ECTF MISC4

I got an ELF file named misc4. I immediately opened it in IDA Pro and found that there's nothing interesting in the main function. In IDA Pro's function list, though, I found a displayresult function. When I examined it, it looked very similar to misc200's displayresult function, with a few small changes.

This is the decompiled code of main:

int __cdecl main(int a1, int a2)
{
  void *v2; // esp@1
  char dest; // [sp+10h] [bp-58h]@3
  char v5; // [sp+5Eh] [bp-Ah]@1
  char v6; // [sp+5Fh] [bp-9h]@1

  v2 = alloca(0);
  v5 = 65;
  v6 = 65;
  if ( a1 != 2 )
    exit(0);
  strcpy(&dest, *(const char **)(a2 + 4)); // unbounded copy of argv[1] into dest; v5 and v6 sit above it on the stack
  if ( v6 != 126 || v5 != 68 )
  {
    printf("Sorry try hard!!!!\nHint:You really need to \"modify\" stack :P\n");
  }
  else
  {
    flag = 1; // global flag; displayresult() checks it, but main() never calls displayresult()
    printf("You did it!!!!!!!\nNow come an find me :)\n");
  }
  return 0;
}

This is the decompiled code of displayresult():

int __cdecl displayresult()
{
  signed int i; // ecx@4
  char *v1; // edi@4
  int v3; // ST1C_4@15
  int v4; // [sp+10h] [bp-E8h]@13
  size_t k; // [sp+18h] [bp-E0h]@9
  int v6; // [sp+20h] [bp-D8h]@13
  size_t j; // [sp+24h] [bp-D4h]@7
  char *v8; // [sp+28h] [bp-D0h]@7
  char *v9; // [sp+2Ch] [bp-CCh]@7
  char s; // [sp+30h] [bp-C8h]@4
  char v11[76]; // [sp+31h] [bp-C7h]@13
  char v12; // [sp+7Dh] [bp-7Bh]@4
  char v13; // [sp+80h] [bp-78h]@7

  if ( !flag ) // global at 0x8049a18; zero unless main() sets it
  {
    printf("But this was a much better try ! :P\n");
    exit(0);
  }
  printf("\n\n oh !!!! great !!!!!........... you found me........\n\n");
  memcpy(&s, "W#WTVXV#TQRURPU$T'WXW$T'UQRTRTV%T'SYVRRRWPVSWRWYWXW$RWUQWVW%WPWXW\"S$WRW'W%SX", 0x4Du);
  v1 = &v12;
  for ( i = 3; i; --i )
    *v1++ = 0;
  v9 = &v13;
  v8 = &s;
  for ( j = strlen(&s); j; --j ) // first pass: XOR every byte with 'a'
  {
    *v8 ^= 0x61u;
    ++v8;
  }
  for ( k = 0; k < strlen(&s); k += 2 ) // second pass: each pair of hex digits becomes one output byte
  {
    v6 = *(&s + k) - 48; // high nibble from s[k]
    v4 = v11[k] - 65; // v11 == &s + 1, so this is s[k+1]
    if ( (unsigned int)v4 <= 5 )
      JUMPOUT(__CS__, (unsigned int)off_8048858[v4]); // 'A'..'F' handled through a jump table
    v3 = v11[k] - 48; // low nibble from s[k+1]
    *v9 = v3 + 16 * v6;
    printf("%c", v3 + 16 * v6);
    ++v9;
  }
  printf("\n\n\n\n");
  return 0;
}

By examining the pseudocode we can see that an uninitialized global variable, flag, is checked for zero at the top of displayresult. Nothing on the normal path sets it (main only sets flag when the two stack bytes match, and main never calls displayresult at all), so the program will always exit there. I therefore inferred that execution has to be redirected to the second print statement, and that can only be done in a debugger. I opened up GDB and did this:
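As an added example that is not part of the original write-up, here is a Python re-implementation of the decoding loop in displayresult, so the embedded string can be recovered statically without running the binary at all. It mirrors the two passes in the decompile: XOR every byte with 0x61, then treat each pair of characters as two hex nibbles. The jump-table cases for 'A'..'F' (off_8048858) are not shown in the decompile, so mapping them to 10..15 is an assumption; it is the standard hex mapping and matches the output the binary printed.

```python
# Added example (not from the original write-up): a static re-implementation
# of the decoding loop in displayresult(). OBFUSCATED is the 76-byte literal
# that the binary memcpy's into `s` (0x4D bytes including the terminator).
OBFUSCATED = (
    "W#WTVXV#TQRURPU$T'WXW$T'UQRTRTV%T'SYVRRRWPVSWRWYWXW$RWUQWVW%WPWXW\"S$WRW'W%SX"
)

XOR_KEY = 0x61  # the first loop XORs every byte with 'a'


def nibble(ch: str) -> int:
    """Map one ASCII hex digit to its value.

    The decompiled loop computes `c - 48` for '0'..'9' and dispatches
    'A'..'F' (c - 65 <= 5) through a jump table whose cases IDA did not
    inline. Mapping them to 10..15 is an assumption (standard hex), and it is
    consistent with the string the binary prints.
    """
    if "0" <= ch <= "9":
        return ord(ch) - 48
    if "A" <= ch <= "F":
        return ord(ch) - 65 + 10
    raise ValueError(f"unexpected character after XOR: {ch!r}")


def decode_displayresult(blob: str = OBFUSCATED, key: int = XOR_KEY) -> str:
    """Return the plaintext that displayresult() prints, without running it."""
    # Pass 1: XOR every byte of s with 0x61, yielding an ASCII hex string.
    hexed = "".join(chr(ord(c) ^ key) for c in blob)
    if len(hexed) % 2:
        raise ValueError("decoded buffer must hold whole hex pairs")
    # Pass 2: walk two characters at a time; s[k] is the high nibble (v6),
    # s[k+1] (v11[k] in the decompile) is the low nibble (v3), and the
    # program prints v3 + 16 * v6.
    out = []
    for k in range(0, len(hexed), 2):
        hi = nibble(hexed[k])
        lo = nibble(hexed[k + 1])
        out.append(chr(lo + 16 * hi))
    return "".join(out)


if __name__ == "__main__":
    print(decode_displayresult())
```

Running the script prints the same line the GDB session produces, which is a useful cross-check that the jump-table assumption is right: every low nibble that goes through the 'A'..'F' path ('B', 'E', 'F', 'D', 'C' after the XOR) lands on the expected character.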

$ gdb -q misc4 
Reading symbols from /home/seshagiri/s7_codes/bla/hackyou/ECTF/misc4...done. 
(gdb) break main 
Breakpoint 1 at 0x804860d: file exp200.c, line 71. 
(gdb) disassemble displayresult 
Dump of assembler code for function displayresult: 
 0x08048414 <+0>: push %ebp 
 0x08048415 <+1>: mov %esp,%ebp 
 0x08048417 <+3>: push %edi 
 0x08048418 <+4>: push %esi 
 0x08048419 <+5>: sub $0xf0,%esp 
 0x0804841f <+11>: cmpl $0x0,0x8049a18 
 0x08048426 <+18>: jne 0x8048440 <displayresult+44> 
 0x08048428 <+20>: movl $0x8048780,(%esp) 
 0x0804842f <+27>: call 0x804832c <printf@plt> 
 0x08048434 <+32>: movl $0x0,(%esp) 
 0x0804843b <+39>: call 0x804833c <exit@plt> 
 0x08048440 <+44>: movl $0x80487c0,(%esp) 
 0x08048447 <+51>: call 0x804832c <printf@plt>
(gdb) r
Starting program: /home/seshagiri/s7_codes/bla/hackyou/ECTF/misc4
Breakpoint 1, main (argc=1, argv=0xffffcee4) at exp200.c:71
71 exp200.c: No such file or directory.
(gdb) set $eip=0x08048414
(gdb) s
11 in exp200.c
(gdb) set $eip=0x08048447
(gdb) c
Continuing.
key{P41N_in_@55}_(s3archin6@gmail.com)
Program received signal SIGSEGV, Segmentation fault.
0x08048241 in ?? ()

w00t! Harvest of the month!
I got the flag: P41N_in_@55
