Tags: ghidra rev
# not_malware
Author: [roerohan](https://github.com/roerohan)
# Requirements
- Ghidra
# Source
- [not_malware](./not_malware)
```
To be perfectly frank, I do some malware-y things, but that doesn't mean that I'm actually malware, I promise!
nc rev.chal.csaw.io 5008
```
# Exploitation
When you read the code after decompilation using Ghidra, you see it roughly consists of the following steps:
1. Prevents the use of a debugger.
2. Asks the user "What's your credit card number (for safekeeping) ?" and reads the input.
```
printf("What\'s your credit card number (for safekeeping) ?\n>> ");
```
3. Reads a string located 27 bytes above `yeetbank`, and checks whether the first 8 bytes of the input are the same as that string.
```
iVar1 = strncmp(local_28,"yeetbank" + (long)local_18 * 9,8);
```
This string is `softbank`.
4. Checks whether the next byte of the input string is `:`.
5. Sets 3 local variables. The first is used as the seed passed to `srand()` for the random number generator. The other is used as an index to read a character from the generated random number. We can pass these as `000`, so the call becomes `srand(0)`, and `rand()` with the constant seed `0` always returns `1804289383`. Therefore, the character at the first index will always be `1`.
6. The next 20 `if` statements check whether each of the next 20 bytes of input equals the first character of the generated random number, in our case `1`.
7. Lastly, it checks if the string ends with a `:` followed by `end`.
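The following is an added example, not part of the original write-up or the challenge binary: it reimplements glibc's default `rand()` to show why a fixed seed makes the 20 checked bytes predictable, then assembles the input from steps 3 to 7. It assumes the service is linked against glibc; the function names, and any `seed`/`index` values other than the `000` case described above, are hypothetical.

```python
# Added example (not from the original write-up). Assumes the service uses
# glibc's default rand(); glibc_rand and build_input are hypothetical names.

def glibc_rand(seed, count=1):
    """Return the first `count` outputs of glibc rand() after srand(seed)."""
    if not 0 <= seed < 2**31:
        raise ValueError("seed must be a non-negative 31-bit integer")
    if seed == 0:
        seed = 1  # glibc treats srand(0) the same as srand(1)
    r = [seed]
    # The first 31 state words come from a Lehmer generator.
    for i in range(1, 31):
        r.append((16807 * r[i - 1]) % 2147483647)
    for i in range(31, 34):
        r.append(r[i - 31])
    # Additive feedback; glibc discards the first 310 values it produces.
    for i in range(34, 344 + count):
        r.append((r[i - 31] + r[i - 3]) & 0xFFFFFFFF)
    return [x >> 1 for x in r[344:344 + count]]


def build_input(fields="000", seed=0, index=0):
    """Assemble the input for the checks in steps 3 to 7.

    `fields` is sent verbatim. The write-up only covers "000", which it
    maps to seed 0 and index 0; other combinations are assumptions.
    """
    digits = str(glibc_rand(seed)[0])
    if not 0 <= index < len(digits):
        raise ValueError("index is outside the decimal string of rand()")
    # The same character is compared against all 20 bytes.
    return "softbank:{}:{}:end".format(fields, digits[index] * 20)


if __name__ == "__main__":
    print(glibc_rand(0)[0])
    print(build_input())
```

Because the seed comes from user input, the value the binary compares against is fully determined by the input itself.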
Finally, our exploit string is:
```
softbank:000:11111111111111111111:end
```
Connect to the netcat link and enter this string.
```
What's your credit card number (for safekeeping) ?
>> softbank:000:11111111111111111111:end
Thanks!
flag{th4x_f0r_ur_cr3d1t_c4rd}
```
The flag is:
```
flag{th4x_f0r_ur_cr3d1t_c4rd}
```