Bringing this back from the dead. I'm completely new to this field of reversing. I've dived straight in and believe I'm on "step 2". To solve the rest of this, would my time be better spent learning how to read/write assembly, or should I be looking for tools that can decompile ELF/convert assembly to C?
In the few hours I've spent using rabin2 and learning some more common assembly operands like cmp and lea, I feel like I'm progressing in the puzzle, but is this really the most efficient method in 2019?
@ytho I just solved it using the NSA tool Ghidra (https://ghidra-sre.org/); it works similarly to tools like IDA, Hopper or Radare.
Step 1 should be very obvious if you know the basic libc functions, step 2 requires you to figure out what that unknown function does (grab an ASCII table), and step 3 is what happens after you pass the check.
As mentioned above, maybe you can skip step 2 since that would be rather hard?
By doing step 3 in Python or similar?
I don’t feel like much assembly knowledge is needed here. Maybe just a Ghidra hint:
Start at "entry" in the function browser on the left after opening and analyzing the file (tutorials are available); the first argument passed to __libc_start_main is your "main" function.
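The hint above (follow `entry`, and the first argument handed to `__libc_start_main` is `main`) can be checked without a GUI. The script below is an added example written for this thread, not code from the challenge or from any of the posters: it scans the raw bytes of an x86-64 `_start` for the last load into `rdi` before the `call` to `__libc_start_main`, which is exactly what Ghidra shows you when you click through from `entry`. It handles the two encodings glibc's `_start` actually uses, `mov rdi, imm32` (non-PIE) and `lea rdi, [rip+disp32]` (PIE). The two byte strings are constructed samples of typical `_start` stubs and the load addresses (0x401040 and 0x1040) are assumptions; with a real file you would take the bytes and the virtual address of `_start` from `rabin2 -e` / `rabin2 -s` or from Ghidra's listing.

```python
import struct

# Opcode prefixes we care about inside _start (x86-64, glibc stub).
MOV_RDI_IMM32 = b"\x48\xc7\xc7"  # mov rdi, imm32 (sign-extended) -> non-PIE binaries
LEA_RDI_RIP = b"\x48\x8d\x3d"    # lea rdi, [rip+disp32]          -> PIE binaries
CALL_RIP_MEM = b"\xff\x15"       # call [rip+disp32]  (__libc_start_main via GOT)
CALL_REL32 = b"\xe8"             # call rel32         (__libc_start_main via PLT)


def find_main(start_bytes, start_va):
    """Return the virtual address of main() as loaded into rdi just before
    _start calls __libc_start_main, or None if no such load is found.

    This is a pattern scan, not a full decoder: it is good enough for the
    short, fixed glibc _start stub but would need a real disassembler
    (capstone, radare2, Ghidra) for arbitrary code.
    """
    main_va = None
    i = 0
    while i < len(start_bytes):
        chunk = start_bytes[i:]
        if chunk.startswith(MOV_RDI_IMM32) and len(chunk) >= 7:
            imm = struct.unpack_from("<i", chunk, 3)[0]
            main_va = imm & 0xFFFFFFFFFFFFFFFF  # sign-extend into 64 bits
            i += 7
        elif chunk.startswith(LEA_RDI_RIP) and len(chunk) >= 7:
            disp = struct.unpack_from("<i", chunk, 3)[0]
            # RIP-relative: target = address of the *next* instruction + disp
            main_va = start_va + i + 7 + disp
            i += 7
        elif chunk.startswith(CALL_RIP_MEM) and len(chunk) >= 6:
            return main_va  # first call reached: rdi holds main
        elif chunk.startswith(CALL_REL32) and len(chunk) >= 5:
            return main_va
        else:
            i += 1
    return None


# Constructed sample: a non-PIE _start loaded at 0x401040 (assumed address).
# ... push rsp; mov r8, fini; mov rcx, init; mov rdi, main; call [rip+X]; hlt
NOPIE_START = bytes.fromhex(
    "31ed4989d15e4889e24883e4f05054"
    "49c7c0d0114000"   # mov r8,  0x4011d0 (__libc_csu_fini)
    "48c7c160114000"   # mov rcx, 0x401160 (__libc_csu_init)
    "48c7c736114000"   # mov rdi, 0x401136 (main)
    "ff15a22f0000"     # call [rip+0x2fa2] -> __libc_start_main
    "f4"
)

# Constructed sample: a PIE _start loaded at 0x1040 (assumed address),
# newer glibc style with r8/rcx zeroed and main loaded RIP-relative.
PIE_START = bytes.fromhex(
    "31ed4989d15e4889e24883e4f05054"
    "4531c0"           # xor r8d, r8d
    "31c9"             # xor ecx, ecx
    "488d3dc2000000"   # lea rdi, [rip+0xc2] -> main
    "ff15a22f0000"     # call [rip+0x2fa2] -> __libc_start_main
    "f4"
)

if __name__ == "__main__":
    print(hex(find_main(NOPIE_START, 0x401040)))  # 0x401136
    print(hex(find_main(PIE_START, 0x1040)))      # 0x111d
```

The PIE case is the one people trip over: the displacement is relative to the end of the `lea`, so you add 7 to the instruction's own address before adding `disp32`. Once you have the address, `s 0x111d` in radare2 (or Ctrl+G in Ghidra) puts you at the real `main`, which is where the two "password" checks in this challenge live.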
Stage 1 was super easy, passed in about 30 seconds. Step 2 was a bit harder, but only because I lack any experience in reversing (started a day ago). I have experience programming in different languages, so I understand how programs run.
Step 2 was a bit hard only because I had to get used to the app. I knew what I wanted to do (modify the code) but didn't know how to. So I just played around with the app and finally managed to change something. Saved the modified bin and re-ran it to get the flag.
@S7uXN37 No need for ASCII tables if you can decompile.
Excellent challenge once I took the name literally and started paying attention.
Also just went back and did it via patching, pretty easy once you spot it!
I’m stuck at the ** part. Been trying to study and debug the decompiled code generated from ghidra for hours and I’m not making any progress. Can anybody give me a hint?
edit: Got it, had to use a combination of Ghidra + radare (Ghidra wasn't 100% necessary, but the decompiled code helps). Learned some really cool things on this one.
Solved it using Ghidra's decompiler and some gdb debugging for register value manipulation. I also solved it with binary patching, so that you get the flag by just executing the binary. Though, by bypassing the 2 "passwords", you miss the whole point. Reverse engineering is not about getting some flag, but rather about understanding the underlying logic. The flag is just there to verify that you followed a correct methodology.
SPOILER: Assume the bin is going to display your flag on screen. Locate such calls, and exclude those whose arg is way too short to be your flag. Between that one remaining call and the creation of its stack frame is the assembly that assembles your flag (no pun intended).
But yeah, I totally followed the execution flow from start to finish for days before I realized this. And the most delightful part of this whole process was editing the theme color config file of Cutter, the UI of Radare2, hehehehe.