CTFtime.org / DEADFACE CTF / Cereal Killer3 / Writeup

```
0x33c@0x33c:~/Downloads$ r2 ./deadface_re03.bin

[0x00001110]> aaaa

[Cannot find function at 0x00001110 sym. and entry0 (aa)
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Finding function preludes
[x] Enable constraint types analysis for variables

[0x00001110]> afl

0x00001160 4 57 -> 52 sym.deregister_tm_clones
0x00001249 1 4 sym.__x86.get_pc_thunk.dx
0x000011a0 4 71 sym.register_tm_clones
0x00001150 1 4 sym.__x86.get_pc_thunk.bx
0x00001665 1 4 sym.__x86.get_pc_thunk.bp
0x00001146 1 4 fcn.00001146
0x000011f4 5 71 fcn.000011f4
0x0000125b 38 915 fcn.0000125b

> [0x00001110]> [email protected]

┌ 915: fcn.0000125b ();
│ ; var int32_t var_394h @ ebp-0x394
│ ; var int32_t var_390h @ ebp-0x390
│ ; var int32_t var_38ch @ ebp-0x38c
│ ; var int32_t var_388h @ ebp-0x388
│ ; var int32_t var_384h @ ebp-0x384
│ ; var int32_t var_380h @ ebp-0x380
│ ; var int32_t var_37ch @ ebp-0x37c
│ ; var int32_t var_378h @ ebp-0x378
│ ; var int32_t var_374h @ ebp-0x374
│ ; var int32_t var_370h @ ebp-0x370
│ ; var int32_t var_36ch @ ebp-0x36c
│ ; var int32_t var_368h @ ebp-0x368
│ ; var int32_t var_364h @ ebp-0x364
│ ; var int32_t var_360h @ ebp-0x360
│ ; var int32_t var_35ch @ ebp-0x35c
│ ; var int32_t var_358h @ ebp-0x358
│ ; var int32_t var_354h @ ebp-0x354
│ ; var int32_t var_30ch @ ebp-0x30c
│ ; var int32_t var_286h @ ebp-0x286
│ ; var int32_t var_274h @ ebp-0x274
│ ; var int32_t var_273h @ ebp-0x273
│ ; var int32_t var_261h @ ebp-0x261
│ ; var int32_t var_260h @ ebp-0x260
│ ; var int32_t var_23fh @ ebp-0x23f
│ ; var int32_t var_23eh @ ebp-0x23e
│ ; var int32_t var_21dh @ ebp-0x21d
│ ; var int32_t var_21ch @ ebp-0x21c
│ ; var int32_t var_1ch @ ebp-0x1c
│ ; var int32_t var_10h @ ebp-0x10
│ 0x0000125b 55 push ebp
│ 0x0000125c 89e5 mov ebp, esp
│ 0x0000125e 57 push edi
│ 0x0000125f 56 push esi
│ 0x00001260 53 push ebx
│ 0x00001261 51 push ecx
│ 0x00001262 81ec88030000 sub esp, 0x388
│ 0x00001268 e8e3feffff call sym.__x86.get_pc_thunk.bx
│ 0x0000126d 81c35b2d0000 add ebx, 0x2d5b
│ 0x00001273 65a114000000 mov eax, dword gs:[0x14]
│ 0x00001279 8945e4 mov dword [var_1ch], eax
│ 0x0000127c 31c0 xor eax, eax
│ 0x0000127e 8d85f4fcffff lea eax, dword [var_30ch]
│ 0x00001284 8d9358e1ffff lea edx, dword [ebx - 0x1ea8]
│ 0x0000128a b921000000 mov ecx, 0x21 ; '!'
│ 0x0000128f 89c7 mov edi, eax
│ 0x00001291 89d6 mov esi, edx
│ 0x00001293 f3a5 rep movsd dword es:[edi], dword ptr [esi]
│ 0x00001295 8d85acfcffff lea eax, dword [var_354h]
│ 0x0000129b 8d93f8e1ffff lea edx, dword [ebx - 0x1e08]
│ 0x000012a1 b912000000 mov ecx, 0x12
│ 0x000012a6 89c7 mov edi, eax
│ 0x000012a8 89d6 mov esi, edx
│ 0x000012aa f3a5 rep movsd dword es:[edi], dword ptr [esi]
│ 0x000012ac 8d8358e0ffff lea eax, dword [ebx - 0x1fa8]
│ 0x000012b2 898594fcffff mov dword [var_36ch], eax
│ 0x000012b8 8d8380e0ffff lea eax, dword [ebx - 0x1f80]
│ 0x000012be 898598fcffff mov dword [var_368h], eax
│ 0x000012c4 8d83c4e0ffff lea eax, dword [ebx - 0x1f3c]
│ 0x000012ca 89859cfcffff mov dword [var_364h], eax
│ 0x000012d0 8d83f5e0ffff lea eax, dword [ebx - 0x1f0b]
