From c71137060ac06868366fecce591cdd0b415447e2 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 3 Apr 2024 20:35:51 +0000 Subject: [PATCH] =?UTF-8?q?Update=20writeups=20=F0=9F=9A=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../beginner:-basic-reversing-problem.md | 301 +++++++++++++++++- writeups | 2 +- 2 files changed, 299 insertions(+), 4 deletions(-) diff --git a/src/content/writeups/utctf/2024/reverse-engineering/beginner:-basic-reversing-problem.md b/src/content/writeups/utctf/2024/reverse-engineering/beginner:-basic-reversing-problem.md index efda014..8a14236 100644 --- a/src/content/writeups/utctf/2024/reverse-engineering/beginner:-basic-reversing-problem.md +++ b/src/content/writeups/utctf/2024/reverse-engineering/beginner:-basic-reversing-problem.md @@ -1,9 +1,304 @@ --- title: "Beginner: Basic Reversing Problem" -description: "task" +description: "So many function calls... but are they that different?" points: 100 solves: 310 -author: nobody +date: April 3 2024 +author: Jozef Steinhübl --- -yeh' Beginner: Basic Reversing Problem.... it was hard lol +## Introduction + +![task](https://raw.githubusercontent.com/GerlachSnezka/utctf/main/assets/2024-reverse-beginner-task.png) + +In this challenge, we got a binary file `baby-rev` that doesn't print anything when executed. We need to decompile it so we can look further into the code. + +## Solving + +For decompiling, we can use [IDA](https://hex-rays.com/ida-free/) or [Dogbolt](https://dogbolt.org/) which is a web-based decompiler so we don't need to install anything. + +After decompiling, we can see that the binary contains a lot of function calls (from l1 to l19). However, all of them are very similar. Each function changes a char in the input using `*(a0) = x;` and then calls the next function with the `a0 + 1` pointer. + +```c +void _init() +{ + if (false) + 0(); + return; +} + +long long sub_401020() +{ + void* v0; // [bp-0x8] + + v0 = 0; +} + +long long sub_401030() +{ + void* v0; // [bp-0x8] + + v0 = 0; + return sub_401020(); +} + +long long _start() +{ + char v0; // [bp+0x0], Other Possible Types: unsigned long + unsigned long v1; // [bp+0x8] + unsigned long long v2; // rsi + unsigned long v3; // rax + unsigned long long v4; // rdx + + v2 = *((long long *)&v0); + v0 = v3; + __libc_start_main(main, v2, &v1, __libc_csu_init, __libc_csu_fini, v4); /* do not return */ +} + +// No decompilation output for function sub_40108e + +extern char __TMC_END__; + +void deregister_tm_clones() +{ + if (true) + { + return; + } + else if (!(false)) + { + return; + } +} + +long long register_tm_clones() +{ + if (true) + { + return 0; + } + else if (!(false)) + { + return 0; + } +} + +extern char __TMC_END__; + +long long __do_global_dtors_aux() +{ + unsigned long v0; // [bp-0x8] + unsigned long v2; // rax + + if (__TMC_END__) + return v2; + *((int *)&v0) = rbp<8>; + if (!(false)) + { + __TMC_END__ = 1; + return (unsigned long long)deregister_tm_clones(); + } + __cxa_finalize(); +} + +long long frame_dummy() +{ + return register_tm_clones(); +} + +void l1(char *a0) +{ + *(a0) = 117; + l2(a0 + 1); + return; +} + +void l2(char *a0) +{ + *(a0) = 116; + l3(a0 + 1); + return; +} + +void l3(char *a0) +{ + *(a0) = 102; + l4(a0 + 1); + return; +} + +void l4(char *a0) +{ + *(a0) = 108; + l5(a0 + 1); + return; +} + +void l5(char *a0) +{ + *(a0) = 97; + l6(a0 + 1); + return; +} + +void l6(char *a0) +{ + *(a0) = 103; + l7(a0 + 1); + return; +} + +void l7(char *a0) +{ + *(a0) = 123; + l8(a0 + 1); + return; +} + +void l8(char *a0) +{ + *(a0) = 105; + l9(a0 + 1); + return; +} + +void l9(char *a0) +{ + *(a0) = 95; + l10(a0 + 1); + return; +} + +void l10(char *a0) +{ + *(a0) = 99; + l11(a0 + 1); + return; +} + +void l11(char *a0) +{ + *(a0) = 52; + l12(a0 + 1); + return; +} + +void l12(char *a0) +{ + *(a0) = 110; + l13(a0 + 1); + return; +} + +void l13(char *a0) +{ + *(a0) = 95; + l14(a0 + 1); + return; +} + +void l14(char *a0) +{ + *(a0) = 114; + l15(a0 + 1); + return; +} + +void l15(char *a0) +{ + *(a0) = 51; + l16(a0 + 1); + return; +} + +void l16(char *a0) +{ + *(a0) = 118; + l17(a0 + 1); + return; +} + +void l17(char *a0) +{ + *(a0) = 33; + l18(a0 + 1); + return; +} + +void l18(char *a0) +{ + *(a0) = 125; + l19(a0 + 1); + return; +} + +void l19(char *a0) +{ + char v0; // [bp-0x8] + unsigned long long v2; // rbp + + *(a0) = 0; + v2 = *((long long *)&v0); + return; +} + +void keygen() +{ + char v0; // [bp-0x28] + + l1(&v0); + return; +} + +int main() +{ + keygen(); + return 0; +} + +long long __libc_csu_init(unsigned long long a0, unsigned long long a1, unsigned long long a2) +{ + unsigned long v1; // rax, Other Possible Types: unsigned long long + struct struct_0 **v2; // rbx, Other Possible Types: unsigned long + + v1 = _init(); + if (false) + return v1; + v2 = 0; + do + { + v1 = *((long long *)&(&__init_array_start)[8 * v2])(a0, a1, a2); + v2 += 1; + } while (v2 != 1); + return v1; +} + +long long __libc_csu_fini() +{ + unsigned long v1; // rax + + return v1; +} + +long long _fini() +{ + unsigned long v1; // rax + + return v1; +} +``` + +Functions `frame_dummy`, `__do_global_dtors_aux`, `register_tm_clones`, `deregister_tm_clones`, `_start`, `sub_401030`, `sub_401020`, `_init` can be ignored. + +We can get the flag by extracting the characters' ASCII values from the functions and converting them to characters. + +```python +flag = [117, 116, 102, 108, 97, 103, 123, 105, 95 ,99, 52, 110, 95, 114, 51, 118, 33, 125] + +print(''.join([chr(x) for x in flag])) +``` + +The flag is +``` +utflag{i_c4n_r3v!} +``` \ No newline at end of file diff --git a/writeups b/writeups index 64f8464..3bf32b2 160000 --- a/writeups +++ b/writeups @@ -1 +1 @@ -Subproject commit 64f84640280ce61c0bf2084a21c97c16cc3c0e96 +Subproject commit 3bf32b21f297e4dab9c12d0c832c4e7b7ff9ce32