Sunday, 18 December 2016

Sharif CTF : RE Challenges

The first 3 re challenges were very simple. Out of the 4 others 3 were windows re and 1 was an apk file.

I could solve only the first 3.

Getit - 50 Points challenge

This challenge I couldn't understand the disassembly much. I was just stepping through the code in GDB. Saw a string comparison, above that a string was being moved to edi. It turned out to be the flag. :-)

      0x40081c <main+198>: movsxd rbx,eax
      0x40081f <main+201>: mov    edi,0x6010e0
      0x400824 <main+206>: call   0x4005e0 <strlen@plt>
=> 0x400829 <main+211>: cmp    rbx,rax

The flag was stored at address 0x6010e0, it was moved to rdi.
We can see that by-

      x/s $rdi

Flag :

SharifCTF{b70c59275fcfa8aebf2d5911223c6589}


RepairMe - 100 Points challenge

I don't know why they gave this challenge. I got the flag while just executing it.

Flag :

SharifCTF{98ad7e41c78b7df41cb2ad0c17c61408}


SCrack- 150 Points challenge

In this challenge either you have to give right input to get the flag or you can get the flag directly by examining the disassembly. I chose the second way. Starting from the following address, start converting the hex value which is being moved to esi into character. First character will be 'S'. Till you get the whole flag repeat the same  process.

      0x0000000000400c50 <+515>: mov    esi,0x53
      0x0000000000400c55 <+520>: mov    edi,0x6021c0
      0x0000000000400c5a <+525>: call   0x4008e0  <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_c@plt>
      0x0000000000400c5f <+530>: mov    esi,0x68
      0x0000000000400c64 <+535>: mov    rdi,rax
      0x0000000000400c67 <+538>: call   0x4008e0    <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_c@plt>

Finally you will get the flag as:

SharifCTF{ed97d286f356dadb5cde0902006c7deb}

No comments:

Post a Comment