Monday, 26 December 2016

[Writeup][Sharif 2016] Reverse 50 Getit


Download
Hint: “Open and read the flag file!”
OK, let's start.
First, I should check the file type, using the file command in Linux:
$ file getit
And the result is below:
ELF 64-bit LSB  executable, x86-64, version 1 (SYSV), 
dynamically linked (uses shared libs), 
for GNU/Linux 2.6.24, 
BuildID[sha1]=e389cd7a4b9272ba80f85d7eb604176f6106c61e, not stripped
(You can also open it in Notepad to check :)) )
OK, now I know getit is a 64-bit ELF file.
Let's open it with ida64, and I see this:
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v3; // al@4
  int result; // eax@10
  __int64 v5; // rbx@10
  __int64 v6; // [sp+0h] [bp-40h]@0
  int i; // [sp+4h] [bp-3Ch]@7
  FILE *stream; // [sp+8h] [bp-38h]@7
  char filename[8]; // [sp+10h] [bp-30h]@7
  __int64 v10; // [sp+28h] [bp-18h]@1

  v10 = *MK_FP(__FS__, 40LL);
  LODWORD(v6) = 0;
  while ( (signed int)v6 < strlen(s) )
  {
    if ( v6 & 1 )
      v3 = 1;
    else
      v3 = -1;
    *(&t + (signed int)v6 + 10) = s[(signed __int64)(signed int)v6] + v3;
    LODWORD(v6) = v6 + 1;
  }
  strcpy(filename, "/tmp/flag.txt");
  stream = fopen(filename, "w");
  fprintf(stream, "%s\n", 6295840LL, v6);
  for ( i = 0; i < strlen(&t); ++i )
  {
    fseek(stream, p[i], 0);
    fputc(*(&t + p[i]), stream);
    fseek(stream, 0LL, 0);
    fprintf(stream, "%s\n", 6295840LL);
  }
  fclose(stream);
  remove(filename);
  result = 0;
  v5 = *MK_FP(__FS__, 40LL) ^ v10;
  return result;
} 
And I also found:
s = "c61b68366edeb7bdce3c6820314b7498"
t = "SharifCTF{????????????????????????????????}"
Nice!!! I see:
strcpy(filename, "/tmp/flag.txt");
stream = fopen(filename, "w");
fprintf(stream, "%s\n", 6295840LL, v6);
Oh, maybe I will find the flag in the /tmp/flag.txt file :))))
But,
fclose(stream);
remove(filename);
That means, after writing something to the flag file, the program will delete it :(((
So, should I set a breakpoint before the remove function and view the flag file?? =))
Viewing the code one more time, I see:
for ( i = 0; i < strlen(&t); ++i )
  {
    fseek(stream, p[i], 0);
    fputc(*(&t + p[i]), stream);
    fseek(stream, 0LL, 0);
    fprintf(stream, "%s\n", 6295840LL);
  }
Hmmm, this is a loop: I see that each time the program seeks and writes something =))
But after that, it seeks to the beginning of the file and writes a string of asterisks *******************************************
Not cool >.< So the flag file is useless :p
Now, maybe the flag is the string t.
And I have 2 options:
  1. Using linux remote debugger, breakpoint to dump flag in t
  2. “Recode” and print t
I choose 2 =)))
Let's go!!! Copy the code from IDA to gedit and remove the things that are not used :))))))
And the result:
#include <stdio.h>
#include <string.h>

int main(void)
{
    /* the two strings recovered from the binary's data section */
    char s[] = "c61b68366edeb7bdce3c6820314b7498";
    char t[] = "SharifCTF{????????????????????????????????}";
    char v3;    /* +1 or -1, added to each character of s */
    size_t v6;  /* index into s */

    v6 = 0;
    while ( v6 < strlen(s) )
    {
        /* odd positions get +1, even positions get -1 */
        if ( v6 & 1 )
            v3 = 1;
        else
            v3 = -1;
        /* the 32 '?' characters start at offset 10, right after "SharifCTF{" */
        t[v6 + 10] = s[v6] + v3;
        v6++;
    }
    printf("%s\n", t);
    return 0;
}
Build and run.
Result:
SharifCTF{b70c59275fcfa8aebf2d5911223c6589}
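As an added check of both conclusions above (the decode of t, and the claim that /tmp/flag.txt is useless), here is a Python version of the two loops from main(). This is example code written for this writeup's readers, not the challenge's code or the original post's. It assumes three things that are not on the page: STARS stands in for the asterisk string the binary writes at offset 0 (its exact length is unknown, so one '*' per flag character is a guess), P is a made-up order of offsets because the real p[] array is not shown, and the file is replayed in memory with io.BytesIO instead of a real /tmp/flag.txt.

```python
import io

# Constructed inputs for this example (see the lead-in): S and the template
# are the strings from the binary, STARS and P are assumptions.
S = "c61b68366edeb7bdce3c6820314b7498"
T_TEMPLATE = "SharifCTF{????????????????????????????????}"
STARS = "*" * len(T_TEMPLATE)                 # assumed asterisk line
P = list(reversed(range(len(T_TEMPLATE))))     # hypothetical p[] order


def decode_t(s, template):
    """First loop of main(): t[10 + i] = s[i] - 1 for even i, s[i] + 1 for odd i."""
    t = list(template)
    for i, c in enumerate(s):
        t[10 + i] = chr(ord(c) + (1 if i & 1 else -1))
    return "".join(t)


def simulate_flag_file(t, stars, p):
    """Second loop of main(): replay the seek/write pattern on an in-memory
    file and return what the flag file holds just before remove()."""
    f = io.BytesIO()
    line = (stars + "\n").encode()
    f.write(line)                    # fprintf(stream, "%s\n", stars)
    for i in range(len(t)):
        f.seek(p[i])                 # fseek(stream, p[i], SEEK_SET)
        f.write(t[p[i]].encode())    # fputc(t[p[i]], stream)
        f.seek(0)                    # fseek(stream, 0, SEEK_SET)
        f.write(line)                # fprintf(stream, "%s\n", stars): overwrites it again
    return f.getvalue().decode()


def surviving_flag_chars(contents, stars):
    """Count bytes of the simulated file that differ from the asterisk line."""
    base = stars + "\n"
    return sum(a != b for a, b in zip(contents, base)) + max(0, len(contents) - len(base))


if __name__ == "__main__":
    flag = decode_t(S, T_TEMPLATE)
    print("flag:", flag)
    contents = simulate_flag_file(flag, STARS, P)
    print("file before remove():", repr(contents))
    print("flag characters surviving in the file:", surviving_flag_chars(contents, STARS))
```

Every fputc at offset p[i] is undone by the fprintf that follows it, so as long as each p[i] lands inside the asterisk line the file contains nothing but asterisks when remove() runs. Only an offset past the end of that line would leave a character behind, which is why setting a breakpoint before remove() gains nothing here and decoding t directly is the shorter route.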
