public inbox for [email protected]
* [gwml] [Quiz] Reversing Simple Password 2
@ 2021-05-27 22:37 Ammar Faizi
  2021-05-27 22:39 ` Ammar Faizi
  0 siblings, 1 reply; 3+ messages in thread
From: Ammar Faizi @ 2021-05-27 22:37 UTC (permalink / raw)
  To: gwml

Hi everyone,

We have another reversing challenge to play.

#quiz #endianess #xor
Find the password
https://www.gnuweeb.org/quiz/002

002: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically 
linked, BuildID[sha1]=cb1dcfe619ded0d6051c712739204dfbd02da347, not stripped

   Ammar Faizi

-- 
GWML mailing list
[email protected]
https://gwml.gnuweeb.org/listinfo/gwml


* Re: [gwml] [Quiz] Reversing Simple Password 2
  2021-05-27 22:37 [gwml] [Quiz] Reversing Simple Password 2 Ammar Faizi
@ 2021-05-27 22:39 ` Ammar Faizi
  2021-05-28  2:42   ` Ammar Faizi
  0 siblings, 1 reply; 3+ messages in thread
From: Ammar Faizi @ 2021-05-27 22:39 UTC (permalink / raw)
  To: gwml

Don't forget to post your solution on the Telegram group when you solve it.

   Ammar Faizi



* Re: [gwml] [Quiz] Reversing Simple Password 2
  2021-05-27 22:39 ` Ammar Faizi
@ 2021-05-28  2:42   ` Ammar Faizi
  0 siblings, 0 replies; 3+ messages in thread
From: Ammar Faizi @ 2021-05-28  2:42 UTC (permalink / raw)
  To: gwml

Hi everyone,

This is the answer to the latest GNU/Weeb quiz.

Lookie here.

   ...
   ...
   ...
   .Ldont_cut:
           movq    $0x0062656557554e47, %rax
           xorq    %rax, (%rsp)            # xor the input with %rax
           movq    $0x00565c5c66000000, %rax
           cmpq    %rax, (%rsp)            # compare the xor'ed input
           jne     .Lwrong_password
           leaq    str3(%rip), %rsi
           movl    $end_str - str3, %edx
           jmp     .Lprint_last_str
   .Lwrong_password:
           leaq    str2(%rip), %rsi
           movl    $str3 - str2, %edx
   .Lprint_last_str:
           movl    $1, %eax
           movl    $1, %edi
           syscall
   .Lexit:
           movl    $60, %eax
           xorl    %edi, %edi
           syscall


The input is located at (%rsp). And then it gets xor'ed with
0x0062656557554e47. It is actually the C string "GNUWeeb\0" in little
endian representation.

Note:
This is just a trick to make `strings -o 002` yield GNUWeeb, so it
looks like the password is found by static analysis, while it
actually is not. The password is not "GNUWeeb".

Next...

And then after the input gets xor'ed with that number, it compares
the result with 0x00565c5c66000000. If they are equal, then the password
is correct, otherwise it is the wrong password.

Now, consider the nature of the XOR operation:
   A ^ B = C
   B ^ C = A
   A ^ C = B

Hence, we have:
   0x0062656557554e47 ^ ??? = 0x00565c5c66000000
   0x0062656557554e47 ^ 0x00565c5c66000000 = ???

For ease, use GDB to calculate it:
   gef➤  p 0x0062656557554e47 ^ 0x00565c5c66000000
   $1 = 0x34393931554e47

Okay, so we know that we have to make the QWORD (%rsp) be
0x34393931554e47. So what kind of input corresponds to that little
endian representation?

We can use the PHP hex2bin function for ease.

   ammarfaizi2@integral:/tmp$ php -a
   Interactive shell

   php > echo hex2bin('34393931554e47');
   4991UNG
   php >

Oops, we have to make it yield little endian, so we reverse the
string.

   php > echo strrev(hex2bin('34393931554e47'));
   GNU1994
   php >

Finally, we got the password "GNU1994".

   ammarfaizi2@integral:/tmp$ ./002
   Enter the password: GNU1994
   Congratulation, you have solved the quiz!
   ammarfaizi2@integral:/tmp$

If you have any questions, kindly reply to this email. Or drop your
questions on the GNU/Weeb Telegram group.

Happy hacking!

   Ammar Faizi
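
The recovery walked through in the message above, as an added example
that is not part of the original e-mail or the quiz source. The two
constants come from the disassembly; the function names and the model
of how the elided code places the input at (%rsp) are assumptions.

```python
import struct

# Constants copied from the disassembly quoted in the message above.
XOR_KEY = 0x0062656557554E47   # stored little-endian this is "GNUWeeb\0"
EXPECTED = 0x00565C5C66000000  # value the xor'ed input is compared against


def qword_to_bytes(value: int) -> bytes:
    """Return the 8 bytes x86-64 keeps in memory for a 64-bit value."""
    return struct.pack("<Q", value)


def recover_password(key: int, expected: int) -> bytes:
    """Invert `input ^ key == expected` and return the input bytes."""
    raw = qword_to_bytes(key ^ expected)
    # Trailing NUL bytes are padding, not part of the typed password.
    return raw.rstrip(b"\x00")


def check(password: bytes, key: int = XOR_KEY,
          expected: int = EXPECTED) -> bool:
    """Model of the xorq/cmpq pair.

    Assumption: the elided code leaves the input NUL-padded to 8 bytes
    at (%rsp) with the newline removed; longer input is rejected here.
    """
    if len(password) > 8:
        return False
    (qword,) = struct.unpack("<Q", password.ljust(8, b"\x00"))
    return (qword ^ key) == expected


if __name__ == "__main__":
    print("key bytes  :", qword_to_bytes(XOR_KEY))
    print("password   :", recover_password(XOR_KEY, EXPECTED))
    print("decoy ok?  :", check(b"GNUWeeb"))
    print("answer ok? :", check(b"GNU1994"))
```

Packing with "<Q" does the byte reversal that strrev() does in the PHP
session, and check() shows why the string that `strings` finds fails.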
