Tag: strings

Impossible Password

Are you able to cheat me and get the flag?

$ file impossible_password.bin 
 impossible_password.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ba116ba1912a8c3779ddeb579404e2fdf34b1568, stripped

$ strings impossible_password.bin
 ASCII "SuperSeKretKey"

$ ./impossible_password
 SuperSeKretKey
 [SuperSeKretKey]
 ** 
$ ltrace ./impossible_password.bin 
... ...
strcmp("test", "c5Bo~v4[!#+f}9T+W1]V")                                                                        = 17
+++ exited (status 17) +++
$ ltrace ./impossible_password.bin 
... ...
strcmp("letmein", "7S\\&{UyJ>&+1PB{Ep*4*")                                                                    = 53
+++ exited (status 53) +++
The second check compares the input against a string that is different on every run (the two ltrace runs above show two unrelated strcmp arguments), so it cannot be guessed; we bypass it by patching the binary with r2.

$ cp impossible_password.bin impossible_password
$ r2 -A -w impossible_password 
[0x004006a0]> s main
[0x0040085d]> pdf

[0x0040085d]> s fcn.0040078d
[0x0040078d]> pdf

*** Patch: write an unconditional jmp to 0x0040096a at 0x00400966, so the jne that skips the fcn.00400978 call when strcmp returns non-zero is never reached.
[0x0040078d]> s 0x00400966
[0x00400961]> wa jmp 0x0040096a
Written 2 byte(s) (jmp 0x0040096a) = wx eb07

            0x00400966      85c0           test eax, eax
│       ┌─< 0x00400968      750c           jne 0x400976
│       │   0x0040096a      488d45c0       lea rax, [var_40h]
│       │   0x0040096e      4889c7         mov rdi, rax                ; int64_t arg1
│       │   0x00400971      e802000000     call fcn.00400978


        ┌─< 0x00400966      eb02           jmp 0x40096a
│      ┌──< 0x00400968      750c           jne 0x400976
│      │└─> 0x0040096a      488d45c0       lea rax, [var_40h]
│      │    0x0040096e      4889c7         mov rdi, rax                ; int64_t arg1
│      │    0x00400971      e802000000     call fcn.00400978
│      │    ; CODE XREF from main @ 0x400968
│      └──> 0x00400976      c9             leave
└           0x00400977      c3             ret

After patching, run the binary again:
$ ./impossible_password
* SuperSeKretKey
[SuperSeKretKey]
** letmein
HTB{40b949f92b86b18}
Ghidra decompilation of main (FUN_0040085d):
/* main (0x0040085d): two-stage key check.  Stage 1 compares the input
   against the fixed string "SuperSeKretKey"; stage 2 compares a second
   input against a 20-byte string produced by FUN_0040078d(0x14) and, on
   a match, decodes the flag table via FUN_00400978. */
void FUN_0040085d(void)
 {
   int iVar1;
   char *__s2;
   /* local_48..local_35: 20 contiguous stack bytes, filled below and
      passed as one array to FUN_00400978. */
   undefined local_48;
   undefined local_47;
   undefined local_46;
   undefined local_45;
   undefined local_44;
   undefined local_43;
   undefined local_42;
   undefined local_41;
   undefined local_40;
   undefined local_3f;
   undefined local_3e;
   undefined local_3d;
   undefined local_3c;
   undefined local_3b;
   undefined local_3a;
   undefined local_39;
   undefined local_38;
   undefined local_37;
   undefined local_36;
   undefined local_35;
   char local_28 [20];                              /* input buffer, 20 bytes */
   int local_14;
   char *local_10;
 local_10 = "SuperSeKretKey";                         /* stage-1 key; this is the string that `strings` found */
   local_48 = 0x41;                                 /* 'A' */
   local_47 = 0x5d;                                 /* ']' */
   local_46 = 0x4b;                                 /* 'K' */
   local_45 = 0x72;                                 /* 'r' */
   local_44 = 0x3d;                                 /* '=' */
   local_43 = 0x39;                                 /* '9' */
   local_42 = 0x6b;                                 /* 'k' */
   local_41 = 0x30;                                 /* '0' */
   local_40 = 0x3d;                                 /* '=' */
   local_3f = 0x30;                                 /* '0' */
   local_3e = 0x6f;                                 /* 'o' */
   local_3d = 0x30;                                 /* '0' */
   local_3c = 0x3b;                                 /* ';' */
   local_3b = 0x6b;                                 /* 'k' */
   local_3a = 0x31;                                 /* '1' */
   local_39 = 0x3f;                                 /* '?' */
   local_38 = 0x6b;                                 /* 'k' */
   local_37 = 0x38;                                 /* '8' */
   local_36 = 0x31;                                 /* '1' */
   local_35 = 0x74;                                 /* 't' */
   printf("* ");
   /* First input.  The format string at DAT_00400a82 is not shown here;
      NOTE(review): if it is a bare "%s", any input longer than 19 bytes
      overruns the 20-byte local_28 -- confirm in the binary. */
   __isoc99_scanf(&DAT_00400a82,local_28);
   printf("[%s]\n",local_28);                       /* echoes the input ("[SuperSeKretKey]" in the run above) */
   local_14 = strcmp(local_28,local_10);
   if (local_14 != 0) {
                     /* WARNING: Subroutine does not return */
     exit(1);                                       /* wrong stage-1 key: exit with status 1 */
   }
   printf("* ");
   __isoc99_scanf(&DAT_00400a82,local_28);          /* second input, same buffer, same format string */
   /* 0x14 == 20: __s2 is the run-dependent string seen as the second
      strcmp argument in the ltrace output above. */
   __s2 = (char *)FUN_0040078d(0x14);
   iVar1 = strcmp(local_28,__s2);                   /* this is the check the jmp patch at 0x00400966 bypasses */
   if (iVar1 == 0) {
     FUN_00400978(&local_48);                       /* decode and print the 20-byte table */
   }
   return;
 }
Here only FUN_00400978(&local_48) matters: local_48 is the start of the 20-byte table ['A',']','K','r','=','9','k','0','=','0','o','0',';','k','1','?','k','8','1','t'] that it decodes.

 /* Decode-and-print routine, called with &local_48 from main.
    Walks param_1 byte by byte, printing each byte XOR 9, and stops at
    an input byte equal to 9 (9 ^ 9 == 0, i.e. an encoded NUL) or after
    0x14 (20) bytes, whichever comes first.  The table in main contains
    no 0x09 byte, so the 20-byte bound is what ends the loop there. */
 void FUN_00400978(byte *param_1)
 {
   int local_14;                                    /* bytes emitted so far */
   byte *local_10;                                  /* cursor into the table */
 local_14 = 0;
   local_10 = param_1;
   while ((*local_10 != 9 && (local_14 < 0x14))) {
     putchar((int)(char)(*local_10 ^ 9));           /* single-byte XOR key: 9 */
     local_10 = local_10 + 1;
     local_14 = local_14 + 1;
   }
   putchar(10);                                     /* trailing '\n' */
   return;
 }
The Python equivalent:
 
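 #!/usr/bin/env python2
 """Decode the XOR-obscured flag bytes recovered from the binary.
 Mirrors FUN_00400978: every byte of the in-memory table is XORed with 9
 before being printed.  Runs unchanged under Python 2 and 3.
 """

 # Byte table copied from the decompiled local_48..local_35 initialisers.
 flag_characters = ['A',']','K','r','=','9','k','0','=','0','o','0',';','k','1','?','k','8','1','t']
 xor_key = 9


 def xor_decode(chars, key=xor_key):
     """Return the string obtained by XORing each element of `chars` with `key`.

     chars: iterable of single-character strings (or raw byte values as ints).
     key:   integer XOR key; the binary uses 9.
     An empty `chars` yields "".
     """
     decoded = []
     for item in chars:
         value = item if isinstance(item, int) else ord(item)
         decoded.append(chr(value ^ key))
     return "".join(decoded)


 flag_string = xor_decode(flag_characters, xor_key)
 print("Flag is: {}".format(flag_string))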

$python3
>>>flag = ['A',']','K','r','=','9','k','0','=','0','o','0',';','k','1','?','k','8','1','t']
>>>"".join([chr(ord(i) ^ 9) for i in flag])                 




Baby RE

Show us your basic skills! (P.S. There are 4 ways to solve this, are you willing to try them all?)

kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ file baby
 baby: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=25adc53b89f781335a27bf1b81f5c4cb74581022, for GNU/Linux 3.2.0, not stripped
 kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ ./baby
 Insert key: 
 HTB{B4BY_R3V_TH4TS_EZ}
 Try again later.
 kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ strings baby
 HTB{B4BYH
 R3V_TH4H TS_Ef []A\A]A^A
 Dont run strings on this challenge, that is not the way!!!!
 Insert key: 
 abcde122313
 Try again later.
 kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ ./baby 
 Insert key: 
 abcde122313
 HTB{B4BY_R3V_TH4TS_EZ}

Ghidra decompilation of main:
/* main: bounded key read, fixed-string compare, then the flag is
   assembled on the stack and printed. */
undefined8 main(void)

{
  int iVar1;
  /* local_48/local_40/local_38/local_34 are adjacent (8+8+4+2 = 22 bytes);
     the flag is written into them as little-endian integer constants. */
  undefined8 local_48;
  undefined8 local_40;
  undefined4 local_38;
  undefined2 local_34;
  char local_28 [24];                    /* input buffer */
  char *local_10;
  
  local_10 = "Dont run `strings` on this challenge, that is not the way!!!!";   /* assigned but never printed here; only visible via `strings` */
  puts("Insert key: ");
  fgets(local_28,0x14,stdin);            /* at most 0x13 chars + NUL into a 24-byte buffer -- bounded; keeps the '\n' */
  iVar1 = strcmp(local_28,"abcde122313\n");   /* expected key includes the newline, so it matches only when Enter follows the 11 characters */
  if (iVar1 == 0) {
    local_48 = 0x594234427b425448;       /* "HTB{B4BY" */
    local_40 = 0x3448545f5633525f;       /* "_R3V_TH4" */
    local_38 = 0x455f5354;               /* "TS_E" */
    local_34 = 0x7d5a;                   /* "Z}" */
    /* NOTE(review): no NUL terminator is written in the visible code;
       puts stops only if the byte after local_34 happens to be zero --
       confirm against the stack layout in the binary. */
    puts((char *)&local_48);
  }
  else {
    puts("Try again later.");
  }
  return 0;
}

kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ unhex 594234427b425448
YB4B{BTHkali@kali:~/0.htb/challenges/Reversing/Baby_RE$ unhex 3448545f5633525f
4HT_V3R_kali@kali:~/0.htb/challenges/Reversing/Baby_RE$ unhex 455f5354
E_STkali@kali:~/0.htb/challenges/Reversing/Baby_RE$ unhex 7d5a
}Zkali@kali:~/0.htb/challenges/Reversing/Baby_RE$ 

}E_ST4HT_V3R_YB4B{BTH — the bytes come out reversed within each constant because the values are stored little-endian; reversing each chunk gives HTB{B4BY_R3V_TH4TS_EZ}.

The same flag-building code as shown by IDA, gdb and radare2/Cutter:
ida
mov     rax, 594234427B425448h
mov     rdx, 3448545F5633525Fh
mov     qword ptr [rbp+var_40], rax
mov     [rbp+var_38], rdx
mov     [rbp+var_30], 455F5354h
mov     [rbp+var_2C], 7D5Ah
lea     rax, [rbp+var_40]
mov     rdi, rax        ; s
call    _puts
jmp     short loc_11E6

gdb

   0x00000000000011a3 <+78>:    movabs rax,0x594234427b425448
   0x00000000000011ad <+88>:    movabs rdx,0x3448545f5633525f
   0x00000000000011b7 <+98>:    mov    QWORD PTR [rbp-0x40],rax
   0x00000000000011bb <+102>:   mov    QWORD PTR [rbp-0x38],rdx
   0x00000000000011bf <+106>:   mov    DWORD PTR [rbp-0x30],0x455f5354
   0x00000000000011c6 <+113>:   mov    WORD PTR [rbp-0x2c],0x7d5a
   0x00000000000011cc <+119>:   lea    rax,[rbp-0x40]
   0x00000000000011d0 <+123>:   mov    rdi,rax
   0x00000000000011d3 <+126>:   call   0x1030 <puts@plt>
   0x00000000000011d8 <+131>:   jmp    0x11e6 <main+145>
   0x00000000000011da <+133>:   lea    rdi,[rip+0xe7f]        # 0x2060
   0x00000000000011e1 <+140>:   call   0x1030 <puts@plt>
   0x00000000000011e6 <+145>:   mov    eax,0x0

r2/cutter
            0x000011a3      48b84854427b.  movabs rax, 0x594234427b425448 ; 'HTB{B4BY'
│       │   0x000011ad      48ba5f523356.  movabs rdx, 0x3448545f5633525f ; '_R3V_TH4'
│       │   0x000011b7      488945c0       mov qword [s], rax
│       │   0x000011bb      488955c8       mov qword [var_38h], rdx
│       │   0x000011bf      c745d054535f.  mov dword [var_30h], 0x455f5354 ; 'TS_E'
│       │   0x000011c6      66c745d45a7d   mov word [var_2ch], 0x7d5a  ; 'Z}'
│       │   0x000011cc      488d45c0       lea rax, [s]
│       │   0x000011d0      4889c7         mov rdi, rax                ; const char *s
│       │   0x000011d3      e858feffff     call sym.imp.puts           ; int puts(const char *s)
│      ┌──< 0x000011d8      eb0c           jmp 0x11e6
