Tags: rev 

# Homework Help - Reverse (265 pts)

## Description

> I wrote a program to solve my math homework so I could find flags. Unfortunately my program sucks at math and just makes me do it. It does find flags though.

### Provided files
`homework_help` 64-bit ELF executable \[[download](https://ctfnote.shinmai.wtf:31337/files/downloadFile?id=5C5Qo65eZgX71kq)\]

## Ideas and observations
1. disassembly doesn't initially show anything useful
2. `main()` calls `ask()`, which prints some preamble, prompts the user for an input and runs `eval(input)`
3. `eval` does some checks on the input, but still nothing indicating a flag
4. there's a function called `offer_help` that's not called from any of the previous 3 functions, but _is_ called from `__stack_chk_fail`. It `fgets` 0x21 bytes from stdin into a memory region `FLAG`
5. `__stack_chk_fail` seems to be the real flag check

## Notes
1. `__stack_chk_fail`:
    1. sets up some values on the stack (bytes interleaved by 3 null bytes)
    2. does a `_setjmp` and a check
    3. sets some initial values
    4. iterates over the bytes on the stack, XORing them with a running XOR result, and compares against the bytes stored at `FLAG`

## Solution
1. pull out the bytes stored on the stack
2. set a variable `A` to `0x41` and `B` to the first byte from the stack
3. for 0x20 loops with the iterator `i`:
    1. `B = B ^ A`
    2. `flag+=B`
    3. `A = stack_bytes[i]`

This gets us the flag: `wctf{+m0r3_l1ke_5t4ck_chk_w1n=-}`
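The solution steps as a runnable sketch, added here as an example and not taken from the original writeup. It assumes each stack value is a little-endian dword (the byte followed by 3 null bytes) and that `A` picks up the next stack byte after each round; the sample blob is constructed by running the scheme backwards over the flag above, not dumped from the binary, and the helper names `encode`, `stack_bytes` and `decode` are hypothetical.

```python
import struct

SEED = 0x41  # initial value of A in the writeup's loop


def encode(flag: bytes, seed: int = SEED) -> bytes:
    """Inverse of the check, used here only to build constructed sample data.

    Each encoded byte is stored as a little-endian dword (assumed layout:
    value byte followed by 3 null bytes).
    """
    blob, prev = bytearray(), seed
    for c in flag:
        blob += struct.pack("<I", c ^ prev)
        prev = c
    return bytes(blob)


def stack_bytes(blob: bytes) -> list:
    """Pull the meaningful byte out of every 4-byte stack slot."""
    if len(blob) % 4:
        raise ValueError("blob is not a whole number of dwords")
    values = [v for (v,) in struct.iter_unpack("<I", blob)]
    if any(v > 0xFF for v in values):
        raise ValueError("slot is not a byte padded with 3 null bytes")
    return values


def decode(stack: list, seed: int = SEED) -> bytes:
    """Running-XOR recovery, using the writeup's A and B."""
    a, b = seed, stack[0]
    flag = bytearray()
    for i in range(1, len(stack) + 1):
        b ^= a                 # B = B ^ A
        flag.append(b)         # flag += B
        if i < len(stack):
            a = stack[i]       # A = next stack byte
    return bytes(flag)


if __name__ == "__main__":
    # Constructed sample: derived from the flag printed in this writeup.
    sample = encode(b"wctf{+m0r3_l1ke_5t4ck_chk_w1n=-}")
    print(decode(stack_bytes(sample)).decode())
```

With the real binary, replace the constructed `sample` with the dwords copied out of the `__stack_chk_fail` disassembly.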

Original writeup (https://gist.github.com/shinmai/5720d1f0a214d0878cfb530eb975c469#homework-help---reverse-265-pts).