ECTF MISC3

In this challenge, I got an ELF 32-bit LSB executable file named misc3. I executed it and it showed “Try hard man”. I opened it in IDA Pro and found that the main function calls the displayresult function.

This is the decompiled code of the main function:

int __cdecl main()
{
  void *v0; // esp@1
  char s; // [sp+10h] [bp-78h]@1
  char v3; // [sp+5Fh] [bp-29h]@1
  char v4; // [sp+7Bh] [bp-Dh]@1
  int v5; // [sp+7Ch] [bp-Ch]@1

  v0 = alloca(0);
  v4 = 65;
  v3 = 65;
  v5 = 0;
  gets(&s);
  if ( v5 != 2 || v3 != 68 || v4 != 90 )
  {
    printf("Try hard man\n");
  }
  else
  {
    printf("You did it!!!!!!!\n");
    displayresult();
  }
  return 0;
}

This is the decompiled code of the displayresult function:

int __cdecl displayresult()
{
  int v1; // ST1C_4@9
  int v2; // [sp+10h] [bp-E8h]@7
  size_t j; // [sp+18h] [bp-E0h]@3
  int v4; // [sp+20h] [bp-D8h]@7
  size_t i; // [sp+24h] [bp-D4h]@1
  char *v6; // [sp+28h] [bp-D0h]@1
  char *v7; // [sp+2Ch] [bp-CCh]@1
  char s; // [sp+30h] [bp-C8h]@1
  char v9[78]; // [sp+31h] [bp-C7h]@7
  char v10; // [sp+7Fh] [bp-79h]@1
  char v11; // [sp+80h] [bp-78h]@1

  memcpy(&s, "W#WTVXV#URWYWXSPWUVRT'TQRPWPTXV%T'SYVRRRWPVSWRWYWXW$RWUQWVW%WPWXW\"S$WRW'W%SXQQ", 0x4Fu);
  v10 = 0;
  v7 = &v11;
  v6 = &s;
  for ( i = strlen(&s); i; --i )
  {
    *v6 ^= 0x61u;
    ++v6;
  }
  for ( j = 0; j < strlen(&s); j += 2 )
  {
    v4 = *(&s + j) - 48;
    v2 = v9[j] - 65;
    if ( (unsigned int)v2 <= 5 )
      JUMPOUT(__CS__, (unsigned int)off_8048758[v2]);
    v1 = v9[j] - 48;
    *v7 = v1 + 16 * v4;
    printf("%c", v1 + 16 * v4);
    ++v7;
  }
  printf("\n");
  return 0;
}

So all I need to do is call the displayresult function. I disassembled the ELF file using gdb, then jumped to the displayresult function and executed it. Done! Solved!

seshagiri [seshagiri-Lenovo-G550: ~]$ gdb misc3 
(gdb) disassemble main 
Dump of assembler code for function main: 
 0x080485e2 <+75>: call 0x80483e4 <displayresult> 
 0x080485e7 <+80>: jmp 0x80485f5 <main+94> 
 0x080485e9 <+82>: movl $0x8048783,(%esp) 
 0x080485f0 <+89>: call 0x8048308 <printf@plt> 
 0x080485f5 <+94>: mov $0x0,%eax 
 0x080485fa <+99>: leave 
 0x080485fb <+100>: ret
(gdb) break main
(gdb) run
(gdb) set $eip=0x80483e4
(gdb) s
74	in exp100.c
(gdb) s
displayresult () at exp100.c:12
12	in exp100.c
(gdb) c 
Continuing.
x▒�����c��key{Chi!ds_P1aY}_(s3archin6@gmail.com) 
[Inferior 1 (process 11673) exited normally]

After a long time I solved a binary challenge!

And the key is: Chi!ds_P1aY
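
Added example (not part of the original post): the output of displayresult can also be recovered statically, without running the binary. The Python below XORs the embedded string with 0x61 and decodes the result as hex pairs; it assumes the jump-table cases hidden behind JUMPOUT map 'A'..'F' to 10..15, which the decompilation does not show, and the function names are my own.

```python
# Static re-implementation of displayresult() from the decompiled listing.
# The constant is copied from the memcpy() call; the trailing NUL is omitted.
ENCODED = b"W#WTVXV#URWYWXSPWUVRT'TQRPWPTXV%T'SYVRRRWPVSWRWYWXW$RWUQWVW%WPWXW\"S$WRW'W%SXQQ"
XOR_KEY = 0x61  # from "*v6 ^= 0x61u"


def unmask(data, key=XOR_KEY):
    """First loop of displayresult: XOR every byte with the key."""
    return bytes(b ^ key for b in data)


def hex_nibble(ch):
    """Value of one unmasked character.

    Digits follow the decompiled "ch - 48". For 'A'..'F' the binary jumps
    through off_8048758; mapping them to 10..15 is an assumption here.
    """
    if ord("0") <= ch <= ord("9"):
        return ch - 48
    if ord("A") <= ch <= ord("F"):
        return ch - 65 + 10
    raise ValueError("not an uppercase hex character: %r" % chr(ch))


def decode(data=ENCODED):
    """Second loop: combine character pairs as high and low nibble."""
    text = unmask(data)
    if len(text) % 2:
        raise ValueError("expected an even number of characters")
    out = bytearray()
    for j in range(0, len(text), 2):
        out.append(16 * hex_nibble(text[j]) + hex_nibble(text[j + 1]))
    return bytes(out)


def extract_key(plain):
    """Return the text between 'key{' and the next '}'."""
    start = plain.index(b"key{") + len(b"key{")
    end = plain.index(b"}", start)
    return plain[start:end].decode("ascii")


if __name__ == "__main__":
    plain = decode()
    print(plain.rstrip(b"\x00").decode("ascii"))
    print("key:", extract_key(plain))
```

The last pair decodes to a NUL byte, which the binary also prints; the leading garbage seen in the gdb session does not come from this string.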
