2.0 KiB
Difficulty
medium - 300/500 punten (here you have to change binaries and understand how they work. This seems a little harder for most)
How To Solve
There are probably many ways to solve this challenge, this is my solution.
I'm assuming you already have some knowledge about the binary from the previous challenge
I personally used GDB for this but other tools like ghidra that decompile your code might make your life easier.
All the code that I patched was in the app_start function.
The code tries to open a file called .keystore. If it fails it continues to the popup immediately So we need to make sure it thinks the .keystore exists. When reversing the code we see the c code probably looked like this:
...
FILE* fp = fopen(".keystore", "r");
if (fp == NULL)
{
goto popup
}
...
To bypass this if statement, I chose to change the "r" to "w". This way the fopen call will return a valid file pointer because it just created the .keystore to write to it. Another approach might be to change the if statement to jump to the popup if the fp is equal to 1 instead of equal 0. In GDB I can easily see the offset of the string so I simply changed the 'r' character to a 'w' with hexedit
offset: 0x5004 0x72 to 0x77
Now the rest of the code reads from the opened file (which will fail cause
we just tricked it into thinking it exists) and checks if the key inside
is valid. Again there are multiple ways to tackle this problem. I attacked
the cmpl $0x0,-0x1c(%rbp)
line. This checks if the return code of the
check_is_key_valid is 0. If it is the code shows the popup. I changed this
line to cmpl $0x1,-0x1c(%rbp)
. Again with GDB I got the offset of the
instruction and then I got the actual instruction by using as
to compile
_start: cmpl $0x1,-0x1c(%rbp)
and reading the output with GDB.
offset: 0x36da 0x00e47d83 to 0x01e47d83
After that the program is successfully patched and runs without asking for a license check so we can give it to grandma and she will draw our key for us.
Flag
IGCTF{AY_4Y_C4PT4IN}