The Evil Bit Blog: 9447 CTF 2014 Writeup

I played as part of the Hungarian reTEK team. Here are my solutions for the Reversing 1,25,100 challenges.

Reversing 1 - insanity_check

This was a very simple challenge, which could be solved with a simple "strings" command.

The flag was "9447{This_is_a_flag}".

Reversing 25 - no_strings_attached

This was also wasn't that hard, simply running the application in debugger revealed the solution, I used EDB in Kali. When we get to the following function, we had to step-into it (F7):

Then single step (F7 or F8) until the following point:

At this time EAX was pointing to the flag:

The flag was "9447{you_are_an_international_mystery}".

Reversing 100 - rolling

This one was a bit trickier. I used 64 bit Kali to debug it again, and in order to be able to run the code I had to install a new libc6, otherwise I got the following error:

root@kali:~# ./rolling

./rolling: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.14' not found (required by ./rolling)

To solve it, add the following line to the sources.list:

deb http://ftp.debian.org/debian sid main

Then install a new linbc:

apt-get update

apt-get -t sid install libc6-dev

Then I could run the app:

root@kali:~# ./rolling

Fynd i mewn i cyfrinair

root@kali:~# ./rolling ddd

Nac oes. Ceisiwch eto.

It expected a string as an argument, and if it was correct it printed another one, not "Nac oes....". I started EDB with a custom argument:

After playing around, I found that the following function call will "decide" the output:

We had to step into it.

The input string was compared to something, which was started with ASCII decimal 57 102 108. The full string was "57 102 108 97 103 115 115 116 97 114 116 119 105 116 104 57", which is "9flagsstartwith9". I changed the argument to this, and started debug again (this wasn't the required string).

Once stepping in again to the same function, it turned out the the compare actually changed, so this time it started with "57 52 52 55", which is "9447".