rishitsaiya
4 years ago
3 changed files with 227 additions and 0 deletions
@ -0,0 +1,193 @@ |
|||
## RickNMorty |
|||
The main idea finding the flag is reverse the functions using Ghidhra to understand the code. |
|||
|
|||
#### Step-1: |
|||
After I downloaded `RickNMorty`, and decompiled it in Ghidhra, I got the **main()** as follows: |
|||
```c |
|||
undefined8 main(void) |
|||
{ |
|||
int iVar1; |
|||
time_t tVar2; |
|||
long lVar3; |
|||
long local_48; |
|||
time_t local_40; |
|||
time_t local_38; |
|||
time_t local_30; |
|||
long local_28; |
|||
long local_20; |
|||
char *local_18; |
|||
int local_10; |
|||
int local_c; |
|||
|
|||
setbuf(stdin,(char *)0x0); |
|||
setbuf(stdout,(char *)0x0); |
|||
setbuf(stderr,(char *)0x0); |
|||
tVar2 = time(&local_30); |
|||
srand((uint)tVar2); |
|||
time(&local_38); |
|||
local_c = 1; |
|||
local_10 = 0; |
|||
while( true ) { |
|||
iVar1 = rand(); |
|||
if (iVar1 % 3 + 4 < local_10) break; |
|||
iVar1 = rand(); |
|||
local_20 = (long)(iVar1 % 10 + 6); |
|||
iVar1 = rand(); |
|||
local_28 = (long)(iVar1 % 10 + 6); |
|||
printf("%d %d\n",local_20,local_28); |
|||
__isoc99_scanf(&DAT_0040200f,&local_48); |
|||
lVar3 = function1(local_20); |
|||
lVar3 = function2(lVar3 + 3); |
|||
if (lVar3 != local_48) { |
|||
local_c = 0; |
|||
} |
|||
local_10 = local_10 + 1; |
|||
} |
|||
time(&local_40); |
|||
local_18 = (char *)(double)(local_40 - local_38); |
|||
printf(local_18,"fun() took %f seconds to execute \n"); |
|||
if ((local_c != 1) || (30.00000000 < (double)local_18)) { |
|||
printf("Nahh."); |
|||
} |
|||
else { |
|||
puts("Hey, you got me!"); |
|||
system("cat flag.txt"); |
|||
} |
|||
return 0; |
|||
} |
|||
``` |
|||
|
|||
#### Step-2: |
|||
A pair of random numbers is generated and passed through `function1()` & `function2()` and checked with pair of numbers with given number to get the flag. |
|||
|
|||
```c |
|||
long function1(long param_1,long param_2) |
|||
{ |
|||
int local_10; |
|||
int local_c; |
|||
|
|||
local_c = 0; |
|||
local_10 = 1; |
|||
while ((local_10 <= param_1 || (local_10 <= param_2))) { |
|||
if ((param_1 % (long)local_10 == 0) && (param_2 % (long)local_10 == 0)) { |
|||
local_c = local_10; |
|||
} |
|||
local_10 = local_10 + 1; |
|||
} |
|||
return (long)local_c; |
|||
} |
|||
``` |
|||
|
|||
```c |
|||
long function2(long param_1) |
|||
{ |
|||
long lVar1; |
|||
|
|||
if (param_1 == 0) { |
|||
lVar1 = 1; |
|||
} |
|||
else { |
|||
lVar1 = function2(param_1 + -1); |
|||
lVar1 = lVar1 * param_1; |
|||
} |
|||
return lVar1; |
|||
} |
|||
``` |
|||
|
|||
#### Step-3: |
|||
So, I wrote this `exploit.py` to get the flag: |
|||
|
|||
```python |
|||
from pwn import * |
|||
|
|||
context.log_level='DEBUG' |
|||
p = remote('chall.csivit.com', 30827) #Remote netcat |
|||
|
|||
def fun1(param_1, param_2): |
|||
local_c = 0 |
|||
local_10 = 1 |
|||
while (local_10 <= param_1) or (local_10 <= param_2): |
|||
if (param_1 % local_10 == 0) and (param_2 % local_10 == 0): |
|||
local_c = local_10 |
|||
local_10 += 1 |
