Nuit-du-hack-2016/Matriochka/Step-1
Description
The challenge is described as follows:
Can you help me? Recently, I found an executable binary. As I'm a true newbie, certainly, to solve it, I will have difficulties. Keep in mind, the first step is quite easy. Maybe the last one will be quite tricky. Emulating it could be a good idea.
The challenge is available at:
- (main) http://static.quals.nuitduhack.com/stage1.bin
- (mirror) https://github.com/sebastiendamaye/public/raw/master/crackme/817d561f02a0cf42097812f4ce39fc34
File hashes:
MD5: 817d561f02a0cf42097812f4ce39fc34
SHA1: f6bb4fd2192845ac6b65271fd1e02fcc67f9f449
SHA256: ed0093922d7b3f42a34610a3dd3d09f92c42ef8647a514a7cce8dea7fecbf116
Analysis
Running the executable
$ file stage1.bin
stage1.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=d023239e2bf37734ba5a67401a092ba6273c37b6, not stripped
The executable is a 64-bit, dynamically linked ELF. It is not stripped, so function and variable names survive in the disassembly. Run without arguments it prints a usage line, and with a wrong argument it rejects the input:
$ ./stage1.bin
Usage: ./stage1.bin <pass>
$ ./stage1.bin oops
Try again...
Call to strcmp
This stage is really easy to solve. As shown in the extract below, the binary calls strcmp (the call is at 0x40069A) to compare the first command-line argument, argv[1], with the hard-coded string "Much_secure__So_safe__Wow". Because the expected password is stored in clear in the binary and referenced directly as an immediate operand, no emulation or debugging is needed for this step: reading the disassembly (or simply the binary's string table) is enough.
.text:0000000000400687 loc_400687:
.text:0000000000400687 mov rax, [rbp+pass] ; rax = argv
.text:000000000040068B add rax, 8 ; rax = &argv[1]
.text:000000000040068F mov rax, [rax] ; rax = argv[1] (user input)
.text:0000000000400692 mov esi, offset s2 ; "Much_secure__So_safe__Wow"
.text:0000000000400697 mov rdi, rax ; s1
.text:000000000040069A call _strcmp
.text:000000000040069F test eax, eax
.text:00000000004006A1 jnz loc_400773
.text:00000000004006A7 mov rax, cs:stdout@@GLIBC_2_2_5
.text:00000000004006AE mov rcx, rax ; s
.text:00000000004006B1 mov edx, 0Bh ; n
.text:00000000004006B6 mov esi, 1 ; size
.text:00000000004006BB mov edi, offset aGoodGood ; "Good good!\n"
.text:00000000004006C0 call _fwrite
.text:00000000004006C5 mov [rbp+var_8], 0
.text:00000000004006CC mov [rbp+var_4], 0
.text:00000000004006D3 jmp loc_400764
Solution
Providing the right password prints "Good good!" followed by a long base64-encoded blob:
$ ./stage1.bin Much_secure__So_safe__Wow
Good good!
c3RhZ2UyLmJpbgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAwMDA3NTUAMDAwMTc1
MAAwMDAxNzUwADAwMDAwMTA0MjQwADEyNjU1MTAwNzc2ADAxMjMwMgAgMAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB1c3RhciAgAGpoZXJ2ZQAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAamhlcnZlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB/
RUxGAgEBAAAAAAAAAAAAAgA+AAEAAABgBUAAAAAAAEAAAAAAAAAAoIEAAAAAAAAAAAAAQAA4AAkA
QAAcABsABgAAAAUAAABAAAAAAAAAAEAAQAAAAAAAQABAAAAAAAD4AQAAAAAAAPgBAAAAAAAACAAA
[...SNIP...]
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
If we save the base64 part of that output (without the "Good good!" line) to a file (stage1.base64) and decode it, the result is not the second-stage executable itself but a tar archive containing it: the first line of the blob (c3RhZ2UyLmJpbg...) decodes to the member name "stage2.bin" in the tar header's name field, the "ustar" magic follows at offset 257, and the ELF header of the second stage (the "RUxG" line, i.e. "ELF") starts at offset 512, right after the 512-byte header. Extracting the archive yields stage2.bin, the next stage.
$ cat stage1.base64 | base64 -d > stage2
$ file stage2
stage2: POSIX tar archive (GNU)
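As an added worked example (not part of the original write-up), the script below reproduces the pipeline of this section in Python: it strips the "Good good!" line, base64-decodes the rest, and then parses the 512-byte ustar header by hand instead of trusting `file`, checking the magic at offset 257 and the header checksum, reading the member name and size, and pulling out the member that starts at offset 512 to confirm it carries an ELF64 header. The real stage-1 output is not reproduced here: build_sample_output() constructs a stand-in archive with Python's tarfile module, so the member body is a fake ELF identification, not the actual stage2.bin.

```python
import base64
import io
import tarfile


def build_sample_output(member_name="stage2.bin"):
    """Construct a stand-in for the stage-1 output: a 'Good good!' line followed
    by base64 of a one-member ustar archive. Built with tarfile for the sake of
    an offline example; this is NOT the real stage-2 payload."""
    # Fake member body: ELF identification (\x7fELF, EI_CLASS 2 = 64-bit,
    # little-endian, version 1), e_type=2 (EXEC), e_machine=0x3e (x86-64), padding.
    payload = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
               + b"\x02\x00\x3e\x00" + b"\x00" * 100)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        info = tarfile.TarInfo(member_name)
        info.size = len(payload)
        info.mode = 0o755
        tf.addfile(info, io.BytesIO(payload))
    b64 = base64.b64encode(buf.getvalue()).decode()
    wrapped = "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return "Good good!\n" + wrapped + "\n"


def decode_stage_output(text):
    """Drop the 'Good good!' line, then base64-decode the remaining text.
    Whitespace (the 76-column wrapping) is ignored; invalid characters raise."""
    parts = text.split("\n", 1)
    body = parts[1] if text.startswith("Good good!") and len(parts) > 1 else text
    return base64.b64decode("".join(body.split()), validate=True)


# POSIX writes "ustar\0" at offset 257; GNU tar writes "ustar  \0" (two spaces).
USTAR_MAGICS = (b"ustar\x00", b"ustar ")


def parse_ustar_header(block):
    """Parse one 512-byte tar header by its fixed field offsets and verify the
    header checksum. Raises ValueError if the block is not a tar header."""
    if len(block) < 512:
        raise ValueError("short header block")
    magic = block[257:263]
    if magic not in USTAR_MAGICS:
        raise ValueError("no ustar magic at offset 257: %r" % magic)

    def octal(field):
        # Numeric fields are ASCII octal, NUL- or space-terminated.
        return int(field.split(b"\x00", 1)[0].strip() or b"0", 8)

    stored = octal(block[148:156])
    # The checksum is the byte sum of the header with the 8 chksum bytes read as spaces.
    computed = sum(block[:148]) + 8 * 0x20 + sum(block[156:512])
    if stored != computed:
        raise ValueError("header checksum mismatch: %o != %o" % (stored, computed))
    return {
        "name": block[0:100].split(b"\x00", 1)[0].decode(),
        "mode": octal(block[100:108]),
        "size": octal(block[124:136]),
        "typeflag": block[156:157],          # b"0" = regular file
        "uname": block[265:297].split(b"\x00", 1)[0].decode(),
    }


def extract_first_member(archive):
    """Return (name, data) of the first member; its data begins at offset 512."""
    hdr = parse_ustar_header(archive[:512])
    return hdr["name"], archive[512:512 + hdr["size"]]


def is_elf64(data):
    """True if data starts with the ELF magic and EI_CLASS marks it 64-bit."""
    return data[:4] == b"\x7fELF" and data[4:5] == b"\x02"


def cross_check_with_tarfile(archive):
    """Independent check of the hand parser using the standard library."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tf:
        return tf.getnames()


if __name__ == "__main__":
    raw = decode_stage_output(build_sample_output())
    name, data = extract_first_member(raw)
    print(name, len(data), "bytes, ELF64:", is_elf64(data))
```

On the real decoded file the same steps are what `tar xf stage2` performs; parsing the header manually only makes explicit where `file`'s "POSIX tar archive" verdict comes from (the magic at offset 257) and why the base64 output begins with c3RhZ2UyLmJpbg (the name field "stage2.bin" at offset 0). Verifying the checksum before trusting the size field is the check worth keeping when the blob comes from an untrusted binary.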
Keywords: nuit-du-hack-2016 NDH2K16 challenge reversing