Tuesday, February 7, 2017

[AlexCTF 2017][Writeup][RE2: C++ is awesomed]


Download here

Check the file type with the file command:

re2; ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, stripped

So this is a 64-bit ELF file. Let's open ida64 and load it.

This is the decompiled pseudocode:

if ( a1 != 2 )
  {
    v2 = *(_QWORD *)a2;
    LODWORD(v3) = std::operator<<<std::char_traits<char>>(6299968LL, 4198153LL);
    LODWORD(v4) = std::operator<<<std::char_traits<char>>(v3, v2);
    std::operator<<<std::char_traits<char>>(v4, 4198161LL);
    exit(0);
  }

a1 is the number of parameters (argc), so if it is not 2 the program terminates.
Next:

std::allocator<char>::allocator(&v11);
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(&v10, *(_QWORD *)(a2 + 8), &v11);
std::allocator<char>::~allocator(&v11);
v13 = 0;

That code copies the string the user typed into v10; it is taken from *(a2 + 8), the first command-line argument.
Then:

  v13 = 0;
  LODWORD(v5) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::begin(&v10);
  for ( i = v5; ; sub_400D7A((__int64)&i) )
  {
    LODWORD(v6) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::end(&v10);
    v12 = v6;
    if ( !(unsigned __int8)sub_400D3D(&i, &v12) )
      break;
    v7 = sub_400D9A((__int64)&i);
    if ( *(_BYTE *)v7 != off_6020A0[dword_6020C0[v13]] )
      sub_400B56();
    ++v13;
  }

The loop compares each character of v10 with off_6020A0[dword_6020C0[v13]],
so the flag is probably the sequence of characters off_6020A0[dword_6020C0[v13]], with v13 running over the length of the flag.

I found that off_6020A0 is the string L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t
and dword_6020C0 is an array:

0x24,0x0,0x5,0x36,0x65,0x7,0x27,0x26,0x2D,0x1,0x3,0x0,0x0D,0x56,0x1,0x3,0x65,0x3,0x2D,0x16,0x2,0x15,0x3,0x65,0x0,0x29,0x44,0x44,0x1,0x44,0x2B

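And here is the code to get the flag:

#include <stdio.h>

int main(void)
{
    /* off_6020A0: the character pool the binary indexes into */
    const char *strsample = "L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t";
    /* dword_6020C0: one index into the pool per flag character.
       The second entry, 0x0, selects the 'L' of "ALEXCTF{". */
    const int data[] = {0x24,0x0,0x5,0x36,0x65,0x7,0x27,0x26,0x2D,0x1,0x3,0x0,0x0D,0x56,0x1,0x3,0x65,0x3,0x2D,0x16,0x2,0x15,0x3,0x65,0x0,0x29,0x44,0x44,0x1,0x44,0x2B};

    /* size_t avoids a signed/unsigned comparison with sizeof */
    for (size_t i = 0; i < sizeof(data) / sizeof(data[0]); i++)
        printf("%c", strsample[data[i]]);
    printf("\n");
    return 0;
}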

Flag is ALEXCTF{W3_L0v3_C_W1th_CL45535}
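
An added example (not code from the original write-up or from the challenge binary): a C model of the comparison loop above next to a length-checked variant, plus the table read-out. The names pool, idx, check_input, check_input_strict and recover_flag are hypothetical; bounding pos and returning 0 where the binary calls sub_400B56() are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Values from the write-up; pool stands for off_6020A0 and idx for
   dword_6020C0 (hypothetical names). idx[1] = 0x0 selects 'L'. */
static const char *pool =
    "L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_"
    "th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t";
static const int idx[] = {
    0x24, 0x0, 0x5, 0x36, 0x65, 0x7, 0x27, 0x26, 0x2D, 0x1, 0x3,
    0x0, 0x0D, 0x56, 0x1, 0x3, 0x65, 0x3, 0x2D, 0x16, 0x2, 0x15,
    0x3, 0x65, 0x0, 0x29, 0x44, 0x44, 0x1, 0x44, 0x2B
};
#define FLAG_LEN (sizeof idx / sizeof idx[0])

/* Model of the decompiled loop: it walks the INPUT and compares each
   byte with pool[idx[pos]]. Returns 1 when no byte mismatches.
   Assumptions: a mismatch (sub_400B56 in the binary) is modelled as
   "return 0", and pos is bounded so the model never reads past idx. */
int check_input(const char *in)
{
    size_t pos = 0;
    for (; *in != '\0'; ++in, ++pos)
        if (pos >= FLAG_LEN || *in != pool[idx[pos]])
            return 0;
    return 1;
}

/* Length-checked variant: a loop bounded only by the input never
   verifies the length, so the length is compared first. */
int check_input_strict(const char *in)
{
    return strlen(in) == FLAG_LEN && check_input(in);
}

/* Reads the expected bytes straight out of the table, as the solver
   in the write-up does. Returns the flag length, or 0 if out is too small. */
size_t recover_flag(char *out, size_t cap)
{
    size_t i;
    if (cap < FLAG_LEN + 1)
        return 0;
    for (i = 0; i < FLAG_LEN; i++)
        out[i] = pool[idx[i]];
    out[i] = '\0';
    return i;
}

int main(void)
{
    char flag[64];
    if (recover_flag(flag, sizeof flag))
        printf("%s strict=%d\n", flag, check_input_strict(flag));
    return 0;
}
```

Because the expected bytes sit in the binary's data section, the check can be solved by reading the table alone; the strict variant only closes the length gap in the loop.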