|||
return local_c |
|||
|
|||
def fun2(param_1): |
|||
lvar1 = 0 |
|||
if param_1 == 0: |
|||
lvar1 = 1 |
|||
else: |
|||
lvar1 = fun2(param_1 - 1) |
|||
lvar1 = lvar1 * param_1 |
|||
return lvar1 |
|||
|
|||
while True: |
|||
line = p.recvline() |
|||
if not line or line.decode().startswith('fun() took'): |
|||
break |
|||
|
|||
nums = line.decode().rstrip().split(' ') |
|||
ans = fun1(int(nums[0]), int(nums[1])) |
|||
ans = fun2(ans + 3) |
|||
p.sendline(str(ans)) |
|||
|
|||
p.stream() |
|||
``` |
|||
|
|||
#### Step-4: |
|||
Running the script gave me: |
|||
|
|||
```bash |
|||
[DEBUG] PLT 0x40102c puts |
|||
[DEBUG] PLT 0x401040 setbuf |
|||
[DEBUG] PLT 0x401050 system |
|||
[DEBUG] PLT 0x401060 printf |
|||
[DEBUG] PLT 0x401070 srand |
|||
[DEBUG] PLT 0x401080 time |
|||
[DEBUG] PLT 0x401090 __isoc99_scanf |
|||
[DEBUG] PLT 0x4010a0 rand |
|||
[*] |
|||
Arch: amd64-64-little |
|||
RELRO: Partial RELRO |
|||
Stack: No canary found |
|||
NX: NX enabled |
|||
PIE: No PIE (0x400000) |
|||
[+] Opening connection to chall.csivit.com on port 30827: Done |
|||
[DEBUG] Received 0x6 bytes: |
|||
b'11 15\n' |
|||
[DEBUG] Sent 0x3 bytes: |
|||
b'24\n' |
|||
[DEBUG] Received 0x5 bytes: |
|||
b'9 12\n' |
|||
[DEBUG] Sent 0x4 bytes: |
|||
b'720\n' |
|||
[DEBUG] Received 0x5 bytes: |
|||
b'7 10\n' |
|||
[DEBUG] Sent 0x3 bytes: |
|||
b'24\n' |
|||
[DEBUG] Received 0x5 bytes: |
|||
b'9 11\n' |
|||
[DEBUG] Sent 0x3 bytes: |
|||
b'24\n' |
|||
[DEBUG] Received 0x5 bytes: |
|||
b'8 10\n' |
|||
[DEBUG] Sent 0x4 bytes: |
|||
b'120\n' |
|||
[DEBUG] Received 0x5 bytes: |
|||
b'6 13\n' |
|||
[DEBUG] Sent 0x3 bytes: |
|||
b'24\n' |
|||
[DEBUG] Received 0x28 bytes: |
|||
b'fun() took 0.000000 seconds to execute \n' |
|||
[DEBUG] Received 0x11 bytes: |
|||
b'Hey, you got me!\n' |
|||
Hey, you got me! |
|||
[DEBUG] Received 0x28 bytes: |
|||
b'csictf{h3_7u2n3d_h1m531f_1n70_4_p1ck13}\n' |
|||
csictf{h3_7u2n3d_h1m531f_1n70_4_p1ck13} |
|||
``` |
|||
Voila! We got the flag. |
|||
|
|||
#### Step-5: |
|||
Finally the flag becomes: |
|||
`csictf{h3_7u2n3d_h1m531f_1n70_4_p1ck13}` |
Binary file not shown.
@ -0,0 +1,34 @@ |
|||
from pwn import * |
|||
|
|||
context.log_level='DEBUG' |
|||
p = remote('chall.csivit.com', 30827) #Remote netcat |
|||
|
|||
def fun1(param_1, param_2): |
|||
local_c = 0 |
|||
local_10 = 1 |
|||
while (local_10 <= param_1) or (local_10 <= param_2): |
|||
if (param_1 % local_10 == 0) and (param_2 % local_10 == 0): |
|||
local_c = local_10 |
|||
local_10 += 1 |
|||
return local_c |
|||
|
|||
def fun2(param_1): |
|||
lvar1 = 0 |
|||
if param_1 == 0: |
|||
lvar1 = 1 |
|||
else: |
|||
lvar1 = fun2(param_1 - 1) |
|||
lvar1 = lvar1 * param_1 |
|||
return lvar1 |
|||
|
|||
while True: |
|||
line = p.recvline() |
|||
if not line or line.decode().startswith('fun() took'): |
|||
break |
|||
|
|||
nums = line.decode().rstrip().split(' ') |
|||
ans = fun1(int(nums[0]), int(nums[1])) |
|||
ans = fun2(ans + 3) |
|||
p.sendline(str(ans)) |
|||
|
|||
p.stream() |
Loading…
Reference in new issue