
Let's get dynamic

Category: Reverse Engineering, 150 points

Description

Can you tell what this file is reading?

An assembly file was attached.

	.file	"chall.c"
	.text
	.section	.rodata				# read-only string constants used by puts() in main
	.align 8
.LC0:
	.string	"Correct! You entered the flag."	# printed on the memcmp() != 0 path of main
.LC1:
	.string	"No, that's not right."			# printed on the memcmp() == 0 path of main
	.text
	.globl	main
	.type	main, @function
#-----------------------------------------------------------------------
# int main(int argc, char **argv)
# ABI:    SysV AMD64, GCC output (unoptimised; every local lives off %rbp)
# Frame:  -304 argv, -292 argc, -276 loop index i (int),
#         -272 derived[49], -208 input[49] (filled by fgets),
#         -144 key1[50], -80 key2[50], -24 stack-protector canary
# Flow:   derived[i] = key1[i] ^ key2[i] ^ i ^ 19 for every i < strlen(key1)
#         (strlen(key1) is 49 at run time, per the ltrace trace below), then
#         memcmp(input, derived, 49). NOTE the branch on the memcmp result is
#         inverted: a mismatch prints "Correct!" and returns 0, a match prints
#         "No, that's not right." and returns 1.
# Out:    %eax = 0 (mismatch) or 1 (match)
# Clobb:  caller-saved registers via the libc calls; %rbx is saved/restored
#-----------------------------------------------------------------------
main:
.LFB5:
	.cfi_startproc
	pushq	%rbp
	.cfi_def_cfa_offset 16
	.cfi_offset 6, -16
	movq	%rsp, %rbp
	.cfi_def_cfa_register 6
	pushq	%rbx				# callee-saved; holds the loop index across strlen()
	subq	$296, %rsp			# 296 + two pushes keeps %rsp 16-aligned at every call
	.cfi_offset 3, -24
	movl	%edi, -292(%rbp)		# spill argc (not read again in this function)
	movq	%rsi, -304(%rbp)		# spill argv (not read again in this function)
	movq	%fs:40, %rax			# load the stack-protector canary ...
	movq	%rax, -24(%rbp)			# ... and store it in the frame for the check at .L6
	xorl	%eax, %eax			# clear the canary value out of %rax
	movabsq	$4137700413143496212, %rax	# key1 is built from 8-byte immediates, never from .rodata
	movabsq	$3668774195188830448, %rdx
	movq	%rax, -144(%rbp)		# key1[0..7]
	movq	%rdx, -136(%rbp)		# key1[8..15]
	movabsq	$-3415231997387159298, %rax
	movabsq	$3180240096696696075, %rdx
	movq	%rax, -128(%rbp)		# key1[16..23]
	movq	%rdx, -120(%rbp)		# key1[24..31]
	movabsq	$-5717177924950513641, %rax
	movabsq	$-3967246834314051972, %rdx
	movq	%rax, -112(%rbp)		# key1[32..39]
	movq	%rdx, -104(%rbp)		# key1[40..47]
	movw	$97, -96(%rbp)			# key1[48] = 'a', key1[49] = NUL terminator
	movabsq	$6214777055764401527, %rax	# key2, same construction
	movabsq	$8184225536171504527, %rdx
	movq	%rax, -80(%rbp)			# key2[0..7]
	movq	%rdx, -72(%rbp)			# key2[8..15]
	movabsq	$-8364134581669616439, %rax
	movabsq	$5916610601309242417, %rdx
	movq	%rax, -64(%rbp)			# key2[16..23]
	movq	%rdx, -56(%rbp)			# key2[24..31]
	movabsq	$-2598080388612165765, %rax
	movabsq	$-4252370736625094538, %rdx
	movq	%rax, -48(%rbp)			# key2[32..39]
	movq	%rdx, -40(%rbp)			# key2[40..47]
	movw	$63, -32(%rbp)			# key2[48] = '?', key2[49] = NUL terminator
	movq	stdin(%rip), %rdx
	leaq	-208(%rbp), %rax
	movl	$49, %esi
	movq	%rax, %rdi
	call	fgets@PLT			# fgets(input, 49, stdin): at most 48 chars plus NUL
	movl	$0, -276(%rbp)			# i = 0
	jmp	.L2
.L3:						# loop body: derived[i] = key1[i] ^ key2[i] ^ i ^ 19
	movl	-276(%rbp), %eax
	cltq
	movzbl	-144(%rbp,%rax), %edx		# edx = key1[i]
	movl	-276(%rbp), %eax
	cltq
	movzbl	-80(%rbp,%rax), %eax		# eax = key2[i]
	xorl	%eax, %edx			# edx = key1[i] ^ key2[i]
	movl	-276(%rbp), %eax
	xorl	%edx, %eax			# ^ i
	xorl	$19, %eax			# ^ 19 (constant)
	movl	%eax, %edx
	movl	-276(%rbp), %eax
	cltq
	movb	%dl, -272(%rbp,%rax)		# derived[i] = low byte of the result
	addl	$1, -276(%rbp)			# i++
.L2:						# loop test: while ((size_t)i < strlen(key1))
	movl	-276(%rbp), %eax
	movslq	%eax, %rbx			# rbx = (long)i, kept live across the call
	leaq	-144(%rbp), %rax
	movq	%rax, %rdi
	call	strlen@PLT			# re-evaluated every iteration: one strlen() per byte in ltrace
	cmpq	%rax, %rbx
	jb	.L3				# unsigned compare, as strlen() returns size_t
	leaq	-272(%rbp), %rcx
	leaq	-208(%rbp), %rax
	movl	$49, %edx
	movq	%rcx, %rsi
	movq	%rax, %rdi
	call	memcmp@PLT			# memcmp(input, derived, 49): fixed length, so a short
						# input is compared past its NUL terminator as well
	testl	%eax, %eax
	je	.L4				# equal -> .L4 ("No, that's not right."): sense is inverted
	leaq	.LC0(%rip), %rdi
	call	puts@PLT			# mismatch: "Correct! You entered the flag."
	movl	$0, %eax			# return 0
	jmp	.L6
.L4:
	leaq	.LC1(%rip), %rdi
	call	puts@PLT			# match: "No, that's not right."
	movl	$1, %eax			# return 1
.L6:
	movq	-24(%rbp), %rcx
	xorq	%fs:40, %rcx			# stack-protector check against the canary saved above
	je	.L7
	call	__stack_chk_fail@PLT		# canary corrupted: abort, does not return
.L7:
	addq	$296, %rsp
	popq	%rbx
	popq	%rbp
	.cfi_def_cfa 7, 8
	ret
	.cfi_endproc
.LFE5:
	.size	main, .-main
	.ident	"GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0"
	.section	.note.GNU-stack,"",@progbits	# empty flags: asks the linker for a non-executable stack

