Authorization
Description:
Reverse
Difficulty:
easy
Flag:
Flag: AtHackCTF{s3cur1ty_95295a20f4a48485}
Solve
● At first, when analyzing the behavior of the binary we can see that it’s actually running
● Decompiling the executable main function with IDA
● At first, it will check the username length to be “8” and the password to be “95295a20f4a48485”. ● Running with the new information in mind shows different results as expected. ● After the password is checked, it will encrypt the username and compare it to the password.
● The encryption routine will just xor-encrypt the username using a key of a sequence rand() function after a fixed seed of 0x1337:
● Since the seed is fixed, the generated sequence of random numbers with rand() will be the same, in other words, we have the key and the password.
● Notice that you won’t get the same sequence on different OS/Platforms, but on the same operating system and platform, srand with a specific seed followed by rand will provide the same answer.
● So, the right sequence will only be generated on a windows machine. This code will give you the right username:
1
2
3
4
5
6
7
8
9
10
11
12
13
#include <stdlib.h>
#include <stdio.h>
int main()
{
srand(0x1337);
char password[] = {
0x95, 0x29, 0x5a, 0x20, 0xf4, 0xa4, 0x84, 0x85
};
for (int index = 0;
index < sizeof(password);
index++) printf("%c", password[index] ^ rand());
puts("");
};
To run this code you need to put it on a file and run it with a Linux (gcc reverse.c –output reverse) And by running ./output in your terminal you’ll get the username which is “s3cur1ty”
and i got the flag :D
AtHackCTF{s3cur1ty_95295a20f4a48485}