Tags: python re gdb 

Rating: 0

# Angel (RE, 468 points, 20 solves)

We're given a password-checking binary:

``` c++
int __cdecl sub_80485BF(char *input_str)
{
int result; // eax@2
char v2; // [sp+3h] [bp-15h]@1
int v3; // [sp+4h] [bp-14h]@1
size_t i; // [sp+8h] [bp-10h]@3

v2 = *input_str;
v3 = 0;
if ( strlen(input_str) > 2 )
{
for ( i = 1; strlen(input_str) - 1 > i; ++i )
{
some_dark_magic(dword_804D148, &off_804C140 + 4 * (unsigned __int8)v2);
if ( dword_804C060[v3] != dword_804D148((unsigned __int8)input_str[i]) )
return puts("Wrong!");
if ( ++v3 == 200 )
break;
v2 = input_str[i];
}
result = puts("Well done!");
}
else
{
result = puts("Wrong!");
}
return result;
}
```

There is some lookup-table stuff going on with `off_804C140` and some dark magic with `some_dark_magic` function ;)

We could reverse the whole program but we're lazy and the encryption has a cool property - the passwords nth check relies only on input bytes we've already analyzed.

This means that we could brute the correct input one byte at a time - we try to append every possible byte to the last successfull input and when we find a match we move one byte forward.

We came up with a nifty little gdb python script:

``` python
import os
import string
from subprocess import Popen, PIPE, STDOUT
import gdb
import codecs
import string
good_characters = 0

class MyBreakpoint(gdb.Breakpoint):

def __init__(self, spec):
super(MyBreakpoint, self).__init__(spec, gdb.BP_BREAKPOINT, internal = False)
self.silent = True

def stop (self):
eax = int(gdb.parse_and_eval("$eax"))
edx = int(gdb.parse_and_eval("$edx"))

if eax == edx:
global matches
matches += 1

return False

MyBreakpoint('*0x08048656')

matches = 0
starting_piece = "you"

while True:
for i in string.printable:

potential_flag = starting_piece + i + "A"*30

matches = 0

with codecs.open("input.txt","w") as output_file:
output_file.write(potential_flag)

gdb.execute("r < input.txt > /tmp/a")

if matches == len(starting_piece):
starting_piece += i
break;

f = open("output", "wb")
f.write(starting_piece)
```

We had to brute-force two first letters and then try about 4 different starting inputs but once we got overt that the script ran smoothly.

`you are looking for this EKO{4ngr_d1dn't_like_th1s}`