Tags: rev

Rating: 0

# Writeup
We open the binary in IDA and see that it reads the input from stdin. The password has to be 44 characters long, so we start with a probe made of four distinct 11-byte blocks, aaaaaaaaaaabbbbbbbbbbbcccccccccccddddddddddd, so that each check can be tied to the block it consumes. We set a breakpoint at 0x0040341F and patch the conditional jump there to jnz.
After the fgets call we analyze the important functions one by one.
## sub_4018D9
This function works on the bbbbbbbbbbb block (bytes 11 to 21): the instruction movzx eax, byte ptr [eax] loads 0x62, which is 'b'.
At cmp dl, al the byte is compared with the first byte of the hardcoded key (mv|GLp+Gv+, and our input byte has been XORed twice before the compare, so we need to solve:

```
input[0] = ?
xor1 = 0xb
xor2 = 0x13
al = 0x28
```

al is 0x28, the '(' of the key. The two XORs collapse into a single XOR with 0xb ^ 0x13 = 0x18, so the first input byte must be 0x28 ^ 0x18 = 0x30, i.e. '0', for the comparison to succeed. Applying the same XOR to every byte of the key gives 0und_Th3_n3, so we currently have --> aaaaaaaaaaa0und_Th3_n3cccccccccccddddddddddd

## sub_401AB9
Next we enter this function and see that it handles the first block of the flag, since it works on aaaaaaaaaaa.
At cmp bl, al the byte is compared with the first byte of the hardcoded key }[2waHmrgxj. Our input byte 0x61 has had two added to it, so it shows up as 0x63; after the sixth iteration four is added instead of two. We need to solve:

```
0x63-0x2 = 0x61 (our input)
0x7d-0x2 = 0x7b or { (correct input)
```

Doing this for all eleven key bytes gives {Y0u_Finctf, but the bytes come out rotated relative to the input buffer: the correct block is inctf{Y0u_F. We now have --> inctf{Y0u_F0und_Th3_n3cccccccccccddddddddddd
In sub_4018A0 we find a call to **IsDebuggerPresent**, so we just need to patch the jump after it to jnz.

## sub_401E73
The next function handles the ddddddddddd block of the password.
Here we need eax to be 0 after the strncmp call, i.e. the two strings must match.

```
lea eax, [ebp+var_2A]
mov [esp+48h+Str2], eax ; Str2
lea eax, [ebp+var_1F]
mov [esp+48h+Str1], eax ; Str1
call strncmp
mov [ebp+var_14], eax
```


Str1 is the hardcoded string ``{`I5z%u5dL~`` (eleven bytes; the backtick in second position was dropped by the original formatting and is recovered from the result below, since it is the only value that yields the `_` under the +1 rule) and Str2 is our input with one added to each byte, so 0x64 shows up as 0x65.

```
0x65-0x1 = 0x64 (our input)
0x7b-0x1 = 0x7a or z (correct input)
```

Subtracting one from every key byte gives z_H4y$t4cK}. We now have --> inctf{Y0u_F0und_Th3_n3cccccccccccz_H4y$t4cK}

## sub_4024C3
In the last function our input is walked from the end towards the beginning, so we replace the ccccccccccc block with ABCDEFGHIJK to tell the positions apart. To solve this part we have the key 7D 15 41 1E 70 39 66 55 39 5D 6E and the XORed values:

```
First:
our last byte K (0x4b) + 0x1 is compared with the first key byte 0x7d
0x7d-0x1 = 0x7c or | (correct input)
Second:
xor = 0x4a^0x7d  # 0x4a = our input J, 0x7d = first key byte; compared with the second key byte 0x15
R = 0x15^0x7d = 0x68 or h (correct input)
Third:
xor = 0x49^0x15  # 0x49 = our input I, 0x15 = second key byte; compared with the third key byte 0x41
R = 0x41^0x15 = 0x54 or T (correct input)
And so on...
```

So the last byte is the first key byte minus one, and every earlier byte is the XOR of two neighbouring key bytes. Read back in input order this gives 3dl3_In_Th|, so the flag is: `inctf{Y0u_F0und_Th3_n33dl3_In_Th|z_H4y$t4cK}`
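As an added example that is not part of the original writeup, the script below re-implements the four checks exactly as described above (the double XOR, the +2/+4 addition, the backwards XOR chain and the +1 strncmp), inverts each of them to rebuild the password from the hardcoded keys, and then runs the rebuilt password back through the checks. Two details are assumptions: the start offset of five in sub_401AB9, inferred from the decoded {Y0u_Finctf against the real inctf{Y0u_F, and the backtick in the sub_401E73 key, which the original text drops.

```python
# Added solver, not from the original writeup: re-implements the four checks
# as the writeup describes them and inverts each one to recover the password.
# Keys are the hardcoded values quoted in the writeup.
CHUNK = 11

KEY1 = b"}[2waHmrgxj"   # sub_401AB9, password bytes 0..10
KEY2 = b"(mv|GLp+Gv+"   # sub_4018D9, password bytes 11..21
KEY3 = bytes([0x7D, 0x15, 0x41, 0x1E, 0x70, 0x39,
              0x66, 0x55, 0x39, 0x5D, 0x6E])   # sub_4024C3, bytes 22..32
# sub_401E73, bytes 33..43.  The writeup prints this key without the backtick;
# it is reconstructed as the only value that gives the '_' of z_H4y$t4cK}
# under the +1 rule (assumption).
KEY4 = b"{`I5z%u5dL~"


def check1(chunk: bytes) -> bool:
    """sub_401AB9: +2 on the first six bytes compared, +4 on the remaining five.
    The comparison starts five bytes into the block; that offset is inferred
    from the writeup's '{Y0u_Finctf' versus the real 'inctf{Y0u_F' (assumption)."""
    rotated = chunk[5:] + chunk[:5]
    return all(((b + (2 if i < 6 else 4)) & 0xFF) == k
               for i, (b, k) in enumerate(zip(rotated, KEY1)))


def recover1(key: bytes) -> bytes:
    decoded = bytes((k - (2 if i < 6 else 4)) & 0xFF for i, k in enumerate(key))
    return decoded[6:] + decoded[:6]          # undo the start offset


def check2(chunk: bytes) -> bool:
    """sub_4018D9: every byte is XORed with 0x0b and then 0x13 before the compare."""
    return all((b ^ 0x0B ^ 0x13) == k for b, k in zip(chunk, KEY2))


def recover2(key: bytes) -> bytes:
    return bytes(k ^ 0x0B ^ 0x13 for k in key)   # XOR is its own inverse


def check3(chunk: bytes) -> bool:
    """sub_4024C3: walks the block from the end.  Last byte + 1 is compared with
    key[0]; each earlier byte is XORed with the previous key byte and compared
    with the next key byte."""
    if ((chunk[-1] + 1) & 0xFF) != KEY3[0]:
        return False
    return all((chunk[CHUNK - 1 - i] ^ KEY3[i - 1]) == KEY3[i]
               for i in range(1, CHUNK))


def recover3(key: bytes) -> bytes:
    out = bytearray(CHUNK)
    out[-1] = (key[0] - 1) & 0xFF
    for i in range(1, CHUNK):
        out[CHUNK - 1 - i] = key[i] ^ key[i - 1]
    return bytes(out)


def check4(chunk: bytes) -> bool:
    """sub_401E73: +1 on every byte, then strncmp against the key."""
    return bytes((b + 1) & 0xFF for b in chunk) == KEY4


def recover4(key: bytes) -> bytes:
    return bytes((k - 1) & 0xFF for k in key)


def check(password: bytes) -> bool:
    """Run a 44-byte candidate through all four checks in block order."""
    if len(password) != 4 * CHUNK:
        return False
    parts = [password[i:i + CHUNK] for i in range(0, 4 * CHUNK, CHUNK)]
    return (check1(parts[0]) and check2(parts[1])
            and check3(parts[2]) and check4(parts[3]))


def solve() -> bytes:
    """Invert every check and concatenate the recovered blocks."""
    return recover1(KEY1) + recover2(KEY2) + recover3(KEY3) + recover4(KEY4)


if __name__ == "__main__":
    flag = solve()
    print(flag.decode(), "passes all checks" if check(flag) else "FAILS a check")
```

Running it prints the recovered flag and whether it passes; feeding the initial aaaa...dddd probe to check() fails on every block, which is the quickest way to confirm the re-implemented checks before trusting the inverse.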
by @naivenom
**PKTeam**