roaming in a small space
Impossible Password
Are you able to cheat me and get the flag?
$ file impossible_password.bin
impossible_password.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ba116ba1912a8c3779ddeb579404e2fdf34b1568, stripped
$ strings impossible_password.bin
ASCII "SuperSeKretKey"
$ ./impossible_password
SuperSeKretKey
[SuperSeKretKey]
**
$ ltrace ./impossible_password.bin
... ...
strcmp("test", "c5Bo~v4[!#+f}9T+W1]V") = 17
+++ exited (status 17) +++
$ ltrace ./impossible_password.bin
... ...
strcmp("letmein", "7S\\&{UyJ>&+1PB{Ep*4*") = 53
+++ exited (status 53) +++
compare with random code??? we need bypass this with r2 patch.
$ cp impossible_password.bin impossible_password
$ r2 -A -w impossible_password
[0x004006a0]> s main
[0x0040085d]> pdf
[0x0040085d]> s fcn.0040078d
[0x0040078d]> pdf
*** write jmp 0x0040096a,
[0x0040078d]> s 0x00400966
[0x00400961]> wa jmp 0x0040096a
Written 2 byte(s) (jmp 0x0040096a) = wx eb07
0x00400966 85c0 test eax, eax
│ ┌─< 0x00400968 750c jne 0x400976
│ │ 0x0040096a 488d45c0 lea rax, [var_40h]
│ │ 0x0040096e 4889c7 mov rdi, rax ; int64_t arg1
│ │ 0x00400971 e802000000 call fcn.00400978
┌─< 0x00400966 eb02 jmp 0x40096a
│ ┌──< 0x00400968 750c jne 0x400976
│ │└─> 0x0040096a 488d45c0 lea rax, [var_40h]
│ │ 0x0040096e 4889c7 mov rdi, rax ; int64_t arg1
│ │ 0x00400971 e802000000 call fcn.00400978
│ │ ; CODE XREF from main @ 0x400968
│ └──> 0x00400976 c9 leave
└ 0x00400977 c3 ret
after patch, run
$ ./impossible_password
* SuperSeKretKey
[SuperSeKretKey]
** letmein
HTB{40b949f92b86b18}
ghidra:
void FUN_0040085d(void)
{
int iVar1;
char *__s2;
undefined local_48;
undefined local_47;
undefined local_46;
undefined local_45;
undefined local_44;
undefined local_43;
undefined local_42;
undefined local_41;
undefined local_40;
undefined local_3f;
undefined local_3e;
undefined local_3d;
undefined local_3c;
undefined local_3b;
undefined local_3a;
undefined local_39;
undefined local_38;
undefined local_37;
undefined local_36;
undefined local_35;
char local_28 [20];
int local_14;
char *local_10;
local_10 = "SuperSeKretKey";
local_48 = 0x41;
local_47 = 0x5d;
local_46 = 0x4b;
local_45 = 0x72;
local_44 = 0x3d;
local_43 = 0x39;
local_42 = 0x6b;
local_41 = 0x30;
local_40 = 0x3d;
local_3f = 0x30;
local_3e = 0x6f;
local_3d = 0x30;
local_3c = 0x3b;
local_3b = 0x6b;
local_3a = 0x31;
local_39 = 0x3f;
local_38 = 0x6b;
local_37 = 0x38;
local_36 = 0x31;
local_35 = 0x74;
printf("* ");
__isoc99_scanf(&DAT_00400a82,local_28); //input SuperSeKretKey
printf("[%s]\n",local_28);
local_14 = strcmp(local_28,local_10);
if (local_14 != 0) {
/* WARNING: Subroutine does not return / exit(1); } printf("* ");
__isoc99_scanf(&DAT_00400a82,local_28);
__s2 = (char *)FUN_0040078d(0x14); //IF input same as caculated, go next FUN_00400978
iVar1 = strcmp(local_28,__s2);
if (iVar1 == 0) {
FUN_00400978(&local_48); //
}
return;
}
here only FUN_00400978(&local_48) is matter, as local_48 is 'A',']','K','r','=','9','k','0','=','0','o','0',';','k','1','?','k','8','1','t']
void FUN_00400978(byte *param_1)
{
int local_14;
byte *local_10;
local_14 = 0;
local_10 = param_1;
while ((*local_10 != 9 && (local_14 < 0x14))) {
putchar((int)(char)(*local_10 ^ 9));
local_10 = local_10 + 1;
local_14 = local_14 + 1;
}
putchar(10);
return;
}
the python equivalent:
!/usr/bin/env python2
flag_characters = ['A',']','K','r','=','9','k','0','=','0','o','0',';','k','1','?','k','8','1','t']
xor_key = 9
flag = []
i = 0
while i < len(flag_characters):
xored = ord(flag_characters[i]) ^ xor_key
flag.append(chr(xored))
i += 1
flag_string = "".join(flag)
print("Flag is: {}".format(flag_string))
$python3
>>>flag = ['A',']','K','r','=','9','k','0','=','0','o','0',';','k','1','?','k','8','1','t']
>>>"".join([chr(ord(i) ^ 9) for i in flag])
Baby RE
Show us your basic skills! (P.S. There are 4 ways to solve this, are you willing to try them all?)
kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ file baby
baby: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=25adc53b89f781335a27bf1b81f5c4cb74581022, for GNU/Linux 3.2.0, not stripped
kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ ./baby
Insert key:
HTB{B4BY_R3V_TH4TS_EZ}
Try again later.
kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ strings baby
HTB{B4BYH
R3V_TH4H TS_Ef []A\A]A^A
Dont run strings
on this challenge, that is not the way!!!!
Insert key:
abcde122313
Try again later.
kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ ./baby
Insert key:
abcde122313
HTB{B4BY_R3V_TH4TS_EZ}
ghidra
undefined8 main(void)
{
int iVar1;
undefined8 local_48;
undefined8 local_40;
undefined4 local_38;
undefined2 local_34;
char local_28 [24];
char *local_10;
local_10 = "Dont run `strings` on this challenge, that is not the way!!!!";
puts("Insert key: ");
fgets(local_28,0x14,stdin);
iVar1 = strcmp(local_28,"abcde122313\n");
if (iVar1 == 0) {
local_48 = 0x594234427b425448;
local_40 = 0x3448545f5633525f;
local_38 = 0x455f5354;
local_34 = 0x7d5a;
puts((char *)&local_48);
}
else {
puts("Try again later.");
}
return 0;
}
kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ unhex 594234427b425448
YB4B{BTHkali@kali:~/0.htb/challenges/Reversing/Baby_RE$ unhex 3448545f5633525f
4HT_V3R_kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ unhex 455f5354
E_STkali@kali:~/0.htb/challenges/Reversing/Baby_RE$ unhex 7d5a
}Zkali@kali:~/0.htb/challenges/Reversing/Baby_RE$
}E_ST4HT_V3R_YB4B{BTH
gdb ida radare2 r2:
ida
mov rax, 594234427B425448h
mov rdx, 3448545F5633525Fh
mov qword ptr [rbp+var_40], rax
mov [rbp+var_38], rdx
mov [rbp+var_30], 455F5354h
mov [rbp+var_2C], 7D5Ah
lea rax, [rbp+var_40]
mov rdi, rax ; s
call _puts
jmp short loc_11E6
gdb
0x00000000000011a3 <+78>: movabs rax,0x594234427b425448
0x00000000000011ad <+88>: movabs rdx,0x3448545f5633525f
0x00000000000011b7 <+98>: mov QWORD PTR [rbp-0x40],rax
0x00000000000011bb <+102>: mov QWORD PTR [rbp-0x38],rdx
0x00000000000011bf <+106>: mov DWORD PTR [rbp-0x30],0x455f5354
0x00000000000011c6 <+113>: mov WORD PTR [rbp-0x2c],0x7d5a
0x00000000000011cc <+119>: lea rax,[rbp-0x40]
0x00000000000011d0 <+123>: mov rdi,rax
0x00000000000011d3 <+126>: call 0x1030 <puts@plt>
0x00000000000011d8 <+131>: jmp 0x11e6 <main+145>
0x00000000000011da <+133>: lea rdi,[rip+0xe7f] # 0x2060
0x00000000000011e1 <+140>: call 0x1030 <puts@plt>
0x00000000000011e6 <+145>: mov eax,0x0
r2/cutter
0x000011a3 48b84854427b. movabs rax, 0x594234427b425448 ; 'HTB{B4BY'
│ │ 0x000011ad 48ba5f523356. movabs rdx, 0x3448545f5633525f ; '_R3V_TH4'
│ │ 0x000011b7 488945c0 mov qword [s], rax
│ │ 0x000011bb 488955c8 mov qword [var_38h], rdx
│ │ 0x000011bf c745d054535f. mov dword [var_30h], 0x455f5354 ; 'TS_E'
│ │ 0x000011c6 66c745d45a7d mov word [var_2ch], 0x7d5a ; 'Z}'
│ │ 0x000011cc 488d45c0 lea rax, [s]
│ │ 0x000011d0 4889c7 mov rdi, rax ; const char *s
│ │ 0x000011d3 e858feffff call sym.imp.puts ; int puts(const char *s)
│ ┌──< 0x000011d8 eb0c jmp 0x11e6