Blog Posts

Mitre STEM CTF 2012 — bin500

Overview

bin500 is an ARM binary that de-obfuscates and prints a key by XOR-ing it with a stack address.

Writeup

After opening up this binary, we see that it puts 4 strings onto the stack and attempts to decrypt each of them into a valid key. We look at the decryption function and it merely XORs a byte (chosen from a stack address) against each byte of the input. Rather than figuring out how to run this (or waiting for ASLR to give us the right byte), we write a simple program to try every byte on all 4 strings.
#include <stdio.h>
#include <string.h>

/* XOR each of the 12 key bytes with the candidate byte. */
void crypt(char* input, char byte, char* output) {
	size_t i;
	for (i = 0; i < 12; i++) {
		output[i] = byte ^ input[i];
	}
	output[12] = '\0';	/* terminate so printf("%s") stops after the key */
}

/* Try every possible byte against one string and print any result
   that starts with the key prefix "MCA". */
void check_data(char* data) {
	char output[80];
	size_t byte;
	for (byte = 0; byte < 256; byte++) {
		crypt(data, byte, output);
		if (!strncmp(output, "MCA", 3)) {
			printf("%s\n", output);
		}
	}
}

int main(int argc, char** argv) {
	char* a = "\x3F\x3E\x21\x5C\x25\x23\x28\x30\x36\x30\x38\x3F";
	char* b= "\x2C\x22\x20\x4C\x57\x51\x52\x57\x56\x27\x27\x25";
	char* c = "\x34\x21\x38\x5C\x32\x37\x30\x38\x3D\x4B\x56\x59";

	check_data(a);
	check_data(b);
	check_data(c);
}
% gcc bin500.c
% ./a.out
MCA-60367FFD
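As an added example (not the original writeup's code), the same search generalised slightly: instead of stopping at the "MCA" prefix, each candidate is checked against the full key format that both writeups on this page share, "MCA-" followed by eight hex digits (an assumption about the CTF's key format, inferred from the keys shown here), the output is NUL-terminated so no uninitialised stack bytes are printed, and the function reports which key byte worked or that none did. The three ciphertexts are the ones from the writeup; the function and constant names are ours.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdint.h>

#define KEY_LEN 12  /* "MCA-" plus 8 hex digits (assumed key format) */

/* The three encoded strings from the writeup, in the order its program checks them. */
const uint8_t CIPHER_A[KEY_LEN] = {0x3F,0x3E,0x21,0x5C,0x25,0x23,0x28,0x30,0x36,0x30,0x38,0x3F};
const uint8_t CIPHER_B[KEY_LEN] = {0x2C,0x22,0x20,0x4C,0x57,0x51,0x52,0x57,0x56,0x27,0x27,0x25};
const uint8_t CIPHER_C[KEY_LEN] = {0x34,0x21,0x38,0x5C,0x32,0x37,0x30,0x38,0x3D,0x4B,0x56,0x59};

/* Scratch buffer for the recovered plaintext (KEY_LEN bytes plus NUL). */
char g_plain[KEY_LEN + 1];

/* Assumed key format: "MCA-" followed by 8 hex digits. Checking the whole
 * string, not just the prefix, rules out candidates that match by chance. */
static int looks_like_key(const char *s) {
    if (memcmp(s, "MCA-", 4) != 0)
        return 0;
    for (int i = 4; i < KEY_LEN; i++) {
        if (!isxdigit((unsigned char)s[i]))
            return 0;
    }
    return 1;
}

/* XOR every byte of the input with one key byte and NUL-terminate the result. */
static void xor_decrypt(const uint8_t *in, uint8_t key, char *out) {
    for (int i = 0; i < KEY_LEN; i++)
        out[i] = (char)(in[i] ^ key);
    out[KEY_LEN] = '\0';
}

/* Try all 256 key bytes against one ciphertext. Returns the key byte (0..255)
 * that yields a well-formed key and leaves the plaintext in out, or -1 if no
 * single-byte key works (out is then an empty string). */
int brute_force_xor(const uint8_t *cipher, char *out) {
    for (int k = 0; k < 256; k++) {
        xor_decrypt(cipher, (uint8_t)k, out);
        if (looks_like_key(out))
            return k;
    }
    out[0] = '\0';
    return -1;
}

int main(void) {
    const uint8_t *candidates[] = { CIPHER_A, CIPHER_B, CIPHER_C };
    for (int i = 0; i < 3; i++) {
        int k = brute_force_xor(candidates[i], g_plain);
        if (k >= 0)
            printf("string %d: key byte 0x%02x -> %s\n", i, k, g_plain);
        else
            printf("string %d: no single-byte key gives a well-formed key\n", i);
    }
    return 0;
}
```

Only the second string decodes to a well-formed key (key byte 0x61); the other two have no single-byte key that even produces the "MCA-" prefix, which is why the original program prints just one line.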


Mitre STEM CTF 2012 — bin400

Mitre STEM CTF 2012 — bin300

bin300 is an x86 binary that, at first glance, does nothing but print out some strings. Disassembly confirms that this is, in fact, the case:

080483b4 <main>:
 80483b4:	55                   	push   %ebp
 80483b5:	89 e5                	mov    %esp,%ebp
 80483b7:	83 e4 f0             	and    $0xfffffff0,%esp
 80483ba:	83 ec 10             	sub    $0x10,%esp
 80483bd:	c7 04 24 a0 84 04 08 	movl   $0x80484a0,(%esp)
 80483c4:	e8 27 ff ff ff       	call   80482f0 <puts@plt>
 80483c9:	c7 04 24 d8 84 04 08 	movl   $0x80484d8,(%esp)
 80483d0:	e8 1b ff ff ff       	call   80482f0 <puts@plt>
 80483d5:	b8 00 00 00 00       	mov    $0x0,%eax
 80483da:	c9                   	leave
 80483db:	c3                   	ret
 80483dc:	90                   	nop
 80483dd:	90                   	nop
 80483de:	90                   	nop
 80483df:	90                   	nop
So, we simply ran objdump -s on it instead, and found this:
Contents of section .comment:
 0000 4743433a 20285562 756e7475 2f4c696e  GCC: (Ubuntu/Lin
 0010 61726f20 342e352e 322d3875 62756e74  aro 4.5.2-8ubunt
 0020 75342920 342e352e 3200584f 52204b65  u4) 4.5.2.XOR Ke
 0030 79732027 30783037 30343137 37362720  ys '0x07041776'
 0040 27307830 38313431 39343527 20616e64  '0x08141945' and
 0050 20273078 30343135 31393437 272c206f   '0x04151947', o
 0060 6e652066 6f722065 61636820 61727261  ne for each arra
 0070 7920656c 656d656e 7400               y element.
We also notice that the .data section contains a suspicious array of bytes:
Contents of section .data:
 804a020 00000000 00000000 00000000 00000000  ................
 804a030 00000000 00000000 00000000 00000000  ................
 804a040 3b54452a 74212539 045a2332 00000000  ;TE*t!%9.Z#2....
 804a050 00000000 00000000 00000000 00000000  ................
We chose to follow the advice of the comment, and wrote a short program:
#include <stdio.h>

/* The .data array, read as little-endian 32-bit words from the objdump output. */
int b[] = { 0x2a45543b, 0x39252174, 0x32235a04 };
/* The three XOR keys named in the .comment section, one per array element. */
int a[] = { 0x07041776, 0x08141945, 0x04151947 };
/* Decoded words; the trailing zero acts as the string terminator. */
int c[] = { 0, 0, 0, 0 };

int main() {
    for (int i = 0; i < 3; i++) {
        c[i] = a[i] ^ b[i];
    }
    puts((char *)c);
    return 0;
}
% gcc -std=c99 solution.c -o solution
% ./solution
MCA-1811CC66
This produces the desired key.
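An added example, not from the original writeup, that decodes the key straight from the bytes as objdump -s prints them instead of hand-swapping each word into a little-endian constant. It makes the byte-order step explicit: each .data element is loaded as a little-endian 32-bit word, as the x86 binary itself would read it, XORed with its key from the .comment section, and stored back in memory order so the result is a printable C string. The DATA_BYTES and XOR_KEYS values are transcribed from the dumps above; the function names are ours.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* The .data array, transcribed byte by byte in memory order from the
 * objdump -s output above (address 0x804a040). */
const uint8_t DATA_BYTES[12] = {
    0x3b, 0x54, 0x45, 0x2a,
    0x74, 0x21, 0x25, 0x39,
    0x04, 0x5a, 0x23, 0x32,
};

/* The three keys named in the .comment section, one per array element. */
const uint32_t XOR_KEYS[3] = { 0x07041776, 0x08141945, 0x04151947 };

/* Read a 32-bit little-endian word, as the x86 binary does when it indexes the array. */
static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Write a 32-bit word back in little-endian order so the bytes read as text. */
static void store_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/* XOR n words of raw with their keys, producing a NUL-terminated string in out.
 * Returns the number of bytes decoded, or 0 if out is too small. */
size_t decode_data_words(const uint8_t *raw, const uint32_t *keys, size_t n,
                         char *out, size_t out_len) {
    if (out_len < n * 4 + 1)
        return 0;
    for (size_t i = 0; i < n; i++)
        store_le32((uint8_t *)out + 4 * i, load_le32(raw + 4 * i) ^ keys[i]);
    out[n * 4] = '\0';
    return n * 4;
}

char g_key[13];  /* 12 decoded bytes plus NUL */

int main(void) {
    if (decode_data_words(DATA_BYTES, XOR_KEYS, 3, g_key, sizeof g_key))
        puts(g_key);
    return 0;
}
```

Because the load and store are both explicitly little-endian, the same code yields "MCA-1811CC66" on any host, whereas the writeup's int-array version relies on the machine running it being little-endian like the target.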


Mitre STEM CTF 2012 — bin200

Mitre STEM CTF 2012 — bin100

Defcon 2012 Quals — bin200

Defcon 2012 Quals — bin100

pCTF 2012 Statistics

As many of you know, PPP recently ran its own CTF: PlaidCTF. As running a CTF tends to produce a lot of data, we thought it might be interesting to have a look at some of the statistics related to this data.


jit source and writeup

This is the third of a series of posts where we’ll give our solutions (as well as source code) for some problems from Plaid CTF 2012.


sfs source and writeup

This is the second of a series of posts where we’ll give our solutions (as well as source code) for some problems from Plaid CTF 2012.
