# PicoCTF 2k13 - moreevil


# gdb -q -n -x moreevil.py
Please enter your password: 1  
 [0x401f2f] cmp ebx, eax                                                        [0x1] < [0x13]
Wrong!

# gdb -q -n -x moreevil.py
Please enter your password: 1234567890123456789 
[0x4020df] xor ebx, r10d                                                        ['1'] ^ ['q'] = '@'
 [0x4020df] xor ebx, r10d                                                       ['2'] ^ ['q'] = 'C'
  [0x4020df] xor ebx, r10d                                                      ['3'] ^ ['q'] = 'B'
   [0x4020df] xor ebx, r10d                                                     ['4'] ^ ['q'] = 'E'
    [0x4020df] xor ebx, r10d                                                    ['5'] ^ ['q'] = 'D'
     [0x4020df] xor ebx, r10d                                                   ['6'] ^ ['q'] = 'G'
      [0x4020df] xor ebx, r10d                                                  ['7'] ^ ['q'] = 'F'
       [0x4020df] xor ebx, r10d                                                 ['8'] ^ ['q'] = 'I'
        [0x4020df] xor ebx, r10d                                                ['9'] ^ ['q'] = 'H'
         [0x4020df] xor ebx, r10d                                               ['0'] ^ ['q'] = 'A'
          [0x4020df] xor ebx, r10d                                              ['1'] ^ ['q'] = '@'
           [0x4020df] xor ebx, r10d                                             ['2'] ^ ['q'] = 'C'
            [0x4020df] xor ebx, r10d                                            ['3'] ^ ['q'] = 'B'
             [0x4020df] xor ebx, r10d                                           ['4'] ^ ['q'] = 'E'
              [0x4020df] xor ebx, r10d                                          ['5'] ^ ['q'] = 'D'
               [0x4020df] xor ebx, r10d                                         ['6'] ^ ['q'] = 'G'
                [0x4020df] xor ebx, r10d                                        ['7'] ^ ['q'] = 'F'
                 [0x4020df] xor ebx, r10d                                       ['8'] ^ ['q'] = 'I'
                  [0x4020df] xor ebx, r10d                                      ['9'] ^ ['q'] = 'H'
                   [0x401fd6] cmp r11d, ebx                                     [0x13] == [0x13]
[0x4021e8] mov rbx, rax                                                         rbx = [0x6030c8]
[0x4021eb] mov rbx, QWORD PTR [rbx]                                             rbx = [0x19]
[0x4021ee] cmp r11d, ebx                                                        ['@'] > [0x19]
Wrong!
# gdb moreevil
(gdb) set environment LD_PRELOAD=lib/hook64.so
(gdb) break *0x4021ee
(gdb) run
Please enter your password: 1234567890123456789
(gdb) x/152xb 0x6030c8
0x6030c8: 0x19 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x6030d0: 0x1e 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x6030d8: 0x06 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x6030e0: 0x51 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x6030e8: 0x1d 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x6030f0: 0x1e 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x6030f8: 0x06 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603100: 0x51 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603108: 0x12 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603110: 0x10 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603118: 0x1f 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603120: 0x51 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603128: 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603130: 0x1e 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603138: 0x04 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603140: 0x51 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603148: 0x16 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603150: 0x1e 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x603158: 0x4e 0x00 0x00 0x00 0x00 0x00 0x00 0x00

# ipython — each qword dumped from 0x6030c8 is the expected byte after the xor with 'q' at 0x4020df, so xoring the table with 'q' again recovers the password
In [1]: key = [0x19, 0x1e, 0x06, 0x51, 0x1d, 0x1e, 0x06, 0x51, 0x12, 0x10, 0x1f, 0x51, 0x08, 0x1e, 0x04, 0x51, 0x16, 0x1e, 0x4e]
In [2]: password = ''
In [3]: for byte in key:
            password += chr(byte ^ ord('q'))

In [4]: password
Out[4]: 'how low can you go?'
