cscg24-rev1

CSCG 2024 Challenge 'Intro Reverse Engineering 1'
git clone https://git.sinitax.com/sinitax/cscg24-rev1

commit ce9cec2342ea6e64edc7d45c2e0baf274f38b33f
Author: Louis Burda <quent.burda@gmail.com>
Date:   Sat, 30 Mar 2024 16:01:19 +0100

Add solution

Diffstat:
A chall/intro-rev-1.zip | 0
A solve/Dockerfile | 18 ++++++++++++++++++
A solve/README.pdf | 0
A solve/README_german.pdf | 0
A solve/flag.txt | 1 +
A solve/notes | 23 +++++++++++++++++++++++
A solve/rev1 | 0
7 files changed, 42 insertions(+), 0 deletions(-)

diff --git a/chall/intro-rev-1.zip b/chall/intro-rev-1.zip Binary files differ. diff --git a/solve/Dockerfile b/solve/Dockerfile @@ -0,0 +1,17 @@ +# run via docker compose :) + +FROM ubuntu:22.04 + +RUN apt-get update + +RUN apt-get -y install socat +RUN useradd -d /home/ctf/ -m -p ctf -s /bin/bash ctf +RUN echo "ctf:ctf" | chpasswd + +WORKDIR /home/ctf + +COPY rev1 . +COPY flag.txt . + +USER ctf +CMD socat -ddd TCP4-LISTEN:1024,fork,reuseaddr exec:./rev1,pty,echo=0,raw,iexten=0 +\ No newline at end of file diff --git a/solve/README.pdf b/solve/README.pdf Binary files differ. diff --git a/solve/README_german.pdf b/solve/README_german.pdf Binary files differ. diff --git a/solve/flag.txt b/solve/flag.txt @@ -0,0 +1 @@ +CSCG{congrats_t0_y0ur_(maybe?)_f1rst_r3versing_task} diff --git a/solve/notes b/solve/notes @@ -0,0 +1,23 @@ +Open the binary in your favorite reverse engineering tool, using R2 here since its free. + +R2: + +aaa: **a**nalyze **a**ll functions & symbols (**a**hh!) +s main: **s**eek to main function +pdf: **p**rint **d**isassembly of current **f**unction + +we see the function calls initialize_flag, then puts + +then `read`s is called with arguments `read(0: rdi, buf: rsi, 0x1f: rdx)` + +In the x86_64 caling convetion the arguments are stored first in the +registers `rdi`, `rsi`, `rdx`, `rcx` then `r8` to `r15` and any +further arguments on the stack. Such a calling convention is defined +to allow interoperability between e.g. dynamically loaded libraries. +Theoretically, the binary could choose to call internal functions differently, +and some do (e.g. via stack variables directly). + +If a strcmp on the result from `read` yields 0 (meaning they are the same) +the program outputs "Thats the right password!" else "Thats not the password!". + +We can inspect the arguments to strcmp to find that the password is `m4gic_passw0rd`. diff --git a/solve/rev1 b/solve/rev1 Binary files differ.
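Review bot: in the solve/Dockerfile hunk, `useradd -d /home/ctf/ -m -p ctf -s /bin/bash ctf` does not give the user the password "ctf": `-p` expects an already-hashed password, so the literal `ctf` is stored as an invalid hash and the account only becomes usable because the next line, `RUN echo "ctf:ctf" | chpasswd`, overwrites it. Drop `-p ctf` and keep the chpasswd line. Two smaller points in the same hunk: `RUN apt-get update` and `RUN apt-get -y install socat` are separate layers, so a cached update layer can be paired with a later install against stale package lists; merge them into one `RUN apt-get update && apt-get install -y socat`. And the header comment says the image is run via docker compose, but no compose file is part of this commit and nothing documents the port; an `EXPOSE 1024` next to the `socat ... TCP4-LISTEN:1024` line would make the listener visible to whoever runs the image.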
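Review bot: the calling-convention paragraph in the solve/notes hunk lists the wrong registers: under the x86_64 System V ABI the integer and pointer arguments go in `rdi`, `rsi`, `rdx`, `rcx`, `r8`, `r9` (six registers) and the seventh argument onward on the stack; `r10` to `r15` are never used for arguments, so the line `registers \`rdi\`, \`rsi\`, \`rdx\`, \`rcx\` then \`r8\` to \`r15\`` should read `registers \`rdi\`, \`rsi\`, \`rdx\`, \`rcx\`, \`r8\` and \`r9\``. The `read(0: rdi, buf: rsi, 0x1f: rdx)` mapping above it is consistent with that. Typos in the same hunk: "caling convetion" should be "calling convention", "its free" should be "it's free", and "then `read`s is called" should be "then `read` is called".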