│ 0x000012d6 8985a0fcffff mov dword [var_360h], eax
│ 0x000012dc 8d8314e1ffff lea eax, dword [ebx - 0x1eec]
│ 0x000012e2 8985a4fcffff mov dword [var_35ch], eax
│ 0x000012e8 c7856cfcffff. mov dword [var_394h], 0
│ 0x000012f2 c78570fcffff. mov dword [var_390h], 0
│ 0x000012fc c78574fcffff. mov dword [var_38ch], 0
│ ┌─< 0x00001306 eb71 jmp 0x1379
│ │ ; CODE XREF from fcn.0000125b @ 0x1380
│ ┌──> 0x00001308 8b8d70fcffff mov ecx, dword [var_390h]
│ ╎│ 0x0000130e ba56555555 mov edx, 0x55555556 ; 'VUUU'
│ ╎│ 0x00001313 89c8 mov eax, ecx
│ ╎│ 0x00001315 f7ea imul edx
│ ╎│ 0x00001317 89c8 mov eax, ecx
│ ╎│ 0x00001319 c1f81f sar eax, 0x1f
│ ╎│ 0x0000131c 29c2 sub edx, eax
│ ╎│ 0x0000131e 89d0 mov eax, edx
│ ╎│ 0x00001320 89c2 mov edx, eax
│ ╎│ 0x00001322 01d2 add edx, edx
│ ╎│ 0x00001324 01c2 add edx, eax
│ ╎│ 0x00001326 89c8 mov eax, ecx
│ ╎│ 0x00001328 29d0 sub eax, edx
│ ╎│ 0x0000132a 85c0 test eax, eax
│ ┌───< 0x0000132c 7513 jne 0x1341
│ │╎│ 0x0000132e 83bd6cfcffff. cmp dword [var_394h], 0
│ │╎│ 0x00001335 0f94c0 sete al
│ │╎│ 0x00001338 0fb6c0 movzx eax, al
│ │╎│ 0x0000133b 89856cfcffff mov dword [var_394h], eax
│ │╎│ ; CODE XREF from fcn.0000125b @ 0x132c
│ └───> 0x00001341 83bd6cfcffff. cmp dword [var_394h], 0
│ ┌───< 0x00001348 7428 je 0x1372
│ │╎│ 0x0000134a 8b9570fcffff mov edx, dword [var_390h]
│ │╎│ 0x00001350 8b8594fcffff mov eax, dword [var_36ch]
│ │╎│ 0x00001356 01d0 add eax, edx
│ │╎│ 0x00001358 0fb600 movzx eax, byte [eax]
│ │╎│ 0x0000135b 8d8d7afdffff lea ecx, dword [var_286h]
│ │╎│ 0x00001361 8b9574fcffff mov edx, dword [var_38ch]
│ │╎│ 0x00001367 01ca add edx, ecx
│ │╎│ 0x00001369 8802 mov byte [edx], al
│ │╎│ 0x0000136b 838574fcffff. add dword [var_38ch], 1
│ │╎│ ; CODE XREF from fcn.0000125b @ 0x1348
│ └───> 0x00001372 838570fcffff. add dword [var_390h], 1
│ ╎│ ; CODE XREF from fcn.0000125b @ 0x1306
│ ╎└─> 0x00001379 83bd70fcffff. cmp dword [var_390h], 0x23
│ └──< 0x00001380 7e86 jle 0x1308
│ 0x00001382 c6858cfdffff. mov byte [var_274h], 0
│ 0x00001389 c78578fcffff. mov dword [var_388h], 0
│ 0x00001393 c7857cfcffff. mov dword [var_384h], 0
│ ┌─< 0x0000139d eb5c jmp 0x13fb
│ │ ; CODE XREF from fcn.0000125b @ 0x1402
│ ┌──> 0x0000139f c78578fcffff. mov dword [var_388h], 0
│ ┌───< 0x000013a9 eb1c jmp 0x13c7
│ │╎│ ; CODE XREF from fcn.0000125b @ 0x13ce
│ ┌────> 0x000013ab 8b8578fcffff mov eax, dword [var_388h]
│ ╎│╎│ 0x000013b1 8b8485acfcff. mov eax, dword [ebp + eax*4 - 0x354]
│ ╎│╎│ 0x000013b8 39857cfcffff cmp dword [var_384h], eax
│ ┌─────< 0x000013be 7412 je 0x13d2
│ │╎│╎│ 0x000013c0 838578fcffff. add dword [var_388h], 1
│ │╎│╎│ ; CODE XREF from fcn.0000125b @ 0x13a9
│ │╎└───> 0x000013c7 83bd7cfcffff. cmp dword [var_384h], 0x11
│ │└────< 0x000013ce 7edb jle 0x13ab
│ │ ┌───< 0x000013d0 eb01 jmp 0x13d3
│ │ │╎│ ; CODE XREF from fcn.0000125b @ 0x13be
│ └─────> 0x000013d2 90 nop
│ │╎│ ; CODE XREF from fcn.0000125b @ 0x13d0
│ └───> 0x000013d3 8d957afdffff lea edx, dword [var_286h]
│ ╎│ 0x000013d9 8b8578fcffff mov eax, dword [var_388h]
│ ╎│ 0x000013df 01d0 add eax, edx
│ ╎│ 0x000013e1 0fb600 movzx eax, byte [eax]
│ ╎│ 0x000013e4 8d8d8dfdffff lea ecx, dword [var_273h]
│ ╎│ 0x000013ea 8b957cfcffff mov edx, dword [var_384h]
│ ╎│ 0x000013f0 01ca add edx, ecx
│ ╎│ 0x000013f2 8802 mov byte [edx], al
│ ╎│ 0x000013f4 83857cfcffff. add dword [var_384h], 1
│ ╎│ ; CODE XREF from fcn.0000125b @ 0x139d
│ ╎└─> 0x000013fb 83bd7cfcffff. cmp dword [var_384h], 0x11
│ └──< 0x00001402 7e9b jle 0x139f
│ 0x00001404 c6859ffdffff. mov byte [var_261h], 0
│ 0x0000140b c78580fcffff. mov dword [var_380h], 0
│ 0x00001415 c78584fcffff. mov dword [var_37ch], 0
│ 0x0000141f c78588fcffff. mov dword [var_378h], 0
│ ┌─< 0x00001429 eb76 jmp 0x14a1
│ │ ; CODE XREF from fcn.0000125b @ 0x14a8
│ ┌──> 0x0000142b 8b8d84fcffff mov ecx, dword [var_37ch]
│ ╎│ 0x00001431 bae9a28b2e mov edx, 0x2e8ba2e9
│ ╎│ 0x00001436 89c8 mov eax, ecx
│ ╎│ 0x00001438 f7ea imul edx
│ ╎│ 0x0000143a d1fa sar edx, 1
│ ╎│ 0x0000143c 89c8 mov eax, ecx
│ ╎│ 0x0000143e c1f81f sar eax, 0x1f
│ ╎│ 0x00001441 29c2 sub edx, eax
│ ╎│ 0x00001443 89d0 mov eax, edx
│ ╎│ 0x00001445 c1e002 shl eax, 2
│ ╎│ 0x00001448 01d0 add eax, edx
│ ╎│ 0x0000144a 01c0 add eax, eax
│ ╎│ 0x0000144c 01d0 add eax, edx
│ ╎│ 0x0000144e 29c1 sub ecx, eax
│ ╎│ 0x00001450 89ca mov edx, ecx
│ ╎│ 0x00001452 85d2 test edx, edx
│ ┌───< 0x00001454 7513 jne 0x1469
│ │╎│ 0x00001456 83bd80fcffff. cmp dword [var_380h], 0
│ │╎│ 0x0000145d 0f94c0 sete al
│ │╎│ 0x00001460 0fb6c0 movzx eax, al
│ │╎│ 0x00001463 898580fcffff mov dword [var_380h], eax
│ │╎│ ; CODE XREF from fcn.0000125b @ 0x1454
│ └───> 0x00001469 83bd80fcffff. cmp dword [var_380h], 0
│ ┌───< 0x00001470 7428 je 0x149a
│ │╎│ 0x00001472 8b9584fcffff mov edx, dword [var_37ch]
│ │╎│ 0x00001478 8b8598fcffff mov eax, dword [var_368h]
│ │╎│ 0x0000147e 01d0 add eax, edx
│ │╎│ 0x00001480 0fb600 movzx eax, byte [eax]
│ │╎│ 0x00001483 8d8dc2fdffff lea ecx, dword [var_23eh]
│ │╎│ 0x00001489 8b9588fcffff mov edx, dword [var_378h]
│ │╎│ 0x0000148f 01ca add edx, ecx
│ │╎│ 0x00001491 8802 mov byte [edx], al
│ │╎│ 0x00001493 838588fcffff. add dword [var_378h], 1
│ │╎│ ; CODE XREF from fcn.0000125b @ 0x1470
│ └───> 0x0000149a 838584fcffff. add dword [var_37ch], 1
│ ╎│ ; CODE XREF from fcn.0000125b @ 0x1429
│ ╎└─> 0x000014a1 83bd84fcffff. cmp dword [var_37ch], 0x41
│ └──< 0x000014a8 7e81 jle 0x142b
│ 0x000014aa c685e3fdffff. mov byte [var_21dh], 0
│ 0x000014b1 c7858cfcffff. mov dword [var_374h], 0
│ 0x000014bb c78590fcffff. mov dword [var_370h], 0
│ ┌─< 0x000014c5 eb5c jmp 0x1523
│ │ ; CODE XREF from fcn.0000125b @ 0x152a
│ ┌──> 0x000014c7 c7858cfcffff. mov dword [var_374h], 0
│ ┌───< 0x000014d1 eb1c jmp 0x14ef
│ │╎│ ; CODE XREF from fcn.0000125b @ 0x14f6
│ ┌────> 0x000014d3 8b858cfcffff mov eax, dword [var_374h]
│ ╎│╎│ 0x000014d9 8b8485f4fcff. mov eax, dword [ebp + eax*4 - 0x30c]
│ ╎│╎│ 0x000014e0 398590fcffff cmp dword [var_370h], eax
│ ┌─────< 0x000014e6 7412 je 0x14fa
│ │╎│╎│ 0x000014e8 83858cfcffff. add dword [var_374h], 1
│ │╎│╎│ ; CODE XREF from fcn.0000125b @ 0x14d1
│ │╎└───> 0x000014ef 83bd90fcffff. cmp dword [var_370h], 0x20
│ │└────< 0x000014f6 7edb jle 0x14d3
│ │ ┌───< 0x000014f8 eb01 jmp 0x14fb
