finish 6.2.4

src/writeup/6.2.4_re_csawctf2015_wyvern/exp_pin.py

@@ -0,0 +1,24 @@
+import os
+
+def get_count(flag):
+    cmd = "echo " + "\"" + flag + "\"" + " | ../../../pin -t obj-intel64/wyvern.so -o inscount.out -- ~/wyvern "
+    os.system(cmd)
+    with open("inscount.out") as f:
+        count = int(f.read().split(" ")[1])
+    return count
+
+charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-+*'"
+
+flag = list("A" * 28)
+count = 0
+for i in range(28):
+    for c in charset:
+        flag[i] = c
+        # print("".join(flag))
+        count = get_count("".join(flag))
+        # print(count)
+        if count == i+2:
+            break
+    if count == 29:
+        break;
+print("".join(flag))

src/writeup/6.2.4_re_csawctf2015_wyvern/exp_re.py

@@ -0,0 +1,12 @@
+array = [0x64,  0xd6,  0x10a, 0x171, 0x1a1, 0x20f, 0x26e,
+         0x2dd, 0x34f, 0x3ae, 0x41e, 0x452, 0x4c6, 0x538,
+         0x5a1, 0x604, 0x635, 0x696, 0x704, 0x763, 0x7cc,
+         0x840, 0x875, 0x8d4, 0x920, 0x96c, 0x9c2, 0xa0f]
+
+flag = ""
+base = 0
+for num in array:
+    flag += chr(num - base)
+    base = num
+
+print flag

src/writeup/6.2.4_re_csawctf2015_wyvern/wyvern.cpp

@@ -0,0 +1,70 @@
+#include <iostream>
+#include <fstream>
+#include "pin.H"
+
+ofstream OutFile;
+
+// The running count of instructions is kept here
+// make it static to help the compiler optimize docount
+static UINT64 icount = 0;
+
+// This function is called before every instruction is executed
+VOID docount(void *ip) {
+    if ((long int)ip == 0x00402a7f) icount++;   // 0x00402a7f cmp eax, ecx
+    if ((long int)ip == 0x0040e2af) icount++;   // 0x0040e2a2 jne 0x0040e2af
+}
+
+// Pin calls this function every time a new instruction is encountered
+VOID Instruction(INS ins, VOID *v)
+{
+    // Insert a call to docount before every instruction, no arguments are passed
+    INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)docount, IARG_INST_PTR, IARG_END);  // IARG_INST_PTR: Type: ADDRINT. The address of the instrumented instruction.
+}
+
+KNOB<string> KnobOutputFile(KNOB_MODE_WRITEONCE, "pintool",
+    "o", "inscount.out", "specify output file name");
+
+// This function is called when the application exits
+VOID Fini(INT32 code, VOID *v)
+{
+    // Write to a file since cout and cerr maybe closed by the application
+    OutFile.setf(ios::showbase);
+    OutFile << "Count " << icount << endl;
+    OutFile.close();
+}
+
+/* ===================================================================== */
+/* Print Help Message                                                    */
+/* ===================================================================== */
+
+INT32 Usage()
+{
+    cerr << "This tool counts the number of dynamic instructions executed" << endl;
+    cerr << endl << KNOB_BASE::StringKnobSummary() << endl;
+    return -1;
+}
+
+/* ===================================================================== */
+/* Main                                                                  */
+/* ===================================================================== */
+/*   argc, argv are the entire command line: pin -t <toolname> -- ...    */
+/* ===================================================================== */
+
+int main(int argc, char * argv[])
+{
+    // Initialize pin
+    if (PIN_Init(argc, argv)) return Usage();
+
+    OutFile.open(KnobOutputFile.Value().c_str());
+
+    // Register Instruction to be called to instrument instructions
+    INS_AddInstrumentFunction(Instruction, 0);
+
+    // Register Fini to be called when the application exits
+    PIN_AddFiniFunction(Fini, 0);
+
+    // Start the program, never returns
+    PIN_StartProgram();
+
+    return 0;
+}