Challenge Information
+------------+----------------+---------------------+--------+
| Event      | Challenge      | Category            | Points |
+------------+----------------+---------------------+--------+
| TJCTF 2018 | Bricked Binary | Reverse Engineering | 80     |
+------------+----------------+---------------------+--------+
Description
Earlier, I input my flag to this image and received 22c15d5f23238a8fff8d299f8e5a1c62 as the output. Unfortunately, later on I broke the program and also managed to lose my flag. Can you find it for me?
The flag is not in standard flag format.
Challenge Detail
At the start, we are given an encryption program. Using gdb, I found that the program calls "strcpy" to overwrite our input, so the "hash" function never works on what we typed. I therefore used vim + xxd to patch the binary, covering the "strcpy" call with "nop" instructions.
After that the program finally works. One input char produces one hex byte of output, and two chars produce two, so each input byte maps to one output byte; since the given hash is 32 hex digits, I guess the flag is 16 characters long. Finally, I wrote a Python script to brute-force it one byte at a time.
from pwn import *

ans = "22c15d5f23238a8fff8d299f8e5a1c62"  # output of the original (unpatched) run
good = ""  # flag characters recovered so far

# One input char gives one hex byte of output, so the 32-digit hash means a
# 16-char flag.  Recover it one byte at a time: the already recovered prefix is
# supplied before the candidate char, and only output byte g is compared.
for g in range(0, 16):
    for i in range(32, 127):
        r = process(argv=["./patched_hashgen", good + chr(i)])
        words = r.recvuntil(b"\n").decode()
        r.close()
        if words[g*2:g*2+2] == ans[g*2:g*2+2]:
            print("")
            print("feedback:" + chr(i))
            print("")
            good += chr(i)
            break

print(good)
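As an added example that is not part of the original writeup, the script below models the property the brute force relies on: one output byte per input byte, each depending only on the input before it. `toy_hash` is a constructed stand-in for the patched hashgen (its real algorithm is not on the page), and running the same search against a real hash shows why the per-byte shortcut fails there.

```python
import hashlib

PRINTABLE = [chr(c) for c in range(32, 127)]
SECRET = "tjctf_bricked_16"  # constructed 16-char secret, not the real flag


def toy_hash(data):
    """Constructed stand-in for the patched hashgen (its real algorithm is not
    on the page): one output byte per input byte, and output byte g depends
    only on input bytes 0..g.  That prefix dependence is the weakness."""
    state = 0x5A
    out = []
    for b in data.encode():
        state = ((state * 31) ^ b) & 0xFF
        out.append(state)
    return bytes(out).hex()


def sha256_oracle(data):
    """A real hash truncated to the same 32 hex digits, for comparison."""
    return hashlib.sha256(data.encode()).hexdigest()[:32]


def recover(oracle, target_hex):
    """The writeup's search, generalised: extend the recovered prefix one
    character at a time, keeping the candidate whose output byte g matches.
    About 95 * n oracle calls instead of 95 ** n.  Returns None as soon as no
    candidate matches, which is what happens against a real hash."""
    good = ""
    for g in range(len(target_hex) // 2):
        for c in PRINTABLE:
            if oracle(good + c)[g*2:g*2+2] == target_hex[g*2:g*2+2]:
                good += c
                break
        else:
            return None
    return good


if __name__ == "__main__":
    print("toy hash:", recover(toy_hash, toy_hash(SECRET)))
    print("sha256  :", recover(sha256_oracle, sha256_oracle(SECRET)))
```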
Solution Process
At the start we get an encryption program, but it would not run no matter what. Observing it with gdb, I found that it uses strcpy to overwrite our input.
So I used vim + xxd to replace that part with nop, and the encryption program then ran successfully.
First I tried running the program: one input char produced one hex byte of output and two chars produced two, so I guessed the flag is 16 characters long. Finally, writing a Python script to brute-force the flag is enough.