Archived view of 0x80.org › gemlog › 2015-10-05-dctf-r300.gmi, captured on 2022-04-28 at 17:40:48.

dctf r300

This challenge asks for a username and a password; we need the valid pair for the username 'Administrator'. The binary contains checks that refuse that username, so let's find them and patch them out first.

This is the first one: it calls strchr on the string (the pointer in local_5 plus 4) looking for 'A' (edx = 0x41) and quits if it finds one.

[0x004016be]> pdb
| 0x004016be   mov rax, qword [rbp-local_5]
| 0x004016c2   add rax, 4
| 0x004016c6   mov edx, 0x41
| 0x004016cb   mov rcx, rax
| 0x004016ce   call sym.strchr
| 0x004016d3   test rax, rax
| 0x004016d6   je 0x4016e2

We patch the je at 0x4016d6 to a jmp, so the "no 'A' found" path is always taken. Another check lives in get_product, which decompiles to the following pseudo-code (65 is 'A'):

int64 get_product(/* ... */ _BYTE *str /* ... */) {
  int i, z = 1, j = 1;
  for ( i = 0; str[i] && str[i] != 65; ++i ) // here: 65 == 'A', the loop stops at the first 'A'
  {
    z *= str[i];                 // running product of the bytes
    if ( z > 0x7FFF )            // keep it within 15 bits ...
    {
      z = str[i] + z % 0x7FFF;
      ++j;                       // ... and count how often it wrapped
    }
    if ( str[i] == 65 )          // here: 'A' again
      return 1337LL;             // here: sentinel value instead of the product
  }
  password_length = j;           // global, j = number of wraps + 1
  return z * j;
}
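As an added example (not code from the original writeup), here is a Python port of that pseudo-code. The `a_checks` flag is my own addition: with it set the port follows the decompiled code as it reads; with it cleared it behaves as the binary does once both 'A' checks are patched out. `password_length` is returned as the second element of the tuple instead of being stored in a global.

```python
# Added example, not from the original writeup: a Python port of the
# get_product pseudo-code.  a_checks=True follows the decompiled code,
# a_checks=False emulates the binary with both 'A' checks patched out.


def get_product(s: bytes, a_checks: bool = True):
    """Return (z * j, j), where j is what the binary stores in password_length.

    s is the NUL-terminated username as raw bytes (_BYTE is unsigned, so
    bytes above 0x7f are positive, as in the decompiled code).
    """
    z, j = 1, 1
    for c in s:
        if c == 0:                       # str[i] == 0 ends the loop
            break
        if a_checks and c == 0x41:       # str[i] != 65 in the loop condition
            break
        z *= c
        if z > 0x7FFF:                   # wrap the running product into 15 bits
            z = c + z % 0x7FFF
            j += 1                       # j counts the wraps plus one
        if a_checks and c == 0x41:       # dead as the pseudo-code reads: the loop
            return 1337, j               # condition already excluded 'A'
    return z * j, j                      # password_length = j


if __name__ == "__main__":
    for name in (b"Administrator", b"root"):
        print(name.decode(), "unpatched:", get_product(name),
              "patched:", get_product(name, a_checks=False))
```

Unpatched, b"Administrator" never enters the loop body (the first byte is 'A'), so the function returns 1 with j = 1; the `return 1337` branch cannot fire at all as the pseudo-code reads, because the loop condition has already excluded 'A'. With the checks removed the same input gives z*j = 141108 with j = 12. That j equals the 12-byte password length the writeup arrives at later, which fits `password_length = j`, although the page does not show that the global compared against strlen at 0x401718 is the same variable. A username without an 'A', such as b"root", computes the same value either way.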

We remove the checks marked above: the jnz at 0x401b44 becomes a jmp, and so does the jnz at 0x401b18. With these patches in place the 'A' checks are gone and we can continue.
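The three edits so far are all the same operation: turn a conditional jump into an unconditional one at a known virtual address. The writeup does this interactively in radare2. As an added example that is not part of the original post, the script below does it against the file by walking the ELF64 program headers to map the address to a file offset. It handles both the 2-byte Jcc rel8 encoding (the je at 0x4016d6 targets 10 bytes ahead, so `74 0a` simply becomes `eb 0a`) and the 6-byte Jcc rel32 encoding, which has to become a 5-byte `jmp rel32` with the displacement grown by one and a nop after it. The function names and the binary name `r300` are my assumptions, and the ELF image built at the bottom is constructed for the example.

```python
# Added example (not from the original writeup): rewrite conditional jumps in an
# ELF64 binary as unconditional jumps, by virtual address, as the je/jnz -> jmp
# patches above do by hand in radare2.
import struct

PT_LOAD = 1
# ELF64 file header and program header layouts, little-endian.
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")
PHDR = struct.Struct("<IIQQQQQQ")


def vaddr_to_offset(elf: bytes, vaddr: int) -> int:
    """Map a virtual address to a file offset via the PT_LOAD segments."""
    fields = EHDR.unpack_from(elf, 0)
    e_ident = fields[0]
    if e_ident[:4] != b"\x7fELF" or e_ident[4] != 2:   # EI_CLASS 2 = ELFCLASS64
        raise ValueError("not an ELF64 image")
    e_phoff, e_phentsize, e_phnum = fields[5], fields[9], fields[10]
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, *_ = PHDR.unpack_from(
            elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError(f"{vaddr:#x} is not backed by the file")


def force_jump(elf: bytearray, vaddr: int) -> str:
    """Turn the Jcc at vaddr into a jmp to the same target, in place.

    Returns "short" for Jcc rel8 (7x ib -> EB ib) or "near" for Jcc rel32
    (0F 8x id -> E9 id + 90).  Prefixed jumps are not handled and raise.
    """
    off = vaddr_to_offset(elf, vaddr)
    op = elf[off]
    if 0x70 <= op <= 0x7F:
        # Jcc rel8 and jmp rel8 are both 2 bytes: the displacement stays valid.
        elf[off] = 0xEB
        return "short"
    if op == 0x0F and 0x80 <= elf[off + 1] <= 0x8F:
        # Jcc rel32 is 6 bytes, jmp rel32 is 5.  The displacement is relative to
        # the end of the instruction, which moves back one byte, so add one.
        rel = struct.unpack_from("<i", elf, off + 2)[0]
        elf[off] = 0xE9
        struct.pack_into("<i", elf, off + 1, rel + 1)
        elf[off + 5] = 0x90                  # nop over the leftover byte
        return "near"
    raise ValueError(f"no conditional jump at {vaddr:#x} (opcode {op:#04x})")


def patch_file(path: str, vaddrs) -> dict:
    """Patch every address in vaddrs and write <path>.patched; returns what was done."""
    with open(path, "rb") as f:
        elf = bytearray(f.read())
    done = {va: force_jump(elf, va) for va in vaddrs}
    with open(path + ".patched", "wb") as f:
        f.write(elf)
    return done


def build_test_elf(code: bytes, base: int = 0x400000) -> bytearray:
    """Constructed minimal ELF64 image: one PT_LOAD mapping the whole file at base."""
    total = EHDR.size + PHDR.size + len(code)
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, LE, v1, SysV
    ehdr = EHDR.pack(e_ident, 2, 0x3E, 1, base + EHDR.size + PHDR.size,
                     EHDR.size, 0, 0, EHDR.size, PHDR.size, 1, 0, 0, 0)
    phdr = PHDR.pack(PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    return bytearray(ehdr + phdr + code)


CODE_VA = 0x400000 + EHDR.size + PHDR.size    # where the test code lands: 0x400078

if __name__ == "__main__":
    # Constructed code: the strchr check from the writeup (test rax,rax; je +0x0a)
    # followed by a near jne, so both encodings are exercised.
    code = bytes.fromhex("4885c0 740a 0f8510000000") + b"\x90" * 4
    elf = build_test_elf(code)
    for va in (CODE_VA + 3, CODE_VA + 5):
        print(f"{va:#x}: {force_jump(elf, va)}")
    print(elf[EHDR.size + PHDR.size:].hex())
    # On the real binary (assuming it is called r300):
    # patch_file("r300", [0x4016d6, 0x401b18, 0x401b44])
```

radare2 can do the same in place with `r2 -w` and `wa jmp 0x4016e2 @ 0x4016d6`; the script is for when the patch should be reproducible from a clean copy. It deliberately raises on anything that is not a plain Jcc (a prefixed jump, or an address that is not a jump at all) rather than guessing.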

| 0x00401705   call sym.strlen
| 0x0040170a   mov rdx, rax
| 0x0040170d   lea rax, [rip + 0x7310]
| 0x00401714   mov eax, dword [rax]
| 0x00401716   mov eax, eax
| 0x00401718   cmp rdx, rax
| 0x0040171b   jne 0x401737
| 0x0040171d   call sym.set_bit_field
| 0x00401722   mov rax, qword [rbp-local_5]
| 0x00401726   mov eax, dword [rax]
| 0x00401728   mov ecx, eax
| 0x0040172a   call sym.first_prime
| 0x0040172f   mov edx, eax
| 0x00401731   mov rax, qword [rbp-local_5]
| 0x00401735   mov dword [rax], edx

From this block we know we have to reach the two calls set_bit_field and first_prime, and to get there strlen of our password must equal the dword loaded from the global at rip + 0x7310, which is 12: the password is 12 bytes long. To learn the password itself we set a breakpoint at every comparison in cbc_password_check.

[0x00401ba0]> s sym.cbc_password_check 
[0x00401ba0]> pdf ~cmp al
| 0x00401c88   cmp al, byte [rbp+arg_4]
| 0x00401cd0   cmp al, byte [rbp+arg_4]
| 0x00401d18   cmp al, byte [rbp+arg_4]
| 0x00401d60   cmp al, byte [rbp+arg_4]
| 0x00401da1   cmp al, byte [rbp+arg_4]

Every time one of these breakpoints hits we learn one character; the password is #y1y3#y1y3## (12 bytes, as required).

Welcome to LBS checker
Do you want to check your USER:PASS pair? (Y = yes / N = no)
Y
Enter username:
Administrator
Enter password:
#y1y3#y1y3##

Valid combination!

Good bye!