│ │ │╎│ ; CODE XREF from fcn.0000125b @ 0x14e6
│ └─────> 0x000014fa 90 nop
│ │╎│ ; CODE XREF from fcn.0000125b @ 0x14f8
│ └───> 0x000014fb 8d95c2fdffff lea edx, dword [var_23eh]
│ ╎│ 0x00001501 8b858cfcffff mov eax, dword [var_374h]
│ ╎│ 0x00001507 01d0 add eax, edx
│ ╎│ 0x00001509 0fb600 movzx eax, byte [eax]
│ ╎│ 0x0000150c 8d8da0fdffff lea ecx, dword [var_260h]
│ ╎│ 0x00001512 8b9590fcffff mov edx, dword [var_370h]
│ ╎│ 0x00001518 01ca add edx, ecx
│ ╎│ 0x0000151a 8802 mov byte [edx], al
│ ╎│ 0x0000151c 838590fcffff. add dword [var_370h], 1
│ ╎│ ; CODE XREF from fcn.0000125b @ 0x14c5
│ ╎└─> 0x00001523 83bd90fcffff. cmp dword [var_370h], 0x20
│ └──< 0x0000152a 7e9b jle 0x14c7
│ 0x0000152c c685c1fdffff. mov byte [var_23fh], 0
│ 0x00001533 83ec0c sub esp, 0xc
│ 0x00001536 ffb59cfcffff push dword [var_364h]
│ 0x0000153c e89ffbffff call sym.imp.puts
│ 0x00001541 83c410 add esp, 0x10
│ 0x00001544 83ec08 sub esp, 8
│ 0x00001547 ffb5a0fcffff push dword [var_360h]
│ 0x0000154d 8d8348e1ffff lea eax, dword [ebx - 0x1eb8]
│ 0x00001553 50 push eax
│ 0x00001554 e867fbffff call sym.imp.printf
│ 0x00001559 83c410 add esp, 0x10
│ 0x0000155c 83ec08 sub esp, 8
│ 0x0000155f 8d85e4fdffff lea eax, dword [var_21ch]
│ 0x00001565 50 push eax
│ 0x00001566 8d8348e1ffff lea eax, dword [ebx - 0x1eb8]
│ 0x0000156c 50 push eax
│ 0x0000156d e88efbffff call sym.imp.__isoc99_scanf
│ 0x00001572 83c410 add esp, 0x10
│ 0x00001575 c785a8fcffff. mov dword [var_358h], 0
│ 0x0000157f 83ec08 sub esp, 8
│ 0x00001582 8d858dfdffff lea eax, dword [var_273h]
│ 0x00001588 50 push eax
│ 0x00001589 8d85e4fdffff lea eax, dword [var_21ch]
│ 0x0000158f 50 push eax
│ 0x00001590 e81bfbffff call sym.imp.strcmp
│ 0x00001595 83c410 add esp, 0x10
│ 0x00001598 8985a8fcffff mov dword [var_358h], eax
│ 0x0000159e 83bda8fcffff. cmp dword [var_358h], 0
│ ┌─< 0x000015a5 7514 jne 0x15bb
│ │ 0x000015a7 83ec0c sub esp, 0xc
│ │ 0x000015aa 8d85a0fdffff lea eax, dword [var_260h]
│ │ 0x000015b0 50 push eax
│ │ 0x000015b1 e82afbffff call sym.imp.puts
│ │ 0x000015b6 83c410 add esp, 0x10
│ ┌──< 0x000015b9 eb11 jmp 0x15cc
│ ││ ; CODE XREF from fcn.0000125b @ 0x15a5
│ │└─> 0x000015bb 83ec0c sub esp, 0xc
│ │ 0x000015be ffb5a4fcffff push dword [var_35ch]
│ │ 0x000015c4 e817fbffff call sym.imp.puts
│ │ 0x000015c9 83c410 add esp, 0x10
│ │ ; CODE XREF from fcn.0000125b @ 0x15b9
│ └──> 0x000015cc b800000000 mov eax, 0
│ 0x000015d1 8b75e4 mov esi, dword [var_1ch]
│ 0x000015d4 653335140000. xor esi, dword gs:[0x14]
│ ┌─< 0x000015db 7405 je 0x15e2
│ │ 0x000015dd e88e000000 call sym.__stack_chk_fail_local
│ │ ; CODE XREF from fcn.0000125b @ 0x15db
│ └─> 0x000015e2 8d65f0 lea esp, dword [var_10h]
│ 0x000015e5 59 pop ecx
│ 0x000015e6 5b pop ebx
│ 0x000015e7 5e pop esi
│ 0x000015e8 5f pop edi
│ 0x000015e9 5d pop ebp
│ 0x000015ea 8d61fc lea esp, dword [ecx - 4]
└ 0x000015ed c3 ret

[0x00001110]> db 0x0000159e

[0x00001110]> ood

Process with PID 153008 started...
= attach 153008 153008
File dbg:///home/zorigt/Downloads/deadface_re03.bin reopened in read-write mode
d153008

[0xf7f54120]> dc

What is the best and sp00kiest breakfast cereal?