Solution

First, we'll compile the assembly file:

┌──(user@kali)-[/media/sf_CTFs/pico/Lets_get_dynamic]
└─$ gcc chall.S -o chall

Then we'll run it:

┌──(user@kali)-[/media/sf_CTFs/pico/Lets_get_dynamic]
└─$ ./chall
test
Correct! You entered the flag.

Well, that doesn't seem right. Perhaps running it with ltrace will reveal something new?

┌──(user@kali)-[/media/sf_CTFs/pico/Lets_get_dynamic]
└─$ ltrace ./chall
fgets(test
"test\n", 49, 0x7faf0ae14980)                                                                                             = 0x7ffd4e0ebac0
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
strlen("\024\266gp\232\020l9\360\220YI\261\032\3522\376\3100\322\227\250\232\320\v}\017\260\204{","...)                         = 49
memcmp(0x7ffd4e0ebac0, 0x7ffd4e0eba80, 49, 0x7ffd4e0eba80)                                                                      = 4
puts("Correct! You entered the flag."Correct! You entered the flag.
)                                                                                          = 31
+++ exited (status 0) +++

We can see a call to memcmp, so let's set a breakpoint on it and inspect its arguments:

gef>  b *0x00005555555552f6
Breakpoint 2 at 0x5555555552f6
gef>  c
gef>  printf "%s\n", $rdi
test
gef>  printf "%s\n", $rsi
picoCTF{dyn4m1c_4n4ly1s_1s_5up3r_us3ful_14bfa700}

The flag: picoCTF{dyn4m1c_4n4ly1s_1s_5up3r_us3ful_14bfa700}