_function(buffer[i], i);
   }
 
-  if (strncmp(buffer, USERDEF, 32)) {
+  if (strncmp(buffer0, USERDEF0, 8)
+   || strncmp(buffer1, USERDEF1, 8)
+   || strncmp(buffer2, USERDEF2, 8)
+   || strncmp(buffer3, USERDEF3, 8)) {
     printf("Try again.\n");
   } else {
     printf("Good Job.\n");
   }
 
-  free(padding1);
-  free(buffer);
-  free(padding0);
+  free(buffer0);
+  free(buffer1);
+  free(buffer2);
+  free(buffer3);
 }
diff --git a/06_angr_symbolic_heap/generate.py b/06_angr_symbolic_heap/generate.py
@@ -17,7 +17,7 @@ def generate(argv):
   with open(os.path.join(os.path.dirname(os.path.realpath(__file__)), 'description.txt'), 'r') as desc_file:
     description = desc_file.read().encode('string_escape').replace('\"', '\\\"')
 
-  padding2 = random.randint(0, 2**26)
+  padding = random.randint(0, 2**26)
 
   template = open(os.path.join(os.path.dirname(os.path.realpath(__file__)), '06_angr_symbolic_heap.c.templite'), 'r').read()
   c_code = Templite(template).render(description=description, padding2=padding2)

diff --git a/07_angr_symbolic_file/07_angr_symbolic_file.c.templite b/07_angr_symbolic_file/07_angr_symbolic_file.c.templite
@@ -1,15 +1,14 @@
 ${
 import random, os
 random.seed(os.urandom(8))
-userdef_charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
+userdef_charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
 userdef0 = ''.join(random.choice(userdef_charset) for _ in range(8))
 }$
 
 #include <stdio.h>
 #include <unistd.h>
 #include <stdlib.h>
 #include <string.h>
-#include <sys/ptrace.h>
 #define USERDEF0 "${ userdef0 }$"
 #define USERDEF1 "${ userdef1 }$.txt"
 #define FILESIZE 64
@@ -24,10 +23,12 @@ void print_msg() {
 }
 
 int complex_function(int value, int i) {
-  if (!(33 < value && value < (33+94))) {
-    printf("Try again.\n"); exit(1);
+#define LAMBDA 17
+  if (!('A' <= value && value <= 'Z')) {
+    printf("Try again.\n");
+    exit(1);
   }
-  return (((value - 33 + 23*i) % 94) + 33);
+  return ((value - 'A' + (LAMBDA * i)) % ('Z' - 'A' + 1)) + 'A';
 }
 
 void write_string_to_file(char* buffer, int length) {

diff --git a/07_angr_symbolic_file/generate.py b/07_angr_symbolic_file/generate.py
@@ -17,7 +17,7 @@ def generate(argv):
   with open(os.path.join(os.path.dirname(os.path.realpath(__file__)), 'description.txt'), 'r') as desc_file:
     description = desc_file.read().encode('string_escape').replace('\"', '\\\"')
 
-  userdef_charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
+  userdef_charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
   userdef1 = ''.join(random.choice(userdef_charset) for _ in range(8))
   template = open(os.path.join(os.path.dirname(os.path.realpath(__file__)), '07_angr_symbolic_file.c.templite'), 'r').read()
   c_code = Templite(template).render(description=description, userdef1=userdef1)

diff --git a/08_angr_constraints/08_angr_constraints.c.templite b/08_angr_constraints/08_angr_constraints.c.templite
@@ -6,7 +6,6 @@ import random, os
 #include <stdlib.h>
 #include <string.h>
 #include <stdint.h>
-#include <sys/ptrace.h>
 
 #define USERDEF0 "${ userdef0 }$"
 #define USERDEF1 "${ userdef1 }$"

diff --git a/09_angr_hooks/09_angr_hooks.c.templite b/09_angr_hooks/09_angr_hooks.c.templite
@@ -1,15 +1,14 @@
 ${
 import random, os
 random.seed(os.urandom(8))
-userdef_charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
+userdef_charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
 userdef = [''.join(random.choice(userdef_charset) for _ in range(8)) for _ in range(4)]
 }$
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <stdint.h>
-#include <sys/ptrace.h>
 
 #define USERDEF0 "${ userdef[0] }$"
 #define USERDEF1 "${ userdef[1] }$"
@@ -27,10 +26,12 @@ void print_msg() {
 }
 
 int complex_function(int value, int i) {
-  if (!(33 < value && value < (33+94))) {
-    printf("Try again.\n"); exit(1);
+#define LAMBDA 23
+  if (!('A' <= value && value <= 'Z')) {
+    printf("Try again.\n");
+    exit(1);
   }
-  return (((value - 33 + 31*i) % 94) + 33);
+  return ((value - 'A' + (LAMBDA * i)) % ('Z' - 'A' + 1)) + 'A';
 }
 
 int main(int argc, char* argv[]) {

diff --git a/10_angr_sim_procedures/10_angr_sim_procedures.c.templite b/10_angr_sim_procedures/10_angr_sim_procedures.c.templite
@@ -1,7 +1,7 @@
 ${
 import random, os
 random.seed(os.urandom(16))
-userdef_charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
+userdef_charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
 userdef = [''.join(random.choice(userdef_charset) for _ in range(8)) for _ in range(4)]
 def generate_true_statement(variable, value):
   random_int = random.randint(0, 0xFFFFFFFF)
@@ -31,7 +31,6 @@ def recursive_if_else(variable, value, end_statement, depth):
 #include <stdlib.h>
 #include <string.h>
 #include <stdint.h>
-#include <sys/ptrace.h>
 
 #define USERDEF0 "${ userdef[0] }$"
 #define USERDEF1 "${ userdef[1] }$"
@@ -52,10 +51,12 @@ void print_msg() {
 }
 
 int complex_function(int value, int i) {
-  if (!(33 < value && value < (33+94))) {
-    printf("Try again.\n"); exit(1);
+#define LAMBDA 29
+  if (!('A' <= value && value <= 'Z')) {
+    printf("Try again.\n");
+    exit(1);
   }
-  return (((value - 33 + 7*i) % 94) + 33);
+  return ((value - 'A' + (LAMBDA * i)) % ('Z' - 'A' + 1)) + 'A';
 }
 
 int main(int argc, char* argv[]) {

diff --git a/11_angr_locate_vulnerable/11_angr_locate_vulnerable.c.templite b/11_angr_locate_vulnerable/11_angr_locate_vulnerable.c.templite
@@ -3,7 +3,7 @@ import random, os
 random.seed(os.urandom(16))
 
 def generate_str_int():
-  userdef_charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
+  userdef_charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
   result = 0
   for i, c in enumerate([random.choice(userdef_charset) for _ in xrange(4)]):
     result |= ord(c) << (i * 8)
@@ -23,7 +23,6 @@ def expanded_switch_statement(variable, miss_statement, hit_statement, samples):
 #include <string.h>
 #include <stdint.h>
 #include <signal.h>
-#include <sys/ptrace.h>
 
 char msg[] = "${ description }$";
 char strcpy_buffer[8 + 4];
@@ -57,6 +56,8 @@ int main(int argc, char* argv[]) {
   printf("Enter the password: ");
   scanf("%u %32s", &key, user_buffer);
 
+  /* todo: add complex function */
+
   ${
   hit_statement = """
   strcpy(strcpy_buffer, user_buffer);