shinobi CTF

Working hard on HTB and CTF

no crypto picoMini 2021 by redpwn

no crypto 150 points

Description

there's crypto in here but the challenge is not crypto... 🤔

no crypto

Solution

  1. run binary

     ./not-crypto 
     I heard you wanted to bargain for a flag... whatcha got? 
     aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
     Nope, come back later
    

    It looks like the kind of challenge that asks for the flag on standard input.

  2. open with ghidra

    Success or failure is decided by a memcmp call (not memcpy): the input buffer is compared against a 0x40-byte value, and the result selects the message.

     iVar24 = memcmp(local_88,local_198,0x40);
     if (iVar24 == 0) {
       puts("Yep, that\'s it!");
     }
     else {
       iVar24 = 1;
       puts("Nope, come back later");
     }
    
  3. run with gdb

    Set a breakpoint on memcmp and run the binary.

     gdb-peda$ b memcmp
     Breakpoint 1 at 0x1060
     gdb-peda$ run
     Starting program: /home/ubu/nh/ctf/not-crypto 
     I heard you wanted to bargain for a flag... whatcha got?
     aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
     [----------------------------------registers-----------------------------------]
     RAX: 0x10 
     RBX: 0x7fffffffdea0 --> 0x7fffffffdec6 --> 0x555555555c700000 ('')
     RCX: 0xa4 
     RDX: 0x40 ('@')
     RSI: 0x7fffffffdd50 ('a' <repeats 64 times>, "\367l\214\377\\\207/\216\236C\236Ԙ2l\034\325<\020\271\211\273?7\027\370\241\343\217\312\315\377\243\201\006\312*:9\375=\302\230\036\262\bU\341\227}\376\375\275", <incomplete sequence \307>)
     RDI: 0x7fffffffde60 ("picoCTF{c0mp1l3r_0pt1m1z4t10n_15_pur3_w1z4rdry_but_n0_pr0bl3m?}\n\306\336\377\377\377\177")
     RBP: 0xa1 
     RSP: 0x7fffffffdcd8 --> 0x5555555553be (mov    r12d,eax)
     RIP: 0x7ffff7f47c50 (<__memcmp_avx2_movbe>: endbr64)
     R8 : 0xba 
     R9 : 0x96 
     R10: 0x55555555451b --> 0x5f00706d636d656d ('memcmp')
     R11: 0x7ffff7f47c50 (<__memcmp_avx2_movbe>: endbr64)
     R12: 0x97 
     R13: 0x73 ('s')
     R14: 0xf9 
     R15: 0x3a (':')
     EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
    

    RDI holds the address of the flag, the string the input is compared against. Under the x86-64 System V calling convention memcmp's three arguments arrive in RDI (s1, here local_88 = the decrypted flag), RSI (s2, here local_198 = the 64 'a's we typed) and RDX (n = 0x40, matching the decompiled call). Whatever the binary does with crypto beforehand, the plaintext has to be in memory at the moment of the compare, which is why the breakpoint alone is enough.
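
The reason the breakpoint works, as an added example (not the challenge's own code): a Python stand-in for the check, with a made-up XOR "cipher", key and flag in place of whatever the real binary does before its memcmp. A memcmp stand-in records what `break memcmp` would see in RDI/RSI/RDX, a hardened variant compares digests instead, and the names `check_flag_vulnerable`, `check_flag_hardened`, `leak_via_breakpoint` and `LAST_MEMCMP` are all assumptions of this example.

```python
"""Stand-in for the not-crypto check, plus a hardened version.

Constructed example, not the challenge binary's code. The XOR cipher,
KEY and FLAG are made up; they stand in for whatever decrypts the flag
before the memcmp that the gdb breakpoint in the writeup stops on.
"""
import hashlib
import hmac

# Constructed values: a picoCTF-format flag that is NOT the real one.
KEY = b"wizardry"
FLAG = b"picoCTF{example_flag_for_the_stand_in_binary_not_the_real_one}"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Toy repeating-key XOR standing in for the binary's real crypto."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# What the "binary" ships: ciphertext only, never the plaintext flag.
CIPHERTEXT = xor_bytes(FLAG, KEY)

# What a breakpoint on the compare would see: s1 (RDI), s2 (RSI), n (RDX).
LAST_MEMCMP = {}


def memcmp_hook(s1: bytes, s2: bytes, n: int) -> int:
    """Stand-in for memcmp(s1, s2, n) that records the debugger's view."""
    LAST_MEMCMP.update(rdi=s1[:n], rsi=s2[:n], rdx=n)
    return 0 if s1[:n] == s2[:n] else 1


def check_flag_vulnerable(user_input: bytes) -> bool:
    """Decrypt the embedded flag at runtime, then compare the plaintext.

    The crypto is irrelevant to the attacker: the plaintext must exist in
    memory for the compare, so `break memcmp` + `x/s $rdi` reads it out.
    """
    plaintext = xor_bytes(CIPHERTEXT, KEY)
    # Fixed-size compare like the decompiled memcmp(local_88, local_198, 0x40).
    buf = user_input.ljust(len(plaintext), b"\0")[: len(plaintext)]
    return memcmp_hook(plaintext, buf, len(plaintext)) == 0


# Hardened: embed only a digest of the flag; nothing ever reconstructs it.
FLAG_DIGEST = hashlib.sha256(FLAG).hexdigest()


def check_flag_hardened(user_input: bytes) -> bool:
    """Hash the input and compare digests in constant time.

    A breakpoint on the compare now only sees two digests; the flag itself
    is never present in memory, so there is nothing to dump.
    """
    digest = hashlib.sha256(user_input.rstrip(b"\n")).hexdigest()
    LAST_MEMCMP.update(rdi=FLAG_DIGEST.encode(), rsi=digest.encode(), rdx=64)
    return hmac.compare_digest(digest, FLAG_DIGEST)


def leak_via_breakpoint(attempt: bytes) -> bytes:
    """What the writeup does: feed junk, stop at memcmp, read RDI."""
    check_flag_vulnerable(attempt)
    return LAST_MEMCMP["rdi"]


if __name__ == "__main__":
    leaked = leak_via_breakpoint(b"a" * 64)
    print("RDI at memcmp (vulnerable):", leaked)
    print("vulnerable check with leaked value:", check_flag_vulnerable(leaked))
    check_flag_hardened(b"a" * 64)
    print("RDI at compare (hardened):", LAST_MEMCMP["rdi"])
```

The hardened variant is only a fix for this particular leak: a digest of a short, guessable secret can still be brute-forced offline, so the real lesson is that a checker which must accept the secret as input cannot hide it from whoever controls the process.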

Flag

Run the binary with the recovered flag.

./not-crypto 
I heard you wanted to bargain for a flag... whatcha got?
picoCTF{c0mp1l3r_0pt1m1z4t10n_15_pur3_w1z4rdry_but_n0_pr0bl3m?}
Yep, that's it!