# NcN CTF Quals 2k13


Access Level 1

# curl http://ctf.noconname.org/4cbe48a830c4cd2d4ac9e6e9373e3055/index.html
<!DOCTYPE html>
<html>
  <head>
    <title>NcN 2013 Registration Quals</title>
                <link rel="stylesheet" href="../res/main.css" type="text/css" media="screen"/>
    <link href='../res/UbuntuMono.css' rel='stylesheet' type='text/css'>
    <meta content="Javier Marcos @javutin" name="author" />
        <script type="text/javascript" src="crypto.js"></script>
        </head>
<body>
        <div id="level">
        <center>
                <h2 style="color: white">Discover the buried valid key:</h2>
    <form action="login.php" method="POST" onsubmit="return encrypt(this);">
    <table border=0 align="center">
     <tr>
        <td><label style="color: white" for="key"><b>Key: </b></label></td>
        <td><input type="text" name="password" id="password" class="input"></td>
                                        <input type="hidden" name="key" id="key" value="">
                                        <input type="hidden" name="verification" id="verification" value="yes">
     </tr>
     <tr>
        <td colspan="2" align="center"><p><input type="submit" name="send" class="button" value="Send"></p></td>
     </tr>
    </table>
    </form>
        </center>
        </div>
</body>
</html>
# curl --silent http://ctf.noconname.org/4cbe48a830c4cd2d4ac9e6e9373e3055/crypto.js | sed 's/eval/console.log/'
var _0x52ae=["\x66\x20\x6F\x28\x38\x29\x7B\x63\x20\x69\x2C\x6A\x3D\x30\x3B\x6B\x28\x69\x3D\x30\x3B\x69\x3C\x38\x2E\x6C\x3B\x69\x2B\x2B\x29\x7B\x6A\x2B\x3D\x28\x38\x5B\x69\x5D\x2E\x73\x28\x29\x2A\x28\x69\x2B\x31\x29\x29\x7D\x67\x20\x74\x2E\x75\x28\x6A\x29\x25\x76\x7D\x66\x20\x70\x28\x68\x29\x7B\x68\x3D\x68\x2E\x71\x28\x30\x29\x3B\x63\x20\x69\x3B\x6B\x28\x69\x3D\x30\x3B\x69\x3C\x77\x3B\x2B\x2B\x69\x29\x7B\x63\x20\x35\x3D\x69\x2E\x78\x28\x79\x29\x3B\x6D\x28\x35\x2E\x6C\x3D\x3D\x31\x29\x35\x3D\x22\x30\x22\x2B\x35\x3B\x35\x3D\x22\x25\x22\x2B\x35\x3B\x35\x3D\x7A\x28\x35\x29\x3B\x6D\x28\x35\x3D\x3D\x68\x29\x41\x7D\x67\x20\x69\x7D\x66\x20\x6E\x28\x38\x29\x7B\x63\x20\x69\x2C\x61\x3D\x30\x2C\x62\x3B\x6B\x28\x69\x3D\x30\x3B\x69\x3C\x38\x2E\x6C\x3B\x2B\x2B\x69\x29\x7B\x62\x3D\x70\x28\x38\x2E\x71\x28\x69\x29\x29\x3B\x61\x2B\x3D\x62\x2A\x28\x69\x2B\x31\x29\x7D\x67\x20\x61\x7D\x66\x20\x42\x28\x39\x29\x7B\x63\x20\x32\x3B\x32\x3D\x6E\x28\x39\x2E\x64\x2E\x65\x29\x3B\x32\x3D\x32\x2A\x28\x33\x2B\x31\x2B\x33\x2B\x33\x2B\x37\x29\x3B\x32\x3D\x32\x3E\x3E\x3E\x36\x3B\x32\x3D\x32\x2F\x34\x3B\x32\x3D\x32\x5E\x43\x3B\x6D\x28\x32\x21\x3D\x30\x29\x7B\x72\x28\x27\x44\x20\x64\x21\x27\x29\x7D\x45\x7B\x72\x28\x27\x46\x20\x64\x20\x3A\x29\x27\x29\x7D\x39\x2E\x47\x2E\x65\x3D\x6E\x28\x39\x2E\x64\x2E\x65\x29\x3B\x39\x2E\x48\x2E\x65\x3D\x22\x49\x22\x2B\x6F\x28\x39\x2E\x64\x2E\x65\x29\x3B\x67\x20\x4A\x7D","\x7C","\x73\x70\x6C\x69\x74","\x7C\x7C\x72\x65\x73\x7C\x7C\x7C\x68\x65\x78\x5F\x69\x7C\x7C\x7C\x73\x74\x72\x7C\x66\x6F\x72\x6D\x7C\x7C\x7C\x76\x61\x72\x7C\x70\x61\x73\x73\x77\x6F\x72\x64\x7C\x76\x61\x6C\x75\x65\x7C\x66\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x72\x65\x74\x75\x72\x6E\x7C\x66\x6F\x6F\x7C\x7C\x68\x61\x73\x68\x7C\x66\x6F\x72\x7C\x6C\x65\x6E\x67\x74\x68\x7C\x69\x66\x7C\x6E\x75\x6D\x65\x72\x69\x63\x61\x6C\x5F\x76\x61\x6C\x75\x65\x7C\x73\x69\x6D\x70\x6C\x65\x48\x61\x73\x68\x7C\x61\x73\x63\x69\x69\x5F\x6F\x6E\x65\x7C\x63\x68\x61\x72\x41\x74\x7C\x61\x6C\x65\x72\x74\x7C\x63\x68\x61\x72\x43\x6F\x64\x65\x41\
x74\x7C\x4D\x61\x74\x68\x7C\x61\x62\x73\x7C\x33\x31\x33\x33\x37\x7C\x32\x35\x36\x7C\x74\x6F\x53\x74\x72\x69\x6E\x67\x7C\x31\x36\x7C\x75\x6E\x65\x73\x63\x61\x70\x65\x7C\x62\x72\x65\x61\x6B\x7C\x65\x6E\x63\x72\x79\x70\x74\x7C\x34\x31\x35\x33\x7C\x49\x6E\x76\x61\x6C\x69\x64\x7C\x65\x6C\x73\x65\x7C\x43\x6F\x72\x72\x65\x63\x74\x7C\x6B\x65\x79\x7C\x76\x65\x72\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x7C\x79\x65\x73\x7C\x74\x72\x75\x65","","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x72\x65\x70\x6C\x61\x63\x65","\x5C\x77\x2B","\x5C\x62","\x67"];console.log(function (_0x7038x1,_0x7038x2,_0x7038x3,_0x7038x4,_0x7038x5,_0x7038x6){_0x7038x5=function (_0x7038x3){return (_0x7038x3<_0x7038x2?_0x52ae[4]:_0x7038x5(parseInt(_0x7038x3/_0x7038x2)))+((_0x7038x3=_0x7038x3%_0x7038x2)>35?String[_0x52ae[5]](_0x7038x3+29):_0x7038x3.toString(36));} ;if(!_0x52ae[4][_0x52ae[6]](/^/,String)){while(_0x7038x3--){_0x7038x6[_0x7038x5(_0x7038x3)]=_0x7038x4[_0x7038x3]||_0x7038x5(_0x7038x3);} ;_0x7038x4=[function (_0x7038x5){return _0x7038x6[_0x7038x5];} ];_0x7038x5=function (){return _0x52ae[7];} ;_0x7038x3=1;} ;while(_0x7038x3--){if(_0x7038x4[_0x7038x3]){_0x7038x1=_0x7038x1[_0x52ae[6]]( new RegExp(_0x52ae[8]+_0x7038x5(_0x7038x3)+_0x52ae[8],_0x52ae[9]),_0x7038x4[_0x7038x3]);} ;} ;return _0x7038x1;} (_0x52ae[0],46,46,_0x52ae[3][_0x52ae[2]](_0x52ae[1]),0,{}));
# node
> var _0x52ae=["\x66\x20\x6F\x28\x38\x29\x7B\x63\x20\x69\x2C\x6A\x3D\x30\x3B\x6B\x28\x69\x3D\x30\x3B\x69\x3C\x38\x2E\x6C\x3B\x69\x2B\x2B\x29\x7B\x6A\x2B\x3D\x28\x38\x5B\x69\x5D\x2E\x73\x28\x29\x2A\x28\x69\x2B\x31\x29\x29\x7D\x67\x20\x74\x2E\x75\x28\x6A\x29\x25\x76\x7D\x66\x20\x70\x28\x68\x29\x7B\x68\x3D\x68\x2E\x71\x28\x30\x29\x3B\x63\x20\x69\x3B\x6B\x28\x69\x3D\x30\x3B\x69\x3C\x77\x3B\x2B\x2B\x69\x29\x7B\x63\x20\x35\x3D\x69\x2E\x78\x28\x79\x29\x3B\x6D\x28\x35\x2E\x6C\x3D\x3D\x31\x29\x35\x3D\x22\x30\x22\x2B\x35\x3B\x35\x3D\x22\x25\x22\x2B\x35\x3B\x35\x3D\x7A\x28\x35\x29\x3B\x6D\x28\x35\x3D\x3D\x68\x29\x41\x7D\x67\x20\x69\x7D\x66\x20\x6E\x28\x38\x29\x7B\x63\x20\x69\x2C\x61\x3D\x30\x2C\x62\x3B\x6B\x28\x69\x3D\x30\x3B\x69\x3C\x38\x2E\x6C\x3B\x2B\x2B\x69\x29\x7B\x62\x3D\x70\x28\x38\x2E\x71\x28\x69\x29\x29\x3B\x61\x2B\x3D\x62\x2A\x28\x69\x2B\x31\x29\x7D\x67\x20\x61\x7D\x66\x20\x42\x28\x39\x29\x7B\x63\x20\x32\x3B\x32\x3D\x6E\x28\x39\x2E\x64\x2E\x65\x29\x3B\x32\x3D\x32\x2A\x28\x33\x2B\x31\x2B\x33\x2B\x33\x2B\x37\x29\x3B\x32\x3D\x32\x3E\x3E\x3E\x36\x3B\x32\x3D\x32\x2F\x34\x3B\x32\x3D\x32\x5E\x43\x3B\x6D\x28\x32\x21\x3D\x30\x29\x7B\x72\x28\x27\x44\x20\x64\x21\x27\x29\x7D\x45\x7B\x72\x28\x27\x46\x20\x64\x20\x3A\x29\x27\x29\x7D\x39\x2E\x47\x2E\x65\x3D\x6E\x28\x39\x2E\x64\x2E\x65\x29\x3B\x39\x2E\x48\x2E\x65\x3D\x22\x49\x22\x2B\x6F\x28\x39\x2E\x64\x2E\x65\x29\x3B\x67\x20\x4A\x7D","\x7C","\x73\x70\x6C\x69\x74","\x7C\x7C\x72\x65\x73\x7C\x7C\x7C\x68\x65\x78\x5F\x69\x7C\x7C\x7C\x73\x74\x72\x7C\x66\x6F\x72\x6D\x7C\x7C\x7C\x76\x61\x72\x7C\x70\x61\x73\x73\x77\x6F\x72\x64\x7C\x76\x61\x6C\x75\x65\x7C\x66\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x72\x65\x74\x75\x72\x6E\x7C\x66\x6F\x6F\x7C\x7C\x68\x61\x73\x68\x7C\x66\x6F\x72\x7C\x6C\x65\x6E\x67\x74\x68\x7C\x69\x66\x7C\x6E\x75\x6D\x65\x72\x69\x63\x61\x6C\x5F\x76\x61\x6C\x75\x65\x7C\x73\x69\x6D\x70\x6C\x65\x48\x61\x73\x68\x7C\x61\x73\x63\x69\x69\x5F\x6F\x6E\x65\x7C\x63\x68\x61\x72\x41\x74\x7C\x61\x6C\x65\x72\x74\x7C\x63\x68\x61\x72\x43\x6F\x64\x65\x4
1\x74\x7C\x4D\x61\x74\x68\x7C\x61\x62\x73\x7C\x33\x31\x33\x33\x37\x7C\x32\x35\x36\x7C\x74\x6F\x53\x74\x72\x69\x6E\x67\x7C\x31\x36\x7C\x75\x6E\x65\x73\x63\x61\x70\x65\x7C\x62\x72\x65\x61\x6B\x7C\x65\x6E\x63\x72\x79\x70\x74\x7C\x34\x31\x35\x33\x7C\x49\x6E\x76\x61\x6C\x69\x64\x7C\x65\x6C\x73\x65\x7C\x43\x6F\x72\x72\x65\x63\x74\x7C\x6B\x65\x79\x7C\x76\x65\x72\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x7C\x79\x65\x73\x7C\x74\x72\x75\x65","","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x72\x65\x70\x6C\x61\x63\x65","\x5C\x77\x2B","\x5C\x62","\x67"];console.log(function (_0x7038x1,_0x7038x2,_0x7038x3,_0x7038x4,_0x7038x5,_0x7038x6){_0x7038x5=function (_0x7038x3){return (_0x7038x3<_0x7038x2?_0x52ae[4]:_0x7038x5(parseInt(_0x7038x3/_0x7038x2)))+((_0x7038x3=_0x7038x3%_0x7038x2)>35?String[_0x52ae[5]](_0x7038x3+29):_0x7038x3.toString(36));} ;if(!_0x52ae[4][_0x52ae[6]](/^/,String)){while(_0x7038x3--){_0x7038x6[_0x7038x5(_0x7038x3)]=_0x7038x4[_0x7038x3]||_0x7038x5(_0x7038x3);} ;_0x7038x4=[function (_0x7038x5){return _0x7038x6[_0x7038x5];} ];_0x7038x5=function (){return _0x52ae[7];} ;_0x7038x3=1;} ;while(_0x7038x3--){if(_0x7038x4[_0x7038x3]){_0x7038x1=_0x7038x1[_0x52ae[6]]( new RegExp(_0x52ae[8]+_0x7038x5(_0x7038x3)+_0x52ae[8],_0x52ae[9]),_0x7038x4[_0x7038x3]);} ;} ;return _0x7038x1;} (_0x52ae[0],46,46,_0x52ae[3][_0x52ae[2]](_0x52ae[1]),0,{}));
/**
 * Position-weighted checksum of a string, reduced modulo 31337.
 *
 * @param {string} str - Text to hash.
 * @returns {number} |sum(charCode * (index + 1))| % 31337.
 */
function simpleHash(str) {
  let sum = 0;
  for (let pos = 0; pos < str.length; pos += 1) {
    sum += str[pos].charCodeAt() * (pos + 1);
  }
  return Math.abs(sum) % 31337;
}

/**
 * Finds the code of the first character of `foo` by trying each value 0..255.
 *
 * @param {string} foo - Input; only its first character is examined.
 * @returns {number} The matching code, or 256 when no single-byte code matches
 *   (empty input, or a character above 0xFF).
 */
function ascii_one(foo) {
  const first = foo.charAt(0);
  let code = 0;
  // Linear scan over the 256 single-byte code points; falling off the end
  // leaves code at 256.
  while (code < 256 && String.fromCharCode(code) !== first) {
    code += 1;
  }
  return code;
}

/**
 * Weighted sum of character codes: each ascii_one() value is multiplied by
 * its 1-based position in the string.
 *
 * @param {string} str - Text to score.
 * @returns {number} The weighted sum.
 */
function numerical_value(str) {
  let total = 0;
  for (let idx = 0; idx < str.length; idx += 1) {
    total += ascii_one(str.charAt(idx)) * (idx + 1);
  }
  return total;
}

/**
 * Submit handler for the level form: reports whether the password passes the
 * check and fills the hidden `key` and `verification` fields.
 *
 * The check runs entirely on the client and the function returns true either
 * way, so the form is submitted whatever the result. Both hidden fields are
 * derived from the password alone; no secret enters the computation.
 *
 * @param {object} form - Form exposing `password`, `key` and `verification`
 *   members, each with a `value`.
 * @returns {boolean} Always true.
 */
function encrypt(form) {
  const weighted = numerical_value(form.password.value);
  // (3+1+3+3+7) is 17; >>> 6 divides by 64 and drops the remainder; the XOR
  // then truncates the fraction left by /4, so a whole range of sums yields 0.
  const check = (((weighted * (3 + 1 + 3 + 3 + 7)) >>> 6) / 4) ^ 4153;
  alert(check !== 0 ? 'Invalid password!' : 'Correct password :)');
  form.key.value = numerical_value(form.password.value);
  form.verification.value = `yes${simpleHash(form.password.value)}`;
  return true;
}
> function simpleHash(str){ // position-weighted sum of character codes, reduced modulo 31337
...      var i,hash=0;
...      for(i=0;i<str.length;i++){
.....           hash+=(str[i].charCodeAt()*(i+1)) // weight is the 1-based position of the character
.....      }
...      return Math.abs(hash)%31337 // result is always in 0..31336
... }
> function ascii_one(foo) { // code (0-255) of the first character of foo, found by trial; 256 if nothing matches
...     foo = foo.charAt(0);
...     var i;
...     for (i = 0; i < 256; ++i) {
.....         var hex_i = i.toString(16);
.....         if (hex_i.length == 1) hex_i = "0" + hex_i; // zero-pad to two hex digits
.....         hex_i = "%" + hex_i;
.....         hex_i = unescape(hex_i); // turn the "%XX" escape back into the character it encodes
.....         if (hex_i == foo) break
.....     }
...     return i // still 256 when the loop ran to completion (empty input or a character above 0xFF)
... }
> function numerical_value(str) { // sum over the string of ascii_one(character) * 1-based position
...     var i, a = 0, b;
...     for (i = 0; i < str.length; ++i) {
.....         b = ascii_one(str.charAt(i));
.....         a += b * (i + 1) // many different strings share one sum, so the value does not identify the password
.....     }
...     return a
... }
> function encrypt(form) { // the form's onsubmit handler: checks the password in the browser and fills the hidden fields
...     var res;
...     res = numerical_value(form.password.value);
...     res = res * (3 + 1 + 3 + 3 + 7); // multiplier is 17
...     res = res >>> 6; // unsigned shift: divide by 64 and drop the remainder
...     res = res / 4; // may leave a fraction (.25, .5, .75)
...     res = res ^ 4153; // XOR converts to a 32-bit integer first, discarding that fraction, so a range of sums gives 0
...     if (res != 0) {
.....         alert('Invalid password!')
.....     } else {
.....         alert('Correct password :)')
...     }
...     form.key.value = numerical_value(form.password.value); // hidden "key" field: the weighted sum itself
...     form.verification.value = "yes" + simpleHash(form.password.value); // hidden "verification" field: "yes" + checksum
...     return true // the form is submitted whether or not the check passed
... }
> var max=700000; var total=0; for (var i = 0; i < max; ++i) { total=(((i*17)>>>6)/4)^4153; if(total==0){console.log(i);}; }; // replay encrypt()'s arithmetic (17 = 3+1+3+3+7) on every candidate sum below max and print the ones that come out as 0
62540
62541
62542
62543
62544
62545
62546
62547
62548
62549
62550
62551
62552
62553
62554
> function init(dec,len){ // build a 1-indexed array holding the character code dec at positions 1..len
...  var deckey=new Array();
...  for(var i=1; i<=len; i++){ deckey[i]=dec; } // index 0 is never assigned
...  return deckey;
... }
> function add(deckey,len){ // weighted sum of deckey[1..len], each entry multiplied by its index (same weighting as numerical_value)
...  var counter=0;
...  for(var i=1; i<=len; i++){ counter+=deckey[i]*i; }
...  return counter;
... }
> var len, dist, deckey, count, key; // NOTE(review): diff and char, assigned below, are not declared here and become implicit globals
> len=100; // longest key length tried
> for(var dec=32; dec<=126; dec++){ // filler character: every printable ASCII code
...  dist=126-dec; // how far the first character can be raised and still stay printable
...  for(var i=1; i<=len; i++){ // candidate key length
.....   deckey=init(dec,i);
.....   count=add(deckey,i); // weighted sum of i copies of dec
.....   diff=62540-count; // shortfall against the smallest accepted sum
.....   if((0<=diff)&&(diff<=dist)){ // position 1 has weight 1, so raising the first character by diff closes the gap exactly
.......    key=String.fromCharCode(dec+diff);
.......    char=String.fromCharCode(dec);
.......    for(var j=1; j<=i-1; j++){ // remaining i-1 positions keep the filler character
.........     key+=char;
.........    }
.......    console.log("key = '"+key+"'");
.......   }
.....  }
... }
key = 'L                                                             '
key = 'r1111111111111111111111111111111111111111111111111'
key = 't333333333333333333333333333333333333333333333333'
> simpleHash('r1111111111111111111111111111111111111111111111111');
31203
# curl --silent --request POST --data 'password=r1111111111111111111111111111111111111111111111111&key=62540&verification=yes31203' http://ctf.noconname.org/4cbe48a830c4cd2d4ac9e6e9373e3055/login.php
<!DOCTYPE html>
<html>
  <head>
    <title>NcN 2013 Registration Quals</title>
 </head>
<body>
<b>Congrats! you passed the level! Here is the key: 23f8d1cea8d60c5816700892284809a94bd00fe7347645b96a99559749c7b7b8</b></body>
</html>

# cat level_1.c
#include <stdio.h>
#include <stdlib.h>

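/*
 * Recursively enumerate keys made of printable ASCII codes (32..126) whose
 * position-weighted sum, sum(key[k-1] * k) for k = 1..len, falls inside
 * [max, max+14], and print every match.
 *
 *   key     - scratch buffer of at least len ints; key[pos-1] is written here
 *   partial - weighted sum already contributed by positions pos+1..len
 *   pos     - 1-based position being chosen (recursion runs from len down to 1)
 *   max     - lower bound of the accepted sum
 *   len     - total key length, used when printing a match
 *
 * Returns the number of keys printed. The original fell off the end of a
 * non-void function; callers that ignore the result are unaffected.
 */
int level1(int *key,int partial,int pos,int max,int len){
        int i,j,total,found=0;
        /* pos < 1 would index key[-1] and never reach the base case */
        if(key==NULL||pos<1||len<1){ return 0; }
        if(pos==1){
                for(i=126;i>=32;i--){
                        total=partial+i;
                        /* window of 15 sums: with max=62540 this is 62540..62554 */
                        if((max<=total)&&(total<=max+14)){
                                key[pos-1]=i;
                                printf("key '\t");
                                for(j=0;j<len;j++){ printf("%c",key[j]); }
                                printf("'\t%d <= (%d) <= %d\n",max,total,max+14);
                                found++;
                        }
                }
        }else{
                for(i=126;i>=32;i--){
                        total=partial+pos*i;
                        /* prune: the running sum may not exceed the lower bound before position 1 */
                        if(total<=max){
                                key[pos-1]=i;
                                found+=level1(key,total,pos-1,max,len);
                        }
                }
        }
        return found;
}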
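/*
 * Usage: level_1 <target-sum> <max-key-length>
 *
 * For every key length from 1 to <max-key-length> that can reach the target
 * (all positions set to 126, the largest printable code), run level1() to
 * print the keys whose weighted sum lands in [target, target+14].
 */
int main(int argc, char *argv[]){
        int *key,len,i,total,max;
        /* the original dereferenced argv[1]/argv[2] without checking argc */
        if(argc<3){
                fprintf(stderr,"usage: %s <target-sum> <max-key-length>\n",argc>0?argv[0]:"level_1");
                return 1;
        }
        max=atoi(argv[1]);
        len=atoi(argv[2]);
        total=0;
        for(i=0;i<len;i++){
                /* largest sum reachable with i+1 characters, accumulated across lengths */
                total+=126*(i+1);
                if(max<=total){
                        /*
                         * level1() writes key[0]..key[i], so i+1 ints are needed.
                         * The original sizeof(int)*i+1 allocated i ints plus one
                         * byte, which made the write to key[i] a heap overflow.
                         */
                        key=malloc(sizeof(int)*(i+1));
                        if(key==NULL){
                                perror("malloc");
                                return 1;
                        }
                        printf("Trying key length = %d, total = %d and >= %d\n",i+1,total,max);
                        level1(key,0,i+1,max,i+1);
                        free(key);
                }
        }
        return 0;
}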
# gcc -o level_1 level_1.c
# ./level_1 62540 50
Trying key length = 32, total = 66528 and >= 62540
key     '   !    <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62554) <= 62554
key     '! !     <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62554) <= 62554
key     '  !     <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62553) <= 62554
key     ' "      <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62554) <= 62554
key     '"!      <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62554) <= 62554
key     '!!      <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62553) <= 62554
key     ' !      <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62552) <= 62554
key     '$       <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62554) <= 62554
key     '#       <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62553) <= 62554
key     '"       <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62552) <= 62554
key     '!       <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62551) <= 62554
key     '        <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62550) <= 62554
...
> simpleHash('   !    <~~~~~~~~~~~~~~~~~~~~~~~');
31217
# curl --silent --request POST --data 'password=   !    <~~~~~~~~~~~~~~~~~~~~~~~&key=62554&verification=yes31217' http://ctf.noconname.org/4cbe48a830c4cd2d4ac9e6e9373e3055/login.php
<!DOCTYPE html>
<html>
  <head>
    <title>NcN 2013 Registration Quals</title>
 </head>
<body>
<b>Congrats! you passed the level! Here is the key: 23f8d1cea8d60c5816700892284809a94bd00fe7347645b96a99559749c7b7b8</b></body>
</html>
Access Level 2

# curl --silent --output level.apk http://ctf.noconname.org/ad4d4084729af5c8faef2df8636c450e/level.apk
# unzip level.apk
# dex2jar classes.dex
# jd-gui classes_dex2jar.jar # and code review
# cd res/raw
# mv i.png qr-f.png
# mv j.png qr-e.png
# mv d.png qr-d.png
# mv h.png qr-c.png
# mv e.png qr-3.png
# mv l.png qr-2.png
# mv o.png qr-7.png
# mv n.png qr-b.png
# mv p.png qr-8.png
# mv m.png qr-1.png
# mv f.png qr-0.png
# mv c.png qr-4.png
# mv k.png qr-5.png
# mv g.png qr-6.png
# mv a.png qr-9.png
# mv b.png qr-a.png
# montage *.png -tile 4x4 -geometry +0+0 qr.png
# zbarimg --raw --quiet qr.png
788f5ff85d370646d4caa9af0a103b338dbe4c4bb9ccbd816b585c69de96d9da
Access Level 3

# curl --silent --output level.elf http://ctf.noconname.org/94999ecd63b3764ac334bcab4c4960d5/level.elf
# file level.elf
level.elf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xb589d432799bf15343387fea63d4bdc00faa177c, not stripped
# chmod +x level.elf
# gdb -q level.elf
(gdb) set disassembly-flavor intel
(gdb) x/s 0x4024a8
0x4024a8:        "Type to win, only what I want to read... "
(gdb) x/25i 0x00000000004010f3
   0x4010f3 <main+212>: call   0x400fef <getch>
   0x4010f8 <main+217>: movsx  eax,al
   0x4010fb <main+220>: mov    DWORD PTR [rbp-0x4],eax
   0x4010fe <main+223>: mov    eax,DWORD PTR [rbp-0x8]
   0x401101 <main+226>: cdqe
   0x401103 <main+228>: mov    eax,DWORD PTR [rax*4+0x6033a0]
   0x40110a <main+235>: cmp    eax,DWORD PTR [rbp-0x4]
   0x40110d <main+238>: jne    0x40111e <main+255>
   0x40110f <main+240>: mov    DWORD PTR [rbp-0xc],0x1
   0x401116 <main+247>: cmp    DWORD PTR [rbp-0x4],0x51
   0x40111a <main+251>: je     0x40112d <main+270>
   0x40111c <main+253>: jmp    0x401127 <main+264>
   0x40111e <main+255>: mov    DWORD PTR [rbp-0xc],0x0
   0x401125 <main+262>: jmp    0x401154 <main+309>
   0x401127 <main+264>: cmp    DWORD PTR [rbp-0x4],0x71
   0x40112b <main+268>: jne    0x401136 <main+279>
   0x40112d <main+270>: mov    DWORD PTR [rbp-0x10],0x1
   0x401134 <main+277>: jmp    0x401154 <main+309>
   0x401136 <main+279>: mov    rax,QWORD PTR [rip+0x2022a3]        # 0x6033e0 <stdout@@GLIBC_2.2.5>
   0x40113d <main+286>: mov    rsi,rax
   0x401140 <main+289>: mov    edi,0x2a
   0x401145 <main+294>: call   0x400610 <fputc@plt>
   0x40114a <main+299>: add    DWORD PTR [rbp-0x8],0x1
   0x40114e <main+303>: cmp    DWORD PTR [rbp-0x8],0x9
   0x401152 <main+307>: jle    0x4010f3 <main+212>
(gdb) x/30s 0x6033a0
0x6033a0 <facebookctf_rocks>:    " "
0x6033a2 <facebookctf_rocks+2>:  ""
0x6033a3 <facebookctf_rocks+3>:  ""
0x6033a4 <facebookctf_rocks+4>:  "S"
0x6033a6 <facebookctf_rocks+6>:  ""
0x6033a7 <facebookctf_rocks+7>:  ""
0x6033a8 <facebookctf_rocks+8>:  "U"
0x6033aa <facebookctf_rocks+10>:         ""
0x6033ab <facebookctf_rocks+11>:         ""
0x6033ac <facebookctf_rocks+12>:         "R"
0x6033ae <facebookctf_rocks+14>:         ""
0x6033af <facebookctf_rocks+15>:         ""
0x6033b0 <facebookctf_rocks+16>:         "P"
0x6033b2 <facebookctf_rocks+18>:         ""
0x6033b3 <facebookctf_rocks+19>:         ""
0x6033b4 <facebookctf_rocks+20>:         "R"
0x6033b6 <facebookctf_rocks+22>:         ""
0x6033b7 <facebookctf_rocks+23>:         ""
0x6033b8 <facebookctf_rocks+24>:         "I"
0x6033ba <facebookctf_rocks+26>:         ""
0x6033bb <facebookctf_rocks+27>:         ""
0x6033bc <facebookctf_rocks+28>:         "S"
0x6033be <facebookctf_rocks+30>:         ""
0x6033bf <facebookctf_rocks+31>:         ""
0x6033c0 <facebookctf_rocks+32>:         "E"
0x6033c2 <facebookctf_rocks+34>:         ""
0x6033c3 <facebookctf_rocks+35>:         ""
0x6033c4 <facebookctf_rocks+36>:         "!"
0x6033c6 <facebookctf_rocks+38>:         ""
0x6033c7 <facebookctf_rocks+39>:         ""
# echo ' SURPRISE!' | ./level.elf
|  >  Type to win, only what I want to read...
|  >  **********
|
|  -> Congratulations! The key is:
|  9e0d399e83e7c50c615361506a294eca22dc49bfddd90eb7a831e90e9e1bf2fb
# gdb -q level.elf
(gdb) set disassembly-flavor intel
(gdb) break main
(gdb) run
(gdb) x/2i 0x40117b
   0x40117b <main+348>: call   0x400b38 <success>
   0x401180 <main+353>: call   0x40077c <no_me_jodas_manolo>
(gdb) set $rip = 0x40117b
(gdb) continue 
Continuing.
|
|  -> Congratulations! The key is:
|  9e0d399e83e7c50c615361506a294eca22dc49bfddd90eb7a831e90e9e1bf2fb
