# TumCTF 2k16 - zwiebel (55)


$ wget 'https://2016.ctf.link/assets/files/zwiebel.tar.xz'
$ tar xvf zwiebel.tar.xz
$ r2 -wA zwiebel
[0x004006d0]> s sym.imp.ptrace
[0x004006b0]> pd 3
/ (fcn) sym.imp.ptrace 48
|   sym.imp.ptrace ();
|           ; CALL XREF from 0x004007db (sym.__printf)
|           0x004006b0      ff25aa0b2000   jmp qword [reloc.ptrace_96] ; [0x601260:8]=0x4006b6 LEA reloc.ptrace_96 ; reloc.ptrace_96
|           0x004006b6      6808000000     push 8
\           0x004006bb      e960ffffff     jmp 0x400620                ; sym.imp.printf-0x40
[0x004007d0]> s sym.__printf
[0x004007d0]> pd 12
/ (fcn) sym.__printf 45
|   sym.__printf ();
|           0x004007d0      50             push rax
|           0x004007d1      31ff           xor edi, edi
|           0x004007d3      31f6           xor esi, esi
|           0x004007d5      31d2           xor edx, edx
|           0x004007d7      31c9           xor ecx, ecx
|           0x004007d9      31c0           xor eax, eax
|           0x004007db      e8d0feffff     call sym.imp.ptrace
|           0x004007e0      4885c0         test rax, rax
|       ,=< 0x004007e3      7504           jne 0x4007e9
|       |   0x004007e5      31c0           xor eax, eax
|       |   0x004007e7      5a             pop rdx
|       |   0x004007e8      c3             ret

[0x004007db]> s 0x004007db
[0x004007db]> wx 90909090909090909090
[0x004007db]> pd 19 @ sym.__printf
/ (fcn) sym.__printf 45
|   sym.__printf ();
|           0x004007d0      50             push rax
|           0x004007d1      31ff           xor edi, edi
|           0x004007d3      31f6           xor esi, esi
|           0x004007d5      31d2           xor edx, edx
|           0x004007d7      31c9           xor ecx, ecx
|           0x004007d9      31c0           xor eax, eax
|           0x004007db      90             nop
|           0x004007dc      90             nop
|           0x004007dd      90             nop
|           0x004007de      90             nop
|           0x004007df      90             nop
|           0x004007e0      90             nop
|           0x004007e1      90             nop
|           0x004007e2      90             nop
|           0x004007e3      90             nop
|           0x004007e4      90             nop
|           0x004007e5      31c0           xor eax, eax
|           0x004007e7      5a             pop rdx
|           0x004007e8      c3             ret

$ cat zwiebel.py
import re
import r2pipe
import sys

def convert2int(value):
    """Parse an integer operand the way r2 prints it.

    Operands carrying a ``0x`` marker are read as hexadecimal, anything
    else as decimal. Returns the parsed ``int``; raises ``ValueError`` for
    text that is not a number in the chosen base.
    """
    base = 16 if '0x' in value else 10
    return int(value, base)

def step():
    """Single-step the debuggee and re-seek r2 to the new ``rip``.

    The seek matters: the ``pd``/``pdj`` commands issued afterwards
    disassemble relative to the current seek, not to the debuggee's pc.
    Uses the module-level ``r2`` session.
    """
    for command in ('ds', 'sr rip'):
        r2.cmd(command)

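# Run the (ptrace-patched) binary under r2's debugger through a rarun2
# profile so stdin is fixed to "AAAA". The flag is rebuilt from the bits
# each conditional branch expects, not from this input, so its value looks
# irrelevant here.
r2 = r2pipe.open(filename = '', flags = ['-dA', 'rarun2', 'program=zwiebel', 'stdin="AAAA"'])

try:
    r2.cmd('dc')
    # First stop: address taken from the r2 session above, presumably the
    # start of the checking routine.
    r2.cmd('db 0x00400875')
    r2.cmd('dc')

    # One byte per flag character, initialised to spaces so partial results
    # print cleanly. NOTE(review): 50 is an upper bound on the flag length;
    # an `offset` of 50 or more raises IndexError below.
    flag = [0x20] * 50

    # Outer loop: one pass per "layer". It has no break of its own and only
    # ends through an exception (for example once the debuggee exits and r2
    # stops returning disassembly), which is why cleanup lives in `finally`.
    # The original placed the cleanup after this loop, where it was
    # unreachable.
    while True:
        # Inner loop: single-step until the next conditional jump. `~:0` is
        # r2's output filter selecting the first line of the JSON.
        while True:
            step()
            ci = r2.cmdj('pdj 1~:0')[0]
            o = ci['opcode']
            ot = ci['type']
            if ot == 'cjmp':
                # Two instructions back: the memory operand `[reg + off]`
                # that selects which flag byte is being tested.
                # NOTE(review): re.search returns None on an unexpected
                # instruction sequence and m.group(1) then raises
                # AttributeError; the script relies on the binary being
                # regular.
                m = re.search(r'\[(.*)\]', r2.cmdj('pdj -2~:0')[0]['opcode'])
                # One instruction back: its last operand is the bit mask.
                mask = convert2int(r2.cmdj('pdj -1~:0')[0]['opcode'].split()[2])
                # Only `[reg + off]` is parsed; a bare `[reg]` means byte 0.
                if '+' in m.group(1):
                    offset = convert2int(m.group(1).split()[2])
                else:
                    offset = 0
                j = o.split(' ')[0]
                # Force the fall-through path by overwriting ZF and record
                # the bit value that path implies for this flag byte
                # (the non-jump path is taken to be the "correct" one).
                if j == 'je':
                    r2.cmd('dr zf=0')
                    flag[offset] |= mask
                elif j == 'jne':
                    r2.cmd('dr zf=1')
                    flag[offset] &= (~mask & 0xff)
                step()
                break

        # Skip ahead: break on the 8th instruction from the current seek
        # and run to it before resuming single-stepping.
        r = r2.cmdj('pdj 8')
        a = r[7]['offset']
        r2.cmd('db ' + hex(a))
        r2.cmd('dc')
        step()
        # Redraw the flag in place on every layer.
        sys.stdout.write('\r' + ''.join(map(chr, flag)))
finally:
    # Terminate the progress line and shut the r2 session down however the
    # loop ended.
    sys.stdout.write('\n')
    r2.quit()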

$ python zwiebel.py 2> /dev/null
hxp{1_h0p3_y0u_d1dnt_p33l_th3_0ni0n_by_h4nd}

Reference

https://www.youtube.com/watch?v=y69uIxU0eI8
