no crypto picoMini 2021 by redpwn
no crypto 150 points
Description
there's crypto in here but the challenge is not crypto... 🤔
Solution
run binary
./not-crypto I heard you wanted to bargain for a flag... whatcha got? aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Nope, come back later
標準入力でフラグを入力させるタイプのようだ。
open with ghidra
The memcmp function decides whether the check succeeds or fails.
iVar24 = memcmp(local_88,local_198,0x40);
if (iVar24 == 0) {
  puts("Yep, that\'s it!");
}
else {
  iVar24 = 1;
  puts("Nope, come back later");
}
run with gdb
Set a breakpoint on the memcmp function and run the executable.
gdb-peda$ b memcmp
Breakpoint 1 at 0x1060
gdb-peda$ run
Starting program: /home/ubu/nh/ctf/not-crypto
I heard you wanted to bargain for a flag... whatcha got?
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
[----------------------------------registers-----------------------------------]
RAX: 0x10
RBX: 0x7fffffffdea0 --> 0x7fffffffdec6 --> 0x555555555c700000 ('')
RCX: 0xa4
RDX: 0x40 ('@')
RSI: 0x7fffffffdd50 ('a' <repeats 64 times>, "\367l\214\377\\\207/\216\236C\236Ԙ2l\034\325<\020\271\211\273?7\027\370\241\343\217\312\315\377\243\201\006\312*:9\375=\302\230\036\262\bU\341\227}\376\375\275", <incomplete sequence \307>)
RDI: 0x7fffffffde60 ("picoCTF{c0mp1l3r_0pt1m1z4t10n_15_pur3_w1z4rdry_but_n0_pr0bl3m?}\n\306\336\377\377\377\177")
RBP: 0xa1
RSP: 0x7fffffffdcd8 --> 0x5555555553be (mov r12d,eax)
RIP: 0x7ffff7f47c50 (<__memcmp_avx2_movbe>: endbr64)
R8 : 0xba
R9 : 0x96
R10: 0x55555555451b --> 0x5f00706d636d656d ('memcmp')
R11: 0x7ffff7f47c50 (<__memcmp_avx2_movbe>: endbr64)
R12: 0x97
R13: 0x73 ('s')
R14: 0xf9
R15: 0x3a (':')
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
The address of the flag, which is the string being compared against, is stored in RDI.
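Why the breakpoint is enough, as an added example that is not code from the challenge binary or the original writeup: a checker that rebuilds its secret at run time and hands it to a comparison routine exposes the plaintext in that call's arguments, however the secret was computed. The secret `CTF{demo}`, the XOR key and all function names are constructed for illustration, and `tracing_memcmp` stands in for the gdb breakpoint.

```c
#include <stddef.h>
#include <string.h>

#define SECRET_LEN 9
/* Constructed sample: "CTF{demo}" XORed with 0x5a, standing in for the
   challenge's far more involved flag computation. */
static const unsigned char OBFUSCATED[SECRET_LEN] = {
    0x19, 0x0e, 0x1c, 0x21, 0x3e, 0x3f, 0x37, 0x35, 0x27 };

typedef int (*cmp_fn)(const void *, const void *, size_t);

/* Checker shaped like the decompiled code: rebuild the expected bytes,
   then pass both buffers to a comparison routine. Only the first
   SECRET_LEN bytes of the input are compared. */
int check_input(const char *input, cmp_fn cmp)
{
    unsigned char expected[SECRET_LEN];
    unsigned char padded[SECRET_LEN] = {0};
    size_t n = strlen(input);

    memcpy(padded, input, n < SECRET_LEN ? n : SECRET_LEN);
    for (size_t i = 0; i < SECRET_LEN; i++)
        expected[i] = OBFUSCATED[i] ^ 0x5a;
    return cmp(expected, padded, SECRET_LEN) == 0;
}

/* What the breakpoint sees: argument 1 (RDI in the System V AMD64 ABI),
   argument 2 (RSI) and the length (RDX). */
static char seen_arg1[SECRET_LEN + 1], seen_arg2[SECRET_LEN + 1];
static size_t seen_len;

int tracing_memcmp(const void *a, const void *b, size_t n)
{
    size_t k = n < SECRET_LEN ? n : SECRET_LEN;

    memcpy(seen_arg1, a, k); seen_arg1[k] = '\0';
    memcpy(seen_arg2, b, k); seen_arg2[k] = '\0';
    seen_len = n;
    return memcmp(a, b, n);
}

/* Submit a wrong guess and return what the comparison call exposed. */
const char *recover_expected(void)
{
    check_input("aaaaaaaaa", tracing_memcmp);
    return seen_arg1;
}
```

Comparing a salted hash of the input against a stored digest keeps the plaintext secret out of the comparison's arguments.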
Flag
Run the executable with the recovered flag.
./not-crypto
I heard you wanted to bargain for a flag... whatcha got?
picoCTF{c0mp1l3r_0pt1m1z4t10n_15_pur3_w1z4rdry_but_n0_pr0bl3m?}
Yep, that's it!