
setodaNote CTF Passcode2 Writeup Using Ghidra


setodaNote CTF Rev問題の4問目
image.png

まずは,strings から。
image.png
Invalid passcode. Too short.とか発見
image.png
関数は,FUN_00101175

/*
 * Raw Ghidra decompilation of the passcode check (setodaNote CTF, Passcode2).
 *
 * Reads one line from stdin, requires it to be exactly 11 (0xb) bytes long,
 * and compares it byte-by-byte against a 12-byte stack string that holds the
 * expected passcode XOR 0x2a followed by a NUL.  On a match the verified
 * input itself is echoed back as the flag.
 *
 * Returns 1 when the first scanf() fails before any conversion (EOF /
 * read error), otherwise 0 regardless of whether the passcode matched.
 */
undefined8 FUN_00101175(void)

{
  int iVar1;
  undefined8 uVar2;
  size_t sVar3;
  /* local_124 .. local_119 are 12 contiguous bytes: 11 masked passcode
   * bytes plus the NUL stored in local_119, so strlen((char *)local_124)
   * evaluates to 11 below.  Ghidra split them because it typed only the
   * first four as an array. */
  byte local_124 [4];
  undefined local_120;
  undefined local_11f;
  undefined local_11e;
  undefined local_11d;
  undefined local_11c;
  undefined local_11b;
  undefined local_11a;
  undefined local_119;
  /* local_118 .. local_20: judging by the offset-based names these are 32
   * consecutive 8-byte slots (0x118 - 0x20 + 8 = 256 bytes).  Together they
   * form the input buffer passed to scanf below; the %255 width limits the
   * read to 255 characters plus NUL, which fits in 256 bytes. */
  undefined8 local_118;
  undefined8 local_110;
  undefined8 local_108;
  undefined8 local_100;
  undefined8 local_f8;
  undefined8 local_f0;
  undefined8 local_e8;
  undefined8 local_e0;
  undefined8 local_d8;
  undefined8 local_d0;
  undefined8 local_c8;
  undefined8 local_c0;
  undefined8 local_b8;
  undefined8 local_b0;
  undefined8 local_a8;
  undefined8 local_a0;
  undefined8 local_98;
  undefined8 local_90;
  undefined8 local_88;
  undefined8 local_80;
  undefined8 local_78;
  undefined8 local_70;
  undefined8 local_68;
  undefined8 local_60;
  undefined8 local_58;
  undefined8 local_50;
  undefined8 local_48;
  undefined8 local_40;
  undefined8 local_38;
  undefined8 local_30;
  undefined8 local_28;
  undefined8 local_20;
  ulong local_10;
  
  /* Zero the whole 256-byte input buffer before the read. */
  local_118 = 0;
  local_110 = 0;
  local_108 = 0;
  local_100 = 0;
  local_f8 = 0;
  local_f0 = 0;
  local_e8 = 0;
  local_e0 = 0;
  local_d8 = 0;
  local_d0 = 0;
  local_c8 = 0;
  local_c0 = 0;
  local_b8 = 0;
  local_b0 = 0;
  local_a8 = 0;
  local_a0 = 0;
  local_98 = 0;
  local_90 = 0;
  local_88 = 0;
  local_80 = 0;
  local_78 = 0;
  local_70 = 0;
  local_68 = 0;
  local_60 = 0;
  local_58 = 0;
  local_50 = 0;
  local_48 = 0;
  local_40 = 0;
  local_38 = 0;
  local_30 = 0;
  local_28 = 0;
  local_20 = 0;
  /* The expected passcode, stored XOR 0x2a so it does not show up in
   * `strings`; each stored byte is unmasked with ^ 0x2a in the loop below. */
  local_124[0] = 0x18;
  local_124[1] = 0x1f;
  local_124[2] = 4;
  local_124[3] = 0x79;
  local_120 = 0x4f;
  local_11f = 0x5a;
  local_11e = 4;
  local_11d = 0x18;
  local_11c = 0x1a;
  local_11b = 0x1b;
  local_11a = 0x1e;
  local_119 = 0;   /* terminator for the masked string */
  printf("Enter the passcode: ");
  /* "%255[^\n]" stores at most 255 non-newline chars (+ NUL) into the
   * buffer; "%*[^\n]" discards any remainder of the line without storing.
   * scanf returns -1 (EOF) if input fails before the first conversion. */
  iVar1 = __isoc99_scanf("%255[^\n]%*[^\n]",&local_118);
  if (iVar1 == -1) {
    uVar2 = 1;
  }
  else {
    /* Format string not recovered by the decompiler (DAT_0010202c);
     * presumably it consumes the trailing newline left by the read above
     * -- TODO confirm in the data section. */
    __isoc99_scanf(&DAT_0010202c);
    /* Empty line: "%[" matched nothing and the zeroed buffer is still "". */
    if ((char)local_118 == '\0') {
      printf("Invalid passcode.");
    }
    else {
      sVar3 = strlen((char *)&local_118);
      if (sVar3 < 0xb) {
        printf("Invalid passcode. Too short.");
      }
      else {
        /* Length must be exactly 11: the < 0xc and == 0xb checks together
         * leave only one accepted length, so the inner "else" on == 0xb is
         * unreachable after the < 0xc test. */
        sVar3 = strlen((char *)&local_118);
        if (sVar3 < 0xc) {
          sVar3 = strlen((char *)&local_118);
          if (sVar3 == 0xb) {
            local_10 = 0;
            /* Sequential compare: input[i] must equal masked[i] ^ 0x2a for
             * all 11 bytes.  The loop exits at the first mismatch, so this
             * is not a constant-time comparison. */
            while ((sVar3 = strlen((char *)local_124), local_10 < sVar3 &&
                   (*(byte *)((long)&local_118 + local_10) == (local_124[local_10] ^ 0x2a)))) {
              local_10 = local_10 + 1;
            }
            sVar3 = strlen((char *)local_124);
            /* local_10 reached strlen(masked) == 11 only if every byte matched. */
            if (local_10 == sVar3) {
              puts("The passcode has been verified.\n");
              /* The flag is the accepted input itself wrapped in flag{...}. */
              printf("Flag is : flag{%s}",&local_118);
            }
            else {
              printf("Invalid passcode. Nice try.");
            }
          }
          else {
            printf("Invalid passcode.");
          }
        }
        else {
          printf("Invalid passcode. Too long.");
        }
      }
    }
    putchar(10);   /* '\n' */
    uVar2 = 0;
  }
  return uVar2;
}

