English [Internetwache CTF 2016] [Reverse 70 – ServerfARM] Write Up

Description

Internetwache CTF 2016 : ServerfARM
Category: Reversing Points: 70 Solves: 156 Description:

Description: Someone handed me this and told me that to pass the exam, I have to extract a secret string. I know cheating is bad, but once does not count. So are you willing to help me?

Attachment: rev70.zip

Resolution

We start by launching a file on the binary:

laxa:Challenges:00:28:45$ file serverfarm 
serverfarm: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0xa0f66f9d4bcb99d0102ce6b6bb838f84098b1023, not stripped

Then we fire IDA to see that the program is executhing that method:

int __fastcall handle_task(int result, char *a2)
{
  size_t v2; // ST0C_4@5
  char *s; // [sp+0h] [bp-1Ch]@1
  int v4; // [sp+4h] [bp-18h]@1
  size_t i; // [sp+8h] [bp-14h]@2
  unsigned int v6; // [sp+Ch] [bp-10h]@1

  v4 = result;
  s = a2;
  v6 = 0;
  switch ( result )
  {
    case 0:
      for ( i = 0; strlen(s) > i; ++i )
        v6 += (unsigned __int8)s[i];
      v2 = v6 / strlen(s);
      printf("%s", "Here's your 1. block:");
      if ( (signed int)v2 <= 35 )
      {
        printf("%s", "IW{");
        putchar(83);
        result = printf("%c%c\n", 46, 69);
      }
      else
      {
        result = puts("I{WAQ3");
      }
      break;
    case 1:
      printf("%s", "Here's your 2. block:");
      if ( (unsigned __int8)*s % (signed int)(unsigned __int8)s[1] == 65 )
      {
        printf("%s", ".R.");
        putchar(86);
        result = printf("%c%c\n", 46, 69);
      }
      else
      {
        result = puts("WI{QA3");
      }
      break;
    case 2:
      printf("%s", "Here's your 3. block:");
      if ( !strcmp(s, "1337") )
        result = puts(".R>=F:");
      else
        result = printf("%c%s%c\n", 46, "Q.D.Q", 33, s, v4);
      break;
    case 3:
      if ( *a2 )
        result = printf("%c%s%c\n", 65, ":R:M", 125, a2, result);
      break;
    default:
      return result;
  }
  return result;
}

From there, it’s pretty straighforward, given that the flag is this format: IW{xxxxx} we only have one possibilty for the flag to be.

Flag is: IW{S.E.R.V.E.R>=F:A:R:M}

Leave a Reply

Your email address will not be published.