
Rebuilding

$ file rebuilding
rebuilding: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=4097a7628977579d82b46c5cebc04ef3d6d045d2, not stripped

Menggunakan tools IDA untuk disassembly fungsi main, diperoleh fungsi seperti di bawah. Lalu disassembly dengan tools GDB pada proses yang sedang berjalan.

/*
 * IDA decompiler pseudocode of main() from ./rebuilding.
 *
 * Expects exactly one command-line argument of length 32.  For every position
 * i it recomputes one plaintext byte as key[i % 6] ^ encrypted[i] and counts
 * whether argv[1][i] equals it; "The password is correct" is printed only when
 * all 32 positions match.
 *
 * Security-relevant point: both `key` and `encrypted` are embedded in the
 * binary, so the expected byte is reconstructed in-process on every iteration
 * and is present in a register at the compare instruction.  Nothing here is
 * a secret the program does not already hold.
 *
 * Returns the process exit status: 0 on a correct password, -1 otherwise
 * (exit(-1) on a missing argument yields status 255 on POSIX).
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int result; // eax
  int v4; // eax  -- character emitted by the progress animation ('.' or ' ')
  int v5; // [rsp+14h] [rbp-Ch]  -- count of matching positions, 0..32
  int i; // [rsp+18h] [rbp-8h]   -- index into argv[1] and encrypted[]
  int j; // [rsp+1Ch] [rbp-4h]   -- column of the 6-wide progress indicator

  if ( argc != 2 )
  {
    puts("Missing required argument");
    exit(-1);
  }
  v5 = 0;
  /* The length check also guarantees argv[1][0..31] are readable below. */
  if ( strlen(argv[1]) == 32 )
  {
    for ( i = 0; i <= 31; ++i )
    {
      /* Cosmetic "\rCalculating" line with a single dot walking across 6 columns. */
      printf("\rCalculating");
      for ( j = 0; j <= 5; ++j )
      {
        if ( j == i % 6 )
          v4 = 46;   /* '.' */
        else
          v4 = 32;   /* ' ' */
        putchar(v4);
      }
      fflush(_bss_start);   /* presumably stdout; IDA resolved the symbol as _bss_start */
      /* Decrypt one byte with the repeating 6-byte XOR key and add 1 on a match.
         There is no early exit, so all 32 iterations always run. */
      v5 += ((unsigned __int8)key[i % 6] ^ encrypted[i]) == argv[1][i];
      usleep(0x30D40u);   /* 200000 us = 0.2 s per byte, about 6.4 s for the whole loop */
    }
    puts(&byte_AFE);   /* IDA byte label; contents not visible in this listing */
    if ( v5 == 32 )
    {
      puts("The password is correct");
      result = 0;
    }
    else
    {
      puts("The password is incorrect");
      result = -1;
    }
  }
  else
  {
    puts("Password length is incorrect");
    result = -1;
  }
  return result;
}

Inti dari source code adalah baris v5 += ((unsigned __int8)key[i % 6] ^ encrypted[i]) == argv[1][i];. Input akan dibandingkan dengan (unsigned __int8)key[i % 6] ^ encrypted[i] (flag). Dengan bantuan GDB akan diketahui proses pembandingan nilai input dengan nilai flag.

⚠ mungkin bukan cara paling efisien

$ gdb ./rebuilding
(gdb) source ~/path/to/gef/gef.py

gef> disas main
...
gef> # terlihat instruksi xor (main+277) dan cmp (main+303) setelah instruksi xor
gef> # langsung set break pada cmp (main+303)
gef> break *main+303
gef> run
...
0x5555554009b6 <main+303>       cmp    cl, al
...
gef> # register $al merupakan input kita
gef> # register $cl merupakan input flag
gef> info register $cl
cl             0x48                0x48
gef> # chr(0x48) = H
gef> c
...
0x5555554009b6 <main+303>       cmp    cl, al
...
gef> i r $cl
cl             0x54                0x54
gef> # chr(0x54) = T
gef> # proses manual seterusnya :)
flag.py
# Bytes read one at a time from $cl at the cmp in main+303 (see the GDB session above).
flag = [0x48, 0x54, 0x42, 0x7b, 0x68, 0x31, 0x64, 0x31, 0x6e, 0x67, 0x5f, 0x31, 0x6e, 0x5f, 0x63, 0x30, 0x6e, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x30, 0x72, 0x35, 0x5f, 0x31, 0x6e, 0x31, 0x74, 0x7d]

# Every value is a printable ASCII code, so decode the whole list as one string
# and print it followed by a newline.
print(bytes(flag).decode('ascii'))

flag HTB{h1d1ng_1n_c0nstruct0r5_1n1t}