Added Reversing Challenges

2020-07-31 18:25:06 +05:30 · 2020-07-31 18:25:06 +05:30 · ed3907e13f
parent 88ee32973e
commit ed3907e13f
3 changed files with 227 additions and 0 deletions
--- a/Reversing/RicknMorty/README.md
+++ b/Reversing/RicknMorty/README.md
@ -0,0 +1,193 @@
+## RickNMorty
+The main idea finding the flag is reverse the functions using Ghidhra to understand the code.
+
+#### Step-1:
+After I downloaded `RickNMorty`, and decompiled it in Ghidhra, I got the **main()** as follows:
+```c
+undefined8 main(void)
+{
+  int iVar1;
+  time_t tVar2;
+  long lVar3;
+  long local_48;
+  time_t local_40;
+  time_t local_38;
+  time_t local_30;
+  long local_28;
+  long local_20;
+  char *local_18;
+  int local_10;
+  int local_c;
+  
+  setbuf(stdin,(char *)0x0);
+  setbuf(stdout,(char *)0x0);
+  setbuf(stderr,(char *)0x0);
+  tVar2 = time(&local_30);
+  srand((uint)tVar2);
+  time(&local_38);
+  local_c = 1;
+  local_10 = 0;
+  while( true ) {
+    iVar1 = rand();
+    if (iVar1 % 3 + 4 < local_10) break;
+    iVar1 = rand();
+    local_20 = (long)(iVar1 % 10 + 6);
+    iVar1 = rand();
+    local_28 = (long)(iVar1 % 10 + 6);
+    printf("%d %d\n",local_20,local_28);
+    __isoc99_scanf(&DAT_0040200f,&local_48);
+    lVar3 = function1(local_20);
+    lVar3 = function2(lVar3 + 3);
+    if (lVar3 != local_48) {
+      local_c = 0;
+    }
+    local_10 = local_10 + 1;
+  }
+  time(&local_40);
+  local_18 = (char *)(double)(local_40 - local_38);
+  printf(local_18,"fun() took %f seconds to execute \n");
+  if ((local_c != 1) || (30.00000000 < (double)local_18)) {
+    printf("Nahh.");
+  }
+  else {
+    puts("Hey, you got me!");
+    system("cat flag.txt");
+  }
+  return 0;
+}
+```
+
+#### Step-2:
+A pair of random numbers is generated and passed through `function1()` & `function2()` and checked with pair of numbers with given number to get the flag.
+
+```c
+long function1(long param_1,long param_2)
+{
+  int local_10;
+  int local_c;
+  
+  local_c = 0;
+  local_10 = 1;
+  while ((local_10 <= param_1 || (local_10 <= param_2))) {
+    if ((param_1 % (long)local_10 == 0) && (param_2 % (long)local_10 == 0)) {
+      local_c = local_10;
+    }
+    local_10 = local_10 + 1;
+  }
+  return (long)local_c;
+}
+```
+
+```c
+long function2(long param_1)
+{
+  long lVar1;
+  
+  if (param_1 == 0) {
+    lVar1 = 1;
+  }
+  else {
+    lVar1 = function2(param_1 + -1);
+    lVar1 = lVar1 * param_1;
+  }
+  return lVar1;
+}
+```
+
+#### Step-3:
+So, I wrote this `exploit.py` to get the flag:
+
+```python
+from pwn import *
+
+context.log_level='DEBUG'
+p = remote('chall.csivit.com', 30827) #Remote netcat
+
+def fun1(param_1, param_2):
+    local_c = 0
+    local_10 = 1
+    while (local_10 <= param_1) or (local_10 <= param_2):
+        if (param_1 % local_10 == 0) and (param_2 % local_10 == 0):
+            local_c = local_10
