Author: roerohan
A possible way to solve this challenge is decompiling the binary and trying to understand what's happening in the code.
- ghidra
- gdb
First, we checkout the decompiled version of this binary with the help of ghidra.
As you see in the code, there is a while(true) loop which reads a number %d from stdin and stores it in i. There's also an array of numbers nums. The code snippet containing nums is basically swapping nums[i] with nums[i+1]. The check function basically checks if the list is sorted.
_Bool check(void)
{
uint32_t i;
_Bool pass;
i = 0;
while( true ) {
if (8 < i) {
return true;
}
if (nums[i + 1] < nums[i]) break;
i = i + 1;
}
return false;
}The target is to keep swapping indices in nums to finally sort it as a list. So, we open gdb and find out what nums is.
gdb-peda$ print nums
$1 = {0x1, 0xa, 0x3, 0x2, 0x5, 0x9, 0x8, 0x7, 0x4, 0x6}When you execute this line in gdb, you see that nums is a global array, consisting of numbers from 1 to 10. It is also important to notice in the ghidra decompiled code that the value of i entered by the user must be <=8, otherwise it will just break out of the while(true) loop.
Now, we have to device a strategy to sort these numbers by swapping indices i and i+1 in nums. So, first we try to bring 0x2 or 2 to it's real place by passing 2 followed by 1. That swaps the indices 2 with 3 and then 1 with 2, bringing 2 back to it's original place. We can perform these swaps in gdb and keep checking the outputs of the swaps as we move on. Here's a list of swaps that could sort the array.
2
1
2
7
6
5
4
3
4
8
7
6
5
8
7
6
8
7
8
9
At the end of every iteration, the check function runs to check if the list is sorted. Once it's sorted, we can break out of the loop, since pass is now equal to true.
The list ends with a 9 so that we can break out of the while loop. Once it breaks out, it checks if the value of pass is true, which it is, and then it runs the print_flag function. Passing the numbers in the above list fetches us the flag.
$ nc 2020.redpwnc.tf 31039
I hate my data structures class! Why can't I just sort by hand?
2
1
2
7
6
5
4
3
4
8
7
6
5
8
7
6
8
7
8
9
Well done!
flag{4ft3r_y0u_put_u54c0_0n_y0ur_c011ege_4pp5_y0u_5t1ll_h4ve_t0_d0_th15_57uff}The flag is:
flag{4ft3r_y0u_put_u54c0_0n_y0ur_c011ege_4pp5_y0u_5t1ll_h4ve_t0_d0_th15_57uff}