Please enter the passphrase: aaaaa
hit breakpoint at: 5657959e

[0x5657959e]> [email protected]

┌ 915: fcn.0000125b ();
│ ; var int32_t var_394h @ ebp-0x394
│ ; var int32_t var_390h @ ebp-0x390
│ ; var int32_t var_38ch @ ebp-0x38c
│ ; var int32_t var_388h @ ebp-0x388
│ ; var int32_t var_384h @ ebp-0x384
│ ; var int32_t var_380h @ ebp-0x380
│ ; var int32_t var_37ch @ ebp-0x37c
│ ; var int32_t var_378h @ ebp-0x378
│ ; var int32_t var_374h @ ebp-0x374
│ ; var int32_t var_370h @ ebp-0x370
│ ; var int32_t var_36ch @ ebp-0x36c
│ ; var int32_t var_368h @ ebp-0x368
│ ; var int32_t var_364h @ ebp-0x364
│ ; var int32_t var_360h @ ebp-0x360
│ ; var int32_t var_35ch @ ebp-0x35c
│ ; var int32_t var_358h @ ebp-0x358
│ ; var int32_t var_354h @ ebp-0x354
│ ; var int32_t var_30ch @ ebp-0x30c
│ ; var int32_t var_286h @ ebp-0x286
│ ; var int32_t var_274h @ ebp-0x274
│ ; var int32_t var_273h @ ebp-0x273
│ ; var int32_t var_261h @ ebp-0x261
│ ; var int32_t var_260h @ ebp-0x260
│ ; var int32_t var_23fh @ ebp-0x23f
│ ; var int32_t var_23eh @ ebp-0x23e
│ ; var int32_t var_21dh @ ebp-0x21d
│ ; var int32_t var_21ch @ ebp-0x21c
│ ; var int32_t var_1ch @ ebp-0x1c
│ ; var int32_t var_10h @ ebp-0x10
│ 0x5657925b 55 push ebp
│ 0x5657925c 89e5 mov ebp, esp
│ 0x5657925e 57 push edi
│ 0x5657925f 56 push esi
│ 0x56579260 53 push ebx
│ 0x56579261 51 push ecx
│ 0x56579262 81ec88030000 sub esp, 0x388
│ 0x56579268 e8e3feffff call sym.__x86.get_pc_thunk.bx
│ 0x5657926d 81c35b2d0000 add ebx, 0x2d5b
│ 0x56579273 65a114000000 mov eax, dword gs:[0x14]
│ 0x56579279 8945e4 mov dword [var_1ch], eax
│ 0x5657927c 31c0 xor eax, eax
│ 0x5657927e 8d85f4fcffff lea eax, dword [var_30ch]
│ 0x56579284 8d9358e1ffff lea edx, dword [ebx - 0x1ea8]
│ 0x5657928a b921000000 mov ecx, 0x21 ; '!' ; 33
│ 0x5657928f 89c7 mov edi, eax
│ 0x56579291 89d6 mov esi, edx
│ 0x56579293 f3a5 rep movsd dword es:[edi], dword ptr [esi]
│ 0x56579295 8d85acfcffff lea eax, dword [var_354h]
│ 0x5657929b 8d93f8e1ffff lea edx, dword [ebx - 0x1e08]
│ 0x565792a1 b912000000 mov ecx, 0x12 ; 18
│ 0x565792a6 89c7 mov edi, eax
│ 0x565792a8 89d6 mov esi, edx
│ 0x565792aa f3a5 rep movsd dword es:[edi], dword ptr [esi]
│ 0x565792ac 8d8358e0ffff lea eax, dword [ebx - 0x1fa8]
│ 0x565792b2 898594fcffff mov dword [var_36ch], eax
│ 0x565792b8 8d8380e0ffff lea eax, dword [ebx - 0x1f80]
│ 0x565792be 898598fcffff mov dword [var_368h], eax
│ 0x565792c4 8d83c4e0ffff lea eax, dword [ebx - 0x1f3c]
│ 0x565792ca 89859cfcffff mov dword [var_364h], eax
│ 0x565792d0 8d83f5e0ffff lea eax, dword [ebx - 0x1f0b]
│ 0x565792d6 8985a0fcffff mov dword [var_360h], eax
│ 0x565792dc 8d8314e1ffff lea eax, dword [ebx - 0x1eec]
│ 0x565792e2 8985a4fcffff mov dword [var_35ch], eax
│ 0x565792e8 c7856cfcffff. mov dword [var_394h], 0
│ 0x565792f2 c78570fcffff. mov dword [var_390h], 0
│ 0x565792fc c78574fcffff. mov dword [var_38ch], 0
│ ┌─< 0x56579306 eb71 jmp 0x56579379
│ │ ; CODE XREF from fcn.0000125b @ 0x56579380
│ ┌──> 0x56579308 8b8d70fcffff mov ecx, dword [var_390h]
│ ╎│ 0x5657930e ba56555555 mov edx, 0x55555556 ; 'VUUU'
│ ╎│ 0x56579313 89c8 mov eax, ecx
│ ╎│ 0x56579315 f7ea imul edx
│ ╎│ 0x56579317 89c8 mov eax, ecx
│ ╎│ 0x56579319 c1f81f sar eax, 0x1f
│ ╎│ 0x5657931c 29c2 sub edx, eax
│ ╎│ 0x5657931e 89d0 mov eax, edx
│ ╎│ 0x56579320 89c2 mov edx, eax
