From ed3907e13ffd7e6b170e9e01fb86a8e4f0919986 Mon Sep 17 00:00:00 2001
From: rishitsaiya
Date: Fri, 31 Jul 2020 18:25:06 +0530
Subject: [PATCH] Added Reversing Challenges
---
 Reversing/RicknMorty/README.md | 193 ++++++++++++++++++++++++++++++++
 Reversing/RicknMorty/RickNMorty | Bin 0 -> 17144 bytes
 Reversing/RicknMorty/exploit.py | 34 ++++++
 3 files changed, 227 insertions(+)
 create mode 100644 Reversing/RicknMorty/README.md
 create mode 100644 Reversing/RicknMorty/RickNMorty
 create mode 100644 Reversing/RicknMorty/exploit.py
diff --git a/Reversing/RicknMorty/README.md b/Reversing/RicknMorty/README.md
new file mode 100644
index 0000000..6c57c3a
--- /dev/null
+++ b/Reversing/RicknMorty/README.md
@@ -0,0 +1,193 @@ +## RickNMorty +The main idea finding the flag is reverse the functions using Ghidhra to understand the code. + +#### Step-1: +After I downloaded `RickNMorty`, and decompiled it in Ghidhra, I got the **main()** as follows: +```c +undefined8 main(void) +{ + int iVar1; + time_t tVar2; + long lVar3; + long local_48; + time_t local_40; + time_t local_38; + time_t local_30; + long local_28; + long local_20; + char *local_18; + int local_10; + int local_c; + + setbuf(stdin,(char *)0x0); + setbuf(stdout,(char *)0x0); + setbuf(stderr,(char *)0x0); + tVar2 = time(&local_30); + srand((uint)tVar2); + time(&local_38); + local_c = 1; + local_10 = 0; + while( true ) { + iVar1 = rand(); + if (iVar1 % 3 + 4 < local_10) break; + iVar1 = rand(); + local_20 = (long)(iVar1 % 10 + 6); + iVar1 = rand(); + local_28 = (long)(iVar1 % 10 + 6); + printf("%d %d\n",local_20,local_28); + __isoc99_scanf(&DAT_0040200f,&local_48); + lVar3 = function1(local_20); + lVar3 = function2(lVar3 + 3); + if (lVar3 != local_48) { + local_c = 0; + } + local_10 = local_10 + 1; + } + time(&local_40); + local_18 = (char *)(double)(local_40 - local_38); + printf(local_18,"fun() took %f seconds to execute \n"); + if ((local_c != 1) || (30.00000000 < (double)local_18)) { + printf("Nahh."); + } + else { + puts("Hey, you got me!"); + system("cat flag.txt"); + } + return 0; +} +``` + +#### Step-2: +A pair of random numbers is generated and passed through `function1()` & `function2()` and checked with pair of numbers with given number to get the flag. 
+ +```c +long function1(long param_1,long param_2) +{ + int local_10; + int local_c; + + local_c = 0; + local_10 = 1; + while ((local_10 <= param_1 || (local_10 <= param_2))) { + if ((param_1 % (long)local_10 == 0) && (param_2 % (long)local_10 == 0)) { + local_c = local_10; + } + local_10 = local_10 + 1; + } + return (long)local_c; +} +``` + +```c +long function2(long param_1) +{ + long lVar1; + + if (param_1 == 0) { + lVar1 = 1; + } + else { + lVar1 = function2(param_1 + -1); + lVar1 = lVar1 * param_1; + } + return lVar1; +} +``` + +#### Step-3: +So, I wrote this `exploit.py` to get the flag: + +```python +from pwn import * + +context.log_level='DEBUG' +p = remote('chall.csivit.com', 30827) #Remote netcat + +def fun1(param_1, param_2): + local_c = 0 + local_10 = 1 + while (local_10 <= param_1) or (local_10 <= param_2): + if (param_1 % local_10 == 0) and (param_2 % local_10 == 0): + local_c = local_10 + local_10 += 1 + return local_c + +def fun2(param_1): + lvar1 = 0 + if param_1 == 0: + lvar1 = 1 + else: + lvar1 = fun2(param_1 - 1) + lvar1 = lvar1 * param_1 + return lvar1 + +while True: + line = p.recvline() + if not line or line.decode().startswith('fun() took'): + break + + nums = line.decode().rstrip().split(' ') + ans = fun1(int(nums[0]), int(nums[1])) + ans = fun2(ans + 3) + p.sendline(str(ans)) + +p.stream() +``` + +#### Step-4: +Running the script gave me: + +```bash +[DEBUG] PLT 0x40102c puts +[DEBUG] PLT 0x401040 setbuf +[DEBUG] PLT 0x401050 system +[DEBUG] PLT 0x401060 printf +[DEBUG] PLT 0x401070 srand +[DEBUG] PLT 0x401080 time +[DEBUG] PLT 0x401090 __isoc99_scanf +[DEBUG] PLT 0x4010a0 rand +[*] + Arch: amd64-64-little + RELRO: Partial RELRO + Stack: No canary found + NX: NX enabled + PIE: No PIE (0x400000) +[+] Opening connection to chall.csivit.com on port 30827: Done +[DEBUG] Received 0x6 bytes: + b'11 15\n' +[DEBUG] Sent 0x3 bytes: + b'24\n' +[DEBUG] Received 0x5 bytes: + b'9 12\n' +[DEBUG] Sent 0x4 bytes: + b'720\n' +[DEBUG] Received 0x5 bytes: + 
b'7 10\n' +[DEBUG] Sent 0x3 bytes: + b'24\n' +[DEBUG] Received 0x5 bytes: + b'9 11\n' +[DEBUG] Sent 0x3 bytes: + b'24\n' +[DEBUG] Received 0x5 bytes: + b'8 10\n' +[DEBUG] Sent 0x4 bytes: + b'120\n' +[DEBUG] Received 0x5 bytes: + b'6 13\n' +[DEBUG] Sent 0x3 bytes: + b'24\n' +[DEBUG] Received 0x28 bytes: + b'fun() took 0.000000 seconds to execute \n' +[DEBUG] Received 0x11 bytes: + b'Hey, you got me!\n' +Hey, you got me! +[DEBUG] Received 0x28 bytes: + b'csictf{h3_7u2n3d_h1m531f_1n70_4_p1ck13}\n' +csictf{h3_7u2n3d_h1m531f_1n70_4_p1ck13} +``` +Voila! We got the flag. + +#### Step-5: +Finally the flag becomes: +`csictf{h3_7u2n3d_h1m531f_1n70_4_p1ck13}` \ No newline at end of file 
diff --git a/Reversing/RicknMorty/RickNMorty b/Reversing/RicknMorty/RickNMorty new file mode 100644 index 0000000000000000000000000000000000000000..bdef3e142db427f940fe15fa9d09beda3610e6c3 GIT binary patch literal 17144 zcmeHOeQaCR6~DIgML%q(w6wIaycIGvK;5(}C8270PUH3krG=HafVTGG`Xjb*>|j4b z0;*0%Mblw5t2k0-~D(9fa}~Ak;hOzI&YK z7iVnyXA<*?-aGgF?m6e)d+xn2@A}>QsHc6q)nZ{pR<@O)bj&GpNWU|7Vlx*7*2ESv znO)1SVO4-sz$Nn>T}Hb~ObVHa_7T4zoDwI!LU|Gz14%Mx#A`(Ti5u-OHq51~v#qk85S-$1OxTkh zifHE)c21#BJSzf0oZ^Yq$LqB4ciJk0gtCl`wetHcM_r^lFK7Wwhb5Gd%SF6{ONv%mP!p;teC@+8(9>wx}H2MP75I7}~w3-fuq zEE4OpIIW1;;X-P-_RuvUug}?hX@G{Mo?*B@0%^%0QxdTyBp7)6Jh*2bym21w!sfdlY8vany$D@u~K*q61^JaM@0z=Wpf&xpej9h^>adZSU zahuFJj$O1P${BFue4R4j)CXuYZNPEt5K({OGZg0p5%m}1G*2*(`U`Of0)keEe#FPL zl|bN<0mnEHtuf&A?7_T71CC`7H5qX6uYhOC1{?xcAjN<$D4_6MG~hUv%T$g)IRfPf zlp|1%Ksf^C2z*u|@Q&kiA1VD8Ym|Y?SJpA6d@Z9{^I4_;bj>JlV*ch=0nXRI26soD z3@Mbum^V3*2de)g%J|ATndS1!C|gm^aQQ`)@s)1!7?)3>jIVN&N4fkW_w8j=F>3fw7?zVR*4qw%}d65*qzySZ8CSt4|`7pBN3zDr0+}=lWlLle6@c zGVM#566Xv#ll0#QP;}YsH3hA3&isKwrqjAu+)`aC4C|HFtp-K z<&A(?_Kpsj%R~J)zJZF+D^4YSU|Q)vFwIicCosfsEK>$NfaEMndMtMiJSmQ!d8S_& z;R{@;%%=CjXDjZRo zJ-GwVQF7wI@d3|_a%8VwAk;8@U?!cK&Ur8A^8?=L8@)4ww_Be0;6u=|WJR_5FUk<6 z>mW?eW4*BEXFh?N4^-yY8nEL!w$P~e1H=YB=h5b6NCW$o4rLKK32A68HWONl&L@8l zx7--2o>Kg$lt`vC6bdOLIca3tnm#vjxvpUMEt&M$hLJ&c6*M#L$>oOr z8?y;zzzY`yH+@DK-0}=87EWMIa#p>f86AJJfUiWnU~>-Ju@$1H^k;0CwqSa|n^Bsx zTD9m(?2X)|8OZQwmB`C`yk4&|^175B8TqiT;l=b>%L|sX4ddxkgDn-!o@vM7kI~1V zXB_=~AI%0JJ>bnM4cU<6t;{9GaYN>kqt-J88B-y}5z9c$7hnxBlsN@V`VY)lQVo|J z&dOT>4>{I(rV=Ybs~V)-2Op#VEsHR{5R~7j1!*DL^On~D#8WSf^7-e!yM1uWw;C98 z?`cb)b9>v;@3}kN=^3vwxb`5xceOWsg3q8_9Q}@bV$^X`jC_i`s1-c5@adZ6ZEIF zptOJ~!QPvs-grvtjB8R?@bk>?)1*+;*Xh!FG`7nZ4#QGTr>(MOm2ESAL&k3}C*I2E zj{sMu^7(GyJ-~5!?s_|)&j43}PXNyX$B$X>1DAkLzmw0)z{Bt6^Iyl63J`wxMY24+ zn^}6CmQ{2w@3$7J_4FP9%=XU#w+Z_uZ zs_A35t=xRW7q4H9F#3wZ6@t31N5E}&K4#svxGD+-f{6Kt;Ccx19{^s+x9SR*|5Lce zA^!`;eBZ47OMw3l@-5gU=10o7Oh_io-UKT^g+L*w-AY zY_&H&R;AdR`m1-?<(R$6ZEtkj*RTA4TUKEcJZ3YT4+770%Kq-pQpdHB?dbTz-jZL7>v 
ztAtE@3RjXW@^Kx6MEUPs&d0fIlac9rw1Jol_<&C%Jh|q^mv|Ofm z!t##GJtAMY`JXY`S8lGrCb2($yWo2S4+;LD;ExIZxZqC-ZuYlh+qPS!HL&x#L0aGF zTJOSj_@|K#M&Ynko}*@iUOZhAx4~!EQu-CFMvNb$GaHOH8dt@5Rbl)UX+*UE{W$Uh@5cWJL=POR={j0BrLEWeps}N zo)hr)4Kt#vuO&(z+V5XX}M zlFW@Ngz09$OT~F7$6>yR{^h@Ug3WK>a>9H$Cd3 z?Rokoi~gaWM`f8ipz+2cv54mK!wDCk7V)o51fy|3i2j6@)Kajw&Cg~}uBcj<>c_Jy zNjSF>h^w8^_Jm_Odt9Sv&10Q|cysiB6TIMtU(_D6kLuags=|SpVl_C{(|YeN_s+I$#X0VJGO7X%hREDxLevi=#`)B@h4Nf!vFFFkA6Z(mg(#dp7_DT zM8ybv9`S3Dcx=6Xyr?)+4F-Igk0pW{o=l3<0i$9i{p?XOrXNx&#^#(#D$eGIpNb*q zDJWh)g9J@4K9Hmal5sT*)xyI{ZFhhcoQ_gc$zXt=mNI)P#0`6ose!1k4}xc$kbD4HLkDn6Dq>;4u{g_Bd%?RccBe&AX{ z=V400DX(Cno4I0fE$HfurCj?{5jZp$2?)sD(zaIfbuyk8_9es273htDKb>m{J?Ft- zA_?7FB&d)Ft@ojUNOeaw=Hj7oX+ikt<-+*@d2v1fT*0uI0pS4HlB8ScQ$e?&G&uHk zMf^}|9DKpe#S74#L138+W@Hykv=R@H{}94;8a!IyT|%c}tIQL_0-$x8o~!Fp8u@i_ z;o6Ao>3y8epW=Ivk?46(*d|CA?Q>R{XXS)LiA%FLvwbUMy$@?CDxco(Ys7+&))(}D zpzwSYE_VTkr){DBv<_$z_I(%}pend9N%pkP+XEP?Qu(xAJs~QZfjlD#cLiu4q;PFW z_O!0(5fzq%Ce@$xh~E$SxYi_@)*nZN0kz*;f8mxr3<<0%+0!~@T-Xl_MJnIi{)584 zMd;CbrW*?c%J94XUUn6v&Gv@@!p}6&->gqE z@t43B-UbWyv~H~VH|@`ZEsh;3pVk?4Zl2D^)A*utsUKefTWliP(>ioQydX-DXC$&G z{x`@p+85TVjk?u6Mq@~m9r3qJ_Vj*zkFckDk{hxk`90y2>fa~JJS!~h1tWDP6;gWQ zBVbs6vmV)--^o!I$;fH!={fqnPdL02AMQXnk71X8q5bsy#NW-R?vN}{78lAuubG@v Vxq2?X`5|?4LuaVblNs literal 0 HcmV?d00001 diff --git a/Reversing/RicknMorty/exploit.py b/Reversing/RicknMorty/exploit.py new file mode 100644 index 0000000..e9c7bff --- /dev/null +++ b/Reversing/RicknMorty/exploit.py 
@@ -0,0 +1,34 @@
+from pwn import *
+
+context.log_level='DEBUG'
+p = remote('chall.csivit.com', 30827) #Remote netcat
+
+def fun1(param_1, param_2):
+    local_c = 0
+    local_10 = 1
+    while (local_10 <= param_1) or (local_10 <= param_2):
+        if (param_1 % local_10 == 0) and (param_2 % local_10 == 0):
+            local_c = local_10
+        local_10 += 1
+    return local_c
+
+def fun2(param_1):
+    lvar1 = 0
+    if param_1 == 0:
+        lvar1 = 1
+    else:
+        lvar1 = fun2(param_1 - 1)
+        lvar1 = lvar1 * param_1
+    return lvar1
+
+while True:
+    line = p.recvline()
+    if not line or line.decode().startswith('fun() took'):
+        break
+
+    nums = line.decode().rstrip().split(' ')
+    ans = fun1(int(nums[0]), int(nums[1]))
+    ans = fun2(ans + 3)
+    p.sendline(str(ans))
+
+p.stream()
\ No newline at end of file
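Review bot: The parse at `nums = line.decode().rstrip().split(' ')` followed by `int(nums[0]), int(nums[1])` assumes every line before the `fun() took` summary is exactly two integers, so if the service answers `Nahh.`, sends a blank line or otherwise deviates, the script dies with an IndexError/ValueError traceback instead of showing what the server actually said. A one-line guard before the conversion keeps the failure readable: `nums = line.split()` then `if len(nums) != 2 or not all(n.isdigit() for n in nums): break` (bytes `.split()`/`.isdigit()` and `int(b'11')` all work, so the extra `.decode()` and the `' '`-only split can go). The `not line` branch is probably dead, since pwntools' `recvline()` raises `EOFError` on a closed connection rather than returning an empty value, so a `try/except EOFError` around the loop is the check that would actually fire; worth confirming against the pwntools version in use. Separately, `fun1` and `fun2` transcribe the decompiled loops where `math.gcd(a, b)` and `math.factorial(g + 3)` state the intent directly; the recursive `fun2` is only a readability concern, not a correctness one, for the 6..15 inputs the binary generates. The hunk covers the whole file, so nothing of the script lies outside view.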