Tags: ghidra rev 

# not_malware

Author: [roerohan](https://github.com/roerohan)

# Requirements

- Ghidra

# Source

- [not_malware](./not_malware)

```
To be perfectly frank, I do some malware-y things, but that doesn't mean that I'm actually malware, I promise!

nc rev.chal.csaw.io 5008
```

# Exploitation

When you read the code after decompilation using Ghidra, you see it roughly consists of the following steps:

1. Prevent the use of a debugger.
2. Asks the user "What's your credit card number (for safekeeping) ?" and takes an input.

```
printf("What\'s your credit card number (for safekeeping) ?\n>> ");
```

3. Reads the string located 27 bytes above `yeetbank` in memory and checks whether the first 8 bytes of the input match that string.

```
iVar1 = strncmp(local_28,"yeetbank" + (long)local_18 * 9,8);
```

This string is `softbank`.

4. Checks whether the next byte of the input string is `:`.

5. Sets 3 local variables. The first one is used as the seed for the random number generator via `srand()`. The other is used as an index to read a character from the generated random number. We can pass these as `000`, so the call becomes `srand(0)`, and `rand()` with the constant seed `0` always returns `1804289383`. Therefore, the character at the first index will always be `1`.

6. The next 20 `if` statements check that each of the next 20 bytes of input equals the first character of the generated random number, in our case `1`.

7. Lastly, it checks if the string ends with a `:` followed by `end`.

Finally, our exploit string is:

```
softbank:000:11111111111111111111:end
```
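The string above can be rebuilt from steps 3 to 7 with the same `srand()`/`rand()` calls the binary makes. This is an added example, not code from the challenge or the original writeup; `digit_at` and `build_input` are hypothetical helper names, and because the writeup does not spell out how the 3-character field maps to the seed and index, the caller passes the field, seed and index separately.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FILL_LEN 20 /* step 6: twenty identical bytes */

/* Character at position idx of the decimal rendering of value, 0 if out of range. */
char digit_at(int value, size_t idx) {
    char buf[16];
    int n = snprintf(buf, sizeof buf, "%d", value);
    return (n > 0 && idx < (size_t)n) ? buf[idx] : 0;
}

/* Writes "softbank:<field>:<20 x digit>:end" into out.
 * Returns the string length, or -1 if idx is out of range or out is too small.
 * The digit depends on the libc's rand(); the writeup reports 1804289383 for seed 0. */
int build_input(const char *field, unsigned seed, size_t idx, char *out, size_t cap) {
    char fill[FILL_LEN + 1];
    char c;
    int n;

    srand(seed);                  /* step 5: constant seed gives a constant rand() */
    c = digit_at(rand(), idx);
    if (c == 0)
        return -1;
    memset(fill, c, FILL_LEN);
    fill[FILL_LEN] = '\0';
    n = snprintf(out, cap, "softbank:%s:%s:end", field, fill);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void) {
    char line[64];
    if (build_input("000", 0, 0, line, sizeof line) < 0)
        return 1;
    puts(line);
    return 0;
}
```
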

Connect to the netcat link and enter this string.

```
What's your credit card number (for safekeeping) ?
>> softbank:000:11111111111111111111:end
Thanks!
flag{th4x_f0r_ur_cr3d1t_c4rd}
```

The flag is:

```
flag{th4x_f0r_ur_cr3d1t_c4rd}
```

Original writeup (https://github.com/csivitu/CTF-Write-ups/tree/master/CSAW%20Quals%202020/Rev/not_malware).