Thursday, October 25, 2012

Hack.Lu CTF: TUX BOMB Writeup

This challenge was a reverse engineering problem with the goal of inputting a correct user and product key. We are given an executable and we start going.

Running file, we get:     tux_bomb.exe: PE32 executable for MS Windows (console) Intel 80386

Next, lets run run it in windows and see what it wants:

It seems to be looking for a username and product key. On to Hexrays!

1. It reads in and stores Username and ProductKey

2. It loops through every character in the Username, multiplies the ascii value of that character by 3, and adds it to a continuous sum.

3. It creates a new value (which I have called modVal) that is equal to usernameSum % 667. It then compares this value to 666, and sets our result string to either “You are Admin!” or “You are not Admin!”.

a. Assuming that it's probably a good idea for us to be admin, we need to create a username string such that usernameSum % 667 = 666. I did this by hand. Realizing that each character is being multiplied by 3, the sum of all characters should be 222. Looking at an ascii chart, lowercase '0' = 111 in decimal, so we'll use 'username = oo'.

4. Next, it checks again to see if our modVal is 666 and also checks if argc = 23. From this code, we also see that the program copies each byte of the 18th argument and puts it into a separate buffer for later use...

5. It then compares that buffer (the 18th argument) to our product key. If they match, it yields a pdf file.

I'm sure the rest of the program is interesting, but this is where I stopped reading. Using these steps got me here:

6. Opening this pdf gives us:

Yay! Calculus!
Running a quick python script gives us x = 1165.
flux = 'Fluxfingers'
ans = 0
for i in xrange(len(flux)):
    ans += ord(flux[i])
print ans
Sage Math solved the integral to be 2
1165*2-993 = 1337 (fitting right?)
md5(1337) = FLAG = e48e13207341b6bffb7fb1622282247b

-- d1r3w0lf

1 comment:

  1. Has anyone noticed the typo in pdf? One of atoi is aoti. And the proper input to atoi is an string representing number so x should be 0 in fact.