WRITEUP – DEFCAMP2015 – Reversing 100

We get a file called r100, let’s check it out:

h0rst@ctf:rev100$ file r100
r100: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0f464824cc8ee321ef9a80a799c70b1b6aec8168, stripped

When we execute it, it asks us for a password:

h0rst@ctf:rev100$ ./r100
Enter the password: AAAA
Incorrect password!

Let’s fire up IDA Pro and decompile it:

[Image: r100_main_c]

After asking us for the password, the program calls a function to validate our input.

[Image: r100_validate_passwd_c]

From the range of the for-loop in line 9 we can tell that the password is 12 characters long.
In line 11 each of the 12 characters is then checked; if we entered the correct password, 0 is returned and the challenge is solved.
So every character of the password has to satisfy:

v3[(i % 3)*8 + 2 * (i / 3)] - password[i] == 1

Which is equivalent to:

v3[(i % 3)*8 + 2 * (i / 3)] - 1 == password[i]    // subtract 1 and add password[i] on both sides

So, knowing v3, we can simply print out the password:

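# v3 as one flat string: three 7-character strings, each NUL-terminated (8-byte stride)
v3 = 'Dufhbmf\0pG`imos\0ewUglpt\0'
flag = ''
for i in range(0, 12):
    # invert the check: password[i] = v3[index] - 1 (// keeps the index an integer)
    flag += chr(ord(v3[(i % 3)*8 + 2 * (i // 3)]) - 1)
print(flag)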

h0rst@ctf:rev100$ python r100_solver.py
Code_Talkers