blob: defdd9f27e4e3b86cc7b75d836b7cd148c3d942b (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
|
# Never gonna run around and reverse you
## First look
We are given a `hash` file consisting of a hexadecimal string and a
`hasher` file that appears to be the compiled program that produced the
`hash`.
For futher analysis we run `strings hasher` and confirm that it contains
strings that indicate a C-like origin.
## Decompilation
We decompile the program using BinaryNinja on the
[dogbolt](https://dogbolt.org) decompiler explorer:
``` c
int32_t main(int32_t argc, char** argv, char** envp)
{
if (argc <= 1)
{
printf("Please provide a flag as an argu…");
exit(1);
/* no return */
}
char* rax_2 = argv[1];
int32_t rax_4 = strlen(rax_2);
void* rax_8 = malloc((rax_4 + 2));
strcpy((rax_8 + 1), rax_2);
for (int32_t i = 1; rax_4 >= i; i = (i + 1))
{
*(rax_8 + i) = (*(rax_8 + i) ^ *(rax_8 + (i - 1)));
printf("%02x", *(rax_8 + i));
}
putchar(0xa);
return 0;
}
```
Further clean-up of the code is done manually in order to better
understand the used hashing scheme:
``` c
void hash(char *input)
{
int input_len = strlen(input);
void* buffer = malloc(input_len + 2);
strcpy((buffer + 1), input_len);
for (int i = 1; input_len >= i; i += 1)
{
buffer[i] = buffer[i] ^ buffer[i - 1];
printf("%02x", buffer[i]);
}
printf('\n');
}
```
## Exploit
The exploit can now simply be achieved by reversing the given hash
function. We (ab)use the fact that XOR is a reversible operation.
Therefore, the following Python script decodes the provided `hash`.
``` python
hash = "...<hash>..."
hash_bytes = b"\0" + bytes.fromhex(hash)
for i in range(1, len(hash_bytes)):
print(chr(hash_bytes[i] ^ hash_bytes[i - 1]), end="")
```
``` bash
> GPNCTF{...}
```
|
