ptr-yudai/steak.c

## steak.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char cmpdata[0x28] = "\x62\x31\xaa\x85\xbd\xbf\x9f\xf3\x8a\x02\x0c\x75\xac\x23\xab\xe4\x82\xc5\x25\x7a\xef\xbd\xc9\x61\x00\x54\x68\x61";
/* 0x400da6 */
char key[0x28];    /* 0x6020e0 */
char output[0x28];    /* 0x602120 */
unsigned char state[0x100];    /* 0x602160 */

/*
  Initialize RC4 Crypt
 */
void rc4_init()
{
  int len;    /* rbp-0x4 */
  int i;    /* rbp-0x8 */
  unsigned char tmp;    /* rbp-0x9 */
  unsigned char j;    /* rbp-0xa */

  for(i = 0; i <= 0xff; i++) {
    state[i] = (unsigned char)i;
  }

  len = strlen(key);

  for(j = i = 0; i <= 0xff; i++) {
    j += state[i];
    j += key[i % len];
    /* swap */
    tmp = state[i];
    state[i] = state[j];
    state[j] = tmp;
  }

}

/*
  Encrypt data with RC4
 */
void rc4_encrypt(char in[], char out[], int in_len)
{
  int buflen = strlen(in);    /* rbp-0x4 */
  int i;    /* rbp-0x8 */
  unsigned char tmp;
  unsigned char index1, index2;    /* rbp-0xa, rbp-0xb*/
  unsigned char j;

  for(i = 0; i < buflen; i++) {
    index1++;
    index2 += state[index1];

    tmp = state[index1];
    state[index1] = state[index2];
    state[index2] = tmp;

    j = state[index1] + state[index2];
    out[i] = in[i] ^ state[j];
  }
}

/*
  MAIN ROUTINE
 */
int main()
{
  FILE *fp;    /* rbp-0x38 */
  char input[0x40];    /* rbp-0x30 */
  int counter;    /* rbp-0x3c */

  chdir("/home/steak");

  /*
    Read 0x28(40) bytes from /home/steak/flag
   */
  fp = fopen("/home/steak/flag", "r");
  fgets(key, 0x28, fp);
  fclose(fp);

  /*
    Initialize RC4 and remove 'key'
   */
  rc4_init();
  memset(key, 0, 0x28);

  /*
    Get input
   */
  puts("What's your favirite food?");
  fflush(stdout);
  fgets(input, 0x200, stdin);

  /*
    Encrypt data
   */
  rc4_encrypt(input, output, strlen(input)-1);
  printf("Hmm...");
  fflush(stdout);

  /*
    Time spends...
   */
  for(counter = 0; counter <= 4; counter++) {
    sleep(1);
    putchar(0x2e);
    fflush(stdout);
  }

  /*
    check
   */
  if ( strcmp(output, cmpdata) == 0 ) {
    puts("That's my favorite!");
    puts("You may leave a message");
    fflush(stdout);
    system("/bin/cat > ./message");
  } else {
    puts("I don't like that!");
  }

  memset(output, 0, 0x28);

}
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <unistd.h>

	char cmpdata[0x28] = "\x62\x31\xaa\x85\xbd\xbf\x9f\xf3\x8a\x02\x0c\x75\xac\x23\xab\xe4\x82\xc5\x25\x7a\xef\xbd\xc9\x61\x00\x54\x68\x61";
	/* 0x400da6 */
	char key[0x28]; /* 0x6020e0 */
	char output[0x28]; /* 0x602120 */
	unsigned char state[0x100]; /* 0x602160 */

	/*
	Initialize RC4 Crypt
	*/
	void rc4_init()
	{
	int len; /* rbp-0x4 */
	int i; /* rbp-0x8 */
	unsigned char tmp; /* rbp-0x9 */
	unsigned char j; /* rbp-0xa */

	for(i = 0; i <= 0xff; i++) {
	state[i] = (unsigned char)i;
	}

	len = strlen(key);

	for(j = i = 0; i <= 0xff; i++) {
	j += state[i];
	j += key[i % len];
	/* swap */
	tmp = state[i];
	state[i] = state[j];
	state[j] = tmp;
	}

	}

	/*
	Encrypt data with RC4
	*/
	void rc4_encrypt(char in[], char out[], int in_len)
	{
	int buflen = strlen(in); /* rbp-0x4 */
	int i; /* rbp-0x8 */
	unsigned char tmp;
	unsigned char index1, index2; /* rbp-0xa, rbp-0xb*/
	unsigned char j;

	for(i = 0; i < buflen; i++) {
	index1++;
	index2 += state[index1];

	tmp = state[index1];
	state[index1] = state[index2];
	state[index2] = tmp;

	j = state[index1] + state[index2];
	out[i] = in[i] ^ state[j];
	}
	}

	/*
	MAIN ROUTINE
	*/
	int main()
	{
	FILE fp; / rbp-0x38 */
	char input[0x40]; /* rbp-0x30 */
	int counter; /* rbp-0x3c */

	chdir("/home/steak");

	/*
	Read 0x28(40) bytes from /home/steak/flag
	*/
	fp = fopen("/home/steak/flag", "r");
	fgets(key, 0x28, fp);
	fclose(fp);

	/*
	Initialize RC4 and remove 'key'
	*/
	rc4_init();
	memset(key, 0, 0x28);

	/*
	Get input
	*/
	puts("What's your favirite food?");
	fflush(stdout);
	fgets(input, 0x200, stdin);

	/*
	Encrypt data
	*/
	rc4_encrypt(input, output, strlen(input)-1);
	printf("Hmm...");
	fflush(stdout);

	/*
	Time spends...
	*/
	for(counter = 0; counter <= 4; counter++) {
	sleep(1);
	putchar(0x2e);
	fflush(stdout);
	}

	/*
	check
	*/
	if ( strcmp(output, cmpdata) == 0 ) {
	puts("That's my favorite!");
	puts("You may leave a message");
	fflush(stdout);
	system("/bin/cat > ./message");
	} else {
	puts("I don't like that!");
	}

	memset(output, 0, 0x28);

	}