Tags: dynamic-analysis

Rating: 4.0

# dyn (rev)

Rust Binary

## Dynamic Analysis

When we run this program, we get the following message:


```
thread 'main' panicked at 'assertion failed: (left == right)
left: "./dyn",
right: "actf{"', main.rs:51:5
note: run with RUST_BACKTRACE=1 environment variable to display a backtrace
```


It looks like the program checks the command line arguments for the flag. (Ghidra confirms that it checks the last argument.)

## In Ghidra

After a bit of reverse engineering, we see a suspicious comparison at 0x8d87 against `'_ynourtsd_tet_eh2_bfiasl7cedbda7'`. Unfortunately, that's not the right flag. Before that comparison, a lot of single bytes are moved around in memory, which indicates that the flag is shuffled before the comparison.

## Execute in gdb

Start the program with the input `actf{abcdefghijklmnopqrstuvwxyz012345}`. Every character between the braces is distinct, so we can reconstruct the permutation by comparing each character's input position to its shuffled position.

Set a breakpoint on `core::slice::cmp::<impl core::cmp::PartialEq<[B]> for [A]>::eq`.

The shuffled input is given in `rdx`. Use this to reconstruct the flag.
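
The reconstruction described above, as an added Python example (not the write-up's own script): it derives the permutation from one known input and its shuffled form, then inverts it on a compared string. `DEMO_PERM` and `DEMO_SECRET` are constructed stand-ins, not values from the binary, and the code assumes the shuffle is a fixed permutation that does not depend on the input's content.

```python
"""Recover a fixed shuffle from one known input/output pair, then invert it."""

def recover_permutation(known_input, shuffled):
    """Return perm where perm[i] is the input index of the char seen at shuffled[i]."""
    if len(known_input) != len(shuffled):
        raise ValueError("input and shuffled output differ in length")
    if len(set(known_input)) != len(known_input):
        # Repeated characters would make the mapping ambiguous.
        raise ValueError("known input must not repeat characters")
    if sorted(known_input) != sorted(shuffled):
        raise ValueError("output is not a rearrangement of the input")
    position = {ch: i for i, ch in enumerate(known_input)}
    return [position[ch] for ch in shuffled]

def unshuffle(perm, shuffled_target):
    """Undo the shuffle: the character at shuffled_target[i] belongs at index perm[i]."""
    if len(perm) != len(shuffled_target):
        raise ValueError("target length does not match the permutation")
    out = [""] * len(perm)
    for i, src in enumerate(perm):
        out[src] = shuffled_target[i]
    return "".join(out)

def shuffle(perm, text):
    """Stand-in for the binary's shuffle, used only to build the sample data."""
    return "".join(text[src] for src in perm)

# Constructed sample data: NOT the permutation or secret from the real binary.
KNOWN = "abcdefghijklmnopqrstuvwxyz012345"          # probe body from the write-up
DEMO_PERM = [(7 * i + 3) % 32 for i in range(32)]   # hypothetical shuffle
DEMO_SECRET = "this_is_only_a_constructed_demo!"    # 32 chars, repeats are fine here

def demo():
    observed = shuffle(DEMO_PERM, KNOWN)         # stand-in for the bytes read at the breakpoint
    perm = recover_permutation(KNOWN, observed)
    compared = shuffle(DEMO_PERM, DEMO_SECRET)   # stand-in for the constant the binary compares to
    return unshuffle(perm, compared)

if __name__ == "__main__":
    print(demo())
```
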

## Unshuffle the flag
python
orig = 'abcdefghijklmnopqrstuvwxyz012345'