Monday 21 November 2016

RC3 CTF - Logmein

This reversing challenge was pretty simple.

First of all I looked at the decompiled pseudocode of the binary (IDA Pro output, with the functions renamed to make it easier to follow).
The code makes it easy to understand what the program is doing.



We have to reach the CorrectPass function by supplying the correct input, i.e. the flag. The loop walks the input one byte at a time: it first checks that the current index is still inside the input (otherwise it calls wrongPass), then XORs the byte with a 7-byte key selected by index % 7 and compares the result with the corresponding byte of a stored buffer, again calling wrongPass on a mismatch.
I was particularly interested in that second if statement inside the for loop, because it is the point where each byte of the flag is decided.

So I put a breakpoint at that comparison (address 0x40078c) in GDB.



So the rdx and rdi values are being compared: at the breakpoint rdi holds the character the program expects at the current index and rdx holds the character from my input. The loop only advances past an index once those two match, so every run leaks exactly one more character of the flag. Run the program with an input longer than 16 characters, read the expected character out of rdi, patch it into your input at that position, and run again. Repeat until the comparison succeeds for every index.
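The procedure above can be automated, and it is also worth seeing why the check is weak in the first place. The following is an added example, not code from the challenge binary or from the writeup: a Python model of the check as it decompiles (one byte per iteration XORed against a 7-byte repeating key, wrongPass on the first failure), the direct inversion you can do once both buffers are pulled out of the binary, and the breakpoint-driven recovery the writeup describes. The key `KEY` is an assumption and `STORED` is derived from the flag under that key; the real binary's constants are not reproduced on this page.

```python
# Added example (not the challenge binary's code): a model of the logmein
# check plus two ways to recover the flag from it.  KEY is an assumption and
# STORED is built from the flag under that key; the real constants are not
# on the page.

FLAG = "RC3-2016-XORISGUD"   # the flag from the writeup
KEY = b"example"             # assumption: any 7-byte key demonstrates the idea
STORED = bytes(ord(c) ^ KEY[i % 7] for i, c in enumerate(FLAG))


class WrongPass(Exception):
    """Raised wherever the binary would call wrongPass()."""

    def __init__(self, index, expected):
        super().__init__(f"wrongPass at index {index}")
        self.index = index        # loop counter when the check bailed out
        self.expected = expected  # expected byte, or None if the length check failed


def logmein_check(user_input: bytes) -> bool:
    """Mirror of the decompiled loop.  XOR is an involution, so comparing
    input[i] ^ key[i % 7] with stored[i] (what the decompiler shows) is the
    same test as comparing input[i] with stored[i] ^ key[i % 7] (what the
    registers show at the breakpoint)."""
    for i in range(len(STORED)):
        if i >= len(user_input):              # first if: input too short
            raise WrongPass(i, None)
        expected = STORED[i] ^ KEY[i % 7]
        if user_input[i] != expected:         # second if: the byte compare
            raise WrongPass(i, expected)
    return True


def recover_flag_directly() -> str:
    """With both buffers pulled out of the binary there is nothing to debug."""
    return bytes(STORED[i] ^ KEY[i % 7] for i in range(len(STORED))).decode()


def breakpoint_oracle(user_input: bytes):
    """Model of a breakpoint on the compare: returns (index, expected byte)
    when the compare fails, (index, None) when the length check fails before
    the compare is reached, or None when the input passes."""
    try:
        logmein_check(user_input)
    except WrongPass as e:
        return e.index, e.expected
    return None


def recover_flag_via_oracle():
    """The writeup's GDB procedure automated: each run leaks at most one
    more character.  Returns (flag, number of runs)."""
    guess = bytearray()
    runs = 0
    while True:
        runs += 1
        leak = breakpoint_oracle(bytes(guess))
        if leak is None:
            return guess.decode(), runs
        index, expected = leak
        if expected is None:        # never reached the compare: pad the input
            guess.append(ord("A"))
        else:                       # copy the leaked byte into the guess
            guess[index] = expected


if __name__ == "__main__":
    print(recover_flag_directly())
    print(recover_flag_via_oracle())
```

The oracle-driven recovery starts from an empty input on purpose: whenever the length check fires before the compare is reached, the breakpoint is never hit, which is the reason the writeup insists on an input longer than 16 characters. Growing the guess one byte at a time handles that without knowing the flag length up front, at the cost of roughly two runs per character.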

Finally I found the flag to be:

RC3-2016-XORISGUD

Thanks for reading

9 comments:

  1. Hello. Which decompiler did you use to get this pseudo code? The one that I used gave me a worse result.

    ReplyDelete
    Replies
    1. Hi! I have used IDA pro to decompile it. I have also renamed the functions to make it a little more understandable.

      Delete
    2. Yes, I understood about renaming, but even the structure is much better here. The one I used gave me something looking like this (part inside while):
      while (rax5 = length(reinterpret_cast(rbp1) - 80), reinterpret_cast(static_cast(v4)) < rax5) {
      rax6 = length(reinterpret_cast(rbp1) - 32);
      if (reinterpret_cast(static_cast(v4)) >= rax6) {
      wrongPass();
      }
      v7 = *reinterpret_cast(reinterpret_cast(rbp1) + v4 - 32);
      __asm__("cdq ");
      v8 = *reinterpret_cast(reinterpret_cast(rbp1) + v4 % 7 - 40);
      edx9 = reinterpret_cast(static_cast(v7)) ^ reinterpret_cast(static_cast(v8));
      if (static_cast(*reinterpret_cast(reinterpret_cast(rbp1) + v4 - 80)) != static_cast(*reinterpret_cast(&edx9))) {
      wrongPass();
      }
      Much less comprehensible.
      Thank you for the answer.

      Delete
    3. oh, this does not look good.
      By the way which decompiler were you using?

      Delete
    4. Yes, that was quite hard to read :)
      I used Snowman http://derevenets.com/

      Delete
  2. What command do you use in gdb? Can you explain the details of using gdb?

    ReplyDelete
    Replies
    1. Ok. I'll try to explain it.
      First of all, put a breakpoint at address 0x40078c. Then run it and give your input. Note that the string length must be greater than 16. When you hit the breakpoint, note down the character in rdi (it will be 'R'). Then run the program again. Give the input again, but this time make sure that the first letter of the string is 'R'. Now, when you hit the breakpoint again, both rdi and rdx will have the same value. So the loop will continue and reach the second iteration. When you hit the breakpoint again, see the value in rdi (it will be 'C'). Change your input accordingly. Now the input will start with 'RC'. Continue to the next iteration. Then repeat the same process again and again till you get the complete flag.

      I hope now you get it.

      Delete
  3. Hello, can I get your email? I want to ask more about CTF.

    ReplyDelete
  4. Yeah...sure
    You can contact me at: iamakshayajayan@gmail.com

    ReplyDelete