wget https://hackinparis.com/data/chall2016/step-4/dump.pdf
binwalk ./dump.pdf
DECIMAL | HEXADECIMAL | DESCRIPTION |
---|---|---|
0 | 0x0 | ELF, 32-bit LSB executable, Intel 80386, version 1 (SYSV) |
716 | 0x2CC | PDF document, version: "1.4" |
... | ... | ... |
842635 | 0xCDB8B | Zip archive data, encrypted at least v1.0 to extract, compressed size: 57, uncompressed size: 45, name: README.txt |
842776 | 0xCDC18 | Zip archive data, encrypted at least v2.0 to extract, compressed size: 14476, uncompressed size: 17920, name: pass.png |
857334 | 0xD14F6 | Zip archive data, encrypted at least v1.0 to extract, compressed size: 15269, uncompressed size: 15257, name: a.zip |
872915 | 0xD51D3 | End of Zip archive |
dd if=./dump.pdf of=./data.bin bs=716 count=1
dd if=./dump.pdf of=./chall.zip bs=1 skip=842635
readelf --segments ./data.bin
Type de fichier ELF est EXEC (fichier exécutable)
Point d'entrée 0x80480c0
Il y a 3 en-têtes de programme, débutant à l'adresse de décalage 52
En-têtes de programme :
Type Décalage Adr. vir. Adr.phys. T.Fich. T.Mém. Fan Alignement
LOAD 0x000000 0x08048000 0x08048000 0x001c5 0x001c5 R E 0x1000
LOAD 0x0001c8 0x080491c8 0x080491c8 0x00011 0x00011 RW 0x1000
NOTE 0x000094 0x08048094 0x08048094 0x00024 0x00024 R 0x4
Correspondance section/segment :
Sections de segment...
00 .note.gnu.build-id .text
01 .data
02 .note.gnu.build-id
readelf --file-header ./data.bin | grep "Entry" | grep -Eo "0x[a-fA-F0-9].+"
0x80480c0
radare2 ./data.bin
[0x080480c0]> pD
;-- entry0:
;-- section..text:
; i386 Linux, raw int 0x80 ABI: eax = syscall number, args in ebx, ecx, edx.
; Numbers used below: read = 3, write = 4, exit = 1.
; Register roles in the password check: edx = cursor into the input buffer,
; eax = running XOR-chain value, ebx = next input dword (elsewhere: the fd).
; Every check is a constant compare / XOR chain, so the expected input is
; recoverable directly from the three immediates — nothing is hashed.
0x080480c0 680a0a0a0a push 0xa0a0a0a ; build the prompt on the stack, last dword first: "\n\n\n\n"
0x080480c5 686173733f push 0x3f737361 ; "ass?"
;-- eip:
0x080480ca 6868652070 push 0x70206568 ; "he p"
0x080480cf 6827732074 push 0x74207327 ; "'s t"
0x080480d4 6857686174 push 0x74616857 ; "What" -> esp points at "What's the pass?\n\n\n\n"
0x080480d9 89e1 mov ecx, esp ; ecx = buf (the prompt)
0x080480db ba11000000 mov edx, 0x11 ; count = 17: "What's the pass?\n" (the 3 extra '\n' are not written)
0x080480e0 bb01000000 mov ebx, 1 ; fd = 1 (stdout)
0x080480e5 b804000000 mov eax, 4 ; SYS_write
0x080480ea cd80 int 0x80 ; write(1, esp, 17)
0x080480ec 58 pop eax ; discard the 5 prompt dwords; eax is scratch here
0x080480ed 58 pop eax
0x080480ee 58 pop eax
0x080480ef 58 pop eax
0x080480f0 58 pop eax ; esp is back at its entry value
0x080480f1 bb01000000 mov ebx, 1 ; fd = 1: the read is issued on stdout, not stdin (works when fd 1 is the terminal)
0x080480f6 b803000000 mov eax, 3 ; SYS_read
0x080480fb 89e1 mov ecx, esp ; buf = esp: up to 100 bytes land at and above the entry esp (no return address to hit — this code never uses call)
0x080480fd ba64000000 mov edx, 0x64 ; count = 100
0x08048102 cd80 int 0x80 ; eax = read(1, esp, 100): byte count, including the trailing '\n'
0x08048104 83f80c cmp eax, 0xc ; must be exactly 12 bytes: 11 password chars + '\n'
,=< 0x08048107 0f858a000000 jne 0x8048197 ; wrong length -> "Try again!"
| 0x0804810d 89e2 mov edx, esp ; edx = &input[0]
| 0x0804810f 8b02 mov eax, dword [edx] ; eax = input[0..3]
| 0x08048111 3d466b6f70 cmp eax, 0x706f6b46 ; little-endian 46 6b 6f 70 -> input[0..3] must be "Fkop"
,==< 0x08048116 757f jne 0x8048197 ; mismatch -> "Try again!"
