From: Ammar Faizi <[email protected]>
To: [email protected]
Subject: Re: [gwml] [Quiz] Reversing Simple Password 2
Date: Fri, 28 May 2021 09:42:34 +0700
Message-ID: <[email protected]>
In-Reply-To: <[email protected]>
Hi everyone,
This is the answer to the latest GNU/Weeb quiz.
Lookie here.
...
...
...
.Ldont_cut:
    movq    $0x0062656557554e47, %rax   # "GNUWeeb\0" as a little-endian QWORD
    xorq    %rax, (%rsp)                # xor the input with %rax
    movq    $0x00565c5c66000000, %rax
    cmpq    %rax, (%rsp)                # compare the xor'ed input
    jne     .Lwrong_password
    leaq    str3(%rip), %rsi            # success message
    movl    $end_str - str3, %edx       # its length
    jmp     .Lprint_last_str
.Lwrong_password:
    leaq    str2(%rip), %rsi            # failure message
    movl    $str3 - str2, %edx          # its length
.Lprint_last_str:
    movl    $1, %eax                    # write(2)
    movl    $1, %edi                    # fd = stdout
    syscall
.Lexit:
    movl    $60, %eax                   # exit(2)
    xorl    %edi, %edi                  # status = 0
    syscall
The input is located at (%rsp). And then it gets xor'ed with
0x0062656557554e47. It is actually the C string "GNUWeeb\0" in little-endian
representation.
Note:
This is just a trick to make `strings -o 002` yield GNUWeeb, so it
looks like the password has been found by static analysis, while it
actually has not. The password is not "GNUWeeb".
Next...
And then, after the input gets xor'ed with that number, it compares
the result with 0x00565c5c66000000. If they are equal, the password is
correct; otherwise it is the wrong password.
Now, consider the nature of XOR operation:
A ^ B = C
B ^ C = A
A ^ C = B
Hence, we have:
0x0062656557554e47 ^ ??? = 0x00565c5c66000000
0x0062656557554e47 ^ 0x00565c5c66000000 = ???
For convenience, use GDB to calculate it:
gef➤ p 0x0062656557554e47 ^ 0x00565c5c66000000
$1 = 0x34393931554e47
Okay, so we know that we have to make the QWORD at (%rsp) be
0x34393931554e47. So what kind of input corresponds to that little-endian
representation?
We can use the PHP hex2bin function for convenience.
ammarfaizi2@integral:/tmp$ php -a
Interactive shell
php > echo hex2bin('34393931554e47');
4991UNG
php >
Oops, we have to make it yield the little-endian order, so we reverse the
string.
php > echo strrev(hex2bin('34393931554e47'));
GNU1994
php >
Finally, we got the password "GNU1994".
ammarfaizi2@integral:/tmp$ ./002
Enter the password: GNU1994
Congratulation, you have solved the quiz!
ammarfaizi2@integral:/tmp$
If you have any questions, kindly reply to this email, or drop your
question in the GNU/Weeb Telegram group.
Happy hacking!
Ammar Faizi
--
GWML mailing list
[email protected]
https://gwml.gnuweeb.org/listinfo/gwml
Thread overview: 3+ messages
2021-05-27 22:37 [gwml] [Quiz] Reversing Simple Password 2 Ammar Faizi
2021-05-27 22:39 ` Ammar Faizi
2021-05-28 2:42 ` Ammar Faizi [this message]