# DiceCTF 2021 Reversing

[TOC]

## Challenge 1: babymix (angr)

> [name=ret2basic]

### Description

Just the right mix of characters will lead you to the flag :)

[babymix](https://github.com/sajjadium/CTFium/raw/master/DiceCTF/2021/reverse/babymix/babymix)

### Recon

```shell
$ file babymix
babymix: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=c7fdc6b7ac4f0465758600fa9062e8f07b1a47b9, for GNU/Linux 3.2.0, not stripped
```

### Pseudocode

```c=1
int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 v3; // rbp
  __int64 v4; // rdx
  int result; // eax
  __int64 v6; // [rsp-48h] [rbp-48h]
  unsigned __int64 v7; // [rsp-10h] [rbp-10h]
  __int64 v8; // [rsp-8h] [rbp-8h]

  __asm { endbr64 }
  v8 = v3;
  v7 = __readfsqword(0x28u);
  sub_1080(&unk_3008, argv, envp);
  sub_10A0("Please enter your admin password: ");
  sub_10B0(&v6, 48LL, _bss_start);
  if ( (unsigned int)check815546(&v6) )
  {
    sub_1080("Correct! Wrap password in dice{} for the flag :)", 48LL, v4);
    result = 0;
  }
  else
  {
    sub_1080("\nIncorrect :(", 48LL, v4);
    result = -1;
  }
  if ( __readfsqword(0x28u) != v7 )
    result = sub_1090();
  return result;
}
```

### Analysis

The binary is a non-stripped PIE (`file` reports a "shared object"), and `main` does nothing more than read the password into a 48-byte buffer and hand it to `check815546()`, whose return value selects the "Correct!" or "Incorrect :(" branch. Rather than reversing the mixing logic by hand, use the [angr template](/@ret2basic-PwnieIsland/angr-Template) and modify the parameters as needed: the load base, the password length, and the addresses of the success and failure branches.
### Exploit

```python=1
#!/usr/bin/env python3
import angr
import claripy

FLAG_LEN = 22
STDIN_FD = 0

base_addr = 0x100000  # Match the load base used in Ghidra so addresses line up
proj = angr.Project("babymix", main_opts={'base_addr': base_addr})

# One 8-bit symbolic variable per password character
flag_chars = [claripy.BVS('flag_%d' % i, 8) for i in range(FLAG_LEN)]
# Add a trailing \n so the input routine accepts the line
flag = claripy.Concat(*flag_chars + [claripy.BVV(b'\n')])

state = proj.factory.full_init_state(
    args=['babymix'],
    add_options=angr.options.unicorn,
    stdin=flag,
)

# Constrain every character to the printable range
for k in flag_chars:
    state.solver.add(k >= ord('!'))
    state.solver.add(k <= ord('~'))

simgr = proj.factory.simulation_manager(state)

find_addr = 0x10222c   # Correct! Wrap password in dice{} for the flag :)
avoid_addr = 0x10223f  # \nIncorrect :(
simgr.explore(find=find_addr, avoid=avoid_addr)

# Concretize stdin for every state that reached the success branch
if simgr.found:
    for found in simgr.found:
        print(found.posix.dumps(STDIN_FD))
```

#### Flag

```
dice{m1x_it_4ll_t0geth3r!1!}
```

###### tags: `DiceCTF`