authorMarvin Borner2024-06-03 22:54:35 +0200
committerMarvin Borner2024-06-03 22:54:35 +0200
commit06e1e737a5eeae22d725fba01c44eabc86d6ee99 (patch)
tree2bb14074a3cb15b959e2c5af66b8a21f87069237
parentbcaae7797b1f2d1990b0a8ff5c7117d7362163a0 (diff)
never gonna run around and reverse you
-rw-r--r--never-gonna-run-around-and-reverse-you.md74
1 files changed, 74 insertions, 0 deletions
diff --git a/never-gonna-run-around-and-reverse-you.md b/never-gonna-run-around-and-reverse-you.md
new file mode 100644
index 0000000..08959a7
--- /dev/null
+++ b/never-gonna-run-around-and-reverse-you.md
@@ -0,0 +1,74 @@
+# Never gonna run around and reverse you
+
+## First look
+
+We are given a `hash` file consisting of a hexadecimal string and a
+`hasher` file that appears to be the compiled program that produced the
+`hash`.
+
+For futher analysis we run `strings hasher` and confirm that it contains
+strings that indicate a C-like origin.
+
+## Decompilation
+
+We decompile the program using BinaryNinja on the
+[https://dogbolt.org](dogbolt) decompiler explorer:
+
+``` c
+int32_t main(int32_t argc, char** argv, char** envp)
+{
+ if (argc <= 1)
+ {
+ printf("Please provide a flag as an argu…");
+ exit(1);
+ /* no return */
+ }
+ char* rax_2 = argv[1];
+ int32_t rax_4 = strlen(rax_2);
+ void* rax_8 = malloc((rax_4 + 2));
+ strcpy((rax_8 + 1), rax_2);
+ for (int32_t i = 1; rax_4 >= i; i = (i + 1))
+ {
+ *(rax_8 + i) = (*(rax_8 + i) ^ *(rax_8 + (i - 1)));
+ printf("%02x", *(rax_8 + i));
+ }
+ putchar(0xa);
+ return 0;
+}
+```
+
+Further clean-up of the code is done manually in order to better
+understand the used hashing scheme:
+
+``` c
+void hash(char *input)
+{
+ int input_len = strlen(input);
+ void* buffer = malloc(input_len + 2);
+ strcpy((buffer + 1), input_len);
+ for (int i = 1; input_len >= i; i += 1)
+ {
+ buffer[i] = buffer[i] ^ buffer[i - 1];
+ printf("%02x", buffer[i]);
+ }
+ printf('\n');
+}
+```
+
+## Exploit
+
+The exploit can now simply be achieved by reversing the given hash
+function. We (ab)use the fact that XOR is a reversible operation.
+Therefore, the following Python script decodes the provided `hash`.
+
+``` python
+hash = "...<hash>..."
+hash_bytes = b"\0" + bytes.fromhex(hash)
+
+for i in range(1, len(hash_bytes)):
+ print(chr(hash_bytes[i] ^ hash_bytes[i - 1]), end="")
+```
+
+``` bash
+> GPNCTF{...}
+```