write-ups-challenges-2022-2023/super-hightech-paint/super-hightech-paint-2/SOLUTION.md

## Difficulty
medium - 300/500 punten
(here you have to change binaries and understand how they work. This seems a little harder for most)

## How To Solve
There are probably many ways to solve this challenge, this is my solution.

I'm assuming you already have some knowledge about the binary from the previous challenge

I personally used GDB for this but other tools like ghidra that
decompile your code might make your life easier.

All the code that I patched was in the app_start function.

The code tries to open a file called .keystore.
If it fails it continues to the popup immediately
So we need to make sure it thinks the .keystore exists.
When reversing the code we see the c code probably looked like this:

	...
	FILE* fp = fopen(".keystore", "r");
	if (fp == NULL)
	{
		goto popup
	}
	...
	
To bypass this if statement, I chose to change the "r" to "w". This way
the fopen call will return a valid file pointer because it just created 
the .keystore to write to it. Another approach might be to change the if
statement to jump to the popup if the fp is equal to 1 instead of equal 0.
In GDB I can easily see the offset of the string so I simply changed the 'r'
character to a 'w' with hexedit

	offset: 0x5004 	0x72 to 0x77

Now the rest of the code reads from the opened file (which will fail cause
we just tricked it into thinking it exists) and checks if the key inside
is valid. Again there are multiple ways to tackle this problem. I attacked 
the `cmpl   $0x0,-0x1c(%rbp)` line. This checks if the return code of the 
check_is_key_valid is 0. If it is the code shows the popup. I changed this
line to `cmpl   $0x1,-0x1c(%rbp)`. Again with GDB I got the offset of the 
instruction and then I got the actual instruction by using `as` to compile
`_start: cmpl   $0x1,-0x1c(%rbp)` and reading the output with GDB.

	offset: 0x36da  0x00e47d83 to 0x01e47d83

After that the program is successfully patched and runs without asking for a 
license check so we can give it to grandma and she will draw our key for us.

## Flag
IGCTF{AY_4Y_C4PT4IN}
initial commit 2022-11-24 21:59:22 +00:00			`## Difficulty`
			`medium - 300/500 punten`
			`(here you have to change binaries and understand how they work. This seems a little harder for most)`

			`## How To Solve`
			`There are probably many ways to solve this challenge, this is my solution.`

			`I'm assuming you already have some knowledge about the binary from the previous challenge`

			`I personally used GDB for this but other tools like ghidra that`
			`decompile your code might make your life easier.`

			`All the code that I patched was in the app_start function.`

			`The code tries to open a file called .keystore.`
			`If it fails it continues to the popup immediately`
			`So we need to make sure it thinks the .keystore exists.`
			`When reversing the code we see the c code probably looked like this:`

			`...`
			`FILE* fp = fopen(".keystore", "r");`
			`if (fp == NULL)`
			`{`
			`goto popup`
			`}`
			`...`

			`To bypass this if statement, I chose to change the "r" to "w". This way`
			`the fopen call will return a valid file pointer because it just created`
			`the .keystore to write to it. Another approach might be to change the if`
			`statement to jump to the popup if the fp is equal to 1 instead of equal 0.`
			`In GDB I can easily see the offset of the string so I simply changed the 'r'`
			`character to a 'w' with hexedit`

			`offset: 0x5004 0x72 to 0x77`

			`Now the rest of the code reads from the opened file (which will fail cause`
			`we just tricked it into thinking it exists) and checks if the key inside`
			`is valid. Again there are multiple ways to tackle this problem. I attacked`
			the `cmpl $0x0,-0x1c(%rbp)` line. This checks if the return code of the
			`check_is_key_valid is 0. If it is the code shows the popup. I changed this`
			line to `cmpl $0x1,-0x1c(%rbp)`. Again with GDB I got the offset of the
			instruction and then I got the actual instruction by using `as` to compile
			`_start: cmpl $0x1,-0x1c(%rbp)` and reading the output with GDB.

			`offset: 0x36da 0x00e47d83 to 0x01e47d83`

			`After that the program is successfully patched and runs without asking for a`
			`license check so we can give it to grandma and she will draw our key for us.`

			`## Flag`
			`IGCTF{AY_4Y_C4PT4IN}`