Flare-On 2018 challenge #6 - Magic
It's not much, but this is how I brute forced the problem.
Starting at 0x00402F0C (with .text starting at 0x00400AD0), I patched code with the following bytes.
```
 0: c6 45 bb 00          mov  BYTE PTR [rbp-0x45],0x0   // The third function has a static variable used in the CRC table that needs to be reset.
 4: 48 8b 07             mov  rax,QWORD PTR [rdi]       // Move our key into a register so we can work with it.
 7: 3c 7e                cmp  al,0x7e                   // 0x7e ('~', 126) is the last printable ASCII character; anything above it is not going to be part of the key, so need to rollover bits.
 9: 0f 85 0f 00 00 00    jne  0x1e                      // If not 0x7e, just increment normally.
 f: b0 ff                mov  al,0xff                   // If 0x7e, set it to 255, so that when we increment it rolls over to the next character in the key.
11: 48 ff c0             inc  rax                       // Increment (al wraps to 0 and the carry bumps the next key byte)
14: b0 20                mov  al,0x20                   // Reset to 32 - in ASCII this is the space character.
16: 48 89 07             mov  QWORD PTR [rdi],rax       // Put our next key back so we can attempt again
19: e9 65 ff ff ff       jmp  0xffffffffffffff83        // Jump back to 0x7d bytes before the patch start - this is where we re-run the previous algorithm.
1e: 48 ff c0             inc  rax                       // Normal increment (jne target, no rollover needed).
21: 48 89 07             mov  QWORD PTR [rdi],rax       // Store key again -- I was tired and couldn't think how to combine this with #16
24: e9 5a ff ff ff       jmp  0xffffffffffffff83        // Jump back to re-run the previous algorithm -- probably could be optimized better.
```
Here is some Python code to run. Note that `sendline` is 69 space characters:

```python
import pexpect

# Drive the patched binary: answer each prompt with a starting key of spaces.
child = pexpect.spawn('./magic_mushroom')
child.logfile = open('log.txt', 'wb')  # pexpect writes bytes to the log file
for i in range(0, 666):
    child.expect("Enter key: ")
    child.sendline(" " * 69)  # 69 space characters
print(child.before)
```
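A model of the patch listed above, added here as an example and not part of the original gist: it decodes the branch displacements from the listed bytes and replays one pass of the increment logic, assuming (as the listing's comments say) that `[rdi]` points at the key buffer. The names `branch_target` and `step` and the sample keys are constructed for illustration.

```python
import struct

PATCH_VA = 0x00402F0C  # patch start address given in the write-up
# Patch bytes exactly as listed above, in offset order.
PATCH = bytes.fromhex(
    "c645bb00" "488b07" "3c7e" "0f850f000000" "b0ff" "48ffc0"
    "b020" "488907" "e965ffffff" "48ffc0" "488907" "e95affffff"
)
MASK64 = (1 << 64) - 1
LOW = 0xFF


def branch_target(offset, opcode_len):
    """Patch-relative target of the rel32 branch at `offset`.

    rel32 is signed and counted from the end of the branch instruction.
    """
    (rel,) = struct.unpack_from("<i", PATCH, offset + opcode_len)
    return offset + opcode_len + 4 + rel


def step(key):
    """Replay one pass of the stub on the first 8 key bytes (rax, little-endian)."""
    rax = int.from_bytes(key[:8], "little")
    if (rax & LOW) == 0x7E:                # cmp al,0x7e: jne not taken
        rax = (rax & ~LOW) | 0xFF          # mov al,0xff
        rax = (rax + 1) & MASK64           # inc rax: al wraps, carry hits byte 1
        rax = (rax & ~LOW) | 0x20          # mov al,0x20
    else:                                  # jne 0x1e taken
        rax = (rax + 1) & MASK64           # inc rax
    return rax.to_bytes(8, "little") + key[8:]


if __name__ == "__main__":
    print(hex(branch_target(0x09, 2)))                 # jne
    print(hex(PATCH_VA + branch_target(0x19, 1)))      # first jmp, as an address
    print(hex(PATCH_VA + branch_target(0x24, 1)))      # second jmp, as an address
    for k in (b" " * 8, b"~" + b" " * 7, b"~~" + b" " * 6):  # constructed keys
        print(k, "->", step(k))
```

The last constructed key shows a limit of the stub: only `al` is range-checked, so a carry can push a higher key byte to 0x7f and beyond, and those bytes cycle through all 256 values rather than just printable ASCII.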