First, we check the file in Ubuntu with `file pro`:
$ file pro
pro: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=7bfce31b622a4e5bd9db43154888a3e1891ccac9, stripped
Next, we open the file in IDA, where it is easy to decompile it into pseudocode:
/* IDA pseudocode of main: a three-stage check (password, key, flag).
 * The key is used to patch a byte array in place, which is then executed. */
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
int v4; // [rsp+8h] [rbp-38h]  reused: holds the password first, then the key
int i; // [rsp+Ch] [rbp-34h]  index into byte_201020
char s2; // [rsp+10h] [rbp-30h]  first byte of the flag input buffer (decompiler shows a single char)
unsigned __int64 v7; // [rsp+38h] [rbp-8h]  stack-protector canary copy
/* Canary is loaded from fs:0x28 (x86-64 glibc stack protector). */
v7 = __readfsqword(0x28u);
i = 0;
/* Stage 1: the password must equal the hard-coded constant 98416.
 * The extra a2/a3 arguments to printf are a decompiler artifact. */
printf("First give me your password: ", a2, a3);
__isoc99_scanf("%d", &v4);
if ( v4 != 98416 )
{
puts("You don't know static analysis !");
exit(0);
}
/* Stage 2: v4 is overwritten with the key, 49 is subtracted, and the
 * result is added to each of the 12 bytes of byte_201020. */
printf("Second give me your key: ");
__isoc99_scanf("%d", &v4);
v4 -= 49;
for ( i = 0; i <= 11; ++i )
byte_201020[i] += v4;
/* The patched bytes are then called as code, with s1 as the argument.
 * s1 is not declared in this listing; presumably a global buffer. */
(*(void (__fastcall **)(char *))byte_201020)(s1);
/* Stage 3: the user-typed flag is compared against s1.
 * NOTE: "%s" has no width limit, so input longer than the space between
 * rbp-30h and the canary at rbp-8h (0x28 bytes) overwrites the stack. */
printf("Then Verify your flag: ");
__isoc99_scanf("%s", &s2);
if ( !strcmp(s1, &s2) )
puts("You are right. Congratulations !!");
else
puts("You don't know dynamic analysis !");
return 0LL;
}
After decompiling, there are three steps to find the flag. First, look at the variable v4:
/* Stage 1 excerpt: the first scanf("%d") fills v4, which must equal 98416. */
printf("First give me your password: ", a2, a3);
__isoc99_scanf("%d", &v4);
if ( v4 != 98416 )
{
puts("You don't know static analysis !");
exit(0);
}
It is easy to find the first password: 98416. Then we check the second password in the code:
/* Stage 2 excerpt: the second scanf("%d") overwrites v4 with the key, then 49 is subtracted. */
printf("Second give me your key: ");
__isoc99_scanf("%d", &v4);
v4 -= 49;
Remember, the first value read into v4 is different from the second one (the same variable is reused). To find the key we can look at the asm in IDA :)
.text:0000000000000861 lea rdi, aSecondGiveMeYo ; "Second give me your key: "
.text:0000000000000868 mov eax, 0
.text:000000000000086D call _printf
.text:0000000000000872 lea rax, [rbp+var_38] ; var_38 is v4 in the pseudocode
.text:0000000000000876 mov rsi, rax
.text:0000000000000879 lea rdi, aD ; "%d"
.text:0000000000000880 mov eax, 0
.text:0000000000000885 call ___isoc99_scanf
.text:000000000000088A mov eax, [rbp+var_38]
.text:000000000000088D sub eax, 31h ; '1' = 0x31 = 49, i.e. the "v4 -= 49" of the pseudocode
.text:0000000000000890 mov [rbp+var_38], eax
.text:0000000000000893 mov [rbp+var_34], 0 ; var_34 is i, reset before the loop
.text:000000000000089A jmp short loc_8C7 ; presumably the loop condition; target not shown here
You will see the instruction `sub eax, 31h ; '1'`
which corresponds to `v4 -= 49` in the pseudocode.
This suggests the key X satisfies X - 49 = 1, so the pass is: 50 :)
For the final step, in my opinion, we can debug it in Ubuntu using the two passwords we found :) Set a breakpoint at 0x55555555491e and we find it.
https://drive.google.com/file/d/15kgs1Q-J9NkKqERyle4GfQFnFDeFqxJd/view
Then we read the value of the RDI register and get the flag: BambooFox{dyn4mic_1s_4ls0_gr34t}