{"id":1202,"date":"2015-09-22T02:41:19","date_gmt":"2015-09-22T00:41:19","guid":{"rendered":"https:\/\/0x90r00t.com\/fr\/?p=1202"},"modified":"2015-09-23T02:28:12","modified_gmt":"2015-09-23T00:28:12","slug":"ekoparty-pre-ctf-2015-reverse-50-decode-it-write-up","status":"publish","type":"post","link":"https:\/\/0x90r00t.com\/fr\/2015\/09\/22\/ekoparty-pre-ctf-2015-reverse-50-decode-it-write-up\/","title":{"rendered":"[EKOPARTY PRE-CTF 2015] [Rev50 &#8211; Decode it] Write up"},"content":{"rendered":"<h2>Description<\/h2>\n<blockquote><p>Decode it.<\/p>\n<p>Description: A not so known decoding algorithm.<\/p>\n<p>Hints: Do not trust symbols! they are lying. Check the algorithm.<\/p>\n<p>Attachment: <a href=\"https:\/\/0x90r00t.com\/wp-content\/uploads\/2015\/09\/reversing50.zip\">reversing50.zip<\/a><\/p><\/blockquote>\n<p><!--more--><\/p>\n<h2>Resolution<\/h2>\n<p>At first glance we are looking at what must be a crackme; the twist is that it is compiled to run on a 32-bit ARM architecture.<\/p>\n<p><code>ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), for GNU\/Linux 2.6.26, BuildID[sha1]=0c1ab16b5f128e614308d2f8c1776d46080a6597, not stripped<\/code><\/p>\n<p>Running the <code>strings<\/code> tool on it, we see some interesting imported library functions:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nmemcmp\r\nmalloc\r\n&#x5B;...]\r\nMD5@@OPENSSL_1.0.0\r\n&#x5B;...]\r\nBase64decode_len\r\n<\/pre>\n<p>memcmp? Well, well. That is rather handy for comparing strings (among other things). MD5 for hashing, and base64 for encoding\/decoding.<\/p>\n<p>Let&rsquo;s play with LD_PRELOAD to hook the memcmp call:<\/p>\n<pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\r\n#define _GNU_SOURCE\r\n#include &lt;dlfcn.h&gt;\r\n#include &lt;string.h&gt;\r\n#include &lt;stdio.h&gt;\r\n\r\n\/* Type of the real memcmp we forward to after logging. *\/\r\ntypedef int (*omemcmp)(const void *s1, const void *s2, size_t n);\r\n\r\n\/* Because of LD_PRELOAD this memcmp is resolved before libc's: it logs\r\n * both buffers and the length, then calls the real implementation. *\/\r\nint memcmp(const void *s1, const void *s2, size_t n) {\r\n    \/* Resolve the next memcmp in lookup order (libc's); cast to the\r\n     * function-pointer type, not to int. *\/\r\n    omemcmp omem = (omemcmp)dlsym(RTLD_NEXT, &quot;memcmp&quot;);\r\n    \/* %s assumes NUL-terminated buffers, which holds for the password\r\n     * strings in this crackme; %zu is the correct format for size_t. *\/\r\n    printf(&quot;s1:%s\\ns2:%s\\ns:%zu\\n&quot;, (const char *)s1, (const char *)s2, n);\r\n    return omem(s1, s2, n);\r\n}\r\n<\/pre>\n<p>We run it:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n$ echo 'a' | LD_PRELOAD=.\/preload.so .\/decoder\r\nPlease, enter your encoded password: s1:\r\ns2:PASS_QIV1qyLR0hFEQU5KCbfm3Hok5V0VmpinCWseVd2X\r\ns:4\r\nAccess denied\r\n<\/pre>\n<p>Here we see that the string we enter must have the value &ldquo;PASS_QIV1qyLR0hFEQU5KCbfm3Hok5V0VmpinCWseVd2X&rdquo; by the time it reaches the comparison point. But passing that string as-is does not work.<\/p>\n<p>After a closer analysis, it turned out that the very same string has to be sent, but base64-encoded.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n$ LD_PRELOAD=.\/preload.so .\/decoder\r\nPlease, enter your encoded password: UEFTU19RSVYxcXlMUjBpRkVRVTVLQ2JnbTNIb2s1VjBWbXBobkNXc2VWZDJY\r\ns1:PASS_QIV1qyLR0hFEQU5KCbfm3Hok5V0VmpinCWseVd2X\r\ns2:PASS_QIV1qyLR0hFEQU5KCbfm3Hok5V0VmpinCWseVd2X\r\ns:46\r\nGreat! the flag is EKO{4fa8c8eac431266a25f56a297a73c334}\r\n<\/pre>\n<p><code>The flag is: EKO{4fa8c8eac431266a25f56a297a73c334}<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description Decode it. Description: A not so known decoding algorithm. Hints: Do not trust symbols! they are lying. Check the algorithm. Attachment: reversing50.zip<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,35,70],"tags":[85,75,84,10],"class_list":["post-1202","post","type-post","status-publish","format-standard","hentry","category-2015-fr","category-ctf-fr","category-ekoparty","tag-base64","tag-ekoparty","tag-ld_preload","tag-reverse"],"_links":{"self":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/1202","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/comments?post=1202"}],"version-history":[{"count":8,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/1202\/revisions"}],"predecessor-version":[{"id":1275,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/1202\/revisions\/1275"}],"wp:attachment":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/media?parent=1202"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/categories?post=1202"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/tags?post=1202"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}