Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Solving for wcscmp

See original GitHub issue

Can’t seem to print stdin even after a path with scanf is found. Probably related to #113.

#!/usr/bin/env python2
# -*- coding: utf-8 -*-

# Author: David Manouchehri <manouchehri@protonmail.com>
# Modern Binary Exploitation
# http://security.cs.rpi.edu/courses/binexp-spring2015/

import angr

FIND_ADDR = 0x080484d7 # mov dword [esp], str.Congrats_ ; [0x80485e5:4]=0x676e6f43 LEA str.Congrats_ ; "Congrats!" @ 0x80485e5
AVOID_ADDR = 0x080484eb # mov dword [esp], str.Wrong_ ; [0x80485ef:4]=0x6e6f7257 LEA str.Wrong_ ; "Wrong!" @ 0x80485ef


def main():
    proj = angr.Project('crackme0x00b', load_options={"auto_load_libs": False}) 

    path = proj.factory.path()
    path.state.options.discard("LAZY_SOLVES")


    path_group = proj.factory.path_group(path)
    path_group.explore(find=FIND_ADDR, avoid=AVOID_ADDR) 
    return path_group.found[0].state.posix.dumps(0).split('\0')[0]
    # simuvex.s_errors.SimFileError: no content in file /dev/stdin

def test():
    assert main() == 'w0wgreat'
    """
    [0x080483e0]> px 32 @ obj.pass.1964
    - offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
    0x0804a040  7700 0000 3000 0000 7700 0000 6700 0000  w...0...w...g...
    0x0804a050  7200 0000 6500 0000 6100 0000 7400 0000  r...e...a...t...
    """

if __name__ == '__main__':
    print(main())

"""
[0x080483e0]> pdf @ main
            ;-- main:
╒ (fcn) sym.main 101
│           ; var int arg_4h @ esp+0x4
│           ; var int arg_1ch @ esp+0x1c
│           ; UNKNOWN XREF from 0x080483f8 (entry0)
│           ; DATA XREF from 0x080483f7 (entry0)
│           0x08048494      55             push ebp
│           0x08048495      89e5           mov ebp, esp
│           0x08048497      83e4f0         and esp, 0xfffffff0
│           0x0804849a      83c480         add esp, -0x80
│           ; JMP XREF from 0x080484f7 (sym.main)
│       ┌─> 0x0804849d      b8d0850408     mov eax, str.Enter_password: ; "Enter password: " @ 0x80485d0
│       │   0x080484a2      890424         mov dword [esp], eax
│       │   0x080484a5      e8d6feffff     call sym.imp.printf
│       │   0x080484aa      b8e1850408     mov eax, 0x80485e1
│       │   0x080484af      8d54241c       lea edx, [esp + arg_1ch]    ; 0x1c
│       │   0x080484b3      89542404       mov dword [esp + arg_4h], edx
│       │   0x080484b7      890424         mov dword [esp], eax
│       │   0x080484ba      e811ffffff     call sym.imp.__isoc99_scanf
│       │   0x080484bf      8d44241c       lea eax, [esp + arg_1ch]    ; 0x1c
│       │   0x080484c3      89442404       mov dword [esp + arg_4h], eax
│       │   0x080484c7      c7042440a004.  mov dword [esp], obj.pass.1964 ; [0x804a040:4]=119 LEA obj.pass.1964 ; "w" @ 0x804a040
│       │   0x080484ce      e8bdfeffff     call sym.imp.wcscmp
│       │   0x080484d3      85c0           test eax, eax
│      ┌──< 0x080484d5      7514           jne 0x80484eb
│      ││   0x080484d7      c70424e58504.  mov dword [esp], str.Congrats_ ; [0x80485e5:4]=0x676e6f43 LEA str.Congrats_ ; "Congrats!" @ 0x80485e5
│      ││   0x080484de      e8bdfeffff     call sym.imp.puts
│      ││   0x080484e3      90             nop
│      ││   0x080484e4      b800000000     mov eax, 0
│      ││   0x080484e9      c9             leave
│      ││   0x080484ea      c3             ret
│      └──> 0x080484eb      c70424ef8504.  mov dword [esp], str.Wrong_ ; [0x80485ef:4]=0x6e6f7257 LEA str.Wrong_ ; "Wrong!" @ 0x80485ef
│       │   0x080484f2      e8a9feffff     call sym.imp.puts
╘       └─< 0x080484f7      eba4           jmp 0x804849d

"""

Issue Analytics

State:
Created 7 years ago
Comments:26 (25 by maintainers)

Top GitHub Comments

1reaction

ltfishcommented, May 25, 2016

Should be the same problem as reported here: https://github.com/angr/angr/issues/110

I’ll update this issue when the commit of SimuVEX is merged and released.

0reactions

glen-maccommented, Mar 13, 2017

Was reversing the same binary and had the same issue.

Have latest release on pip of angr, seems this is still an issue.

Top Results From Across the Web

wcscmp() function in C++ with Examples - GeeksforGeeks

The wcscmp() function is used to compares two null terminating wide string and this comparison is done lexicographically. Syntax: int wcscmp( ...

What is wcscmp in C? - Educative.io

Learn the 24 patterns to solve any coding interview question without getting lost ... The wcscmp function in C lexicographically compares two wide...

wcscmp() — Compare Wide-Character Strings - IBM

The wcscmp() function compares two wide-character strings. The wcscmp() function operates on null-ended wchar_t strings; string arguments to this function ...

Why wcscmp() returns True when two strings are different?

The wcscmp() function returns an integer value, not a bool value. If the two strings are equal, it returns the integer value 0....

[Solved] How to compare BSTR with char* - CodeProject

So you must compare with a wide string and use a string compare function: C++. if (0 == wcscmp(var, L"a")) printf("they are equal\n");....