│ ╎│ 0x56579322 01d2 add edx, edx
│ ╎│ 0x56579324 01c2 add edx, eax
│ ╎│ 0x56579326 89c8 mov eax, ecx
│ ╎│ 0x56579328 29d0 sub eax, edx
│ ╎│ 0x5657932a 85c0 test eax, eax
│ ┌───< 0x5657932c 7513 jne 0x56579341
│ │╎│ 0x5657932e 83bd6cfcffff. cmp dword [var_394h], 0
│ │╎│ 0x56579335 0f94c0 sete al
│ │╎│ 0x56579338 0fb6c0 movzx eax, al
│ │╎│ 0x5657933b 89856cfcffff mov dword [var_394h], eax
│ │╎│ ; CODE XREF from fcn.0000125b @ 0x5657932c
│ └───> 0x56579341 83bd6cfcffff. cmp dword [var_394h], 0
│ ┌───< 0x56579348 7428 je 0x56579372
│ │╎│ 0x5657934a 8b9570fcffff mov edx, dword [var_390h]
│ │╎│ 0x56579350 8b8594fcffff mov eax, dword [var_36ch]
│ │╎│ 0x56579356 01d0 add eax, edx
│ │╎│ 0x56579358 0fb600 movzx eax, byte [eax]
│ │╎│ 0x5657935b 8d8d7afdffff lea ecx, dword [var_286h]
│ │╎│ 0x56579361 8b9574fcffff mov edx, dword [var_38ch]
│ │╎│ 0x56579367 01ca add edx, ecx
│ │╎│ 0x56579369 8802 mov byte [edx], al
│ │╎│ 0x5657936b 838574fcffff. add dword [var_38ch], 1
│ │╎│ ; CODE XREF from fcn.0000125b @ 0x56579348
│ └───> 0x56579372 838570fcffff. add dword [var_390h], 1
│ ╎│ ; CODE XREF from fcn.0000125b @ 0x56579306
│ ╎└─> 0x56579379 83bd70fcffff. cmp dword [var_390h], 0x23
│ └──< 0x56579380 7e86 jle 0x56579308
│ 0x56579382 c6858cfdffff. mov byte [var_274h], 0
│ 0x56579389 c78578fcffff. mov dword [var_388h], 0
│ 0x56579393 c7857cfcffff. mov dword [var_384h], 0
│ ┌─< 0x5657939d eb5c jmp 0x565793fb
│ │ ; CODE XREF from fcn.0000125b @ 0x56579402
│ ┌──> 0x5657939f c78578fcffff. mov dword [var_388h], 0
│ ┌───< 0x565793a9 eb1c jmp 0x565793c7
│ │╎│ ; CODE XREF from fcn.0000125b @ 0x565793ce
│ ┌────> 0x565793ab 8b8578fcffff mov eax, dword [var_388h]
│ ╎│╎│ 0x565793b1 8b8485acfcff. mov eax, dword [ebp + eax*4 - 0x354]
│ ╎│╎│ 0x565793b8 39857cfcffff cmp dword [var_384h], eax
│ ┌─────< 0x565793be 7412 je 0x565793d2
│ │╎│╎│ 0x565793c0 838578fcffff. add dword [var_388h], 1
│ │╎│╎│ ; CODE XREF from fcn.0000125b @ 0x565793a9
│ │╎└───> 0x565793c7 83bd7cfcffff. cmp dword [var_384h], 0x11
│ │└────< 0x565793ce 7edb jle 0x565793ab
│ │ ┌───< 0x565793d0 eb01 jmp 0x565793d3
│ │ │╎│ ; CODE XREF from fcn.0000125b @ 0x565793be
│ └─────> 0x565793d2 90 nop
│ │╎│ ; CODE XREF from fcn.0000125b @ 0x565793d0
│ └───> 0x565793d3 8d957afdffff lea edx, dword [var_286h]
│ ╎│ 0x565793d9 8b8578fcffff mov eax, dword [var_388h]
│ ╎│ 0x565793df 01d0 add eax, edx
│ ╎│ 0x565793e1 0fb600 movzx eax, byte [eax]
│ ╎│ 0x565793e4 8d8d8dfdffff lea ecx, dword [var_273h]
│ ╎│ 0x565793ea 8b957cfcffff mov edx, dword [var_384h]
│ ╎│ 0x565793f0 01ca add edx, ecx
│ ╎│ 0x565793f2 8802 mov byte [edx], al
│ ╎│ 0x565793f4 83857cfcffff. add dword [var_384h], 1
│ ╎│ ; CODE XREF from fcn.0000125b @ 0x5657939d
│ ╎└─> 0x565793fb 83bd7cfcffff. cmp dword [var_384h], 0x11
│ └──< 0x56579402 7e9b jle 0x5657939f
│ 0x56579404 c6859ffdffff. mov byte [var_261h], 0
│ 0x5657940b c78580fcffff. mov dword [var_380h], 0
│ 0x56579415 c78584fcffff. mov dword [var_37ch], 0
│ 0x5657941f c78588fcffff. mov dword [var_378h], 0
│ ┌─< 0x56579429 eb76 jmp 0x565794a1
│ │ ; CODE XREF from fcn.0000125b @ 0x565794a8
│ ┌──> 0x5657942b 8b8d84fcffff mov ecx, dword [var_37ch]
│ ╎│ 0x56579431 bae9a28b2e mov edx, 0x2e8ba2e9
│ ╎│ 0x56579436 89c8 mov eax, ecx
│ ╎│ 0x56579438 f7ea imul edx
│ ╎│ 0x5657943a d1fa sar edx, 1
│ ╎│ 0x5657943c 89c8 mov eax, ecx
│ ╎│ 0x5657943e c1f81f sar eax, 0x1f
