| Flare-On 2018 challenge #6 - Magic | |
| ================================== | |
| It's not much, but this is how I brute forced the problem. | |
| Starting at 0x00402F0C (with .text starting at 0x00400AD0), I patched code with the following bytes. | |
| 0: c6 45 bb 00 mov BYTE PTR [rbp-0x45],0x0 // The third function has a static variable used in the CRC table that needs to be reset. | |
| 4: 48 8b 07 mov rax,QWORD PTR [rdi] // Move our key into a register so we can work with it. | |
| 7: 3c 7e cmp al,0x7e // Anything above 127 in ASCII is not going to be part of the key, so need to rollover bits. | |
| 9: 0f 85 0f 00 00 00 jne 0x1e // If not 127, just increment normally. | |
| f: b0 ff mov al,0xff // If 127, set it to 255, so that when we increment it rolls over to the next character in the key. | |
| 11: 48 ff c0 inc rax // Increment | |
| 14: b0 20 mov al,0x20 // Reset to 32 - in ASCII this is the space character. | |
| 16: 48 89 07 mov QWORD PTR [rdi],rax // Put our next key back so we can attempt again | |
| 19: e9 65 ff ff ff jmp 0xffffffffffffff83 // Jump 0x83 back - this is where we re-run the previous algorithm. | |
| 1e: 48 ff c0 inc rax // Increment for the rollover. | |
| 21: 48 89 07 mov QWORD PTR [rdi],rax // Store key again -- I was tired and couldn't think how to combine this with #16 | |
| 24: e9 5a ff ff ff jmp 0xffffffffffffff83 // Jump back to re-run the previous algorithm -- probably could be optimized better. | |
| Here is some python code to run. Note that `sendline` is 69 space characters: | |
| > import pexpect | |
| > from pexpect import * | |
| > child = pexpect.spawn('./magic_mushroom') | |
| > child.logfile = open('log.txt', 'w') | |
| > for i in range(0, 666): | |
| > child.expect("Enter key: ") | |
| > child.sendline(" ") | |
| > child.before |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment