Challenge #4. Looks like they sacked their previous developers. Poor buggers, they just needed some more professional development.
Just a note... So after the null password, I continue through and of course get the CPUOFF flag.
RESET
Break Main
Continue
Looks like main calls two functions: enc, and whatever is at 2400. I'll set a breakpoint for each and then step through the first one.
However, 4490 through 449a is a loop that is messing around with the bytes located 247c past r13 (which is routinely incremented during the loop).
I set a breakpoint after the loop, and reviewing the memory location afterwards, we have a nice lineup of every possible byte.
Afterwards we have another loop, from 449c to 44d4. This appears to be changing the bytes that the first loop just set up. I'll set a breakpoint right after the second loop and continue past it. Looking at the memory location afterwards, it looks like gibberish now.
44dc to 450e appears to be a third loop, modifying the same address space as the previous two loops. Set a breakpoint right after the jnz at 450e and continue past it. Reviewing the memory space after the loop, it still looks like nonsense: no human-readable strings or anything that I notice.
The rest of that function pops a bunch of registers and then returns. Nothing too enlightening there, so back to main. The next call is to 0x2400, which is right before the space that was mangled up by the enc function.
This part was very confusing to me, and I struggled with it for a long while. The program was clearly executing instructions; however, I had no disassembly view of what was happening. The current instruction was changing, and the registers were changing, but nothing showed in the disassembly.
I resorted to Google here, and I was thinking that the challenge was broken. I tried avoiding writeups, but I was able to find the following notes on my issue. This is sort of a writeup, so I cheated a little bit I guess :'( But luckily it's only a writeup on the part I was stumped on. https://rakshacks.wordpress.com/2016/08/18/microcorruption-reykjavik/
So this is how I noticed the link to the disassembler that Microcorruption makes available...

So here I had the disassembler and the challenge up side by side. I stared at the disassembly for a good while until I decided that I would Ctrl+F for cmp and take a look at those. I saw two: one was a cmp and the other a cmp.b. The first cmp was the instruction b490 5714 dcff, which I looked for the address of, and it looked like it was at 244b.
I stepped through execution to get to that instruction, and it went right past it, so my assumption is that one of the jmps executed. Unfortunately I wasn't following along closely enough to see what caused the jump, so I hit c to run it out to the password prompt.
This cmp checks 24 bytes prior to r4 to see if it is \x1457. Looking at r4, it is set to 43fe currently, and 24 bytes back puts me at 43DA. Checking 43DA in memory, I see that is the location where my password is located, and it is not \x1457, so this cmp will fail.
It does fail; it jmps past the push and call, and then returns out of this code and back into main.
So this behavior leads me to believe I need to set the first two bytes of my password to \x1457.
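As an added example (not part of the original writeup, and not Microcorruption's own tooling), here is a small Python script that decodes those six bytes as an MSP430 Format I (double-operand) instruction, computes the effective address of the destination operand from the r4 value seen above, and emulates just that compare against a candidate password buffer, so the endianness question can be settled without another round at the prompt. The instruction bytes, r4 = 0x43fe and the password location 0x43da come from the post; the flat memory image is constructed for the example. The decoder is general for Format I instructions, not just this cmp, and the test values assumed below (a plain register-to-register mov) are my own.

```python
import struct

# Constructed sample: the six bytes the writeup found at 0x244b, in memory
# order. MSP430 is little-endian, so "b4 90" is the opcode word 0x90b4.
INSN_BYTES = bytes.fromhex("b4905714dcff")
R4_AT_CHECK = 0x43FE  # value of r4 observed in the post when the cmp runs

# Format I (double-operand) opcodes sit in the top nibble of the first word.
FORMAT_I = {0x4: "mov", 0x5: "add", 0x6: "addc", 0x7: "subc", 0x8: "sub",
            0x9: "cmp", 0xA: "dadd", 0xB: "bit", 0xC: "bic", 0xD: "bis",
            0xE: "xor", 0xF: "and"}


def _reg(n):
    return {0: "pc", 1: "sp", 2: "sr"}.get(n, "r%d" % n)


def _indexed(x, reg):
    """Render X(Rn) with the 16-bit extension word read as a signed offset."""
    v = x - 0x10000 if x & 0x8000 else x
    return "-0x%x(%s)" % (-v, reg) if v < 0 else "0x%x(%s)" % (v, reg)


def decode_format_i(code):
    """Decode one MSP430 Format I instruction at code[0].

    Returns (assembly text, length in bytes). Extension words follow the
    opcode word, source first then destination, each little-endian.
    PC-relative operands are left as X(pc) rather than resolved.
    """
    w = struct.unpack_from("<H", code, 0)[0]
    mnemonic = FORMAT_I.get(w >> 12)
    if mnemonic is None:
        raise ValueError("not a Format I instruction: 0x%04x" % w)
    src, dst = (w >> 8) & 0xF, w & 0xF
    ad = (w >> 7) & 1   # destination mode: 0 = register, 1 = indexed
    bw = (w >> 6) & 1   # 1 = byte-wide operation (.b)
    as_ = (w >> 4) & 3  # source mode
    pos = 2
    # r3 (all modes) and r2 (modes 2 and 3) are the constant generator.
    if src == 3:
        s = "#" + ("0", "1", "2", "-1")[as_]
    elif src == 2 and as_ >= 2:
        s = "#" + ("4", "8")[as_ - 2]
    elif as_ == 0:
        s = _reg(src)
    elif as_ == 2:
        s = "@" + _reg(src)
    elif as_ == 3 and src != 0:
        s = "@" + _reg(src) + "+"
    else:  # indexed/absolute (as_ == 1), or @pc+ which is an immediate #N
        x = struct.unpack_from("<H", code, pos)[0]
        pos += 2
        if as_ == 3:
            s = "#0x%x" % x
        elif src == 2:
            s = "&0x%x" % x
        else:
            s = _indexed(x, _reg(src))
    if ad == 0:
        d = _reg(dst)
    else:
        x = struct.unpack_from("<H", code, pos)[0]
        pos += 2
        d = "&0x%x" % x if dst == 2 else _indexed(x, _reg(dst))
    return "%s%s %s, %s" % (mnemonic, ".b" if bw else "", s, d), pos


def cmp_operand_address(r4=R4_AT_CHECK):
    """Effective address of -0x24(r4): where the compare reads the password."""
    return (r4 - 0x24) & 0xFFFF


def check_passes(password, r4=R4_AT_CHECK):
    """Emulate only the cmp: load the word at -0x24(r4) and compare to 0x1457.

    `password` is the raw bytes as they would sit in the input buffer.
    The 64 KiB memory image is constructed for this example.
    """
    mem = bytearray(0x10000)
    buf = cmp_operand_address(r4)
    mem[buf:buf + len(password)] = password
    return struct.unpack_from("<H", mem, buf)[0] == 0x1457


def password_hex_for(immediate=0x1457):
    """Hex input that satisfies the compare: the immediate stored little-endian."""
    return struct.pack("<H", immediate).hex()


if __name__ == "__main__":
    text, length = decode_format_i(INSN_BYTES)
    print("0x244b: %s   (%d bytes)" % (text, length))
    print("operand address: 0x%04x" % cmp_operand_address())
    for guess in ("1457", "5714"):
        ok = check_passes(bytes.fromhex(guess))
        print("hex input %s -> %s" % (guess, "passes" if ok else "fails"))
    print("correct hex input:", password_hex_for())
```

The decoder reads the opcode word and pulls extension words in the order the CPU does (source, then destination), which is why `57 14` lands in the immediate and `dc ff` in the index; the same little-endian rule applied to the password buffer is why the hex input must be `5714`, not `1457`.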
RESET
Continue through to password input:
This input failed, so I tried again with the bytes swapped for endianness.
Hit send and then continue
Success
Notes:
I wish the tutorial told you about the assembler/disassembler page. I spent a decent amount of time Googling around for that. I even started writing the instructions down on paper in the disassembler format so that I could better visualize what was happening, but it was waaaay too long to keep it up.
Even though I had the instructions in the other window, it was still an odd way to work, stepping through in the primary disassembler and comparing it to the list of instructions. I do wish I could have had interactive capability to set breakpoints. It really made me appreciate the primary disassembler.