Sunday, 7 February 2016

CTF Writeup - Sharif University CTF 2016 - dMd (RE 50)


  • Name - dMd
  • Category - Reverse Engineering
  • Points - 50
  • Description - Flag is : The valid input
  • Binary - Download here

Running the 64-bit ELF:

root@kali: ~/Desktop
root@kali:~/Desktop# ./dMd Enter the valid key! testing123 Invalid Key! :( root@kali:~/Desktop#

Nothing complicated. We need to find the correct key. Loading it in IDA, we're greeting with a long list of checks, one for each byte of a string. An excerpt for bytes 4 to 7 is shown below:



To make things easier, the pseudo code looks like this:

v44 = *MK_FP(__FS__, 40LL);
std::operator<<<std::char_traits<char>>(6308448LL, 4204712LL, envp);
std::operator>><char,std::char_traits<char>>(6308160LL, &v43);
std::allocator<char>::allocator(&v39);
std::string::string(&v40, &v43, &v39);
md5(&v41, &v40);
v42 = std::string::c_str((std::string *)&v41);
std::string::~string((std::string *)&v41);
std::string::~string((std::string *)&v40);
std::allocator<char>::~allocator(&v39);
if ( *(_BYTE *)v42 != 55
  || *(_BYTE *)(v42 + 1) != 56
  || *(_BYTE *)(v42 + 2) != 48
  || *(_BYTE *)(v42 + 3) != 52
  || *(_BYTE *)(v42 + 4) != 51
  || *(_BYTE *)(v42 + 5) != 56
  || *(_BYTE *)(v42 + 6) != 100
  || *(_BYTE *)(v42 + 7) != 53
  || *(_BYTE *)(v42 + 8) != 98
  || *(_BYTE *)(v42 + 9) != 54
  || *(_BYTE *)(v42 + 10) != 101
  || *(_BYTE *)(v42 + 11) != 50
  || *(_BYTE *)(v42 + 12) != 57
  || *(_BYTE *)(v42 + 13) != 100
  || *(_BYTE *)(v42 + 14) != 98
  || *(_BYTE *)(v42 + 15) != 48
  || *(_BYTE *)(v42 + 16) != 56
  || *(_BYTE *)(v42 + 17) != 57
  || *(_BYTE *)(v42 + 18) != 56
  || *(_BYTE *)(v42 + 19) != 98
  || *(_BYTE *)(v42 + 20) != 99
  || *(_BYTE *)(v42 + 21) != 52
  || *(_BYTE *)(v42 + 22) != 102
  || *(_BYTE *)(v42 + 23) != 48
  || *(_BYTE *)(v42 + 24) != 50
  || *(_BYTE *)(v42 + 25) != 50
  || *(_BYTE *)(v42 + 26) != 53
  || *(_BYTE *)(v42 + 27) != 57
  || *(_BYTE *)(v42 + 28) != 51
  || *(_BYTE *)(v42 + 29) != 53
  || *(_BYTE *)(v42 + 30) != 99
  || *(_BYTE *)(v42 + 31) != 48 )


An md5 hash of our input (line 6) is computed and evaluated byte by byte. Converting decimal to ASCII we get: 780438d5b6e29db0898bc4f0225935c0. Using hashkiller, we get md5(md5("grape")). We only need one md5 so the input must be md5("grape"): b781cbb29054db12f88f08c6e161c199

root@kali: ~/Desktop
root@kali:~/Desktop# ./dMd Enter the valid key! b781cbb29054db12f88f08c6e161c199 The key is valid :) root@kali:~/Desktop#

No comments:

Post a comment