|| 0x08048118 83c204 add edx, 4 ; edx = &input[4]
|| 0x0804811b 8b1a mov ebx, dword [edx] ; ebx = input[4..7]
|| 0x0804811d 31d8 xor eax, ebx ; eax = 0x706f6b46 ^ input[4..7] (eax still holds "Fkop" because the compare matched)
|| 0x0804811f 3d724a0000 cmp eax, 0x4a72 ; so input[4..7] must be 0x706f6b46 ^ 0x4a72 = 0x706f2134 = "4!op"
,===< 0x08048124 7571 jne 0x8048197 ; mismatch -> "Try again!"
||| 0x08048126 83c204 add edx, 4 ; edx = &input[8]
||| 0x08048129 8b1a mov ebx, dword [edx] ; ebx = input[8..11]; the constant below forces byte 11 to be '\n'
||| 0x0804812b 31d8 xor eax, ebx ; eax = 0x4a72 ^ input[8..11]
||| 0x0804812d 3d3e27390a cmp eax, 0xa39273e ; so input[8..11] must be 0x4a72 ^ 0x0a39273e = 0x0a396d4c = "Lm9\n" -> full password "Fkop4!opLm9"
,====< 0x08048132 7563 jne 0x8048197 ; mismatch -> "Try again!"
|||| 0x08048134 6872642e0a push 0xa2e6472 ; success path: build the 52-byte hint, last dword first: "rd.\n"
|||| 0x08048139 687373776f push 0x6f777373 ; "sswo"
|||| 0x0804813e 6873207061 push 0x61702073 ; "s pa"
|||| 0x08048143 6820746869 push 0x69687420 ; " thi"
|||| 0x08048148 6820757365 push 0x65737520 ; " use"
|||| 0x0804814d 6820616e64 push 0x646e6120 ; " and"
|||| 0x08048152 682e7a6970 push 0x70697a2e ; ".zip"
|||| 0x08048157 6868616c6c push 0x6c6c6168 ; "hall"
|||| 0x0804815c 68696e2063 push 0x63206e69 ; "in c"
|||| 0x08048161 68696c6520 push 0x20656c69 ; "ile "
|||| 0x08048166 6868652066 push 0x66206568 ; "he f"
|||| 0x0804816b 686d652074 push 0x7420656d ; "me t"
|||| 0x08048170 6852656e61 push 0x616e6552 ; "Rena" -> esp points at "Rename the file in chall.zip and use this password.\n"
|||| 0x08048175 89e1 mov ecx, esp ; ecx = buf
|||| 0x08048177 ba34000000 mov edx, 0x34 ; count = 52 (the whole message)
|||| 0x0804817c bb01000000 mov ebx, 1 ; fd = 1 (stdout); ebx is not reloaded before exit, so this also becomes the exit status
|||| 0x08048181 b804000000 mov eax, 4 ; SYS_write
|||| 0x08048186 cd80 int 0x80 ; write(1, esp, 52)
|||| 0x08048188 58 pop eax ; discard the 13 message dwords
|||| 0x08048189 58 pop eax
|||| 0x0804818a 58 pop eax
|||| 0x0804818b 58 pop eax
|||| 0x0804818c 58 pop eax
|||| 0x0804818d 58 pop eax
|||| 0x0804818e 58 pop eax
|||| 0x0804818f 58 pop eax
|||| 0x08048190 58 pop eax
|||| 0x08048191 58 pop eax
|||| 0x08048192 58 pop eax
|||| 0x08048193 58 pop eax
|||| 0x08048194 58 pop eax
,=====< 0x08048195 eb27 jmp 0x80481be ; -> exit, skipping the "Try again!" block
|````-> 0x08048197 686e210a0a push 0xa0a216e ; failure path: build "Try again!\n\n", last dword first: "n!\n\n"
| 0x0804819c 6861676169 push 0x69616761 ; "agai"
| 0x080481a1 6854727920 push 0x20797254 ; "Try " -> esp points at "Try again!\n\n"
| 0x080481a6 89e1 mov ecx, esp ; ecx = buf
| 0x080481a8 ba0b000000 mov edx, 0xb ; count = 11: "Try again!\n" (the second '\n' is not written)
| 0x080481ad bb01000000 mov ebx, 1 ; fd = 1 (stdout); stays 1 as the exit status
| 0x080481b2 b804000000 mov eax, 4 ; SYS_write
| 0x080481b7 cd80 int 0x80 ; write(1, esp, 11)
| 0x080481b9 58 pop eax ; discard the 3 message dwords
| 0x080481ba 58 pop eax
| 0x080481bb 58 pop eax
| 0x080481bc eb00 jmp 0x80481be ; jmp +0: the target is the next instruction, so this simply falls through to exit
`-----> 0x080481be b801000000 mov eax, 0x1 ; SYS_exit; status = ebx = 1 on both paths
0x080481bf cd80 int 0x80 ; exit(1): success and failure both return status 1. NOTE(review): the printed address looks off — a 5-byte mov at 0x080481be puts this int 0x80 at 0x080481c3
;-- section_end..text:
Finally, the first password is: Fkop4!opLm9 (the three 4-byte constants recovered above, without the trailing '\n')
unzip chall.zip
Archive: chall.zip
[chall.zip] README.txt password:Fkop4!opLm9
extracting: README.txt
inflating: pass.png
extracting: a.zip