Writeup 9447 – Rolling

Writeup by Michael Tröger@Brutewoorse

Challenge Name: Rolling

Value: 100 points

This challenge contained a stripped 64-bit ELF executable. When executed, the program prints the string “Fynd I mewn I cyfrinair”, which is Welsh for “Please input a password”.
If you pass the program some password as a command-line argument, it prints the Welsh equivalent of “wrong password”. This password is the flag.
I used the debugger EDB for this challenge. Any other debugger would have worked as well.
The next screenshot shows the most important parts of the program, which I found after some playing around with the debugger.
[screenshot: rolling_1]

First, the number of command-line arguments is checked. It must be two: one for the program name and one for the password. After this, a function is called which returns a pointer to a function that is later executed by jumping to RAX.

After this call, at address 0x400781, EAX is checked for zero. If it is zero, the program jumps away and “congratulations” is not printed. EAX is probably the return value of the previous call, so that call must be the code which checks the password.

But RAX must point to the correct code. The beginning of the function that determines RAX is shown in the next screenshot:

[screenshot: rolling_2]

You can see that something happens when the first byte is 57, the ASCII value of “9”. I checked what happens if the first character of the password is “9”. Luckily, this makes the function return the correct pointer to the password-checking function, which is shown in the next screenshot.

[screenshot: rolling_3]

The first four comparisons are simple: they just check some ASCII values. The first characters of the password are therefore “9447”. You can see nicely how RAX is used to iterate through the string.
After this, the comparisons get more complex. The code references previous characters of the password, so we cannot just NOP all the jumps and read off the values in the registers being compared. We could now work out completely what this part of the program does, but we can also just debug the program multiple times: every time we find a new character of the password, we restart the debugger with this new knowledge. I used this “stupid” way.
Doing this multiple times, we can extract the password and therefore the flag. It is 9447rollingisfun.
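To make the “restart with new knowledge” loop concrete, here is a constructed Python model of the check, added as an illustration and not the challenge binary's code. The dispatch on a leading “9”, the fixed “9447” prefix and the final flag come from the writeup; the rule that each later byte is compared against the previous byte plus a fixed difference is an assumption chosen to reproduce the “rolling” dependency the screenshots show.

```python
# Constructed model of the Rolling password check (illustration only, not the binary's logic).
FLAG = b"9447rollingisfun"   # flag from the writeup; only used to derive the constructed table
PREFIX = b"9447"
LENGTH = len(FLAG)
# Assumed rolling relation: byte i must equal byte i-1 plus a fixed per-position difference.
DELTAS = [FLAG[i] - FLAG[i - 1] for i in range(len(PREFIX), LENGTH)]


def dispatch(pw):
    """Model of the function that fills RAX: only a leading '9' yields the real checker."""
    return rolling_check if pw[:1] == b"9" else None


def rolling_check(pw):
    """Return (ok, wants). ok is True when pw passes every compare.

    wants[i] is the value compare i tests against, i.e. what you read off the
    register in the debugger. After the prefix it depends on pw[i-1], which is why
    NOPing all jumps only yields trustworthy values up to the first wrong byte.
    """
    wants, ok = [], len(pw) == LENGTH
    for i in range(LENGTH):
        if i < len(PREFIX):
            want = PREFIX[i]                           # plain ASCII compares
        else:
            prev = pw[i - 1] if i - 1 < len(pw) else 0
            want = (prev + DELTAS[i - len(PREFIX)]) & 0xFF
        wants.append(want)
        if i >= len(pw) or pw[i] != want:
            ok = False
    return ok, wants


def recover():
    """The writeup's iterative method: fix the first failing byte, restart, repeat."""
    pw = bytearray(b"9")                # the dispatch byte was found first
    while True:
        ok, wants = dispatch(bytes(pw))(bytes(pw))
        if ok:
            return bytes(pw)
        # First compare that fails with the current knowledge.
        i = next(i for i in range(LENGTH) if i >= len(pw) or pw[i] != wants[i])
        if i < len(pw):
            pw[i] = wants[i]
        else:
            pw.append(wants[i])


if __name__ == "__main__":
    print(recover().decode())          # 9447rollingisfun
```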