Tuesday, March 4, 2014

DEFKTHON CTF 2014 - Segmentation Fault - Rev 200 Write-up

We are back with another reversing challenge; you can get the binary from here.
When we disassemble it we see that it starts a child process, pipes the child's stdin/stdout, and writes some key into the pipe for the child process; then it does some operations on this key. Don't forget the key is a string, so the values are all chars, not a number!

This is the disassembly of the lol function, which is doing something with the key :D.
.text:080485F4                 push    ebp
.text:080485F5                 mov     ebp, esp
.text:080485F7                 sub     esp, 28h
.text:080485FA                 mov     eax, [ebp+arg_0]
.text:080485FD                 add     eax, 1
.text:08048600                 movzx   eax, byte ptr [eax]
.text:08048603                 mov     edx, eax
.text:08048605                 mov     eax, [ebp+arg_0]
.text:08048608                 add     eax, 1
.text:0804860B                 movzx   eax, byte ptr [eax]
.text:0804860E                 lea     eax, [edx+eax]
.text:08048611                 mov     [ebp+var_13], al
.text:08048614                 mov     eax, [ebp+arg_0]
.text:08048617                 add     eax, 4
.text:0804861A                 movzx   eax, byte ptr [eax]
.text:0804861D                 mov     edx, eax
.text:0804861F                 mov     eax, [ebp+arg_0]
.text:08048622                 add     eax, 5
.text:08048625                 movzx   eax, byte ptr [eax]
.text:08048628                 lea     eax, [edx+eax]
The same pattern keeps going; you can get the full function from here.
Let's see what this code is doing:
the first 3 instructions are the function prologue, so we can skip them.
After that it loads the parameter passed to it into eax, advances it to point at the 2nd byte, and loads the byte at that position (the string's 2nd char) into edx. It does the same thing again and loads the byte into eax, then sums them and stores the result (only the low byte, al). So it used the indexes 1,1 for the first char. Then it repeats the process for the 4th and 5th indexes, and so on. All the index pairs are:
1 1
4 5
8 9
12 12
18 17
10 21
9 25
From how the function is called, we can see that the new string it calculates should lead us to the flag!
Here is the python script we wrote to get the flag:
http://www.codesend.com/view/e1f2c4ce70ddbdf0a3f7bdf06e89be6e/
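As an added example (not the script linked above, and not code from the challenge), here is a Python reconstruction of the lol() transform using the index pairs and the low-byte store (al) seen in the disassembly; the sample key is constructed and is not the key the binary writes to the pipe:

```python
# Index pairs recovered from the disassembly of lol(): each output byte is
# key[i] + key[j], and because the result is stored through AL only the
# low 8 bits survive.
INDEX_PAIRS = [(1, 1), (4, 5), (8, 9), (12, 12), (18, 17), (10, 21), (9, 25)]


def lol(key: bytes) -> bytes:
    """Reimplementation of the binary's lol() transform on the key string."""
    # Any index past the end of the key would read out of bounds in the
    # binary; refuse such keys here instead of reading garbage.
    highest = max(max(pair) for pair in INDEX_PAIRS)
    if len(key) <= highest:
        raise ValueError("key must be at least %d bytes long" % (highest + 1))
    return bytes((key[i] + key[j]) & 0xFF for i, j in INDEX_PAIRS)


# Constructed sample key (26 bytes), NOT the real key from the challenge.
SAMPLE_KEY = b"abcdefghijklmnopqrstuvwxyz"

if __name__ == "__main__":
    derived = lol(SAMPLE_KEY)
    print(derived.hex())
```

Feed it the key captured from the pipe to reproduce the string the binary computes.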
