Tuesday, August 6, 2013

ebCTF 2013 :: BIN100 (100 points)

The challenge for BIN100 is almost identical to the teaser challenge (except that this is a Linux executable), so we shall not go into detail on what the executable does. In summary, we need to roll 3-1-3-3-7 with a die. Oh yes, we need to roll a 7 with a die. That's awesome, isn't it?

There are two ways to tackle this challenge: either patch the conditional jumps out with NOPs, or change the instructions from JNE to JE. With the latter, you have to throw a number that is NOT wanted at that checkpoint: on your 1st throw, you have to throw any number except 3 in order to proceed to the next checkpoint.

Step 1: Identify the conditional checks for the 5 throws to be made and patch them accordingly.

If you prefer to patch the executable with NOPs, these are the addresses to do so (each line shows the address, the original byte, then the patched byte):
00000F8C: 75 90
00000F8D: 4E 90
00001199: 75 90
0000119A: 4F 90
000013A7: 75 90
000013A8: 6D 90
000015AA: 0F 90
000015AB: 85 90
000015AC: 82 90
000015AD: 00 90
000015AE: 00 90
000015AF: 00 90
0000180A: 0F 90
0000180B: 85 90
0000180C: C1 90
0000180D: 00 90
0000180E: 00 90
0000180F: 00 90

If you prefer to reverse the flow at each of the 5 conditional checkpoints, these are the addresses where the instructions are to be changed:
00000F8C: 75 74
00001199: 75 74
000013A7: 75 74
000015AB: 85 84
0000180B: 85 84

Step 2: Save the executable.

Step 3: Run the executable to obtain the flag.
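The JNE-to-JE list from Step 1, applied by script. This is an added example, not part of the original post: it parses the "address: original byte, patched byte" lines and refuses to change anything unless every original byte matches, which catches a wrong file or an already-patched copy. It assumes the listed addresses are file offsets, and constructed_sample() is a constructed stand-in buffer, not the challenge binary.

```python
import re
import sys

# JNE -> JE patch list from the post: address, original byte, new byte.
JE_PATCH = """
00000F8C: 75 74
00001199: 75 74
000013A7: 75 74
000015AB: 85 84
0000180B: 85 84
"""
LINE_RE = re.compile(r"([0-9A-Fa-f]+):\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})")

def parse_patch(text):
    """Parse 'offset: old new' lines into (offset, old, new) integer tuples."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"not an 'offset: old new' line: {line!r}")
        entries.append(tuple(int(g, 16) for g in m.groups()))
    return entries

def apply_patch(data, entries):
    """Return a patched copy; change nothing unless every original byte matches."""
    out = bytearray(data)
    for off, old, _new in entries:  # assumption: addresses are file offsets
        found = out[off] if off < len(out) else None
        if found != old:
            raise ValueError(f"offset {off:#x}: expected {old:#04x}, found {found}")
    for off, _old, new in entries:
        out[off] = new
    return bytes(out)

def constructed_sample():
    """Constructed stand-in for the binary: zero bytes plus the five JNE opcodes."""
    buf = bytearray(0x1900)
    for off, code in ((0x0F8C, "754e"), (0x1199, "754f"), (0x13A7, "756d"),
                      (0x15AA, "0f8582000000"), (0x180A, "0f85c1000000")):
        raw = bytes.fromhex(code)
        buf[off:off + len(raw)] = raw
    return bytes(buf)

if __name__ == "__main__":  # usage: <script> <input file> <output file>
    with open(sys.argv[1], "rb") as f:
        patched = apply_patch(f.read(), parse_patch(JE_PATCH))
    with open(sys.argv[2], "wb") as f:
        f.write(patched)
```

Writing to a separate output file keeps the original executable intact for comparison.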



Flag captured! 100 points in the bag!! Yay!!!

Cheers,
Braeburn Ladny
