Suninatas Game 20

challenges

Game 20

❯ file reverseme
reverseme: ELF 32-bit LSB executable, Intel i386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.24, BuildID[sha1]=edca29004a6470ffe6b43bf22c6c842c1dbb5900, not stripped
// Hex-Rays pseudocode for main(); the write-up author's "<-" notes are kept inline.
// Flow: exit unless argc <= 1 and argv[0] is exactly "./suninatas", zero every
// environment string, read one token, Base64-decode it and, when the decoded length
// is at most 12 (0xC) bytes, copy it into the global `input` and call auth().
// correct() is called only when auth() returns 1. main() itself always returns 0.
int __cdecl main(int argc, const char **argv, const char **envp)
{
// v4 is never assigned in this listing; it only appears as a stray printf argument
// (likely a decompiler artifact of the varargs call -- confirm in the disassembly).
char v4; // [esp+4h] [ebp-40h]
// v5 receives the address of the decoded data (it is the memcpy source below).
int v5; // [esp+10h] [ebp-34h] BYREF
// Input buffer: 30 bytes, spanning ebp-2Eh..ebp-11h per the stack annotations.
_BYTE s[30]; // [esp+16h] [ebp-2Eh] BYREF
// Decoded length; sits directly after s on the stack.
unsigned int v7; // [esp+34h] [ebp-10h]
unsigned int j; // [esp+38h] [ebp-Ch]
int i; // [esp+3Ch] [ebp-8h]

memset(s, 0, sizeof(s));
// strcmp() returns non-zero on mismatch, so any argv[0] other than "./suninatas"
// (or any extra argument) ends the program here.
if ( argc > 1 || strcmp(*argv, "./suninatas") ) <- only one arg and need to be suninatas
return 0;
// Overwrite every environment string with zero bytes before any input is read.
// strlen() is re-evaluated after each write, so the loop stops after the first byte
// is cleared -- NOTE(review): confirm against the disassembly.
for ( i = 0; envp[i]; ++i )
{
for ( j = 0; j < strlen(envp[i]); ++j )
envp[i][j] = 0;
}
_printf("Authenticate : ", v4);
// The %30s width excludes the terminating NUL, so scanf can store up to 31 bytes in
// the 30-byte s. The extra NUL lands on the low byte of v7 (ebp-10h), which is
// reassigned below before it is read. A width of 29 would keep the write inside s.
_isoc99_scanf("%30s", s); <- what is the size
// Clear 12 bytes of the global `input` before the copy.
memset(&input, 0, 0xCu);
v5 = 0;
// Base64Decode's body is not shown. Its return value is used as the decoded byte
// count; how the buffer behind v5 is allocated or released is not visible here.
v7 = Base64Decode(s, &v5);
// 0xC is 12: decoded data of 0..12 bytes is accepted. v7 is unsigned, so a negative
// return value would compare as a large number and be rejected.
if ( v7 <= 0xC ) <- int 13
{
// Copy is within the 12 bytes cleared above, assuming `input` is at least 12 bytes
// (its declaration is not shown -- confirm).
memcpy(&input, v5, v7);
// The same length (up to 12) is handed to auth(), which copies into a smaller local.
if ( auth(v7) == 1 )
correct(); <- !!!!
}
return 0;
}

// Hex-Rays pseudocode for auth(a1); a1 is the decoded length that main() limits to 12.
// Copies a1 bytes from the global `input` into the local v4, prints an MD5 hex string
// and returns non-zero when that string equals the hard-coded digest.
//
// NOTE(review): the copy is bounded by the caller's limit (12), not by the destination.
// v4 is a 4-byte int at ebp-8h, so any a1 above 4 writes past it; with a1 == 12 the copy
// covers ebp-8h..ebp+3h, which includes the saved frame pointer slot. This is presumably
// the memory-safety defect behind the write-up's "Stack Pivot" remark. The fix is to
// bound the length by sizeof(v4) or to make the destination as large as the accepted
// maximum.
_BOOL4 __cdecl auth(int a1)
{
// v2 is never written in this listing.
_BYTE v2[8]; // [esp+14h] [ebp-14h] BYREF
char *s2; // [esp+1Ch] [ebp-Ch]
int v4; // [esp+20h] [ebp-8h] BYREF

// Out-of-bounds write whenever a1 > sizeof(v4); see the note above.
memcpy(&v4, &input, a1);
// calc_md5's body is not shown. It is given v2 and length 12; per the stack
// annotations those 12 bytes (ebp-14h..ebp-9h) cover v2 and s2 but not v4, so the
// digest does not appear to be computed over the copied input -- confirm in the
// disassembly.
s2 = (char *)calc_md5((int)v2, 12); <- 12 bytes
// The literal below is split across two lines by the page extraction (a "\n" escape).
_printf("hash : %s
", s2);
// Plain string comparison against the fixed 32-hex-digit digest.
return strcmp("f87cd601aa7fedca99018a8be88eda34", s2) == 0;
}

// Hex-Rays pseudocode for correct(): prints the success message when the global `input`
// equals 0xDEADBEEF, then terminates the process. The exit(0) is outside the if, so the
// function exits with status 0 whether or not the message is printed and never returns.
void __noreturn correct()
{
// -559038737 is 0xDEADBEEF read as a signed 32-bit value (matches the author's cmp note).
if ( input == -559038737 ) <- cmp eax, 0DEADBEEFh
IO_puts("Congratulation! you are good!");
exit(0);
}

Stack Pivot (栈迁移) btw

surrender pwn

i will come back orz