Tuesday, March 4, 2014

DEFKTHON CTF 2014 - Segmentation Fault - Rev 200 Write-up

We are back with another reversing challenge, you can get the binary from here.
When we dissamble it we see that it is starting a child process with piping its stdin/out and writing some key in the child proccess to the pipe:
and the it is doing some operations with this key code -don't forget the key is a string so they are all chars not a number!.

This is the dissamble result of the lol function -which is doing something with the key :D.
.text:080485F4                 push    ebp
.text:080485F5                 mov     ebp, esp
.text:080485F7                 sub     esp, 28h
.text:080485FA                 mov     eax, [ebp+arg_0]
.text:080485FD                 add     eax, 1
.text:08048600                 movzx   eax, byte ptr [eax]
.text:08048603                 mov     edx, eax
.text:08048605                 mov     eax, [ebp+arg_0]
.text:08048608                 add     eax, 1
.text:0804860B                 movzx   eax, byte ptr [eax]
.text:0804860E                 lea     eax, [edx+eax]
.text:08048611                 mov     [ebp+var_13], al
.text:08048614                 mov     eax, [ebp+arg_0]
.text:08048617                 add     eax, 4
.text:0804861A                 movzx   eax, byte ptr [eax]
.text:0804861D                 mov     edx, eax
.text:0804861F                 mov     eax, [ebp+arg_0]
.text:08048622                 add     eax, 5
.text:08048625                 movzx   eax, byte ptr [eax]
.text:08048628                 lea     eax, [edx+eax]
The same thing keeps going you can get the full function from here.
Let's see what this code is doing:
the first 3 instructions are function prologue -so we can skip them,
after that it is getting the parameter passed to it into eax and making it point to 2nd byte and then putting the byte at that point -strings 2nd char- into the edx doing the same thing again and loading it into eax and then summing them and storing them. It used the indexes 1,1 for the first char. Then it is repating the process for 4th and 5th indexes and so on. All indexes are:
1 1
4 5
8 9
12 12
18 17
10 21
9 25
So we can see from how the function was called, the new string calculated should lead us to the flag!
There is the python script we have written to get the flag:

1 comment :

  1. Luckily, a lot of the cartoons that slot developers use as a theme are exhibits which children wouldn't be as familiar with. 1xbet A successful cartoon slot will present players with the right amount|the correct quantity|the correct amount} of nostalgia and humour while nonetheless being loyal to the property which it's based on. Club machines will actually block the jackpot if there aren't sufficient coins within the machine to pay it out. A machine with full payout tubes diverts all incoming coins to the cash field. This identified as} "backing." Every coin that goes again to the cash field is pure profit. The odds of getting that 250-dollar jackpot is 0% except the machine is backing.