Sunday, 11 February 2018

Quad Math - HackIM 2018

This time HackIM had a variety of RE challenges. There was one LLVM IR, one ARM, one Mach-O, one Linux x64 and one more(didn't unlock it, so don't know about that).

I solved the ARM challenge, named Quad math. It was a 150 pointer challenge. I couldn't run it. So I fired up radare to analyse it statically. The main function looked something like this:

       

From the disassembly, it is clear that the binary takes one string as input, then it goes through a series of checks, and finally the result gets printed out. There were a total of 65 check functions which checked the input, character by character. But the checks turned out to be a little short as multiple correct answers were being accepted by the binary. It will become clear in a little while. And each of the checking functions looked something like this:

 

It is actually checking the first and third character of the input(i.e. flag).

        void func_6b8()
        {
             fin = input[0] * input[0] - 203 * input[0] != -10296 || input[2] * input[2] - 203 * input[2] != -10296;
        }

Rest of the characters were being checked similarly(i.e. two alternate characters at a time). So, what I did is, I wrote a z3 script to find the correct input.


As I earlier said, the constraints for checking the flag were a little less, therefore the script printed out many possible answers. So I sent few of them having only printable characters to the admin and he was kind enough to send me the correct flag which will be accepted by the server.

The correct flag was:

hackim18{'W0W_wow_w0w_WoW_y0u_h4v3_m4th_sk1ll5_W0oW_w0ow_wo0w_Wo0W'}

9 comments:

  1. Actually it was not because of it accepting multiple solutions. You had to check the value of the global variable after every function call. I was just dumping its final value. I posted a hint for people to look for that. You can see the source here : https://gist.github.com/sudhackar/80fbe0d670d727e42bb481cfd11174de

    ReplyDelete
    Replies
    1. Nope. It accepts multiple inputs. For example, give "cackim18{'W0W_wow_w0w_WoW_y0u_h4v3_m4th_sk1ll5_W0oW_w0ow_wo0w_Wo0W'}" as input and see the value of the global variable.

      Delete
    2. Few more possible inputs:
      hkckim18{'W0W_wow_w0w_WoW_y0u_h4v3_m4th_sk1ll5_W0oW_w0ow_wo0w_Wo0W'}
      hkckim18{'W0W_wow_w0w_WoW_y0u_h4v3_m4th_sk1ll5_W0oW_w0ow_wo0w_Wo0W'W

      I modified your code to print the value of variable fin every time. :)
      https://gist.github.com/r00tus3r/663580f38a0641e413554ac467720f42

      Delete
    3. you're missing the point, the terminals are only bounded to one quadratic equation thats why this happens. You had to understand this with relation to the flag.

      Delete
    4. hackim18{'W0W_wow_w0w_WoW_y0u_h4v3_m4th_sk1ll5_W0oW_w0ow_wo0w_Wo0W'}
      cackim18{'W0W_wow_w0w_WoW_y0u_h4v3_m4th_sk1ll5_W0oW_w0ow_wo0w_Wo0W'}
      hkckim18{'W0W_wow_w0w_WoW_y0u_h4v3_m4th_sk1ll5_W0oW_w0ow_wo0w_Wo0W'}
      ckckim18{'W0W_wow_w0w_WoW_y0u_h4v3_m4th_sk1ll5_W0oW_w0ow_wo0w_Wo0W'}
      hackim18{'W0W_wow_w0w_WoW_y0u_h4v3_m4th_sk1ll5_W0oW_w0ow_wo0w_Wo0W0}
      hackim18{'W0W_wow_w0w_WoW_y0u_h4v3_m4th_sk1ll5_W0oW_w0ow_wo0w_Wo0W'W


      are some of the inputs that should satisfy. As you can see only the terminals are getting affected flag[0], flag[1], flag[67], flag[66] are the only ones that could change. The flag format being "hackim18{'%s'}" this was easily understood by many teams.

      Delete
    5. Oh cool. You could have said that first.

      Delete
  2. The script you build is it in python or C

    ReplyDelete
  3. And which which tool you used before radare

    ReplyDelete
  4. Baccarat - Play at the World's Best Online Casino - Wolverione
    We have the best games and 1xbet the best bonuses, 바카라 사이트 and most attractive sign up offers for Baccarat here kadangpintar at Wolverione!

    ReplyDelete