│ ╎│ 0x56579441 29c2 sub edx, eax
│ ╎│ 0x56579443 89d0 mov eax, edx
│ ╎│ 0x56579445 c1e002 shl eax, 2
│ ╎│ 0x56579448 01d0 add eax, edx
│ ╎│ 0x5657944a 01c0 add eax, eax
│ ╎│ 0x5657944c 01d0 add eax, edx
│ ╎│ 0x5657944e 29c1 sub ecx, eax
│ ╎│ 0x56579450 89ca mov edx, ecx
│ ╎│ 0x56579452 85d2 test edx, edx
│ ┌───< 0x56579454 7513 jne 0x56579469
│ │╎│ 0x56579456 83bd80fcffff. cmp dword [var_380h], 0
│ │╎│ 0x5657945d 0f94c0 sete al
│ │╎│ 0x56579460 0fb6c0 movzx eax, al
│ │╎│ 0x56579463 898580fcffff mov dword [var_380h], eax
│ │╎│ ; CODE XREF from fcn.0000125b @ 0x56579454
│ └───> 0x56579469 83bd80fcffff. cmp dword [var_380h], 0
│ ┌───< 0x56579470 7428 je 0x5657949a
│ │╎│ 0x56579472 8b9584fcffff mov edx, dword [var_37ch]
│ │╎│ 0x56579478 8b8598fcffff mov eax, dword [var_368h]
│ │╎│ 0x5657947e 01d0 add eax, edx
│ │╎│ 0x56579480 0fb600 movzx eax, byte [eax]
│ │╎│ 0x56579483 8d8dc2fdffff lea ecx, dword [var_23eh]
│ │╎│ 0x56579489 8b9588fcffff mov edx, dword [var_378h]
│ │╎│ 0x5657948f 01ca add edx, ecx
│ │╎│ 0x56579491 8802 mov byte [edx], al
│ │╎│ 0x56579493 838588fcffff. add dword [var_378h], 1
│ │╎│ ; CODE XREF from fcn.0000125b @ 0x56579470
│ └───> 0x5657949a 838584fcffff. add dword [var_37ch], 1
│ ╎│ ; CODE XREF from fcn.0000125b @ 0x56579429
│ ╎└─> 0x565794a1 83bd84fcffff. cmp dword [var_37ch], 0x41
│ └──< 0x565794a8 7e81 jle 0x5657942b
│ 0x565794aa c685e3fdffff. mov byte [var_21dh], 0
│ 0x565794b1 c7858cfcffff. mov dword [var_374h], 0
│ 0x565794bb c78590fcffff. mov dword [var_370h], 0
│ ┌─< 0x565794c5 eb5c jmp 0x56579523
│ │ ; CODE XREF from fcn.0000125b @ 0x5657952a
│ ┌──> 0x565794c7 c7858cfcffff. mov dword [var_374h], 0
│ ┌───< 0x565794d1 eb1c jmp 0x565794ef
│ │╎│ ; CODE XREF from fcn.0000125b @ 0x565794f6
│ ┌────> 0x565794d3 8b858cfcffff mov eax, dword [var_374h]
│ ╎│╎│ 0x565794d9 8b8485f4fcff. mov eax, dword [ebp + eax*4 - 0x30c]
│ ╎│╎│ 0x565794e0 398590fcffff cmp dword [var_370h], eax
│ ┌─────< 0x565794e6 7412 je 0x565794fa
│ │╎│╎│ 0x565794e8 83858cfcffff. add dword [var_374h], 1
│ │╎│╎│ ; CODE XREF from fcn.0000125b @ 0x565794d1
│ │╎└───> 0x565794ef 83bd90fcffff. cmp dword [var_370h], 0x20
│ │└────< 0x565794f6 7edb jle 0x565794d3
│ │ ┌───< 0x565794f8 eb01 jmp 0x565794fb
│ │ │╎│ ; CODE XREF from fcn.0000125b @ 0x565794e6
│ └─────> 0x565794fa 90 nop
│ │╎│ ; CODE XREF from fcn.0000125b @ 0x565794f8
│ └───> 0x565794fb 8d95c2fdffff lea edx, dword [var_23eh]
│ ╎│ 0x56579501 8b858cfcffff mov eax, dword [var_374h]
│ ╎│ 0x56579507 01d0 add eax, edx
│ ╎│ 0x56579509 0fb600 movzx eax, byte [eax]
│ ╎│ 0x5657950c 8d8da0fdffff lea ecx, dword [var_260h]
│ ╎│ 0x56579512 8b9590fcffff mov edx, dword [var_370h]
│ ╎│ 0x56579518 01ca add edx, ecx
│ ╎│ 0x5657951a 8802 mov byte [edx], al
│ ╎│ 0x5657951c 838590fcffff. add dword [var_370h], 1
│ ╎│ ; CODE XREF from fcn.0000125b @ 0x565794c5
│ ╎└─> 0x56579523 83bd90fcffff. cmp dword [var_370h], 0x20
│ └──< 0x5657952a 7e9b jle 0x565794c7
│ 0x5657952c c685c1fdffff. mov byte [var_23fh], 0
│ 0x56579533 83ec0c sub esp, 0xc
│ 0x56579536 ffb59cfcffff push dword [var_364h]
│ 0x5657953c e89ffbffff call sym.imp.puts
│ 0x56579541 83c410 add esp, 0x10
│ 0x56579544 83ec08 sub esp, 8
│ 0x56579547 ffb5a0fcffff push dword [var_360h]
│ 0x5657954d 8d8348e1ffff lea eax, dword [ebx - 0x1eb8]
│ 0x56579553 50 push eax
