Link: https://wargame.whitehat.vn/Challenges/DetailContest/141
Points: 100
Category: RE

Description

http://material.wargame.whitehat.vn/contests/11/re1_d3309936b177b41dada3796c4c3acadf.zip

tl;dr

see below

Solving the task

When executed, the program asks for input. Regardless of what is provided, the answer is always “wrong”.

Simplified reversed C code for the program’s main function looks like the following:

The program consists of two processes. The parent prints replies based on the child’s response. Both processes are (at least in theory) protected against ptrace. It would still be possible to debug both, but in this case it won’t be necessary.

It can clearly be seen that the only answer that is not “wrong” is printed when the child process responds with a nonzero integer.

On the other hand, the child process calls either the responseFalse or the responseTrue function, which in turn respond to the parent with "0" and "1" respectively.

By looking at the following code:

it can be seen that the only path that results in a correct response is if the input:

  • is a string exactly 42 characters long,
  • begins with "{5 xxxxxx 1",
  • ends with "4 xxxxxx d}",
  • produces a nonzero result from confuseKey,
  • and, after being processed by confuseKey, is equal to "{da xxxxxxxxxxxx CENSORED xxxxxxxxxxxx 8c}".

Simplified reversed C code for the confuseKey function looks like the following:

This function:

  • as the first argument always takes a pointer to the buffer where the user’s input is stored,
  • as the second argument takes the buffer’s length, which is always 42,
  • allocates 4 buffers and initialises them with zeros,
  • mangles the buffer where the user’s input is stored.

By looking at the following code:

it can be seen that the mangling is actually:

  • stripping '{' and '}',
  • splitting into 4 substrings of equal (exactly 10) length,
  • merging the strings in the following order: third, fourth, first, second,
  • adding leading and trailing '{' and '}'.
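Because the mangling only moves the third and fourth 10-character pieces in front of the first and second, it is a swap of two 20-character halves, and applying it a second time restores the original string. That means the accepted input is simply confuseKey applied to the expected output. The following script, written for this writeup and not taken from the challenge binary or the original post, re-implements the mangling described above together with the checks listed earlier (length 42, the visible "{5" prefix and "d}" suffix, a nonzero confuseKey result, equality with the expected string). The real flag is censored on the page, so PLACEHOLDER_TARGET is a constructed stand-in that only keeps the visible "da" prefix and "8c" suffix; the function names confuse_key, recover_input and passes_checks are this script's own.

```python
# Added solver for the mangling described in the writeup (not the writeup's own code).
# The real flag and the exact prefix/suffix constants are censored on the page, so the
# values below are CONSTRUCTED placeholders that only respect the visible shape.

def confuse_key(s: str) -> str:
    """Re-implements the mangling the writeup attributes to confuseKey:
    strip the braces, split the remaining 40 characters into four 10-character
    pieces, emit them in the order third, fourth, first, second, and re-add the
    braces. Returns '' (falsy, mirroring the binary's zero result) on a bad shape."""
    if len(s) != 42 or s[0] != '{' or s[-1] != '}':
        return ''
    inner = s[1:-1]
    parts = [inner[i:i + 10] for i in range(0, 40, 10)]
    first, second, third, fourth = parts
    return '{' + third + fourth + first + second + '}'


def recover_input(target: str) -> str:
    """Inverts confuse_key. Moving pieces 3 and 4 in front of 1 and 2 swaps two
    20-character halves, so the mangling is its own inverse: applying
    confuse_key to the expected output yields the input the binary accepts."""
    return confuse_key(target)


# CONSTRUCTED placeholder standing in for the censored expected string
# "{da ... 8c}". Only the visible "da" prefix and "8c" suffix are kept.
PLACEHOLDER_TARGET = '{daCCCCCCCCDDDDDDDDDd5AAAAAAAAABBBBBBBB8c}'


def passes_checks(candidate: str, target: str = PLACEHOLDER_TARGET) -> bool:
    """Mirrors the child's decision: length 42, the visible '{5' prefix and 'd}'
    suffix (the censored middle of those constants is ignored here), a nonzero
    confuseKey result, and equality with the expected mangled string."""
    mangled = confuse_key(candidate)
    return (len(candidate) == 42
            and candidate.startswith('{5')
            and candidate.endswith('d}')
            and bool(mangled)
            and mangled == target)


if __name__ == '__main__':
    answer = recover_input(PLACEHOLDER_TARGET)
    print('input to submit :', answer)
    print('passes checks   :', passes_checks(answer))
```

With the real (uncensored) expected string substituted for PLACEHOLDER_TARGET, recover_input returns the string to type into the program; the prefix and suffix checks are satisfied automatically because the expected string was produced from an input that already met them.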

The solution

The program
