From 247683ead3c714b5869b5fa2fb62c03dc2b00f0d Mon Sep 17 00:00:00 2001 From: dusoleil Date: Sun, 1 Aug 2021 23:19:55 -0400 Subject: Writeups from Imaginary CTF 2021 Adding Dusoleil's writeups from Imaginary CTF 2021 Signed-off-by: dusoleil --- docs/writeups/ImaginaryCTF_2021/stings.txt | 35 ++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 docs/writeups/ImaginaryCTF_2021/stings.txt (limited to 'docs/writeups/ImaginaryCTF_2021/stings.txt') diff --git a/docs/writeups/ImaginaryCTF_2021/stings.txt b/docs/writeups/ImaginaryCTF_2021/stings.txt new file mode 100644 index 0000000..906dc21 --- /dev/null +++ b/docs/writeups/ImaginaryCTF_2021/stings.txt @@ -0,0 +1,35 @@ +The Service +----------- +we're given an executable + +when run, a picture of a bee is printed out and it asks us for a password + +if we're wrong, it exits + +if we're right, it also exits, but what we entered is the flag + + + +Reversing +--------- +looking at the disassembly... + +there is a massive string which, after examining, seems to be the bee picture + +there are real stack canaries and the addresses change after first run in gdb, so pwn protections + +the bee picture is brought onto the stack + +a bunch of processing with it is done + +at some point it asks for input + +there is a loop that compares each character of the input to each character of the resulting buffer after the processing earlier + +it expects each character of the input to be -1 from the character in the buffer (you enter "ictf", but the buffer contains "jdug") + + + +Getting the flag from runtime memory +------------------------------------ +we can just run the program in gdb, break before inputting, check the status of the buffer, do the character shift in python, and then we have the input it wants (and the flag) -- cgit v1.2.3
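Review bot: the "Getting the flag from runtime memory" section of the new stings.txt does not say where to break or which direction the shift goes, so the writeup is not reproducible as written. The reversing section establishes that the check "expects each character of the input to be -1 from the character in the buffer (you enter "ictf", but the buffer contains "jdug")", so the final section should state explicitly that the breakpoint is placed at the comparison loop (after the bee-picture processing has filled the buffer) and that the recovered input is each buffer byte minus one, not plus one. It would also help to name the buffer (register or stack offset) that was dumped, and to expand "so pwn protections" into the concrete mitigations observed (stack canary, and PIE, since addresses change between runs under gdb). Minor: the commit subject says "Writeups" but only a single file is added; consider either the singular or a short note that further writeups follow.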