+        local_10 += 1
+    return local_c
+
+def fun2(param_1):
+    lvar1 = 0
+    if param_1 == 0:
+        lvar1 = 1
+    else:
+        lvar1 = fun2(param_1 - 1)
+        lvar1 = lvar1 * param_1
+    return lvar1
+
+while True:
+    line = p.recvline()
+    if not line or line.decode().startswith('fun() took'):
+        break
+
+    nums = line.decode().rstrip().split(' ')
+    ans = fun1(int(nums[0]), int(nums[1]))
+    ans = fun2(ans + 3)
+    p.sendline(str(ans))
+
+p.stream()
+```
+
+#### Step-4:
+Running the script gave me:
+
+```bash
+[DEBUG] PLT 0x40102c puts
+[DEBUG] PLT 0x401040 setbuf
+[DEBUG] PLT 0x401050 system
+[DEBUG] PLT 0x401060 printf
+[DEBUG] PLT 0x401070 srand
+[DEBUG] PLT 0x401080 time
+[DEBUG] PLT 0x401090 __isoc99_scanf
+[DEBUG] PLT 0x4010a0 rand
+[*] 
+    Arch:     amd64-64-little
+    RELRO:    Partial RELRO
+    Stack:    No canary found
+    NX:       NX enabled
+    PIE:      No PIE (0x400000)
+[+] Opening connection to chall.csivit.com on port 30827: Done
+[DEBUG] Received 0x6 bytes:
+    b'11 15\n'
+[DEBUG] Sent 0x3 bytes:
+    b'24\n'
+[DEBUG] Received 0x5 bytes:
+    b'9 12\n'
+[DEBUG] Sent 0x4 bytes:
+    b'720\n'
+[DEBUG] Received 0x5 bytes:
+    b'7 10\n'
+[DEBUG] Sent 0x3 bytes:
+    b'24\n'
+[DEBUG] Received 0x5 bytes:
+    b'9 11\n'
+[DEBUG] Sent 0x3 bytes:
+    b'24\n'
+[DEBUG] Received 0x5 bytes:
+    b'8 10\n'
+[DEBUG] Sent 0x4 bytes:
+    b'120\n'
+[DEBUG] Received 0x5 bytes:
+    b'6 13\n'
+[DEBUG] Sent 0x3 bytes:
+    b'24\n'
+[DEBUG] Received 0x28 bytes:
+    b'fun() took 0.000000 seconds to execute \n'
+[DEBUG] Received 0x11 bytes:
+    b'Hey, you got me!\n'
+Hey, you got me!
+[DEBUG] Received 0x28 bytes:
+    b'csictf{h3_7u2n3d_h1m531f_1n70_4_p1ck13}\n'
+csictf{h3_7u2n3d_h1m531f_1n70_4_p1ck13}
+```
+Voila! We got the flag.
+
+#### Step-5:
+Finally the flag becomes: 
+`csictf{h3_7u2n3d_h1m531f_1n70_4_p1ck13}`
--- a/Reversing/RicknMorty/RickNMorty
+++ b/Reversing/RicknMorty/RickNMorty
--- a/Reversing/RicknMorty/exploit.py
+++ b/Reversing/RicknMorty/exploit.py
@ -0,0 +1,34 @@
+from pwn import *
+
+context.log_level='DEBUG'
+p = remote('chall.csivit.com', 30827) #Remote netcat
+
+def fun1(param_1, param_2):
+    local_c = 0
+    local_10 = 1
+    while (local_10 <= param_1) or (local_10 <= param_2):
+        if (param_1 % local_10 == 0) and (param_2 % local_10 == 0):
+            local_c = local_10
+        local_10 += 1
+    return local_c
+
+def fun2(param_1):
+    lvar1 = 0
+    if param_1 == 0:
+        lvar1 = 1
+    else:
+        lvar1 = fun2(param_1 - 1)
+        lvar1 = lvar1 * param_1
+    return lvar1
+
+while True:
+    line = p.recvline()
+    if not line or line.decode().startswith('fun() took'):
+        break
+
+    nums = line.decode().rstrip().split(' ')
+    ans = fun1(int(nums[0]), int(nums[1]))
+    ans = fun2(ans + 3)
+    p.sendline(str(ans))
+
+p.stream()