│ 0x56579554 e867fbffff call sym.imp.printf
│ 0x56579559 83c410 add esp, 0x10
│ 0x5657955c 83ec08 sub esp, 8
│ 0x5657955f 8d85e4fdffff lea eax, dword [var_21ch]
│ 0x56579565 50 push eax
│ 0x56579566 8d8348e1ffff lea eax, dword [ebx - 0x1eb8]
│ 0x5657956c 50 push eax
│ 0x5657956d e88efbffff call sym.imp.__isoc99_scanf
│ 0x56579572 83c410 add esp, 0x10
│ 0x56579575 c785a8fcffff. mov dword [var_358h], 0
│ 0x5657957f 83ec08 sub esp, 8
│ 0x56579582 8d858dfdffff lea eax, dword [var_273h]
│ 0x56579588 50 push eax
│ 0x56579589 8d85e4fdffff lea eax, dword [var_21ch]
│ 0x5657958f 50 push eax
│ 0x56579590 e81bfbffff call sym.imp.strcmp
│ 0x56579595 83c410 add esp, 0x10
│ 0x56579598 8985a8fcffff mov dword [var_358h], eax
│ ;-- eip:
│ 0x5657959e b 83bda8fcffff. cmp dword [var_358h], 0
│ ┌─< 0x565795a5 7514 jne 0x565795bb
│ │ 0x565795a7 83ec0c sub esp, 0xc
│ │ 0x565795aa 8d85a0fdffff lea eax, dword [var_260h]
│ │ 0x565795b0 50 push eax
│ │ 0x565795b1 e82afbffff call sym.imp.puts
│ │ 0x565795b6 83c410 add esp, 0x10
│ ┌──< 0x565795b9 eb11 jmp 0x565795cc
│ ││ ; CODE XREF from fcn.0000125b @ 0x565795a5
│ │└─> 0x565795bb 83ec0c sub esp, 0xc
│ │ 0x565795be ffb5a4fcffff push dword [var_35ch]
│ │ 0x565795c4 e817fbffff call sym.imp.puts
│ │ 0x565795c9 83c410 add esp, 0x10
│ │ ; CODE XREF from fcn.0000125b @ 0x565795b9
│ └──> 0x565795cc b800000000 mov eax, 0
│ 0x565795d1 8b75e4 mov esi, dword [var_1ch]
│ 0x565795d4 653335140000. xor esi, dword gs:[0x14]
│ ┌─< 0x565795db 7405 je 0x565795e2
│ │ 0x565795dd e88e000000 call sym.__stack_chk_fail_local
│ │ ; CODE XREF from fcn.0000125b @ 0x565795db
│ └─> 0x565795e2 8d65f0 lea esp, dword [var_10h]
│ 0x565795e5 59 pop ecx
│ 0x565795e6 5b pop ebx
│ 0x565795e7 5e pop esi
│ 0x565795e8 5f pop edi
│ 0x565795e9 5d pop ebp
│ 0x565795ea 8d61fc lea esp, dword [ecx - 4]
└ 0x565795ed c3 ret

[0x5657959e]> px@ebp-0x358

- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
0xffcffe20 0100 0000 0800 0000 0200 0000 0300 0000 ................
0xffcffe30 0700 0000 0500 0000 0e00 0000 0a00 0000 ................
0xffcffe40 0100 0000 0400 0000 0600 0000 0000 0000 ................
0xffcffe50 0b00 0000 0900 0000 1100 0000 0c00 0000 ................
0xffcffe60 0d00 0000 1000 0000 0f00 0000 1200 0000 ................
0xffcffe70 1700 0000 0100 0000 0000 0000 1300 0000 ................
0xffcffe80 1100 0000 0f00 0000 1f00 0000 0b00 0000 ................
0xffcffe90 1e00 0000 0a00 0000 0500 0000 1500 0000 ................
0xffcffea0 0d00 0000 1400 0000 1000 0000 0e00 0000 ................
0xffcffeb0 1900 0000 0800 0000 0400 0000 0300 0000 ................
0xffcffec0 1b00 0000 0700 0000 0900 0000 0200 0000 ................
0xffcffed0 1600 0000 0600 0000 1c00 0000 1800 0000 ................
0xffcffee0 1d00 0000 2000 0000 0c00 0000 1a00 0000 .... ...........
0xffcffef0 b4c0 4230 2d2d 6f33 6f30 426f 422d 6f21 ..B0--o3o0BoB-o!
0xffcfff00 4233 7972 0042 3030 2d42 6f6f 2d42 6f6f B3yr.B00-Boo-Boo
0xffcfff10 2d42 3333 7279 2100 666c 6167 7b42 3030 -B33ry!.flag{B00
[0x5657959e]> B00-Boo-Boo-B33ry!
[2]+ Stopped r2 ./deadface_re03.bin

0x33c@0x33c:~/Downloads$ ./deadface_re03.bin

What is the best and sp00kiest breakfast cereal?
Please enter the passphrase: B00-Boo-Boo-B33ry!
**flag{B00-B00-B00-Bury-IZ-DA-BOMB}**

```

Rate please ;)

Cereal Killer3

Comments

Sign in with