
Rangoon [RE][EASY] Writeup


Challenge Description

Challenge Details

This is the third in a series of introductory Reversing Challenges; Reykjavik, Riyadh and Rangoon.
These are designed for people new to Reversing. A little gdb, C and Assembler knowledge should be enough to solve this challenge.
Good Luck!

Note that once you solve the challenge, you can use the flag to decrypt the source file used to create the challenge if you are interested in seeing the original C program.

The LiveOverflow channel on YouTube has some great tutorials on reversing; this video has almost everything you need to solve this challenge: https://www.youtube.com/watch?v=VroEiMOJPm8

SOLUTION

Analysed using Cutter

  1. Load The Binary in Cutter

While analysing the program, we can see that the input string is passed as a command-line argument:

./Rangoon <puVar4>

In Cutter's decompiled code for main:

puVar4 = (uint8_t *)argv[1]; // string input

  2. Debug the program with a random-length input

In this case we use AAA.

  3. Pass the string length check and identify the starting string

The check passes if len(puVar4) >= len(puVar13), which means the input string must start with CTFlearn{ and must be at least as long as CTFlearn{.

puVar13 = (uint8_t *)"CTFlearn{";
bVar14 = *puVar11 < *puVar13;

  4. Pass the check for the ending character

Check whether the supplied input string has 0x7d (}) at the end.

iVar9 = strlen(puVar4);
if (puVar4[iVar9 + -1] == 0x7d)

  5. Get the characters at particular indexes of the supplied input string

The character at index 17 is stored in uVar2 and the character at index 22 is stored in uVar3 for checks later on.

uVar2 = puVar4[0x11]; // puVar4[17]
uVar3 = puVar4[0x16]; // puVar4[22]

  6. Pass the comparison checks of uVar2 and uVar3 against 0x5f (_)

If puVar4[17] and puVar4[22] are both 0x5f, the character comparison checks pass.

iVar7 = __stpcpy_chk(uVar10 + 0x55bdbf8310e8, 
                                     *(undefined8 *)(iVar5 + (uint64_t)((uVar2 == 0x5f) + 2) * 8), 
                                     (int64_t)puVar12 - (uVar10 + 0x55bdbf8310e8));

iVar7 = __stpcpy_chk(iVar7 + 1, *(undefined8 *)(iVar5 + ((uint64_t)(uVar3 == 0x5f) * 5 + 3) * 8), 
                                     (int64_t)r9 - iVar7);

This means the input string can now be structured as
CTFlearn{<part1>_<part2>_<part3>}
where <part1>, <part2> and <part3> are the strings that make up the FLAG.

  7. Pass the input string length check

The length check passes if len(puVar4) == 28, which means the FLAG length is 28.

iVar9 = strlen(puVar4);
iVar8 = __stpcpy_chk(iVar7 + 1, *(undefined8 *)(iVar5 + ((uint64_t)(iVar8 == 0x1c) * 3 + 9) * 8), 0x557d5494b1df - iVar7);

  8. Supply a structured input string to get the FLAG

From the discussion above, an input string that passes every check during debugging is
CTFlearn{AAAAAAAA_AAAA_AAAA}
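
The structural conditions recovered in steps 3 to 7, collected into one checker plus a probe builder. This is an added example, not the challenge's original source; the names shape_errors, build_probe and the BAD_* flags are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* One bit per structural check from steps 3-7 (hypothetical names). */
enum {
    BAD_PREFIX = 1 << 0,  /* does not start with "CTFlearn{"  */
    BAD_CLOSE  = 1 << 1,  /* last byte is not 0x7d '}'        */
    BAD_SEP17  = 1 << 2,  /* byte at index 17 is not 0x5f '_' */
    BAD_SEP22  = 1 << 3,  /* byte at index 22 is not 0x5f '_' */
    BAD_LENGTH = 1 << 4   /* strlen is not 0x1c (28)          */
};

/* Return 0 if the candidate has the expected shape, else the OR of failed
 * checks. Indexed reads are length-guarded so "AAA" is never over-read. */
unsigned shape_errors(const char *s)
{
    static const char prefix[] = "CTFlearn{";
    size_t len = strlen(s);
    unsigned err = 0;
    if (len < sizeof prefix - 1 || memcmp(s, prefix, sizeof prefix - 1) != 0)
        err |= BAD_PREFIX;
    if (len == 0 || s[len - 1] != 0x7d)
        err |= BAD_CLOSE;
    if (len <= 0x11 || s[0x11] != 0x5f)
        err |= BAD_SEP17;
    if (len <= 0x16 || s[0x16] != 0x5f)
        err |= BAD_SEP22;
    if (len != 0x1c)
        err |= BAD_LENGTH;
    return err;
}

/* Build a 28-byte probe that satisfies every check; out needs 29 bytes. */
void build_probe(char out[0x1c + 1], char filler)
{
    memset(out, filler, 0x1c);
    memcpy(out, "CTFlearn{", 9);
    out[0x11] = out[0x16] = 0x5f;   /* separators at indexes 17 and 22 */
    out[0x1b] = 0x7d;               /* closing brace at index 27       */
    out[0x1c] = '\0';
}

int main(void)
{
    char probe[0x1c + 1];
    build_probe(probe, 'A');
    printf("%s -> errors 0x%x\n", probe, shape_errors(probe));
    printf("AAA -> errors 0x%x\n", shape_errors("AAA"));
}
```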

  9. Get the FLAG from the register

Set a breakpoint at strcmp:

argc = strcmp(puVar4, rbp);

Supplying the above string puts our FLAG in the rbp register, where it can be read in the hex dump.


FLAG : CTFlearn{Princess_Maha_Devi}


This is how I solved this challenge.

Thank you for reading my writeup :)
I hope to see you in my next writeup.

This post is licensed under CC BY 4.0 by the author.