Free Flag (280 pts)

Mr. Shock is feeling generous today, so here's an attached program that will give you the flag. Just in case you don't know who this generous person is.

Author: Lurifos

Kita diberikan sebuah file ELF executable x86-64. Awalnya, saya mencoba untuk langsung membuka file ini menggunakan Ghidra. Akan tetapi, decompilernya gagal membaca fungsi utama entry() dengan benar, dan yang kita dapatkan adalah fungsi berantakan ini.

Setelah iseng mencoba melakukan strings pada file, saya menemukan bahwa file ini telah di-pack menggunakan UPX versi 5.00.

Merujuk pada write-up ini, kita perlu meng-unpack file dengan UPX yang versinya sesuai. UPX versi terbaru dapat di-download di sini.

Untuk unpack-nya sendiri cukup menjalankan ./upx -d <file> .

Setelah ini, kita decompile file yang baru menggunakan Ghidra. Sekarang, fungsi entry() tampak lebih jelas.

Fungsi ini memanggil fungsi lainnya yakni FUN_00401080() yang intinya adalah sebuah flag checker. Jika inputnya sama dengan flag, maka outputnya adalah benar.

undefined8 FUN_00401080(void)

{
  char *__s;
  size_t sVar1;
  char *__dest;
  ulong uVar2;
  ulong uVar3;
  bool bVar4;
  char local_41b;
  char local_41a;
  char acStack_419 [1025];
  
  puts("I\'m so sorry, I forgot what the flag is, could you please try to guess it first?");
  __s = acStack_419 + 1;
  printf("flag: ");
  fgets(__s,0x400,stdin);
  sVar1 = strlen(__s);
  if ((sVar1 != 0) && (acStack_419[sVar1] == '\n')) {
    acStack_419[sVar1] = '\0';
  }
  sVar1 = strlen(__s);
  __dest = &local_41b;
  bVar4 = sVar1 == 0x46;
  for (uVar3 = 0; uVar3 < sVar1; uVar3 = uVar3 + 2) {
    if (!bVar4) goto LAB_0040115f;
    __dest = strncpy(__dest,__s + uVar3,2);
    uVar2 = 0;
    if ((local_41b != '\0') && (local_41a != '\0')) {
      uVar2 = (uVar3 + 1) * ((long)local_41a + (long)local_41b * 0x100);
    }
    bVar4 = *(uint *)((long)&DAT_00402360 + uVar3 * 2) == uVar2;
  }
  if (bVar4) {
    puts("\n Wow congrats, that is indeed the correct flag");
  }
  else {
LAB_0040115f:
    puts("\n Uhmm, I\'m afraid that\'s wrong");
  }
  return 0;
}

Kalau dirapihkan, hasilnya akan seperti ini.

int check_flag() {
    char input[0x401];             // acStack_419 + 1
    size_t len;
    bool correct;
    uint16_t lo_hi;                // packed local_41b (low byte) and local_41a (high byte)
    uint32_t expected, computed;

    puts("I'm so sorry, I forgot what the flag is, could you please try to guess it first?");
    printf("flag: ");
    fgets(input, 0x400, stdin);

    // strip trailing newline if present
    len = strlen(input);
    if (len > 0 && input[len-1] == '\n') {
        input[len-1] = '\0';
        len--;
    }

    // Must be exactly 0x46 (70) characters long
    correct = (len == 0x46);

    // For each pair of characters in the input...
    for (size_t i = 0; i < len; i += 2) {
        if (!correct) break;

        // copy two chars into lo_hi: low byte = input[i], high byte = input[i+1]
        uint8_t b0 = input[i];
        uint8_t b1 = input[i+1];
        lo_hi = b0 | (b1 << 8);

        // compute value = (position_index+1) * lo_hi
        // note: position_index = i/2, so (i+1) in code = 2*(index)+1, but since they use (uVar2+1) with
        // uVar2=0,2,4,..., it effectively counts bytes: (byte_offset+1) * lo_hi
        computed = (uint32_t)(i + 1) * (uint32_t)lo_hi;

        // load the expected 32-bit value from the FLAG table at offset i*2
        // (they cast &FLAG + uVar2*2 to a uint*)
        expected = *((uint32_t*)((uint8_t*)&FLAG + i*2));

        if (computed != expected) {
            correct = false;
        }
    }

    if (correct) {
        puts("\n Wow congrats, that is indeed the correct flag");
    } else {
        puts("\n Uhmm, I'm afraid that's wrong");
    }

    return 0;
}

Value "FLAG" adalah DAT_00402360 yang tampak seperti ini pada Ghidra.

Bytes yang ada pada DAT_00402360 , jika dijalankan pada algoritma yang sama dengan fungsi flag checker di atas, tentunya akan menghasilkan flag. Oleh karena itu, berikut adalah script yang saya gunakan.

FLAG_bytes = bytes([
    0x46,0x49,0x00,0x00,0xF9,0xCF,0x00,0x00,0xF5,0xA4,0x01,0x00,
    0x5D,0x68,0x01,0x00,0xCB,0x30,0x04,0x00,0xA4,0xA8,0x04,0x00,
    0x96,0xD8,0x04,0x00,0x39,0xD3,0x02,0x00,0x41,0xEB,0x06,0x00,
    0x3B,0x2E,0x08,0x00,0x05,0xCF,0x07,0x00,0x89,0xFE,0x0A,0x00,
    0x22,0x01,0x0A,0x00,0x61,0x66,0x05,0x00,0x8D,0xC8,0x0A,0x00,
    0x81,0x5D,0x0D,0x00,0x51,0xF2,0x0D,0x00,0xF9,0xF8,0x0D,0x00,
    0x9F,0xCB,0x0D,0x00,0x79,0x5E,0x07,0x00,0xA8,0xDF,0x08,0x00,
    0xE7,0x43,0x08,0x00,0x9D,0xBB,0x10,0x00,0x71,0x77,0x16,0x00,
    0x30,0x17,0x15,0x00,0xED,0x07,0x0B,0x00,0xF0,0xD8,0x17,0x00,
    0xEA,0x7E,0x14,0x00,0x5B,0x6D,0x19,0x00,0xE5,0xD6,0x0B,0x00,
    0x4E,0x7C,0x0C,0x00,0x8D,0x95,0x0D,0x00,0x1F,0x0A,0x1D,0x00,
    0x44,0xB8,0x0D,0x00,0xB1,0x3D,0x1D,0x00
])

flag_chars = []
for k in range(35):
    offset_bytes = 4 * k
    expected = int.from_bytes(FLAG_bytes[offset_bytes:offset_bytes+4], 'little')
    multiplier = 2 * k + 1
    packed = expected // multiplier
    
    # sanity check: integer division exact
    assert expected == packed * multiplier

    high = (packed >> 8) & 0xFF
    low  = packed & 0xFF
    flag_chars.extend([high, low])

flag = bytes(flag_chars).decode('latin1')
print("Recovered flag:", flag)

Flag: IFEST13{w3ll_n07h1n9_1z_fr33_1n_l1f3_s0_7h15_1z_n07_s0_fr33_4f73r_4ll}