Tags: rev
Rating:
You're given a executable file `match_me`
Let's see what it does
```
$ ./match_me
12 <input_guess>
Nope <output>
```
Lets have a look at dynamic library calls for no input.
```
$ ltrace ./match_me
__libc_start_main(0x400a03, 1, 0x7ffcd5f460a8, 0x400ad0 <unfinished ...>
malloc(1000) = 0x133c010
scanf(0x400b6d, 0x133c010, 0x133c010, 0x7f217ad32b20) = 0xffffffff
malloc(1000) = 0x133c810
strlen("firhfgferfibbqlkdfhh") = 20
strlen("firhfgferfibbqlkdfhh") = 20
strlen("firhfgferfibbqlkdfhh") = 20
strncmp("firhfgferfibbqlkdfhh", "[[[[[[[[[[[[[[[[[[[[", 20) = 11
puts("Nope"Nope
) = 5
+++ exited (status 0) +++
```
Interesting. `strcmp` is being called to compare a hardcoded string "firhfgferfibbqlkdfhh" with some other string. Lets run again the ltrace with input "12" (without quotes)
```
$ ltrace ./match_me
__libc_start_main(0x400a03, 1, 0x7ffcd5f460a8, 0x400ad0 <unfinished ...>
malloc(1000) = 0x133c010
scanf(0x400b6d, 0x133c010, 0x133c010, 0x7f217ad32b20) = 0xffffffff
malloc(1000) = 0x133c810
strlen("firhfgferfibbqlkdfhh") = 20
strlen("firhfgferfibbqlkdfhh") = 20
strlen("firhfgferfibbqlkdfhh") = 20
strncmp("firhfgferfibbqlkdfhh", "S[[[[[[[[[[[[[[[[[[[", 20) = 11
puts("Nope"Nope
) = 5
+++ exited (status 0) +++
```
Nice, so we see that integer 12 is mapped to "S" (See the change of compared string from "[[[[[[..." to "S[[[..."). So, all we have to do is write a simple script to find mappings of all integers from 1-100 to corresponding characters.
So, we get 59:f, 76:i, 65:r and so on.
Key with all mappings done = firhfgferfibbqlkdfhh: 5976657559745958655976555564937857597575
Let's check our executable with above key
```
$ ./match_me
5976657559745958655976555564937857597575
Match
```
Yay! Now we need to send this key to defcon.org.in:8082
```
$ echo "5976657559745958655976555564937857597575" | nc defcon.org.in 8082
Flag: d4rk{595c7f5b595a59587f595c55557e5f5e57595b5b}c0de