image.png
フラグの長さは0xb(11バイト)

Ghidraのデコンパイル誤りを訂正し,コードを読みやすくする
local_124 ( byte[4] ) --> enc_flag ( byte[11] )
local_10 --> i
local_118 ( undefined8 ) --> flag ( byte[11] )

訂正後
/* WARNING: Could not reconcile some variable overlaps */

/*
 * Same function after retyping the stack variables in Ghidra:
 *   local_124 (byte[4]) -> enc_flag (byte[11])
 *   local_118 (undefined8) -> flag (byte[11])
 *   local_10 -> i
 *
 * NOTE(review): the byte[11] type on `flag` is a reading aid, not the real
 * frame layout.  The untyped listing above zeroes 32 qwords (256 bytes) at
 * this location, which is what bounds the "%255[^\n]" read; the 11-byte
 * declaration here would not.  Likewise strlen((char *)enc_flag) relies on
 * the NUL that the untyped listing stores right after the 11th byte.
 *
 * Returns 1 if the first scanf() fails before any conversion, else 0.
 */
undefined8 FUN_00101175(void)

{
  int iVar1;
  undefined8 uVar2;
  size_t sVar3;
  byte enc_flag [11];   /* expected passcode XOR 0x2a */
  byte flag [11];       /* user input (see NOTE above on the true size) */
  ulong i;
  
  /* Leftover of the 256-byte zero-fill that Ghidra could not map onto the
   * retyped 11-byte array ("Could not reconcile some variable overlaps"). */
  flag._0_8_ = 0;
  stack0xfffffffffffffef0 = 0;
  enc_flag[0] = 0x18;
  enc_flag[1] = 0x1f;
  enc_flag[2] = 4;
  enc_flag[3] = 0x79;
  enc_flag[4] = 0x4f;
  enc_flag[5] = 0x5a;
  enc_flag[6] = 4;
  enc_flag[7] = 0x18;
  enc_flag[8] = 0x1a;
  enc_flag[9] = 0x1b;
  enc_flag[10] = 0x1e;
  printf("Enter the passcode: ");
  /* Up to 255 non-newline chars are stored; the rest of the line is
   * discarded by "%*[^\n]".  -1 means EOF / input failure. */
  iVar1 = __isoc99_scanf("%255[^\n]%*[^\n]",flag);
  if (iVar1 == -1) {
    uVar2 = 1;
  }
  else {
    /* Format string lives at DAT_0010202c and was not recovered;
     * presumably it eats the pending newline -- TODO confirm. */
    __isoc99_scanf(&DAT_0010202c);
    if (flag[0] == 0) {
      printf("Invalid passcode.");
    }
    else {
      sVar3 = strlen((char *)flag);
      if (sVar3 < 0xb) {
        printf("Invalid passcode. Too short.");
      }
      else {
        /* Only length 11 survives: < 0xc and == 0xb together admit exactly
         * one value, so the inner "Invalid passcode." branch is dead. */
        sVar3 = strlen((char *)flag);
        if (sVar3 < 0xc) {
          sVar3 = strlen((char *)flag);
          if (sVar3 == 0xb) {
            i = 0;
            /* Byte-by-byte: flag[i] must equal enc_flag[i] ^ 0x2a.
             * Stops at the first mismatch (not constant-time). */
            while ((sVar3 = strlen((char *)enc_flag), i < sVar3 && (flag[i] == (enc_flag[i] ^ 0x2a))
                   )) {
              i = i + 1;
            }
            sVar3 = strlen((char *)enc_flag);
            /* i == 11 only when all bytes matched. */
            if (i == sVar3) {
              puts("The passcode has been verified.\n");
              /* The flag is the accepted input wrapped in flag{...}. */
              printf("Flag is : flag{%s}",flag);
            }
            else {
              printf("Invalid passcode. Nice try.");
            }
          }
          else {
            printf("Invalid passcode.");
          }
        }
        else {
          printf("Invalid passcode. Too long.");
        }
      }
    }
    putchar(10);   /* '\n' */
    uVar2 = 0;
  }
  return uVar2;
}

stack strings を 0x2a で xor しているだけのようなので,Ghidra script を書く

# Ghidra script: recover the passcode from the stack-string stores.
# Starting at 0x001012b6, the binary writes the 11 masked bytes with one
# instruction each; operand 1 of every such instruction is the immediate
# byte (assumes the 11 stores are consecutive with no other instruction
# in between).  XOR with 0x2a undoes the mask used by the binary.
decoded = []
cur = getInstructionAt(toAddr(0x001012b6))
for _ in range(0xb):
    masked = cur.getOpObjects(1)[0].getValue()
    decoded.append(masked ^ 0x2a)
    cur = cur.getNext()
print(decoded)
print(''.join(chr(b) for b in decoded))

image.png
ビンゴ!
