Very similar challenge to the one from the teaser: roll some dice and win. Of course you have to roll 3 1 3 3 7 ;]
All rolls look alike:
8048ebb: e8 50 fc ff ff call 8048b10
8048ec0: 89 c1 mov ecx,eax
8048ec2: ba ab aa aa 2a mov edx,0x2aaaaaab
8048ec7: 89 c8 mov eax,ecx
8048ec9: f7 ea imul edx
8048ecb: 89 c8 mov eax,ecx
8048ecd: c1 f8 1f sar eax,0x1f
8048ed0: 29 c2 sub edx,eax
8048ed2: 89 d0 mov eax,edx
8048ed4: 01 c0 add eax,eax
8048ed6: 01 d0 add eax,edx
8048ed8: 01 c0 add eax,eax
8048eda: 89 ca mov edx,ecx
8048edc: 29 c2 sub edx,eax
8048ede: 8d 42 01 lea eax,[edx+0x1]
8048ee1: 89 44 24 50 mov DWORD PTR [esp+0x50],eax
8048ee5: 83 7c 24 50 01 cmp DWORD PTR [esp+0x50],0x1
So just find the 5 rand calls and put breakpoints on the instruction that stores each roll: mov DWORD PTR [esp+0x50],eax
Something like this:
--- bin100.gdb ---
b *0x8048ee1
b *0x80490ee
b *0x80492fc
b *0x80494ff
b *0x8049744
commands 1
set $eax=3
c
end
commands 2
set $eax=1
c
end
commands 3
set $eax=3
c
end
commands 4
set $eax=3
c
end
commands 5
set $eax=7
c
end
run
quit
--- end ---
Fire it up: gdb -q -nx -x bin100.gdb bin100
press some enters aaand...
[*] You rolled a seven, with a six sided dice! How awesome are you?!
[*] You rolled 3-1-3-3-7, what does that make you? ELEET! \o/
[*] Nice job, here is the flag: ebCTF{9a9689dbd47a1fd3fc0bf17d60edf545}
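The roll routine above is the compiler's usual rendering of rand() % 6 + 1: the multiply by 0x2aaaaaab (ceil(2^32 / 6)) followed by the sar/sub correction is a truncating division by 6, and the add chain rebuilds 6 * quotient. The following Python is an added example, not code from the write-up, that walks the listing register by register and checks it against plain C semantics; the function names and the sample inputs are ours.

```python
# Added example (not from the original write-up): re-implements the roll
# instruction sequence in Python to show it is rand() % 6 + 1, with the
# compiler's reciprocal multiplication (0x2aaaaaab) standing in for a
# division by 6. Register names follow the listing; function names are ours.

MAGIC = 0x2AAAAAAB  # ceil(2**32 / 6): the high dword of x * MAGIC is x / 6 for int32 x


def to_int32(x):
    """Wrap a Python int to a signed 32-bit value, i.e. what a register holds."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


def emulate_roll(rand_value):
    """Step through the listing; ecx holds the return value of rand()."""
    ecx = to_int32(rand_value)      # mov ecx, eax
    edx = MAGIC                     # mov edx, 0x2aaaaaab
    eax = ecx                       # mov eax, ecx
    product = eax * edx             # imul edx: edx:eax = eax * edx (signed 64-bit)
    edx = to_int32(product >> 32)   # high dword of the product (Python >> is arithmetic)
    eax = ecx >> 31                 # sar eax, 0x1f: 0 for non-negative, -1 for negative
    edx = to_int32(edx - eax)       # sub edx, eax: truncated quotient ecx / 6
    eax = to_int32(edx + edx)       # add eax, eax  (eax = 2 * quotient)
    eax = to_int32(eax + edx)       # add eax, edx  (eax = 3 * quotient)
    eax = to_int32(eax + eax)       # add eax, eax  (eax = 6 * quotient)
    edx = to_int32(ecx - eax)       # sub edx, eax: remainder ecx - 6 * quotient
    return to_int32(edx + 1)        # lea eax, [edx+1]: the value stored at [esp+0x50]


def c_roll(rand_value):
    """Reference with C semantics: truncating division, then % 6 + 1."""
    r = to_int32(rand_value)
    quotient = abs(r) // 6 * (1 if r >= 0 else -1)
    return r - 6 * quotient + 1


def emulation_matches(values):
    """True when the instruction-level emulation agrees with the C reference for every input."""
    return all(emulate_roll(v) == c_roll(v) for v in values)


if __name__ == "__main__":
    samples = list(range(0, 64)) + [2**31 - 1, -1, -7, -(2**31)]
    print("emulation matches rand() % 6 + 1:", emulation_matches(samples))
    print("die values seen:", sorted({emulate_roll(v) for v in range(600)}))
```

Because rand() never returns a negative value, the sar/sub correction is dead in practice and the stored result is always in 1..6; that is why overwriting eax at the `mov DWORD PTR [esp+0x50],eax` breakpoint is enough to force any face, including the 7 the challenge asks for.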
bin200 - 'No comment...'
Throw it in IDA, look around. Google for RunPerl or -p2x-exe/debug to find out it's a Perl script compiled
with perl2exe - you can find a decoder here - then run it:
$ python2 per2exe-dec.py ebCTF_BIN200.exe
p2x_stub.lib
p2x_header.pm
p2x_info.pm
_main.pl
P2XDLL/p2x5123.dl
$ cat _main.pl
#!/usr/bin/perl
print "\n[*] ebCTF BIN 200\n".
" No comment...\n\n";
$secret = "Sup3RSeCr3tStuFf!";
print "[*] What is the secret? ";
$answer = <STDIN>;
chomp($answer);
if ($answer eq $secret) {
print "\n[*] Yes, that is correct! However that was not the goal of this challenge.\n".
" Did you know that compiled code does not contain any comments?\n";
} else {
print "\n[*] Isn't that cute...but it is WRONG!.\n";
}
# W e l l , w e l l, i t s e e m s t h e r e a c t u a l l y i s a c o m m e n t . . .
#
# .----------------. .----------------. .----------------. .----------------.
#| .--------------. | .--------------. | .--------------. | .--------------. |
#| | _________ | | | ______ | | | ______ | | | _________ | |
#| | |_ ___ | | | | |_ _ \ | | | .' ___ | | | | | _ _ | | |
#| | | |_ \_| | | | | |_) | | | | / .' \_| | | | |_/ | | \_| | |
#| | | _| _ | | | | __'. | | | | | | | | | | | |
#| | _| |___/ | | | | _| |__) | | | | \ `.___.'\ | | | _| |_ | |
#| | |_________| | | | |_______/ | | | `._____.' | | | |_____| | |
#| | | | | | | | | | | | |
#| '--------------' | '--------------' | '--------------' | '--------------' |
# '----------------' '----------------' '----------------' '----------------'
# .----------------. .----------------. .----------------. .----------------.
#| .--------------. | .--------------. | .--------------. | .--------------. |
#| | _________ | | | __ | | | _________ | | | ________ | |
#| | |_ ___ | | | | .' _/ | | | |_ ___ | | | | |_ ___ `. | |
#| | | |_ \_| | | | | | | | | | |_ \_| | | | | | `. \ | |
#| | | _| | | | < < | | | | _| _ | | | | | | | | |
#| | _| |_ | | | | |_ | | | _| |___/ | | | | _| |___.' / | |
#| | |_____| | | | `.__\ | | | |_________| | | | |________.' | |
#| | | | | | | | | | | | |
#| '--------------' | '--------------' | '--------------' | '--------------' |
# '----------------' '----------------' '----------------' '----------------'
# .----------------. .----------------. .----------------. .----------------.
#| .--------------. | .--------------. | .--------------. | .--------------. |
#| | ______ | | | ________ | | | ______ | | | ____ | |
#| | |_ _ \ | | | |_ ___ `. | | | |_ _ \ | | | .' '. | |
#| | | |_) | | | | | | `. \ | | | | |_) | | | | | .--. | | |
#| | | __'. | | | | | | | | | | | __'. | | | | | | | | |
#| | _| |__) | | | | _| |___.' / | | | _| |__) | | | | | `--' | | |
#| | |_______/ | | | |________.' | | | |_______/ | | | '.____.' | |
#| | | | | | | | | | | | |
#| '--------------' | '--------------' | '--------------' | '--------------' |
# '----------------' '----------------' '----------------' '----------------'
# .----------------. .----------------. .----------------. .----------------.
#| .--------------. | .--------------. | .--------------. | .--------------. |
#| | ______ | | | ______ | | | _______ | | | ______ | |
#| | / ____ `. | | | .' ___ | | | | | ___ | | | | .' ____ '. | |
#| | `' __) | | | | / .' \_| | | | |_/ / / | | | | (____) | | |
#| | _ |__ '. | | | | | | | | / / | | | '_.____. | | |
#| | | \____) | | | | \ `.___.'\ | | | / / | | | | \____| | | |
#| | \______.' | | | `._____.' | | | /_/ | | | \______,' | |
#| | | | | | | | | | | | |
#| '--------------' | '--------------' | '--------------' | '--------------' |
# '----------------' '----------------' '----------------' '----------------'
# .----------------. .----------------. .----------------. .----------------.
#| .--------------. | .--------------. | .--------------. | .--------------. |
#| | ______ | | | ____ | | | _________ | | | __ | |
#| | .' ____ '. | | | .' __ '. | | | |_ ___ | | | | / \ | |
#| | | (____) | | | | | (__) | | | | | |_ \_| | | | / /\ \ | |
#| | '_.____. | | | | .`____'. | | | | _| | | | / ____ \ | |
#| | | \____| | | | | | (____) | | | | _| |_ | | | _/ / \ \_ | |
#| | \______,' | | | `.______.' | | | |_____| | | ||____| |____|| |
#| | | | | | | | | | | | |
#| '--------------' | '--------------' | '--------------' | '--------------' |
# '----------------' '----------------' '----------------' '----------------'
# .----------------. .----------------. .----------------. .----------------.
#| .--------------. | .--------------. | .--------------. | .--------------. |
#| | _______ | | | _______ | | | __ | | | ______ | |
#| | | ___ | | | | | _____| | | | / | | | | |_ _ \ | |
#| | |_/ / / | | | | |____ | | | `| | | | | | |_) | | |
#| | / / | | | '_.____''. | | | | | | | | | __'. | |
#| | / / | | | | \____) | | | | _| |_ | | | _| |__) | | |
#| | /_/ | | | \______.' | | | |_____| | | | |_______/ | |
#| | | | | | | | | | | | |
#| '--------------' | '--------------' | '--------------' | '--------------' |
# '----------------' '----------------' '----------------' '----------------'
# .----------------. .----------------. .----------------. .----------------.
#| .--------------. | .--------------. | .--------------. | .--------------. |
#| | _________ | | | _____ | | | __ | | | ________ | |
#| | |_ ___ | | | | / ___ `. | | | / | | | | |_ ___ `. | |
#| | | |_ \_| | | | |_/___) | | | | `| | | | | | | `. \ | |
#| | | _| _ | | | .'____.' | | | | | | | | | | | | | |
#| | _| |___/ | | | | / /____ | | | _| |_ | | | _| |___.' / | |
#| | |_________| | | | |_______| | | | |_____| | | | |________.' | |
#| | | | | | | | | | | | |
#| '--------------' | '--------------' | '--------------' | '--------------' |
# '----------------' '----------------' '----------------' '----------------'
# .----------------. .----------------. .----------------. .----------------.
#| .--------------. | .--------------. | .--------------. | .--------------. |
#| | __ | | | ______ | | | ______ | | | _ _ | |
#| | / | | | | / ____ `. | | | .' ____ \ | | | | | | | | |
#| | `| | | | | `' __) | | | | | |____\_| | | | | |__| |_ | |
#| | | | | | | _ |__ '. | | | | '____`'. | | | |____ _| | |
#| | _| |_ | | | | \____) | | | | | (____) | | | | _| |_ | |
#| | |_____| | | | \______.' | | | '.______.' | | | |_____| | |
#| | | | | | | | | | | | |
#| '--------------' | '--------------' | '--------------' | '--------------' |
# '----------------' '----------------' '----------------' '----------------'
# .----------------. .----------------. .----------------. .----------------.
#| .--------------. | .--------------. | .--------------. | .--------------. |
#| | __ | | | _______ | | | ____ | | | ______ | |
#| | / \ | | | | _____| | | | .' __ '. | | | .' ____ \ | |
#| | / /\ \ | | | | |____ | | | | (__) | | | | | |____\_| | |
#| | / ____ \ | | | '_.____''. | | | .`____'. | | | | '____`'. | |
#| | _/ / \ \_ | | | | \____) | | | | | (____) | | | | | (____) | | |
#| ||____| |____|| | | \______.' | | | `.______.' | | | '.______.' | |
#| | | | | | | | | | | | |
#| '--------------' | '--------------' | '--------------' | '--------------' |
# '----------------' '----------------' '----------------' '----------------'
# .----------------. .----------------. .----------------.
#| .--------------. | .--------------. | .--------------. |
#| | ____ | | | ____ | | | __ | |
#| | .' '. | | | .' '. | | | \_ `. | |
#| | | .--. | | | | | .--. | | | | | | | |
#| | | | | | | | | | | | | | | | > > | |
#| | | `--' | | | | | `--' | | | | _| | | |
#| | '.____.' | | | '.____.' | | | /__.' | |
#| | | | | | | | | |
#| '--------------' | '--------------' | '--------------' |
# '----------------' '----------------' '----------------'
Transcribe this huge comment and you get the flag: ebCTF{edbdb03c7998fa751be21d1364a58600}. Victory.
bin300 - 'Crack the password'
A quick look at the disassembly reveals it's a binary that loads an obfuscated Lua script and executes it via luaL_loadbuffer. We can just break there and read the script:
--- moon.gdb ---
b luaL_loadbuffer
set print elements 0
commands 1
call printf("%s\n",$rsi)
end
run
quit
--- end ---
$ gdb -q -nx -x moon.gdb moon
Reading symbols from /tmp/moon...(no debugging symbols found)...done.
Breakpoint 1 at 0x411110
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
Breakpoint 1, 0x0000000000411110 in luaL_loadbuffer ()
p = 54111037
g = 56321
io.write("Enter your password: ")
io.flush()
password=io.read()
if string.len(password) ~= 32 then
print("Wrong!")
return 0
end
v = g
alpha = "0123456789abcdef"
for loop =1,32 do
v = v * g
v = v % p
r = v % 16
good = string.sub(alpha,r+1,r+1)
if good ~= string.sub(password,loop,loop) then
print("Wrong!")
return 0
end
end
print("Well done, the flag is: ebCTF{"..password.."}")
-- f02233aca4839124ee6ffa766883c47e
$1 = 488
A debugging session is active.
Inferior 1 [process 2096] will be killed.
Quit anyway? (y or n) [answered Y; input not from terminal]
My first guess that the comment is the flag paid off - just wrap it with ebCTF{} and submit. Done.
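The Lua check above never compares the input against a stored secret: every expected character is computed from the constants p and g alone, so anyone holding the script can regenerate the password instead of guessing it. The following Python is an added example, not code from the write-up, that mirrors the Lua loop and its validation; the names keystream_password and check_password are ours.

```python
# Added example (not from the original write-up): the Lua password check
# reimplemented in Python. The expected string depends only on p and g, so
# it can be regenerated directly. Function names below are ours.

P = 54111037          # p from the script
G = 56321             # g from the script
ALPHA = "0123456789abcdef"
LENGTH = 32


def keystream_password(p=P, g=G, length=LENGTH):
    """Regenerate the characters the script compares the input against."""
    v = g                          # v = g
    chars = []
    for _ in range(length):        # for loop = 1, 32 do
        v = (v * g) % p            # v = v * g ; v = v % p
        r = v % 16                 # r = v % 16
        chars.append(ALPHA[r])     # string.sub(alpha, r+1, r+1); Lua strings are 1-indexed
    return "".join(chars)


def check_password(password, p=P, g=G, length=LENGTH):
    """Mirror of the Lua validation: fixed length, then one character per step."""
    if len(password) != length:    # string.len(password) ~= 32
        return False
    v = g
    for ch in password:
        v = (v * g) % p
        if ALPHA[v % 16] != ch:    # good ~= string.sub(password, loop, loop)
            return False
    return True


if __name__ == "__main__":
    pw = keystream_password()
    print("derived password:", pw)
    print("accepted by the check:", check_password(pw))
```

Lua 5.1 does its arithmetic in doubles, but v * g stays below p * g (about 3.05e12), well under 2^53, so the products are exact and Python's integers reproduce the same sequence; the derived string starts with f02, consistent with the comment at the bottom of the script.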