# Let's Go

This time we will be reversing a golang binary :D! So let's inspect the file we were given.

```bash
$ file chall
chall: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=y6A4a-NwXzL94Cj_qOhp/msYAya9vrNn-YlLgUKWi/X7mAsTHwUnrAjfJDnZuR/DMu-wfjhxHr3lMGbL1wq, not stripped
```

Let's try running the program.

```bash
$ ./chall
Enter The Flag: flag
Wrong:(
```

Okay, so it's asking for user input and then figuring out if the input is valid. Let's disassemble the binary and look for the validation.

_The disassembler used for this challenge is [IDA freeware](https://hex-rays.com/ida-free/)_

Looking through the graph view, we can see that this section is responsible for user input:

![hello](https://i.imgur.com/X1KItSX.png)

If we scroll down a bit more, we can see our 'Wrong:(' message, and right next to it is a block calling `fmt_Fprintf` with a string `aCorrectFlagS`.

![hi](https://i.imgur.com/asRRtzx.png)

Okay, so what's happening above, and how do we get there? The top-most block compares something to 0x20 (32), so I guess that's our input string length. If that's true, the next function that's called is `runtime_memequal`, and one of the params is a string `u507rv78qr5t6q99941422uursv94464`. If the return value is not zero, the correct flag will be printed.

How does `runtime_memequal` work?

![memequal](https://i.imgur.com/4bCIga0.png)

It compares the references in `rax` and `rbx`; if they're the same it returns `1` (true), otherwise it compares the contents they point to.

Let's input `u507rv78qr5t6q99941422uursv94464` and see what happens.

```bash
$ ./chall
Enter The Flag: u507rv78qr5t6q99941422uursv94464
Wrong:(
```

Sad :(

Let's put a breakpoint before the `runtime_memequal` function and see what's going on.

If we inspect the arguments (inside rdi & rsi regs) before the function call, we can see the `u507rv78qr5t6q99941422uursv94464` string being one of them, but the second parameter (our user input) seems different:

![rotated_input](https://i.imgur.com/1baGVCg.png)

The letters are different, but the numbers are untouched. It seems like the letters are just rotated, so let's check if that's true.

```python3
>>> ord('u') - ord('k')
10
>>> ord('r') - ord('h')
10
>>> ord('v') - ord('l')
10
```

They're all rotated 10 places back, so [let's rotate our input 10 places forward and try that](https://rot13.com/).

Rotated string: `e507bf78ab5d6a99941422eebcf94464`

```bash
$ ./chall
Enter The Flag: e507bf78ab5d6a99941422eebcf94464
Correct:) FLAG{e507bf78ab5d6a99941422eebcf94464}
```
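
The same recovery done in code, as an added example that is not part of the original write-up: it infers the rotation from the three letter pairs checked above, confirms they agree on a single shift, and inverts the transform on the comparison string. The function names are made up for this sketch, and it assumes only lowercase ASCII letters are rotated (the write-up shows nothing else).

```python
import string

# Constant passed to runtime_memequal, as shown in the write-up.
TARGET = "u507rv78qr5t6q99941422uursv94464"
# (typed letter, letter seen in the debugger) pairs from the ord() checks above.
OBSERVED = [("u", "k"), ("r", "h"), ("v", "l")]


def infer_shift(pairs):
    """Return the one mod-26 shift that maps every typed letter to its observed letter."""
    shifts = {(ord(seen) - ord(typed)) % 26 for typed, seen in pairs}
    if len(shifts) != 1:
        raise ValueError(f"not a uniform rotation: {sorted(shifts)}")
    return shifts.pop()


def rotate(text, shift):
    """Rotate lowercase ASCII letters by shift (mod 26); leave everything else unchanged."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        else:
            out.append(ch)  # digits pass through, matching what the debugger showed
    return "".join(out)


def recover_input(target, pairs):
    """Invert the binary's transform so that transform(result) == target."""
    shift = infer_shift(pairs)
    candidate = rotate(target, -shift)
    # Round trip: pushing the candidate through the forward transform must give the target.
    if rotate(candidate, shift) != target:
        raise ValueError("inverse rotation did not round-trip")
    return candidate


if __name__ == "__main__":
    print("shift applied by the binary (mod 26):", infer_shift(OBSERVED))
    print("input to type:", recover_input(TARGET, OBSERVED))
```

A shift of 16 mod 26 is the same as "10 places back", which is why rotating the comparison string 10 places forward gives the accepted input.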