Gemastik Quals 2016 Power Plant (125 Points)

Masalah

Diberikan dua buah file, powerplant dan powerplant-redacted.c serta layanan yang dapat diakses di nc target.netsec.gemastik.ui.ac.id 13340.

Isi powerplant-redacted.c.

#include <stdio.h>
#include <stdlib.h>

/*
 * Access-code check as distributed in the redacted source: the real
 * comparison has been removed, so this stub rejects every input.
 *
 * `char input[32]` in a parameter list is adjusted to `char *`; the 32 is
 * not enforced by the compiler, so nothing here bounds the caller's buffer.
 *
 * Returns non-zero when the code is accepted, 0 otherwise (always 0 here).
 */
int is_access_code_correct(char input[32]) {
  /*
   * REDACTED
  */
  const int access_denied = 0;

  (void)input; /* unused while the body is redacted */
  return access_denied;
}

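/*
 * Print the contents of PowerPlant.flag (at most 64 bytes) to stdout.
 *
 * If the flag file cannot be opened, a message is written to stderr and
 * nothing is printed to stdout.
 */
void enter_power_plant_system() {
  /* One spare byte so a full 64-byte read can still be NUL-terminated. */
  char flag[64 + 1];
  FILE *fp = fopen("PowerPlant.flag", "r");

  if (fp == NULL) {
    /* Without this check a NULL stream would reach fread()/fclose(). */
    fprintf(stderr, "       PowerPlant.flag could not be opened\n\n");
    return;
  }

  /*
   * fread() does not terminate the buffer. Without the explicit terminator,
   * the "%s" below would keep reading past the bytes that were read and
   * print whatever follows them on the stack.
   */
  size_t got = fread(flag, 1, sizeof flag - 1, fp);
  flag[got] = '\0';
  fclose(fp);

  printf("       %s\n\n", flag);
}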

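/*
 * Show the banner, read one whitespace-delimited access code from stdin and
 * print the flag only when is_access_code_correct() accepts it.
 *
 * Returns 0 in every case; the outcome is reported on stdout only.
 */
int main() {
  printf("\n");
  printf(" __          ________ _      _____ ____  __  __ ______              ,/\n");
  printf(" \\ \\        / /  ____| |    / ____/ __ \\|  \\/  |  ____|           ,'/\n");
  printf("  \\ \\  /\\  / /| |__  | |   | |   | |  | | \\  / | |__            ,' /\n");
  printf("   \\ \\/  \\/ / |  __| | |   | |   | |  | | |\\/| |  __|         ,'  /_____,\n");
  printf("    \\  /\\  /  | |____| |___| |___| |__| | |  | | |____      .'____    ,' \n");
  printf("     \\/  \\/   |______|______\\_____\\____/|_|  |_|______|          /  ,'\n");
  printf("                                                                / ,'\n");
  printf("  =====================================================        /,'\n");
  printf("           - Power Plant Control System v1.0 -                /'\n");
  printf("\n\n\n");
  printf("       SECRET ACCESS CODE : ");

  /*
   * stdin is untrusted input. A bare "%s" writes as many bytes as the peer
   * sends, overflowing this 32-byte stack buffer; the field width of 31
   * leaves room for the terminating NUL.
   */
  char input[32] = {0};
  int got_code = (scanf("%31s", input) == 1);

  printf("\n\n");

  /* EOF or a read error counts as a denied attempt, not as a code to check. */
  if (got_code && is_access_code_correct(input)) {
    printf("       ACCESS GRANTED\n\n");
    enter_power_plant_system();
  } else {
    printf("       ACCESS DENIED\n\n");
  }

  return 0;
}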

Penyelesaian

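Untuk menyelesaikan tantangan ini, gunakan GDB, IDA, atau Hopper, lalu lakukan reverse engineering secara perlahan terhadap pemeriksaan kode akses yang disembunyikan (REDACTED) pada binary powerplant. Seperti terlihat pada solver di bawah, karakter masukan ke-i dijumlahkan dengan not(i), diambil byte terendahnya, lalu dibandingkan dengan tabel konstanta di stack (ebp+eax*4-0x70).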

Anda akan mendapatkan solver.py.

import string

"""Gunakan GDB Tricks

:: Looping
set var $i = 1

while $i < 10
    print $i
    set $i = $i + 1
end

# Melakukan perulangan untuk memeriksa semua isi stack `ebp+eax*4-0x70`.

set var $i = 0

while $i < 21
    x $ebp+$i*4-0x70
    set $i = $i + 1
end
"""

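# Constants read from the stack slots at ebp+eax*4-0x70 (one 32-bit slot per
# position, see the GDB loop above). Each entry is the expected value of the
# transformed input character at that index.
green = [0x40,0x4a,0x49,0x55,0x4a,0x4f,0x4b,0x3a,0x38,0x49,0x3a,0x36,0x38,0x3e,0x40,0x3e,0x36,0x42,0x3c,0x41,0x3e] # ebp+eax*4-0x70

# The check is a per-character, reversible transform against constants that
# ship inside the binary, so the access code is recoverable by anyone who has
# the file. A real access check must not embed a reversible form of the secret.
password = []
for i in range(len(green)):  # len(green) == 0x15; range() runs on Python 2 and 3
    edx = 0xffffffff - i  # not edx: bitwise NOT of the index as a 32-bit value
    # string.ascii_uppercase is locale-independent and exists on Python 2 and 3
    # (string.uppercase is Python 2 only and varies with the locale).
    for bforce in string.ascii_uppercase:
        blue = (ord(bforce) + edx) & 0xff  # only the low byte is compared
        if blue == green[i]:
            password.append(bforce)
            break
    else:
        # No uppercase letter matches: keep the position visible instead of
        # silently shifting every later character one place to the left.
        password.append('?')
print(''.join(password))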

ALLYOURBASEBELONGTOUS.

Masukkan string tersebut ke dalam layanan.

Anda akan mendapatkan flag ini.

GEMASTIK{_______________all_ur_c0de_belong_2_us}
