We need help activating this product — we’ve lost our license key 🙁
You’re our only hope!
unbreakable-enterprise-product-activation: ./unbreakable_enterprise_product_activation product-key
ubuntu@ip-172-31-15-71:~$ ./unbreakable-enterprise-product-activation test
Product activation failure 255
Opening the executable in Binary Ninja and looking at the main function shows that there are a lot of calls being made. It appears to be a relatively straightforward program: each call checks a condition to see if our input key is valid.
Out of all these functions, there are only two important ones: the activation failure and success printfs. To find these, you could either look through all of the functions (since there aren't that many), or use string XREFs to locate them (which is what I did).
The failure printf function is at
Because we know what function we want to end up in (0x400830), symbolic execution is the most logical choice to solve for the unknown input. angr is one popular framework and works fantastically on these types of problems. Technically you could probably solve this challenge by hand too, but it would take an excessive amount of time.
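The approach described above, as an added example (this is not the author's linked solution script): argv[1] is made symbolic and angr is asked for a path that reaches 0x400830. The function names, the 64-byte KEY_LEN bound, starting from the program entry point and the empty AVOID_ADDR placeholder are assumptions; the failure printf address has to come from your own disassembly.

```python
# Added example: needs angr installed to run recover_key().
import sys

BINARY = "./unbreakable-enterprise-product-activation"  # name from the session above
FIND_ADDR = 0x400830   # address the write-up says we want to end up in
AVOID_ADDR = None      # placeholder: failure printf address from your disassembly
KEY_LEN = 64           # assumed upper bound on key length, not from the write-up


def clean_key(raw: bytes) -> str:
    """Cut the solver's bytes at the first NUL, as C string handling would."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def recover_key(path=BINARY, find=FIND_ADDR, avoid=AVOID_ADDR, key_len=KEY_LEN):
    """Return a key that drives execution to `find`, or None if no path is found."""
    import angr      # imported lazily so clean_key() works without angr
    import claripy

    proj = angr.Project(path, auto_load_libs=False)
    key = claripy.BVS("key", 8 * key_len)           # one symbolic byte per character
    state = proj.factory.entry_state(args=[path, key])

    # Restrict the search to keys a user could type: printable ASCII or a NUL.
    for byte in key.chop(8):
        state.solver.add(claripy.Or(byte == 0,
                                    claripy.And(byte >= 0x20, byte <= 0x7e)))

    simgr = proj.factory.simulation_manager(state)
    simgr.explore(find=find, avoid=avoid)           # avoid=None prunes nothing
    if not simgr.found:
        return None
    raw = simgr.found[0].solver.eval(key, cast_to=bytes)
    return clean_key(raw)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else BINARY
    result = recover_key(target)
    print(result if result is not None else "no path reached the target address")
```

Setting AVOID_ADDR to the failure printf address lets angr drop failing paths early; without it the search still works but explores more states.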
To install angr, using Docker is my favorite method. (Feel free to use another install method though.)
ubuntu@ip-172-31-15-71:~$ sudo docker pull angr/angr # This will always be the latest build!
ubuntu@ip-172-31-15-71:~$ git clone https://github.com/angr/angr-doc.git # This is just for the examples, you can omit this. I think the docs are included in the Docker image too.. oops.
ubuntu@ip-172-31-15-71:~$ sudo docker run -it -v /home/ubuntu/angr-doc:/angr-doc angr/angr
(angr)angr@8a69340dc95c:~$ python -c 'import angr' && echo 'angr is installed!'
angr is installed!
The full solution script can be found here (which includes inline comments to help explain what each line does). Please actually go to GitHub if you want to use this code, since it might change.
Running the script prints out the solution in a mere 4.5 seconds.
(angr)angr@8a69340dc95c:~$ cd /angr-doc/examples/google2016_unbreakable_0/