01 Feb 2016 @ 7:37 PM 

Again an x64 ELF. This one was the last RE challenge I solved in HackIM, because initially I didn't see the srand() call in .ctor 🙁.
The code is pretty clear, though there is a little obfuscation, e.g. v18 = v19 + v18 - 409176519 + 409176519; which is just v18 = v19 + v18 with a constant subtracted and added back.

The seed (decSeed) is fixed, so rand() produces the same sequence of "random" numbers on every run.
There are 3 interesting functions in the code: two of them generate a number as output and the third one is a check. Once the check succeeds, the numbers the user entered are fed through MD5 and the digest is compared to the hardcoded hash value "15b74b4db57d0afdfe98eb5dbc3b542b".

Again we are back to bruteforcing. (Actually we don't need to bruteforce at all: Gen1()/Func() will spit out the correct inputs, as the reimplementation below shows.)

#include <cstdio>
#include <cstring>
#include "md5.h"  // MD5 helper class (Init/Update/Final/digestChars) used by Brute(); not reproduced here

// Func(): returns the highest set bit of a (the largest power of two <= a).
// a & (~temp ^ a) is just a & temp, and ~(~temp | ~a) is just temp & a, i.e. temp itself.
int Func(int a)
{
	int temp = 1;
	int result = 0;
	while (temp)
	{
		if (a & (~temp ^ a))
		{
			result = ~(~temp | ~a);
		}
		temp *= 2;
		if (temp > a)
			break;
	}
	return result;
}

// Func2(): popcount. ~(~(a - 1) | ~a) is (a - 1) & a, which clears the lowest set bit.
int Func2(int a)
{
	int result = 0;
	while (a)
	{
		a = ~(~(a - 1) | ~a);
		result++;
	}
	return result;
}

// Func3(): true iff a2 is the highest set bit of a1.
// v4 is a1 with its top bit cleared, v5 is the top bit, and (x ^ y | x & y) is x | y,
// so the test reads 2*v5 + (a1 - v5) == a1 + a2, i.e. a2 == v5.
int Func3(int a1, int a2)
{
	if (a1 && a2)
	{
		int v4 = a1 & (Func(a1) ^ a1);
		int v5 = Func(a1);
		int v8 = (2 * v5 ^ v4 | 2 * v5 & v4) == a2 + a1;
		return v8;
	}
	return 0;
}

// Brute(): replays the binary's generator. rnum is the rand() value produced by the fixed seed.
// Each accepted input is the top bit of size; when that top bit reaches the bit of rnum
// currently in temp, the bit is moved into count and the next lower set bit of rnum is targeted.
// The loop ends once count has collected every bit of rnum.
int Brute()
{
	int rnum;
	int inp, size, temp, count;
	char str[128] = { 0 };
	MD5 md;
	rnum = 0x327B23C6;
	count = 0;
	temp = Func(rnum);                 // bit of rnum currently being targeted
	size = (1 << Func2(rnum)) - 1;     // 2^popcount(rnum) - 1
	md.Init();

	inp = 1;
	while (inp < 0x7fffffff && count != rnum)
	{
		if (Func3(size, inp))          // only inp == Func(size) passes
		{
			sprintf(str, "%d", inp);
			printf("%s\n", str);
			//printf("==>%d\n", Func(size) == inp);
			size += inp;
			md.Update((unsigned char*)str, strlen(str));  // decimal inputs hashed back to back, no separator
			while (~(~temp | ~size))   // == temp & size
			{
				count = temp ^ count | temp & count;   // count |= temp
				size &= temp ^ size;                    // size &= ~temp
				temp = Func(rnum & (count ^ rnum));     // next lower bit of rnum not yet in count
			}
			inp = 0;                   // restart the scan for the next input
		}
		inp++;
	}
	md.Final();
	if (strcmp(md.digestChars, "15b74b4db57d0afdfe98eb5dbc3b542b") == 0)
	{
		printf("\nSuccess: %d\n\n", rnum);
	}

	return 0;
}
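The same generator in Python, as an added example that is not part of the original post or the challenge binary. It keeps the three obfuscated routines exactly as decompiled, checks mechanically that they reduce to "highest set bit", "popcount" and "a2 == highest bit of a1", and then replays Brute() without the linear scan over inp (the only value Func3(size, inp) ever accepts is Func(size), so it can be emitted directly). The names highbit, popcount, check and expected_inputs are this example's own; RNUM is the 0x327B23C6 value from the listing above. digest_of() hashes the decimal inputs back to back, the way Brute() feeds them to md.Update(); it is there for the reader to compare against the hardcoded hash, not asserted here.

```python
import hashlib

RNUM = 0x327B23C6  # the fixed rnum value from the Brute() listing (assumed from the page)


def highbit(a):
    """Largest power of two <= a, or 0 for a <= 0. This is what Func() computes."""
    return 0 if a <= 0 else 1 << (a.bit_length() - 1)


def popcount(a):
    """Number of set bits in a. This is what Func2() computes."""
    return bin(a).count("1")


def check(a1, a2):
    """Plain form of Func3(): with h = highbit(a1) the obfuscated test is
    2*h + (a1 - h) == a1 + a2, which holds exactly when a2 == h."""
    return bool(a1 and a2) and a2 == highbit(a1)


# Obfuscated forms transcribed from the decompilation, kept only so the
# reduction to the helpers above can be verified mechanically.
def func_obf(a):
    temp, result = 1, 0
    while temp:
        if a & (~temp ^ a):           # == a & temp
            result = ~(~temp | ~a)    # == temp & a, i.e. temp itself
        temp *= 2
        if temp > a:
            break
    return result


def func2_obf(a):
    result = 0
    while a:
        a = ~(~(a - 1) | ~a)          # == (a - 1) & a: clears the lowest set bit
        result += 1
    return result


def func3_obf(a1, a2):
    if a1 and a2:
        v4 = a1 & (func_obf(a1) ^ a1)  # a1 with its top bit cleared
        v5 = func_obf(a1)              # the top bit
        # (x ^ y) | (x & y) == x | y, and 2*v5 and v4 are disjoint, so this is 2*v5 + v4
        return int((2 * v5 ^ v4 | 2 * v5 & v4) == a2 + a1)
    return 0


def obfuscation_reduces(limit=1 << 12):
    """True if every obfuscated routine agrees with its plain form on small inputs."""
    for a in range(limit):
        if func_obf(a) != highbit(a) or func2_obf(a) != popcount(a):
            return False
    for a1 in range(1, 1 << 8):
        for a2 in range(1, 1 << 8):
            if bool(func3_obf(a1, a2)) != check(a1, a2):
                return False
    return True


def expected_inputs(rnum=RNUM):
    """Replay Brute() without its scan over inp: the accepted input is always
    highbit(size). Each run of inputs walks size's top bit up to the bit of
    rnum held in temp; when it arrives, that bit moves into count and the next
    lower set bit of rnum becomes the target. Ends when count == rnum."""
    inputs = []
    count = 0
    temp = highbit(rnum)                 # bit of rnum currently being targeted
    size = (1 << popcount(rnum)) - 1     # 2^popcount(rnum) - 1
    while count != rnum:
        inp = highbit(size)
        if not inp:                      # size exhausted early; does not happen for RNUM
            break
        inputs.append(inp)
        size += inp
        while temp & size:
            count |= temp
            size &= ~temp
            temp = highbit(rnum & ~count)
    return inputs


def digest_of(inputs):
    """MD5 over the decimal inputs concatenated with no separator, as Brute()
    feeds them to md.Update(). Compare with the binary's hardcoded hash."""
    return hashlib.md5("".join(str(i) for i in inputs).encode()).hexdigest()


if __name__ == "__main__":
    seq = expected_inputs()
    print(len(seq), "inputs:", seq)
    print("md5:", digest_of(seq))
```

Running it prints the 123 numbers in the order the binary wants them (32768, 65536, ... , 2, 1), which is the list pasted into the solver script further down; a change to RNUM regenerates the list for a different seed output.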

The code spits out the valid inputs, which give us the flag. The input is too long to type into the console, so I wrote a bit of Python to automate it. You should also have seen that there are two sleep() calls, which need to be patched out or stubbed via LD_PRELOAD. I patched out those sleeps.
import subprocess

# The 123 inputs in the order the binary expects them (output of the generator above).
arr = [32768, 65536, 131072, 262144, 524288, 1048576, 2097152, 4194304, 8388608, 16777216, 33554432, 67108864, 134217728, 268435456, 16384, 32768, 65536, 131072, 262144, 524288, 1048576, 2097152, 4194304, 8388608, 16777216, 33554432, 67108864, 134217728, 8192, 16384, 32768, 65536, 131072, 262144, 524288, 1048576, 2097152, 4194304, 8388608, 16777216, 4096, 8192, 16384, 32768, 65536, 131072, 262144, 524288, 1048576, 2097152, 2048, 4096, 8192, 16384, 32768, 65536, 131072, 262144, 524288, 1048576, 1024, 2048, 4096, 8192, 16384, 32768, 65536, 131072, 262144, 524288, 512, 1024, 2048, 4096, 8192, 16384, 32768, 65536, 131072, 262144, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768, 65536, 128, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768, 64, 128, 256, 512, 1024, 2048, 4096, 32, 64, 128, 256, 16, 32, 64, 128, 8, 16, 32, 64, 4, 8, 16, 32, 2, 1]

# Feed the numbers one per line to the binary with the sleep() calls patched out.
p = subprocess.Popen("./patched", stdin=subprocess.PIPE)
for i in arr:
	p.stdin.write(("%d\n" % i).encode())   # bytes, so this works on both Python 2 and 3
p.stdin.close()
ret = p.wait()


dan@ubuntu:~/nullc$ python ./pssolve.py
I will generate some random numbers.
If you can give me those numbers, you will be $$rewarded$$
hmm..thinking...OK. I am Ready. Enter Numbers.
Good Job!!
Wait till I fetch your reward...OK. Here it is
The flag is:nullcon{50_5tup1d_ch4113ng3_f0r_e1i73er_71k3-y0u}

Posted By: Dan
Last Edit: 01 Feb 2016 @ 07:37 PM
Categories: CTF, HackIM2016