The TUCTF 2019 event is finished. This time I was able to finish all of the RE challenges and I'm so happy to get my first wiped up
I learn so much from this competition since I try a lot of new things to solve the RE challenges and this actually opens my eyes to try harder since there are so many things that I don't know which is good.
For pwn, I only managed to finished 4 from 10 challenges I was stuck with one of the challenges but that's okay I will try it again to finish this leftover challenge and create the write-up ASAP. There are a lot of interesting challenge that I can't wait to solve
The write-up for pwn challenge will be posted in the next post
let's take a look at the source code using ghidra:
The code itself is not too hard to interpret, it only takes the input range from 1-4 and based on the input it will call the predefined functions.
But when we look at each of the function code it always ends up with the same behavior.
it takes this weird string and passed it to the printFlag functions that contain some sort of form of the decoding process.
ok so I think it is pretty clear here what we need to do next, we only need to get the weird string that contains the real flag and passed it to the printFlag in runtime.
let's try to list all of the strings in the program
the first string seems to be interesting it may contain the real flag. Run the binary inside gdb and put a breakpoint before the function called the printFlag functions, you can choose any functions at this time I choose the A function
After setting the breakpoint just run the binary and you will get to the breakpoint all you have to do is just assign the new value to rax register. As you can see the rax value is move to rdi register before calling the printFlag function this is one of the behavior in system call in 64 bit instead using PUSH it will use the register as the placing for the parameter.
hit continue and you will get the flag :)
(This is what happen when you run object file in gdb)
so how do you make the object executable you can use gcc to compile it
Notice that every input we enter will be passed to the checkPassword function and will go under some sort of weird checksum
while ((int)local_10 < passlen) {
if ((byte)(~(param_1[(int)local_10] << 1) ^ 0xaaU) != password[(int)local_10]) {
you only need to pay attention at this two codes, as you can see each of the input characters will be shifted left by one byte, negate it and at the end, it will be XORed with value 0xaa
all we need to do here is just reverse this process to get the flag and to automate all the tasks I used r2pipe library in python.
Don't forget that when the function checkpassword is called our input length is check and need to be length of 44 => 2c characters
with that knowledge, we can create .rr2 file for the input
then we can create this following script:
the reverse function is used to decode the characters by xored the character by 0xaa and you flipped the bit again and last, you need to shift the bit to the right
inside the loop for, there are two section
the first section is to gather the flag and decode it I use "pxj" command to get the value of the register
and then the second section is to just bypass the comparison so we able to get the next characters
run the script and you will get the flag :)
I try to run the core file and try to trace the execution but unfortunately, I don't get any clue about the flag. So I try to list all of the strings inside the program if there is any interesting content.
so after a quick glance, I found this interesting string and as I mentioned I get the source code
If we take a look at the source code we can see that the flag is XORed with 1 so all we have to do is just create a script to do the job.
cool we got the flag :)
I learn so much from this competition since I try a lot of new things to solve the RE challenges and this actually opens my eyes to try harder since there are so many things that I don't know which is good.
For pwn, I only managed to finished 4 from 10 challenges I was stuck with one of the challenges but that's okay I will try it again to finish this leftover challenge and create the write-up ASAP. There are a lot of interesting challenge that I can't wait to solve
The write-up for pwn challenge will be posted in the next post
Faker:
I think you guys already know the purpose of this challenge judging from the name of the binary ^___^. When you run the program it will give you a bunch of fake flag
let's take a look at the source code using ghidra:
The code itself is not too hard to interpret, it only takes the input range from 1-4 and based on the input it will call the predefined functions.
But when we look at each of the function code it always ends up with the same behavior.
let's try to list all of the strings in the program
the first string seems to be interesting it may contain the real flag. Run the binary inside gdb and put a breakpoint before the function called the printFlag functions, you can choose any functions at this time I choose the A function
After setting the breakpoint just run the binary and you will get to the breakpoint all you have to do is just assign the new value to rax register. As you can see the rax value is move to rdi register before calling the printFlag function this is one of the behavior in system call in 64 bit instead using PUSH it will use the register as the placing for the parameter.
hit continue and you will get the flag :)
Object:
this challenge is kinda unique instead giving us another executable file but they gave us an object file. In linux object file only containing code and data of the program without the neccessary library.
(This is what happen when you run object file in gdb)
so how do you make the object executable you can use gcc to compile it
Notice that every input we enter will be passed to the checkPassword function and will go under some sort of weird checksum
while ((int)local_10 < passlen) {
if ((byte)(~(param_1[(int)local_10] << 1) ^ 0xaaU) != password[(int)local_10]) {
you only need to pay attention at this two codes, as you can see each of the input characters will be shifted left by one byte, negate it and at the end, it will be XORed with value 0xaa
all we need to do here is just reverse this process to get the flag and to automate all the tasks I used r2pipe library in python.
Don't forget that when the function checkpassword is called our input length is check and need to be length of 44 => 2c characters
with that knowledge, we can create .rr2 file for the input
then we can create this following script:
the reverse function is used to decode the characters by xored the character by 0xaa and you flipped the bit again and last, you need to shift the bit to the right
inside the loop for, there are two section
the first section is to gather the flag and decode it I use "pxj" command to get the value of the register
and then the second section is to just bypass the comparison so we able to get the next characters
run the script and you will get the flag :)
CORE:
so in this challenge, we got two files first is the source code and core file. The core file is just a file that generated by the file if segmentation fault occurI try to run the core file and try to trace the execution but unfortunately, I don't get any clue about the flag. So I try to list all of the strings inside the program if there is any interesting content.
so after a quick glance, I found this interesting string and as I mentioned I get the source code
If we take a look at the source code we can see that the flag is XORed with 1 so all we have to do is just create a script to do the job.
cool we got the flag :)
hi, i don't know how to dump file core elf ?, please respond to me soon, thank you !!!
ReplyDeletehi the dump file is include along the challenge
Deleteand my gmail: none.execuable123@gmail.com
ReplyDelete