# NcN CTF 2k13: Australia (Base - 500 pts)


# file derp
derp: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.26, BuildID[sha1]=0xbf6173b70ab3b4daee58d25e06e33f1738444a18, not stripped

Two things in that `file` output make the rest of the session easy: the binary is *not stripped*, so `main`, `check_buffer` and `goodboy_len` are all resolvable by name in gdb, and it is a plain (non-PIE) static executable, so every code and data address below (`0x0804....`, `0x080d....`) is fixed across runs.
# chmod +x derp
# echo 0 > /proc/sys/kernel/randomize_va_space

Disabling ASLR system-wide is only needed to keep the *stack* addresses printed later (`0xffffd4e4`, `0xffffd4f4`) stable between runs; the binary's own addresses are fixed regardless because it is not PIE. Note that gdb already disables address-space randomization for its inferior by default (`set disable-randomization on`), so this step is redundant inside gdb. If you do change the sysctl, remember to restore it afterwards (`echo 2 > /proc/sys/kernel/randomize_va_space`) rather than leaving the machine without ASLR.
# gdb --quiet ./derp
(gdb) set disassembly-flavor intel
(gdb) break main
(gdb) run
(gdb) disassemble main
(gdb) x/6i 0x080483a4
   0x80483a4 <main+208>: mov    eax,ds:0x80d1088
   0x80483a9 <main+213>: sub    eax,0x2
   0x80483ac <main+216>: mov    DWORD PTR [esp+0x4],eax
   0x80483b0 <main+220>: mov    eax,DWORD PTR [esp+0x1c]
   0x80483b4 <main+224>: mov    DWORD PTR [esp],eax
   0x80483b7 <main+227>: call   0x804841a <check_buffer>
(gdb) x/xw 0x80d1088
0x80d1088 <goodboy_len>: 0x00000042

(The start address `0x080483a4` was taken from the `disassemble main` output, which is omitted above.) This is the call site of interest: `main` loads the global `goodboy_len` (0x42 = 66), subtracts 2 and passes the result (64) as the second argument at `[esp+0x4]`, and passes the pointer stored at `[esp+0x1c]` as the first argument at `[esp]`. So the call is `check_buffer(buf, 64)`; the breakpoint on the `call` below is used to inspect what `buf` points to.
(gdb) break *0x80483b7
(gdb) continue
Continuing.
Facebook CTF
Enter flag: cookie

Breakpoint 2, 0x080483b7 in main ()
(gdb) info registers eax
eax            0x80d5298 135090840
(gdb) x/s 0x80d5298
0x80d5298:  "cookie\n"
(gdb) break *0x804841a
(gdb) continue
(gdb) disassemble
(gdb) x/3i 0x0804849c
=> 0x804849c <check_buffer+130>: mov    eax,DWORD PTR [ebp-0x4]
   0x804849f <check_buffer+133>: cmp    eax,DWORD PTR [ebp+0xc]
   0x80484a2 <check_buffer+136>: jb     0x804843c <check_buffer+34>
(gdb) break *0x0804849c
(gdb) continue
(gdb) x/xb $ebp-0x4
0xffffd4e4: 0x00
(gdb) x/xb $ebp+0xc
0xffffd4f4: 0x40

This is the loop condition of `check_buffer`: the local at `[ebp-0x4]` (0 on the first pass) is compared against `[ebp+0xc]`, which in a standard 32-bit cdecl frame is the second argument — the length 0x40 = 64 that `main` computed from `goodboy_len - 2`. The compare is unsigned (`jb`), so the loop body at `check_buffer+34` runs while `counter < 64`. Note that `x/xb` shows only the low byte of each dword; it happens to be enough here because both values are small, but `x/xw` would print the full 32-bit values and avoid surprises if the counter or length were larger than 255.
(gdb) x/64xb 0x080b2224
0x80b2224: 0xeb 0xe8 0xbf 0xe4 0xea 0xbe 0xba 0xe4
0x80b222c: 0xe5 0xea 0xe8 0xea 0xe8 0xee 0xe9 0xba
0x80b2234: 0xea 0xe8 0xeb 0xba 0xbf 0xba 0xeb 0xea
0x80b223c: 0xe8 0xef 0xbd 0xba 0xed 0xe9 0xba 0xee
0x80b2244: 0xe9 0xed 0xbe 0xed 0xe4 0xea 0xbe 0xba
0x80b224c: 0xe9 0xe4 0xbd 0xea 0xb8 0xe9 0xb8 0xbf
0x80b2254: 0xeb 0xb9 0xbe 0xe4 0xbe 0xba 0xe5 0xbf
0x80b225c: 0xba 0xbf 0xe5 0xb8 0xec 0xe8 0xbf 0xb8

`0x080b2224` is the static table the loop body compares the input against; its address comes from the (omitted) `disassemble` output of `check_buffer`, and 64 bytes are dumped because that is exactly the loop bound found above. The bytes are all outside the printable ASCII range, which is the first hint that the input is transformed before being compared rather than compared directly.
(gdb) x/3i 0x0804848b
=> 0x804848b <check_buffer+113>: xor    eax,ecx
   0x804848d <check_buffer+115>: cmp    dl,al
   0x804848f <check_buffer+117>: je     0x8048498 <check_buffer+126>
(gdb) break *0x0804848b
(gdb) continue
(gdb) info registers eax
eax            0xdc 220
(gdb) info registers ecx
ecx            0x63 99
(gdb) info registers edx
edx            0xeb 235

This is the per-byte check. At the first iteration `ecx` holds 0x63 (`'c'`, the first byte of the input `cookie\n`), `eax` holds the constant 0xdc, and `edx` holds 0xeb, the first byte of the table at `0x080b2224`. The comparison is therefore `(input[i] ^ 0xdc) == table[i]`, and since XOR is its own inverse the expected input is `table[i] ^ 0xdc` for every `i`. Only iteration 0 is observed here, so the key being a fixed 0xdc for all 64 positions is an assumption — one that the successful run below confirms.
(gdb) quit
# python -c 'list=[0xeb,0xe8,0xbf,0xe4,0xea,0xbe,0xba,0xe4,0xe5,0xea,0xe8,0xea,0xe8,0xee,0xe9,0xba,0xea,0xe8,0xeb,0xba,0xbf,0xba,0xeb,0xea,0xe8,0xef,0xbd,0xba,0xed,0xe9,0xba,0xee,0xe9,0xed,0xbe,0xed,0xe4,0xea,0xbe,0xba,0xe9,0xe4,0xbd,0xea,0xb8,0xe9,0xb8,0xbf,0xeb,0xb9,0xbe,0xe4,0xbe,0xba,0xe5,0xbf,0xba,0xbf,0xe5,0xb8,0xec,0xe8,0xbf,0xb8]; print "".join(chr(i^0xdc) for i in list)' | ./derp
Facebook CTF
Enter flag: Winner! Post your flag.

The one-liner XORs each of the 64 table bytes with 0xdc and pipes the result into the binary. A few notes: it is Python 2 syntax (`print` statement); the trailing newline that `print` adds is harmless because only the first 64 bytes are compared (the earlier test input `cookie\n` was read with its newline intact too, so the program presumably reads a whole line). Every decoded byte is a lowercase hex digit, so the flag is a 64-character hex string (SHA-256-shaped, though the binary does not say what it is a hash of). The program does not echo the flag on success, so run the Python part on its own, without the pipe, to read it. A Python 3 equivalent that writes raw bytes is `python3 -c 'import sys; t=bytes([...]); sys.stdout.buffer.write(bytes(b^0xdc for b in t)+b"\n")'`.
