InCTF 2017: GOSolveMe(200) RE Writeup

 

In this challenge we have a 64bit ELF Binary, when we run it, it asks for an integer input. if the input is wrong it prints “Wrong Input.” and if it is correct then flag is printed out.

So lets run the binary and give some random integer as input.

Screenshot from 2017-12-18 19-49-57

So to view the Disassembly of this binary we load it in IDA and once the binary is loaded we notice that there are about 2200 functions but except for few of them rest are of no use to us. the function that we need to look at is main_main as the name suggests this function acts as the main function of this program and we can clearly see that input is being taken in this function.

screenshot-from-2017-12-18-19-59-171.png

 

Then when we further look at the disassembly of this function we see that there are two checks being done on our input and if any of those check fails then main_badinput function is called which prints “Wrong Input.”.

 

Firstly our input is compared to 9999999 and checked if it is greater than that value and then it is compared with 99999999 and checked if our input is less than that value if both the condition satisfies then main_calc function is called if any of two check fails then main_badinput is called. So in short the the two checks are actually used to check if the length of the input is 8 digits or not if the length is anything other than 8 main_badinput is called.

screenshot-from-2017-12-18-20-11-301.png

On disassembling main_calc function we see few operations being performed on our input:

Firstly our input is divided by 1000000 and then mod10 is being done to the resultant value and finally the result is stored in some variable so the operation looks something like this: (let a be the variable)

a = ((input/1000000)%10)

When we solve the above expression we see that it just stores second digit of our input in some variable. Then that variable is multiplied by 10 and added with mod10 of the input the operation looks something like this: a = ((a*10)+ (input%10))

Screenshot from 2017-12-18 21-33-19

Now the variable stores second and last digit of our input and then it is compared with some value.

After performing dynamic analysis using GDB we find out that the value with which variable is being compared is 38 and if the check satisfies then eax is set to 1 otherwise it is set to 0.

After exiting the main_calc function we see that the value of eax is being compared to 1. If the condition satisfies then main_printflag function is being called otherwise main_badinput function is being called.

So now we know that the our input will be correct if it is 8 digits long and 2nd and 8th digit of our input is 3 and 8 respectively so now we run the binary and this time give correct input.

Screenshot from 2017-12-18 21-45-21

Input: 13245678  (it can vary as only 2nd and 8th digit are checked)

Flag : inctf{tH3_h|Gh3r_y@U_Cl|mB_tH3_Be??eR_Th3_v|3w}

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

Blog at WordPress.com.

Up ↑

%d bloggers like this: