Are you able to cheat me and get the flag?
$ file impossible_password.bin
impossible_password.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ba116ba1912a8c3779ddeb579404e2fdf34b1568, stripped
$ strings impossible_password.bin
ASCII "SuperSeKretKey"
$ ./impossible_password
SuperSeKretKey
[SuperSeKretKey]
**
$ ltrace ./impossible_password.bin
... ...
strcmp("test", "c5Bo~v4[!#+f}9T+W1]V") = 17
+++ exited (status 17) +++
$ ltrace ./impossible_password.bin
... ...
strcmp("letmein", "7S\\&{UyJ>&+1PB{Ep*4*") = 53
+++ exited (status 53) +++
compare with random code??? we need bypass this with r2 patch.
$ cp impossible_password.bin impossible_password
$ r2 -A -w impossible_password
[0x004006a0]> s main
[0x0040085d]> pdf
[0x0040085d]> s fcn.0040078d
[0x0040078d]> pdf
*** write jmp 0x0040096a,
[0x0040078d]> s 0x00400966
[0x00400961]> wa jmp 0x0040096a
Written 2 byte(s) (jmp 0x0040096a) = wx eb07
0x00400966 85c0 test eax, eax
│ ┌─< 0x00400968 750c jne 0x400976
│ │ 0x0040096a 488d45c0 lea rax, [var_40h]
│ │ 0x0040096e 4889c7 mov rdi, rax ; int64_t arg1
│ │ 0x00400971 e802000000 call fcn.00400978
┌─< 0x00400966 eb02 jmp 0x40096a
│ ┌──< 0x00400968 750c jne 0x400976
│ │└─> 0x0040096a 488d45c0 lea rax, [var_40h]
│ │ 0x0040096e 4889c7 mov rdi, rax ; int64_t arg1
│ │ 0x00400971 e802000000 call fcn.00400978
│ │ ; CODE XREF from main @ 0x400968
│ └──> 0x00400976 c9 leave
└ 0x00400977 c3 ret
after patch, run
$ ./impossible_password
* SuperSeKretKey
[SuperSeKretKey]
** letmein
HTB{40b949f92b86b18}
ghidra:
void FUN_0040085d(void)
{
int iVar1;
char *__s2;
undefined local_48;
undefined local_47;
undefined local_46;
undefined local_45;
undefined local_44;
undefined local_43;
undefined local_42;
undefined local_41;
undefined local_40;
undefined local_3f;
undefined local_3e;
undefined local_3d;
undefined local_3c;
undefined local_3b;
undefined local_3a;
undefined local_39;
undefined local_38;
undefined local_37;
undefined local_36;
undefined local_35;
char local_28 [20];
int local_14;
char *local_10;
local_10 = "SuperSeKretKey";
local_48 = 0x41;
local_47 = 0x5d;
local_46 = 0x4b;
local_45 = 0x72;
local_44 = 0x3d;
local_43 = 0x39;
local_42 = 0x6b;
local_41 = 0x30;
local_40 = 0x3d;
local_3f = 0x30;
local_3e = 0x6f;
local_3d = 0x30;
local_3c = 0x3b;
local_3b = 0x6b;
local_3a = 0x31;
local_39 = 0x3f;
local_38 = 0x6b;
local_37 = 0x38;
local_36 = 0x31;
local_35 = 0x74;
printf("* ");
__isoc99_scanf(&DAT_00400a82,local_28); //input SuperSeKretKey
printf("[%s]\n",local_28);
local_14 = strcmp(local_28,local_10);
if (local_14 != 0) {
/* WARNING: Subroutine does not return / exit(1); } printf("* ");
__isoc99_scanf(&DAT_00400a82,local_28);
__s2 = (char *)FUN_0040078d(0x14); //IF input same as caculated, go next FUN_00400978
iVar1 = strcmp(local_28,__s2);
if (iVar1 == 0) {
FUN_00400978(&local_48); //
}
return;
}
here only FUN_00400978(&local_48) is matter, as local_48 is 'A',']','K','r','=','9','k','0','=','0','o','0',';','k','1','?','k','8','1','t']
void FUN_00400978(byte *param_1)
{
int local_14;
byte *local_10;
local_14 = 0;
local_10 = param_1;
while ((*local_10 != 9 && (local_14 < 0x14))) {
putchar((int)(char)(*local_10 ^ 9));
local_10 = local_10 + 1;
local_14 = local_14 + 1;
}
putchar(10);
return;
}
the python equivalent:
!/usr/bin/env python2
flag_characters = ['A',']','K','r','=','9','k','0','=','0','o','0',';','k','1','?','k','8','1','t']
xor_key = 9
flag = []
i = 0
while i < len(flag_characters):
xored = ord(flag_characters[i]) ^ xor_key
flag.append(chr(xored))
i += 1
flag_string = "".join(flag)
print("Flag is: {}".format(flag_string))
$python3
>>>flag = ['A',']','K','r','=','9','k','0','=','0','o','0',';','k','1','?','k','8','1','t']
>>>"".join([chr(ord(i) ^ 9) for i in flag])