Challenge Description
1
2
3
4
5
This is the 4th in a series of Beginner Reversing Challenges. If you are new to Reversing, you may want to solve Reykjavik, then Riyadh then Rangoon before solving this challenge. This is a 20 point challenge and is different in two ways from the previous 10 point challenges. Once you get into gdb, b *main+offset is your friend! Good Luck!
Once you solve the challenge you can use the flag to decrypt the souces.zip.enc file provided, if you are interested in seeing the source programs used to create the challenge.
The readme file includes some online resources if you are new to Reversing and Assembler.
SOLUTION
Analysed using Cutter
1 . Analyse the binary with cutter at first
2 . Bypassing Execution time check [ Basic protection to exit if the binary is being debugged/analysed]
Here it checks if the time difference
rax - rbp < 2
during normal execution it will work, as the reading instructions in assembly by the system
does takes micro seconds to processJust modify the compare value in
0x55f87cf64111
from 2 to greater value such as 50 or 60
and it will pass the time check
1
2
0x55f87cf6410e sub rax, rbp
==> 0x55f87cf64111 cmp rax, 0x2 ; 2
3 . Passing [String Length Check]
- Creating a breakpoint at the value assignment in
uVar3=msg5[0]
can does get us the length of the supplied BUFFER STRING
1
uVar3 = (uint32_t)(uint8_t)msg5;
Where during executing
rdx
stores value0x21
which is 33
andr8
stores the value of length of the supplied BUFFER STRINGlen(<arg1>)
From here we can say that the total length of the Flag is 33
So we can ReRun the program with BUFFER STRING as'A'*33
Here
uVar1
is the length of the supplied BUFFER STRING
1
2
3
if (uVar3 != uVar1) {
return 0;
}
1
==> 0x55f87cf653a9 cmp rdx, r8
4 . Passing Alphabet checks For supplied BUFFER STRING
Here is the C code that has been analysed by cutter for alphabet check
Heremsg5
contain our FLAG
uVar3
get the first Hex-Code frommsg5
or we can sayuVar3 = msg5[0]
Here the loop runs until
uVar2<33
whereuVar2
is assigned 0 at the begining
or we can say that here i in for loop is considered as uVar2
undefined8 CheckMsg(char const*)(int64_t arg1)
{
int64_t iVar2;
uint32_t uVar3;
uVar3 = (uint32_t)(uint8_t)msg5;
if (uVar3 != 0) {
iVar2 = 0;
do {
if (*(uint8_t *)(iVar2 + 0x55e604e7a0e2) != (*(uint8_t *)(arg1 + iVar2) ^ *(uint8_t *)0x55e604e7a0e1)) {
return 0;
}
iVar2 = iVar2 + 1;
} while ((int32_t)iVar2 < (int32_t)uVar3);
}
return 1;
}
Logic check
1
2
3
if (msg5[i + 2] != (byte)(param_1[i] ^ msg5[1])) {
return 0;
}
- Here we can see that
*(uint8_t *)0x55e604e7a0e1
is a static variable.
On checking the Hexdump we can see that*(uint8_t *)0x55e604e7a0e1 = 0x7e
On checking0x55e604e7a0e1
variable we can clearly see the35
Hex Codes in Hexdump
which are21 7e 3d 2a 38 12 1b 1f 0c 10 05 2c 0b 16 0c 18 1b 0d 0a 0d 0e 17 1b 12 1b 21 38 1b 0d 0a 17 08 1f 12 03
Reversing the Logic check
Here
param_1
is the supplied BUFFER STRING
andmsg5[i+2]^msg5[1]
is xored together to get the value ofparam_1[i]
param_1[i] = msg5[i+2]^msg5[1]
Thus a simple Python program can be used to get the FLAG
By reversing the logic check Frommsg5
Hex Codes.
1
2
3
4
5
6
7
param_1 = ''
msg5 = [0x21, 0x7e, 0x3d, 0x2a, 0x38, 0x12, 0x1b, 0x1f, 0x0c, 0x10, 0x05, 0x2c, 0x0b, 0x16, 0x0c, 0x18, 0x1b, 0x0d, 0x0a, 0x0d, 0x0e, 0x17, 0x1b, 0x12, 0x1b, 0x21, 0x38, 0x1b, 0x0d, 0x0a, 0x17, 0x08, 0x1f, 0x12, 0x03]
for i in range(msg5[0]):
param_1+=chr(msg5[1]^msg5[i+2])
print('FLAG : ', param_1)
CTFlearn{Ruhrfestspiele_Festival}
This is how, I solved this challenge.
Thankyou, for reading my writeup :)
Hope, I would see you in my next writeup.
Support Me if you want to.