Challenge Description

To enter in, you’ll need a key, A secret code just meant for thee. Type it right, don’t make a slip, Or you’ll be locked out—oops, that’s it!

Solution

This is a self-modifying reversing challenge that asks for a password. It is not possible to break on main right away because the addresses change at runtime, so I had to break on mmap first. After that I set a breakpoint where it calls rbp, and for the password check I overwrote the comparison with NOPs so it bypasses the check and sets the result to “correct”:

Breakpoint 2, 0x00005555555558f9 in ?? ()
(gdb) set *(unsigned char*)0x7ffff7fbc09e = 0x90
(gdb) set *(unsigned char*)0x7ffff7fbc09d = 0x90
(gdb) set *(unsigned char*)0x7ffff7fbc09c = 0x90
(gdb) set *(unsigned char*)0x7ffff7fbc09b = 0x90
(gdb) set *(unsigned char*)0x7ffff7fbc09a = 0x90
(gdb) set *(unsigned char*)0x7ffff7fbc099 = 0x90
(gdb) break *0x7ffff7fbc089

It is also not possible to see the flag in memory statically, because the binary only produces it at runtime. So after the password check is patched to “correct”, breaking at that address shows a loop that decrypts the flag from memory one character per iteration. This is how the encrypted buffer looked in r15:

ݚ\336Ni\341\351,\322N\354\347\030&jVyأUr\274v\304\f\017\233\276Ɓ\342AG\240\364&

After more analysis it turned out that the byte in rax (al) had to be XORed with the byte in r8.

I then had gdb print the result of each loop iteration (because radare was crashing the binary):

Breakpoint 2, 0x00007ffff7fbc089 in ?? ()
(gdb) printf "Position %d: al=0x%02x, r8b=0x%02x, char=0x%02x ('%c')\n", $rdx, $al & 0xFF, $r8 & 0xFF, ($al & 0xFF) ^ ($r8 & 0xFF), ($al & 0xFF) ^ ($r8 & 0xFF)
Position 2: al=0xbf, r8b=0xde, char=0x61 ('a')
(gdb) set $char = $al ^ ($r8 & 0xFF)
(gdb) printf "Position %d: al=0x%02x, r8b=0x%02x, char=0x%02x ('%c')\n", $rdx, $al & 0xFF, $r8 & 0xFF, ($al & 0xFF) ^ ($r8 & 0xFF), ($al & 0xFF) ^ ($r8 & 0xFF)
Position 2: al=0xbf, r8b=0xde, char=0x61 ('a')
(gdb) c
Continuing.

Breakpoint 2, 0x00007ffff7fbc089 in ?? ()
(gdb) printf "Position %d: al=0x%02x, r8b=0x%02x, char=0x%02x ('%c')\n", $rdx, $al & 0xFF, $r8 & 0xFF, ($al & 0xFF) ^ ($r8 & 0xFF), ($al & 0xFF) ^ ($r8 & 0xFF)
Position 3: al=0x23, r8b=0x4e, char=0x6d ('m')
(gdb) c
Continuing.

Breakpoint 2, 0x00007ffff7fbc089 in ?? ()
(gdb) printf "Position %d: al=0x%02x, r8b=0x%02x, char=0x%02x ('%c')\n", $rdx, $al & 0xFF, $r8 & 0xFF, ($al & 0xFF) ^ ($r8 & 0xFF), ($al & 0xFF) ^ ($r8 & 0xFF)
Position 4: al=0x19, r8b=0x69, char=0x70 ('p')
(gdb) c
Continuing.

Breakpoint 2, 0x00007ffff7fbc089 in ?? ()
(gdb) printf "Position %d: al=0x%02x, r8b=0x%02x, char=0x%02x ('%c')\n", $rdx, $al & 0xFF, $r8 & 0xFF, ($al & 0xFF) ^ ($r8 & 0xFF), ($al & 0xFF) ^ ($r8 & 0xFF)
Position 5: al=0xa2, r8b=0xe1, char=0x43 ('C')
(gdb) c
Continuing.

Breakpoint 2, 0x00007ffff7fbc089 in ?? ()
(gdb) printf "Position %d: al=0x%02x, r8b=0x%02x, char=0x%02x ('%c')\n", $rdx, $al & 0xFF, $r8 & 0xFF, ($al & 0xFF) ^ ($r8 & 0xFF), ($al & 0xFF) ^ ($r8 & 0xFF)
Position 6: al=0xbd, r8b=0xe9, char=0x54 ('T')
(gdb) c
Continuing.

Breakpoint 2, 0x00007ffff7fbc089 in ?? ()
(gdb) printf "Position %d: al=0x%02x, r8b=0x%02x, char=0x%02x ('%c')\n", $rdx, $al & 0xFF, $r8 & 0xFF, ($al & 0xFF) ^ ($r8 & 0xFF), ($al & 0xFF) ^ ($r8 & 0xFF)
Position 7: al=0x6a, r8b=0x2c, char=0x46 ('F')
(gdb) c
Continuing.

And so on; I got the full flag that way:

swampCTF{531F_L0AD1NG_T0TALLY_RUL3Z}
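The manual break/printf/continue loop above can be automated with a gdb Python breakpoint that records al ^ r8b on every hit of the decrypt loop. This is an added example, not part of the original writeup; it assumes the loop address 0x7ffff7fbc089 and the register roles (al = cipher byte, r8b = key byte, rdx = position) seen in the session, and the pairs it decodes offline are the ones captured by hand above.

```python
# Added example, not the writeup's own code. Assumes the register roles and the
# loop breakpoint address from the gdb session; the mmap'd address changes per run.
from typing import Iterable, Tuple


def xor_decode(pairs: Iterable[Tuple[int, int]]) -> str:
    """Recover plaintext from (cipher_byte, key_byte) pairs, one per loop iteration."""
    return "".join(chr((c ^ k) & 0xFF) for c, k in pairs)


# (al, r8b) pairs copied from the session above, positions 2..7 of the flag.
CAPTURED = [(0xbf, 0xde), (0x23, 0x4e), (0x19, 0x69),
            (0xa2, 0xe1), (0xbd, 0xe9), (0x6a, 0x2c)]

try:
    import gdb  # only available when sourced from inside gdb
except ImportError:
    gdb = None

if gdb is not None:
    LOOP_ADDR = 0x7ffff7fbc089  # decrypt-loop address from the session (assumption)

    class FlagCollector(gdb.Breakpoint):
        """Non-stopping breakpoint that collects one decrypted byte per loop hit."""

        def __init__(self, addr: int):
            super().__init__(f"*{addr:#x}", internal=True)
            self.chars: dict = {}

        def stop(self) -> bool:
            al = int(gdb.parse_and_eval("$al")) & 0xFF
            r8 = int(gdb.parse_and_eval("$r8")) & 0xFF
            pos = int(gdb.parse_and_eval("$rdx"))
            self.chars[pos] = al ^ r8
            gdb.write(f"pos {pos}: {chr(al ^ r8)!r}\n")
            return False  # keep running; the flag is assembled in self.chars

        def flag(self) -> str:
            return "".join(chr(self.chars[p]) for p in sorted(self.chars))

    collector = FlagCollector(LOOP_ADDR)
```

Inside gdb, `source` this file after the password patch, `continue`, and read `python print(collector.flag())` once the loop finishes; offline, `xor_decode(CAPTURED)` reproduces the characters printed by hand.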
