Simple Reverse - 0x03(Lab - Why)

Posted on 2024-01-31 | Post modified | In Security/Course/NTU CS/Reverse |

Simple Reverse - 0x03(Lab - Why)

Background

Source Code

:::spoiler IDA main function

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int i; // [rsp+Ch] [rbp-4h]

  printf("Give me flag: ");
  __isoc99_scanf("%25s", buf);
  for ( i = 0; i <= 24; ++i )
  {
    if ( buf[i] - 10 != enc_flag[i] )
      return 0;
  }
  pass = 1;
  return 0;
}

:::

:::spoiler .init_array & .fini_array Byte Code

.init_array:0000000000003DB0   __frame_dummy_init_array_entry dq offset frame_dummy
.init_array:0000000000003DB0                                           ; DATA XREF: LOAD:0000000000000168↑o
.init_array:0000000000003DB0                                           ; LOAD:00000000000002F0↑o
.init_array:0000000000003DB0                                           ; __libc_csu_init+2↑o
.init_array:0000000000003DB0                                           ; __libc_csu_init+41↑r
.init_array:0000000000003DB0                                           ; Alternative name is '__init_array_start'
.init_array:0000000000003DB8   dq offset _sub_1169
.init_array:0000000000003DC0   dq offset _sub_119d
.init_array:0000000000003DC8   dq offset _sub_10d8
.init_array:0000000000003DC8   _init_array ends
.init_array:0000000000003DC8
.fini_array:0000000000003DD0   ; ELF Termination Function Table
.fini_array:0000000000003DD0   ; ===========================================================================
.fini_array:0000000000003DD0
.fini_array:0000000000003DD0   ; Segment type: Pure data
.fini_array:0000000000003DD0   ; Segment permissions: Read/Write
.fini_array:0000000000003DD0   _fini_array segment qword public 'DATA' use64
.fini_array:0000000000003DD0   assume cs:_fini_array
.fini_array:0000000000003DD0   ;org 3DD0h
.fini_array:0000000000003DD0   __do_global_dtors_aux_fini_array_entry dq offset __do_global_dtors_aux
.fini_array:0000000000003DD0                                           ; DATA XREF: __libc_csu_init+19↑o
.fini_array:0000000000003DD0                                           ; Alternative name is '__init_array_end'
.fini_array:0000000000003DD8   dq offset _sub_11f8
.fini_array:0000000000003DD8   _fini_array ends

:::

:::spoiler IDA Disassembly sub_11f8

int sub_11f8()
{
  if ( pass )
    return puts("Correct :)");
  else
    return puts("Wrong :(");
}

:::

Recon

這一題如果以解題的觀點來說的話，其實很簡單，但他想要傳達的概念很重要，也就是.init和.fini的事情

先執行看看，發現有兩種字串可以先注意，一個是Give me flag: 和Wrong :(
1
2
3

$ ./why_be9d4253a27b1d44 Give me flag: 123456 Wrong :(
再用IDA看一下整體的架構(如上) 可以發現整體的流程很簡單，他就是叫user輸入25個char，然後每次取一個位元減10再和env_flag的相對字元比較，如果都是對的，pass = 1;，但看起來這一段程式並沒有剛剛提到的Wrong :(，所以我們用Strings Windows和Xrefs跟一下誰用了這個data，並擷取出code如上(第二和第三的source code)
繼續往上追一下會發現sub_11f8這個function是定義在.fini_array的區段，代表是在main function結束的時候才會執行的

Exploit

>>> flag = [0x50, 0x56, 0x4B, 0x51, 0x85, 0x73, 0x78, 0x73, 0x7E, 0x69, 0x70, 0x73, 0x78, 0x73, 0x69, 0x77, 0x7A, 0x7C, 0x79, 0x7E, 0x6F, 0x6D, 0x7E, 0x2B, 0x87]
>>> for i in range(len(flag)):
...     flag[i] -= 10
...
>>> FLAG = []
>>> for i in range(len(flag)):
...     FLAG.append(bytes.fromhex('{:x}'.format(flag[i])).decode('cp437'))
...
>>> "".join(FLAG)
'FLAG{init_fini_mprotect!}'
>>> exit()
$ ./why_be9d4253a27b1d44
Give me flag: FLAG{init_fini_mprotect!}
Correct :)

Post author: SBK6401
Post link: https://bernie6401.github.io/security/course/ntu%20cs/reverse/2024/01/31/Simple-Reverse-0x03(Lab-Why)/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.