Monday, February 24, 2014

CODEGATE 2014 Writeup

Challenge: Reversing 200

dodoCrackme

My eyes almost popped out!


Challenge file
$ file crackme_d079a0af0b01789c01d5755c885da4f6
crackme_d079a0af0b01789c01d5755c885da4f6: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=0xb300ef9227a8911db0d6aea538fe03fe4dfb20fe, stripped

Run it
$ ./crackme_d079a0af0b01789c01d5755c885da4f6
root@localhost's password:
Permission denied (password).

It asks for a password. So the task is to find the password?

As a first step, I ran objdump on the binary and read through the disassembly.


inc    BYTE PTR [rbp+0x0]
It appears to build a string by repeatedly incrementing the byte at this location.

In gdb:
display/s $rbp
b *0x400295
b *0x4002b2
b *0x4002c6
b *0x4002e9
b *0x400304
b *0x400328
b *0x400345
b *0x40037d
b *0x400397
b *0x4003cb
b *0x4003eb
b *0x400414
b *0x400434
b *0x40044b
b *0x40046b
b *0x40048e
b *0x4004c3
b *0x4004ec
b *0x400508
b *0x40052d
b *0x400541
b *0x400561
b *0x40058d
b *0x4005aa
b *0x4005cf
b *0x4005f9
b *0x400615

Setting these breakpoints and checking the value at each one showed the string
"root@localhost's password: ".

Further down, there was another place that builds a string by incrementing.
This time the result is loaded into al:
mov    al,BYTE PTR [rbp+0x0]
so I print al at each of those instructions.

Set the breakpoints and run:
display/c $al
b *0x4007f4
b *0x400a70
b *0x400d43
b *0x401019
b *0x40130d
b *0x401616
b *0x4018ce
b *0x401b50
b *0x401e11
b *0x4020d8
b *0x4023a8
b *0x4026c9
b *0x4029c6
b *0x402c99
b *0x402fbd
b *0x40325d
b *0x4034fa
b *0x40379d
b *0x403a4c
b *0x403d7f
b *0x404061
b *0x40437c
b *0x4046b8
b *0x40496d
b *0x404c7c
b *0x404fc1
b *0x4052cd
b *0x40558b
b *0x4058b2
b *0x405bb5
b *0x405e88



(gdb) r
Starting program: /root/Desktop/crackme_d079a0af0b01789c01d5755c885da4f6 
root@localhost's password: 
Breakpoint 1, 0x00000000004007f4 in ?? ()
1: /c $al = 72 'H'
(gdb) c
Continuing.

Breakpoint 2, 0x0000000000400a70 in ?? ()
1: /c $al = 52 '4'
(gdb) 
Continuing.

Breakpoint 3, 0x0000000000400d43 in ?? ()
1: /c $al = 80 'P'
(gdb) 
Continuing.

Breakpoint 4, 0x0000000000401019 in ?? ()
1: /c $al = 80 'P'
(gdb) 
Continuing.

Breakpoint 5, 0x000000000040130d in ?? ()
1: /c $al = 89 'Y'
(gdb) 
Continuing.

Breakpoint 6, 0x0000000000401616 in ?? ()
1: /c $al = 95 '_'
(gdb) 
Continuing.

Breakpoint 7, 0x00000000004018ce in ?? ()
1: /c $al = 67 'C'
(gdb) 
Continuing.

Breakpoint 8, 0x0000000000401b50 in ?? ()
1: /c $al = 48 '0'
(gdb) 
Continuing.

Breakpoint 9, 0x0000000000401e11 in ?? ()
1: /c $al = 68 'D'
(gdb) 
Continuing.

Breakpoint 10, 0x00000000004020d8 in ?? ()
1: /c $al = 69 'E'
(gdb) 
Continuing.

Breakpoint 11, 0x00000000004023a8 in ?? ()
1: /c $al = 71 'G'
(gdb) 
Continuing.

Breakpoint 12, 0x00000000004026c9 in ?? ()
1: /c $al = 97 'a'
(gdb) 
Continuing.

Breakpoint 13, 0x00000000004029c6 in ?? ()
1: /c $al = 84 'T'
(gdb) 
Continuing.

Breakpoint 14, 0x0000000000402c99 in ?? ()
1: /c $al = 69 'E'
(gdb) 
Continuing.

Breakpoint 15, 0x0000000000402fbd in ?? ()
1: /c $al = 95 '_'
(gdb) 
Continuing.

Breakpoint 16, 0x000000000040325d in ?? ()
1: /c $al = 50 '2'
(gdb) 
Continuing.

Breakpoint 17, 0x00000000004034fa in ?? ()
1: /c $al = 48 '0'
(gdb) 
Continuing.

Breakpoint 18, 0x000000000040379d in ?? ()
1: /c $al = 49 '1'
(gdb) 
Continuing.

Breakpoint 19, 0x0000000000403a4c in ?? ()
1: /c $al = 52 '4'
(gdb) 
Continuing.

Breakpoint 20, 0x0000000000403d7f in ?? ()
1: /c $al = 95 '_'
(gdb) 
Continuing.

Breakpoint 21, 0x0000000000404061 in ?? ()
1: /c $al = 67 'C'
(gdb) 
Continuing.

Breakpoint 22, 0x000000000040437c in ?? ()
1: /c $al = 85 'U'
(gdb) 
Continuing.

Breakpoint 23, 0x00000000004046b8 in ?? ()
1: /c $al = 95 '_'
(gdb) 
Continuing.

Breakpoint 24, 0x000000000040496d in ?? ()
1: /c $al = 49 '1'
(gdb) 
Continuing.

Breakpoint 25, 0x0000000000404c7c in ?? ()
1: /c $al = 78 'N'
(gdb) 
Continuing.

Breakpoint 26, 0x0000000000404fc1 in ?? ()
1: /c $al = 95 '_'
(gdb) 
Continuing.

Breakpoint 27, 0x00000000004052cd in ?? ()
1: /c $al = 75 'K'
(gdb) 
Continuing.

Breakpoint 28, 0x000000000040558b in ?? ()
1: /c $al = 48 '0'
(gdb) 
Continuing.

Breakpoint 29, 0x00000000004058b2 in ?? ()
1: /c $al = 82 'R'
(gdb) 
Continuing.

Breakpoint 30, 0x0000000000405bb5 in ?? ()
1: /c $al = 69 'E'
(gdb) 
Continuing.

Breakpoint 31, 0x0000000000405e88 in ?? ()
1: /c $al = 52 '4'
(gdb) 
Continuing.

Concatenate all the characters that appeared:

H4PPY_C0DEGaTE_2014_CU_1N_K0RE4

This was the flag.
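
The manual concatenation step can be scripted by parsing a saved gdb session. This is an added example, not part of the original writeup; the function names are hypothetical and the sample is an excerpt of the session shown above (first three breakpoint hits).

```python
import re

# Excerpt of the gdb session above (first three breakpoint hits only).
SAMPLE_SESSION = """\
(gdb) r
Starting program: /root/Desktop/crackme_d079a0af0b01789c01d5755c885da4f6
root@localhost's password:
Breakpoint 1, 0x00000000004007f4 in ?? ()
1: /c $al = 72 'H'
(gdb) c
Continuing.

Breakpoint 2, 0x0000000000400a70 in ?? ()
1: /c $al = 52 '4'
(gdb)
Continuing.

Breakpoint 3, 0x0000000000400d43 in ?? ()
1: /c $al = 80 'P'
"""

BP_HIT = re.compile(r"^Breakpoint (\d+), (0x[0-9a-fA-F]+) in ")
AL_DISPLAY = re.compile(r"^\d+: /c \$al = (-?\d+) ")

def parse_al_hits(log):
    """Return [(breakpoint_no, address, byte)] for each hit followed by an $al display."""
    hits, pending = [], None
    for line in log.splitlines():
        m = BP_HIT.match(line)
        if m:
            pending = (int(m.group(1)), int(m.group(2), 16))
            continue
        m = AL_DISPLAY.match(line)
        if m and pending is not None:
            # Take the numeric value, not the quoted character: gdb escapes
            # non-printable bytes (e.g. '\000') and may print al as signed.
            hits.append((*pending, int(m.group(1)) & 0xFF))
            pending = None  # one display line per breakpoint hit
    return hits

def recovered_string(log):
    """Join the observed bytes in the order the breakpoints were hit."""
    return "".join(chr(b) for _, _, b in parse_al_hits(log))

if __name__ == "__main__":
    print(recovered_string(SAMPLE_SESSION))
```

To capture a full session for parsing, `set logging on` in gdb writes the output to gdb.txt by default.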