[CTF] SquareCTF2019 Write-up— Aesni (Challenge#2)

Hello! Over the weekend and a couple of the past days, I had a chance to participate in SquareCTF2019 with my co-workers. It was our first time teaming up to do a CTF. Our team placed 28th out of 223 teams by solving 6 of the 10 challenges. We realized there are many things we need to build up, but since it was our first one, I am very proud of our team, and everyone who participated did an awesome job!
I solved one of the binary challenges, Aesni (Challenge#2), and here I will show how I cracked it. Honestly, it wasn't a complicated one and was simple to solve; however, it took a bit to figure out how to fit all the puzzle pieces together to get the flag.
Challenge

The challenge gives us a binary to work on. Clicking the link downloads it.
Binary (Aesni)
A quick look at the binary shows that it is a 32-bit (x86) executable. When I simply ran it, it exited after displaying a no-entry ⛔ emoji. Passing ten "A"s as an argument didn't seem to do anything, but at least we can tell it accepts an argument. I also tried passing over 5,000 "A"s to see whether it would crash, but no luck. Time to do some static analysis.

Static Analysis
Once I loaded the binary into gdb (I use gdb-peda, in case you wonder), I checked the security mitigations and attempted to set a breakpoint on the main function. Most mitigations are disabled except for NX (non-executable stack/heap), which marks writable memory as non-executable: a plain buffer overflow can still corrupt memory, but it cannot simply jump into injected shellcode. The binary is stripped, though, so there was no main symbol to break on.

I used the "info file" command to find the entry point at 0x8048060 so I could proceed with my analysis.

And I set that entry point as a breakpoint and began analysis.

When I do static analysis, I usually look for interesting instructions such as cmp or jmp. I reached the first cmp instruction, and it compares EAX with 0x2. If the two values are equal, je jumps to the specified label (0x80482110); if not, execution falls through. Given that the program accepts one argument, this is most likely the argument-count check: argc is 2 when exactly one argument is supplied.

Looks interesting, so I chimed in at that point to see what happens if I modify EAX to 0x2 instead of 0x1. (I also recommend just running the program as-is the first time you do the analysis, but this is for my walkthrough, so I went ahead and made the change :})

Then I continued, and I got a crash at the location 0x80480bc.

I did some research on what the repz cmps BYTE PTR ds:[esi],BYTE PTR es:[edi] instruction does. It compares the byte at [esi] with the byte at [edi], advances both esi and edi, decrements ecx, and repeats as long as ecx is not zero and the last two bytes compared equal; it stops at the first mismatch. Our modification made the program crash, most likely because we faked the argument count without actually supplying an argument, so one of the two pointers did not reference a valid string. However, at that point ESI pointed at a "secret" string: "ThIs-iS-fInE".
Running the program with that secret sauce as the argument gives us the flag!
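To make the instruction semantics above concrete, here is a small model of repz cmpsb (with DF = 0) driven the way the binary appears to use it: the secret at ESI, the user-supplied argument at EDI, and ECX set to the length of the secret plus its terminating NUL. This is an added example, not code from the challenge binary or from the original write-up; the addresses, the memory layout and the candidate inputs are constructed for illustration, and the loop length including the NUL is an assumption about how the binary sizes the compare. The model also reproduces the crash seen in gdb: patching the argument count to 2 without passing an argument leaves argv[1] as NULL, so the compare touches unmapped memory.

```python
"""Model of x86 'repz cmpsb' (DF = 0) as used by a string-compare loop.

Added example; not the challenge binary's code. Addresses and inputs are constructed.
"""

SECRET = b"ThIs-iS-fInE"        # the string observed at ESI in the write-up
SECRET_ADDR = 0x80490A0         # constructed: where the secret lives in the image
ARGV1_ADDR = 0xFFFFD500         # constructed: where argv[1] lands on the stack


class MemoryFault(Exception):
    """Raised when the model touches an address that is not mapped (a SIGSEGV)."""


def repz_cmpsb(mem, esi, edi, ecx):
    """Execute 'repz cmpsb' over a dict-based memory image.

    Semantics with DF = 0: while ECX != 0, compare the byte at DS:[ESI] with the
    byte at ES:[EDI], set ZF from the result, increment both pointers, decrement
    ECX, and stop as soon as the bytes differ or ECX reaches 0.
    Returns the final (esi, edi, ecx, zf).
    """
    zf = 1  # with ECX == 0 no compare happens; assume ZF was set beforehand
    while ecx != 0:
        if esi not in mem or edi not in mem:
            bad = esi if esi not in mem else edi
            raise MemoryFault(f"access to unmapped address {bad:#x}")
        zf = 1 if mem[esi] == mem[edi] else 0
        esi += 1
        edi += 1
        ecx -= 1
        if zf == 0:
            break
    return esi, edi, ecx, zf


def build_memory(secret, argv1):
    """Constructed memory image: the NUL-terminated secret at SECRET_ADDR and the
    NUL-terminated argument at ARGV1_ADDR. argv1=None models argc being forced to 2
    in gdb with no real argument: argv[1] is NULL and nothing is mapped at address 0.
    """
    mem = {}
    for i, b in enumerate(secret + b"\x00"):
        mem[SECRET_ADDR + i] = b
    if argv1 is not None:
        for i, b in enumerate(argv1 + b"\x00"):
            mem[ARGV1_ADDR + i] = b
    return mem


def check_argument(argv1, secret=SECRET):
    """Return True when argv1 matches the secret the way the modelled loop does.

    ECX covers the secret plus its NUL, so a prefix ("ThIs") fails when '-' meets
    the argument's NUL, and a longer input ("ThIs-iS-fInE!") fails when the
    secret's NUL meets '!'. Success requires ECX to run down to 0 with ZF still set.
    """
    mem = build_memory(secret, argv1)
    edi = ARGV1_ADDR if argv1 is not None else 0   # NULL argv[1]
    _, _, ecx, zf = repz_cmpsb(mem, SECRET_ADDR, edi, len(secret) + 1)
    return ecx == 0 and zf == 1


def faults_on_null_argv():
    """Reproduce the gdb crash: argc patched to 2 but argv[1] == NULL."""
    try:
        check_argument(None)
    except MemoryFault:
        return True
    return False


if __name__ == "__main__":
    for candidate in (b"A" * 10, b"ThIs", b"ThIs-iS-fInE!", SECRET):
        print(candidate, "->", "flag" if check_argument(candidate) else "no entry")
    print("NULL argv[1] faults:", faults_on_null_argv())
```

The crash is the useful part: because the compare dereferences both pointers before it ever checks for equality, forcing the argument-count branch without an argument faults inside the loop, and at that moment ESI is still parked on the secret, which is exactly what the gdb session above exposed.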

Conclusion
Honestly, I am 100% sure this wasn't the intended or elegant way to solve the puzzle. I am sure it was meant to be a find-the-right-key-to-decode-the-encoded-strings kind of challenge. But there isn't always one right way to solve a problem. :) Thanks for reading!
