
#LabyREnth CTF - Windows track no. 3 - SquirtleChallenge.exe

This task is also a simple one. We have an unpacked executable, which I loaded into IDA first. After a quick examination, we can notice that the password is hardcoded in the executable at address 0x414194:
"incorrect". Here's the code of the function:

signed int passwordCompare()
{
  FILE *v0; // eax@1
  char Buf; // [sp+0h] [bp-1Ch]@1
  char Str2[8]; // [sp+Ch] [bp-10h]@1
  __int16 v4; // [sp+14h] [bp-8h]@1

  _mm_storel_epi64((__m128i *)Str2, _mm_loadl_epi64((const __m128i *)&password));
  v4 = 116;
  sub_412880("Type the password:\n");
  v0 = (FILE *)_acrt_iob_func(0);
  fgets(&Buf, 10, v0);
  sub_412880("You typed: %s \n", &Buf);
  if ( strncmp(&Buf, Str2, 0xAu) )
  {
    sub_412880("Everytime you type the password wrong a Squirtle dies.\n\n");
    system("pause");
    exit(0);
  }
  return 1;
}
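To see why the 10-byte compare accepts exactly "incorrect", here is an added example that re-implements the recovered logic of passwordCompare() in plain C; it is not the challenge's own code. It assumes the `password` global holds the bytes "incorrec" (the 8 bytes the movq copies into Str2) and that the binary is little-endian x86, so the 16-bit value 116 written right after them becomes 't' followed by a NUL. fgets_from_string is a stand-in for fgets(&Buf, 10, stdin) over a constructed input line, which also shows that a typed line shorter than nine characters keeps its newline and fails the compare, while any line that starts with "incorrect" passes because fgets stops after nine bytes.

```c
#include <stdio.h>
#include <string.h>

/* Assumed contents of the `password` global: the 8 bytes that the
 * _mm_loadl_epi64/_mm_storel_epi64 pair copies into Str2. */
static const char password[8] = { 'i','n','c','o','r','r','e','c' };

/* Rebuilds the 10-byte string that strncmp() is run against, the same way
 * the decompiled function assembles it on the stack. */
const char *expected_password(void)
{
    static char str2[11];                /* 8 bytes + 2 bytes of v4, plus a spare NUL */
    short v4 = 116;                      /* v4 = 116 */
    memcpy(str2, password, 8);           /* Str2 = first 8 bytes of `password` */
    str2[8] = (char)(v4 & 0xff);         /* low byte first on little-endian x86: 0x74 = 't' */
    str2[9] = (char)((v4 >> 8) & 0xff);  /* high byte: 0x00, the terminator */
    str2[10] = '\0';
    return str2;
}

/* Stand-in for fgets(buf, n, stdin) reading from a constructed string instead
 * of stdin: stores at most n-1 bytes, stops after a newline, NUL-terminates.
 * Returns the number of bytes stored. */
size_t fgets_from_string(char *buf, size_t n, const char *input)
{
    size_t i = 0;
    while (i + 1 < n && input[i] != '\0') {
        buf[i] = input[i];
        i++;
        if (input[i - 1] == '\n')
            break;
    }
    buf[i] = '\0';
    return i;
}

/* Mirrors the check in passwordCompare(): 1 if the typed line passes,
 * 0 if the "a Squirtle dies" branch would be taken. */
int password_accepted(const char *typed_line)
{
    char buf[12];                                       /* Buf sits 12 bytes below Str2 */
    fgets_from_string(buf, 10, typed_line);             /* fgets(&Buf, 10, stdin) */
    return strncmp(buf, expected_password(), 10) == 0;  /* strncmp(&Buf, Str2, 0xAu) */
}

int main(void)
{
    /* Constructed sample input lines, each as the user would type it plus Enter. */
    const char *tries[] = { "incorrect\n", "incorrec\n", "wrong\n", "incorrectly\n" };
    printf("expected: \"%s\"\n", expected_password());
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        int len = (int)strcspn(tries[i], "\n");
        printf("\"%.*s\" -> %s\n", len, tries[i],
               password_accepted(tries[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```

The interesting detail is the 8-byte copy plus the 16-bit 116: IDA shows the string split in two stores, so the literal "incorrect" never appears as one contiguous constant in the decompiled function, only in the data at 0x414194.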
After figuring out the password, the code goes through various conditions that we have to fulfill to make Squirtle happy. I think the best way of doing that is to run the .exe in a debugger and flip the branch every time we need to.
It takes a couple of minutes to figure out which branches we have to change. After that we are rewarded with a .jpg looking exactly like this:


This is obviously the ASCII code of our flag. Decode it by hand or use this:

#include <stdio.h>
#include <iostream>

using namespace std;

// Bytes read off the .jpg, in order; each one is the ASCII code of a flag character.
char flag[] = { 0x50, 0x41,
    0x4e, 0x7b,
    0x54, 0x68,
    0x33, 0x5f,
    0x24, 0x71,
    0x75, 0x69,
    0x72, 0x74,
    0x4c, 0x33,
    0x5f, 0x24,
    0x71, 0x75,
    0x40, 0x64,
    0x5f, 0x77,
    0x40, 0x7a,
    0x5f, 0x62,
    0x4c, 0x75,
    0x66, 0x66,
    0x69, 0x4e,
    0x67, 0x7d  };

int main(void)
{
 // sizeof(flag) is the byte count: the array has no NUL terminator, so print every byte
 for (size_t i = 0; i < sizeof(flag); i++)
 {
  printf("%c", flag[i]);
 }
 cout << endl;
 return 0;
}

And that's all, we have a flag.
