Tags: dynamic-analysis 

# dyn (rev)

Rust Binary

## Dynamic Analysis

When we run this program, we get the following message:

```
thread 'main' panicked at 'assertion failed: `(left == right)`
left: `"./dyn"`,
right: `"actf{"`', main.rs:51:5
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
```

It looks like the program checks the command-line arguments for the flag. (Ghidra confirms that it checks the last argument.)

## In Ghidra

After a bit of reverse engineering, we see a suspicious comparison at 0x8d87 against `'_ynourtsd_tet_eh2_bfiasl7cedbda7'`. Unfortunately, that is not the right flag. Before the comparison, we see a lot of single bytes being moved around in memory, which indicates that the flag is shuffled before it is compared.

## Execute in gdb

Start the program with the input `actf{abcdefghijklmnopqrstuvwxyz012345}`. Because every character of this input is distinct, we can reconstruct the permutation by comparing each character's position in the input with its position in the shuffled buffer.

Set a breakpoint on `core::slice::cmp::<impl core::cmp::PartialEq<[B]> for [A]>::eq`.

The shuffled input is given in `rdx`. Use this to reconstruct the flag.

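## Unshuffle the flag

```python
orig = 'abcdefghijklmnopqrstuvwxyz012345'      # flag body we passed in
shuffled = 'fehgbadcnmpojilkvuxwrqts3254zy10'  # the same bytes as seen in rdx
expected = '_ynourtsd_tet_eh2_bfiasl7cedbda7'  # string compared at 0x8d87

# For each input position, find where its character ended up after the shuffle
# and take the expected character from that shuffled position.
print('actf{' + ''.join([expected[shuffled.find(x)] for x in orig]) + '}')
```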
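
The same recovery as an added example (not part of the original writeup) that goes slightly further than the one-liner: it checks that the probe is actually traceable, builds the permutation explicitly, and verifies the candidate by shuffling it forward again. The function names are hypothetical, and the code assumes the shuffle depends only on position, not on the input bytes.

```python
from typing import List

# Values taken from the writeup above.
PROBE = "abcdefghijklmnopqrstuvwxyz012345"     # flag body we supplied
OBSERVED = "fehgbadcnmpojilkvuxwrqts3254zy10"  # shuffled buffer read from rdx
EXPECTED = "_ynourtsd_tet_eh2_bfiasl7cedbda7"  # constant the binary compares against


def recover_permutation(probe: str, observed: str) -> List[int]:
    """Return perm where observed[i] == probe[perm[i]]."""
    if len(set(probe)) != len(probe):
        raise ValueError("probe characters must be unique to be traceable")
    if sorted(probe) != sorted(observed):
        raise ValueError("observed buffer is not a reordering of the probe")
    position = {ch: i for i, ch in enumerate(probe)}
    return [position[ch] for ch in observed]


def apply_shuffle(perm: List[int], data: str) -> str:
    """Forward direction: what the binary does to its input."""
    return "".join(data[src] for src in perm)


def invert_shuffle(perm: List[int], shuffled: str) -> str:
    """Put every shuffled character back at its source index."""
    if len(shuffled) != len(perm):
        raise ValueError("length does not match the recovered permutation")
    out = [""] * len(perm)
    for dst, src in enumerate(perm):
        out[src] = shuffled[dst]
    return "".join(out)


def recover_flag(probe: str, observed: str, expected: str) -> str:
    perm = recover_permutation(probe, observed)
    body = invert_shuffle(perm, expected)
    # Round trip: shuffling the candidate must reproduce the compared constant.
    if apply_shuffle(perm, body) != expected:
        raise ValueError("round-trip check failed")
    return "actf{" + body + "}"


if __name__ == "__main__":
    print(recover_flag(PROBE, OBSERVED, EXPECTED))
```

A probe with repeated characters is rejected up front, because a repeated character cannot be mapped back to a single input position.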