[EN] Rev C 3

tags: `Writeup` `Reverse` `English`

FlyDragon

Step 1

Using IDA to examine main(), we can see that it first processes check_access().















// main()
printf("Please enter your name: ");
scanf("%s", name);
if (check_access(name) == 1)
{
    printf("Permission accepted.\nPlease enter your password: ");
    scanf("%s", password);
    verify(password);
    for (i = 0; i <= 9; ++i)
        putchar(flag[i]);
}
else
{
    printf("Permission denied.");
}

Step 2

Examiningcheck_access(), we can see that it is a simple string comparison.









// check_access
strcpy(secret, "OrWt[~{[{3rRQqQ");
while (i <= 14)
{
    if (((unsigned __int8)(str[i] + 1) ^ 2) != secret[i])
        return 0;
    ++i;
}

Writing a program to find a matching string based on the comparison:







enc = "OrWt[~{[{3rRQqQ"
dec = ""
for c in enc:
    num = ord(c) ^ 2
    dec += chr(num - 1)

print(dec)

Step.3

Examining verify() , we find the password and after entering the password, multiple processes are executed.





strcpy(password, "super_secret_pw");
if (!strcmp(str, password))
    process_01();
else
    printf("Permission denied.");

Step.4

Examining each process, we find that they modify the flag, but sleep() prevents the flag from being output.

Replace all instances of sleep() with sleep(0).

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

Step.5

Please enter your name : <flag_1>
Permission accept.
Please enter your password : super_secret_pw
<flag_2>

[EN] Rev C 3

tags: Writeup Reverse English

Step 1

Step 2

Step.3

Step.4

Step.5

Read more

[CH] Cookie Stealer

[EN] Cookie Stealer

LoTuX CTF 投稿說明

[EN] Rev C 2

tags: `Writeup` `Reverse` `English`