CTF-BR! – r100

r100 – shuffle

Posted 7 de dezembro de 2014

> SECCON > SECCON CTF 2014 > r100 - shuffle

find the string before randomizing.

Solução

Executando o binário fornecido, notamos o seguinte comportamento (bem adequado para o nome dele):

$ ./shuffle 
 SSCm CoOE{ eWC4}FEoTcCe2
$ ./shuffle 
1{C!elcEhFmCO 0OWNC4oT

$ ./shuffle

SSCm CoOE{ eWC4}FEoTcCe2

$ ./shuffle

1{C!elcEhFmCO 0OWNC4oT

Analisando o código percebemos que ele montava a string char por char na função main, antes de começar a fazer o shuffle dela. Então, bastou colocar um breakpoint antes dele fazer isso e olhar a stack!

Flag

$ gdb -q ./shuffle
Reading symbols from /home/felipe/seccon/shuffle...(no debugging symbols found)...done.
(gdb) b *0x80486ba
Breakpoint 1 at 0x80486ba
(gdb) r
Starting program: /home/felipe/seccon/shuffle

Breakpoint 1, 0x080486ba in main ()
(gdb) x/20s $esp
0xffffd580: ""
0xffffd581: ""
0xffffd582: ""
0xffffd583: ""
0xffffd584: "\025s\350\367\247\325\377\377\204\326\377\377"
0xffffd591: ""
0xffffd592: ""
0xffffd593: ""
0xffffd594: "0\326\377\377\340\234\373\367y\203\004\b\220\345\37\367SECCON{Welcome to the SECCON 2014 CTF!}"

$ gdb -q ./shuffle

Reading symbols from /home/felipe/seccon/shuffle...(no debugging symbols found)...done.

(gdb) b *0x80486ba

Breakpoint 1 at 0x80486ba

(gdb) r

Starting program: /home/felipe/seccon/shuffle

Breakpoint 1, 0x080486ba in main ()

(gdb) x/20s $esp

0xffffd580: ""

0xffffd581: ""

0xffffd582: ""

0xffffd583: ""

0xffffd584: "\025s\350\367\247\325\377\377\204\326\377\377"

0xffffd591: ""

0xffffd592: ""

0xffffd593: ""

0xffffd594: "0\326\377\377\340\234\373\367y\203\004\b\220\345\37\367SECCON{Welcome to the SECCON 2014 CTF!}"

Criado por

Epic Leet Team

Felipe Pena