Offense and Defense World, reverse: catch-me

catch-me asis-ctf-quals-2016

The program contains two key comparisons.

The first one:

 

 Dynamic debugging at this point gives v3 = 0xB11924E1 and byte_6012AB[] = B1 19 04 A1

 

 The second key comparison:

 

 Key process:

 

 

The program first generates a number v3 ---> number_6012A8[] stores v3 after the data at specific positions has been set to 0 ---> key comparison 1: if (getenv("ASIS") && (*(_DWORD *)getenv("CTF") ^ v3) == 0xFEEBFEEB)

From this the correct value of getenv("CTF") can be obtained: 0xB11924E1 ^ 0xFEEBFEEB = 0x4ff2da0a

The key data is dword_6012AC = *(_DWORD *)getenv("ASIS"); i.e. number_6012A8[4:7] = getenv("ASIS")

After the subsequent series of operations, number_6012A8[0x20] is summed at the second key comparison; the sum is equal to 0x954

 

We know the correct getenv("CTF") but not getenv("ASIS"); guess that the two have the same value.

Verification:

haystack = [0x87, 0x29, 0x34, 0xC5, 0x55, 0xB0, 0xC2, 0x2D, 0xEE, 0x60, 0x34, 0xD4, 0x55, 0xEE, 0x80, 0x7C,
            0xEE, 0x2F, 0x37, 0x96, 0x3D, 0xEB, 0x9C, 0x79, 0xEE, 0x2C, 0x33, 0x95, 0x78, 0xED, 0xC1, 0x2B]
v3 = 0xB11924E1
target = 0xFEEBFEEB
t = v3 ^ target                          # value getenv("CTF") must hold as a DWORD
print(hex(t))
ctf = t.to_bytes(4, 'little')            # the same DWORD as it sits in memory

number = [0xb1, 0x19, 0x04, 0xa1] + list(ctf)   # 8-byte key, guessing ASIS == CTF

for i in range(0x20):
    haystack[i] ^= number[i & 7]         # repeating-key XOR over the 0x20 bytes
h = sum(haystack)                        # second key comparison expects 0x954
print(hex(h))
print(''.join(map(chr, haystack)))

Output:

0x4ff2da0a
0x954
600d_j0b_y0u_4r3_63771n6_574r73d

 

The sum of number_6012A8 equals 0x954, so verification passes.

{} Th 600d_j0b_y0u_4r3_63771n6_574r73d
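The write-up guesses that ASIS equals CTF. The added example below (not part of the original post) goes one step further and enumerates every ASIS dword that satisfies the 0x954 sum, under the assumption that the decoded text uses only the characters 0-9, a-z and underscore. The function names and the character set are assumptions of this example; the constants come from the write-up.

```python
from itertools import product

# Values taken from the write-up above.
HAYSTACK = [0x87, 0x29, 0x34, 0xC5, 0x55, 0xB0, 0xC2, 0x2D,
            0xEE, 0x60, 0x34, 0xD4, 0x55, 0xEE, 0x80, 0x7C,
            0xEE, 0x2F, 0x37, 0x96, 0x3D, 0xEB, 0x9C, 0x79,
            0xEE, 0x2C, 0x33, 0x95, 0x78, 0xED, 0xC1, 0x2B]
KEY_LOW = [0xB1, 0x19, 0x04, 0xA1]   # first four key bytes, from the debugger
TARGET_SUM = 0x954                   # second key comparison

# Assumption (not taken from the binary): decoded text uses only [0-9a-z_].
CHARSET = set(b"0123456789abcdefghijklmnopqrstuvwxyz_")


def decode(key8):
    """XOR the 0x20-byte buffer with the repeating 8-byte key."""
    return bytes(h ^ key8[i & 7] for i, h in enumerate(HAYSTACK))


def candidates_for(pos):
    """Key bytes at position pos (4..7) that decode their whole column into CHARSET."""
    column = HAYSTACK[pos::8]
    return [b for b in range(256) if all((c ^ b) in CHARSET for c in column)]


def solve_asis():
    """Return (asis_bytes, decoded_text) for every ASIS dword passing both constraints."""
    hits = []
    for high in product(*(candidates_for(p) for p in range(4, 8))):
        plain = decode(KEY_LOW + list(high))
        if sum(plain) == TARGET_SUM:
            hits.append((bytes(high), plain.decode("ascii")))
    return hits


if __name__ == "__main__":
    results = solve_asis()
    print(len(results), "ASIS values pass both constraints")
    for asis, text in results:
        print(asis.hex(), text)
```

The first ASIS byte is forced to 0x0A by the character set alone; the remaining three positions keep several candidates each, so the additive sum only narrows the list and the readable string is what picks out the final value.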

 

Origin www.cnblogs.com/DirWang/p/11463182.html