# Riscure hack me 2 (quals)


Download

# wget https://github.com/Riscure/Rhme-2016/raw/master/RHme2_prequalification_challenge
# file RHme2_prequalification_challenge
RHme2_prequalification_challenge: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=d2e181c26c49dbf067beaba93387f7ef75bc3a91, not stripped

Option 1: Hopper and gdb

# strings RHme2_prequalification_challenge | grep Well
Well done! You found the secret password!

1. Load the binary using hopper.
2. Search the previous string.
3. Go to the address where it is referenced (0x400855).
4. Do a decompilation:

// Hopper decompilation of main(); comments added for reading.
// rbx points at a stack buffer that receives the decrypted secret,
// arg_42 is the buffer that receives the user's input.
int main() {
    stack[2047] = rbx;
    rsp = rsp - 0x8 - 0x1b0;
    rbx = arg_32;
    rax = 0x0;
    asm{ rep stosq  qword [ds:rdi], rax };   // rax == 0: presumably zero-fills a local buffer
    // De-obfuscate the 32-byte key stored at 0x601080 in place:
    // key[i] ^= low byte of ((i << 4) | i), for i = 0 .. 0x1f.
    do {
            rsi = sign_extend_64(rax);
            rdx = rax << 0x4 | rax;
            rax = rax + 0x1;
            *(int8_t *)(rsi + 0x601080) = rdx ^ *(int8_t *)(rsi + 0x601080) & 0xff;
    } while (rax != 0x20);
    // 0x100 = 256-bit key; the decrypt schedule lands in var_4.
    AES_set_decrypt_key(0x601080, 0x100, var_4);
    // Decrypt the embedded block (arg_30) into rbx: from here on the
    // plaintext secret sits on the stack, which is what every hook
    // on memcmp below (gdb, LD_PRELOAD, Frida, r2) reads out.
    AES_decrypt(arg_30, rbx, var_4);
    puts("What is the secret password?");
    // Reads up to 0x4f characters; *__TMC_END__ is a decompiler symbol
    // guess, presumably stdin.
    fgets(arg_42, 0x50, *__TMC_END__);
    // Only the first 0x10 bytes of the input take part in the comparison.
    if (memcmp(arg_42, rbx, 0x10) != 0x0) {
            __printf_chk(0x1, "\nThat is not correct!");
    }
    else {
            __printf_chk(0x1, "\nWell done! You found the secret password!");
    }
    rax = 0x0;
    // Stack-protector epilogue: compare the saved canary against *0x28
    // (the TLS canary slot) and abort on mismatch.
    rbx = stack[1993] ^ *0x28;
    COND = rbx != 0x0;
    if (COND) {
            rax = __stack_chk_fail();
    }
    return rax;
}
5. Find the address where memcmp is called:
000000000040081d         call       j_memcmp
# gdb ./RHme2_prequalification_challenge
(gdb) b *0x40081d
(gdb) run
What is the secret password?
IDONTKNOW

Breakpoint 1, 0x000000000040081d in main ()
(gdb) x/s $rbx
0x7fffffffe508: "TH1S 1s s3cr3t!!"

Option 2: LD_PRELOAD

# cat mylib.c
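#include <stddef.h>
#include <stdio.h>

/*
 * LD_PRELOAD replacement for memcmp(3) that prints both operands before
 * comparing them.
 *
 * The prototype matches libc (size_t n) so the interposed call sees the
 * same arguments. The previous version declared n as int, never returned
 * a value -- undefined behaviour once main() tests the result -- and used
 * "%s" on buffers that are not guaranteed to be NUL-terminated.
 *
 * s1, s2: buffers being compared (here the user input and the decrypted secret).
 * n:      number of bytes to compare; also bounds what is printed.
 * Returns <0, 0 or >0 like memcmp so the caller's check keeps working.
 */
int memcmp(const void *s1, const void *s2, size_t n) {
    const unsigned char *a = s1;
    const unsigned char *b = s2;
    size_t i;

    /* Precision bounds the read to n bytes; a NUL still ends it earlier. */
    printf("%.*s\n", (int)n, a);
    printf("%.*s\n", (int)n, b);

    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            return a[i] - b[i];
        }
    }
    return 0;
}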
# gcc -fPIC -shared mylib.c -o mylib.dylib
# LD_PRELOAD=/tmp/mylib.dylib ./RHme2_prequalification_challenge
What is the secret password?
IDONTKNOW
IDONTKNOW

TH1S 1s s3cr3t!!

That is not correct!

Option 3: Frida

# cat hook.py
import frida
import sys

process = sys.argv[1]
# int(..., 16) rejects anything that is not a hex address before the value
# is spliced into the script source.
address = str(int(sys.argv[2], 16))

# Script body: hook the given address and forward the first two arguments of
# the hooked call (the two memcmp operands) to on_message via send().
# NOTE(review): readCString() stops at the first NUL byte, so a buffer that is
# not NUL-terminated is read past its end; args[2] carries the length.
hook_js = '''
Interceptor.attach(ptr("%s"), {
    onEnter: function(args) {
        // User password
        send(Memory.readCString(args[0]));
        // Secret password
        send(Memory.readCString(args[1]));
    }
});
''' % address

session = frida.attach(process)
script = session.create_script(hook_js)

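def on_message(message, data):
    """Print the stripped payload of a 'send' message from the hook script.

    Frida also delivers messages of type 'error' (an exception inside the
    script) that carry no 'payload' key; the original handler raised
    KeyError on those. They are now written to stderr instead. ``data`` is
    the optional binary blob attached to a message and is not used here.
    """
    if message.get('type') == 'send':
        # print(x) with a single argument works unchanged on Python 2 and 3.
        print(message['payload'].strip())
    else:
        sys.stderr.write(repr(message) + '\n')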

# Register the handler first: load() runs the script and may emit messages
# right away.
script.on('message', on_message)
script.load()
# Block until stdin closes; the hook only fires while this process stays
# attached to the target.
sys.stdin.read()

# ./RHme2_prequalification_challenge
What is the secret password?
IDONTKNOW

That is not correct!

# python hook.py RHme2_prequalification_challenge 0x400730
IDONTKNOW
TH1S 1s s3cr3t!!

Option 4: Radare

# r2 -d ./RHme2_prequalification_challenge
Process with PID 31679 started...
attach 31679 31679
bin.baddr 0x00400000
Assuming filepath ./RHme2_prequalification_challenge
asm.bits 64
[0x7f6fa0ec02d0]> dcu sym.imp.memcmp
Continue until 0x00400730 using 1 bpsize
What is the secret password?
IDONTKNOW
hit breakpoint at: 400730
attach 31679 1
[0x00400730]> ps @ rbx
TH1S 1s s3cr3t!!

Reference

https://www.riscure.com/challenge
