Hidden in plain sight is a reverse-engineering challenge from the IceCTF 2016 CTF.
Here is the challenge description:
Make sure you take a real close look at it, it should be right there!
Let's disassemble the file:
neolex@neolex-pc> hiden_in_plain_sight_REVERSE_45pt$objdump -d -M intel plain_sight
plain_sight: format de fichier elf32-i386
[..]
080484ab <main>:
80484ab: 8d 4c 24 04 lea ecx,[esp+0x4]
80484af: 83 e4 f0 and esp,0xfffffff0
80484b2: ff 71 fc push DWORD PTR [ecx-0x4]
80484b5: 55 push ebp
80484b6: 89 e5 mov ebp,esp
80484b8: 51 push ecx
80484b9: 83 ec 14 sub esp,0x14
80484bc: 83 ec 0c sub esp,0xc
80484bf: 68 40 86 04 08 push 0x8048640
80484c4: e8 a7 fe ff ff call 8048370 <puts@plt>
80484c9: 83 c4 10 add esp,0x10
80484cc: 83 ec 0c sub esp,0xc
80484cf: 68 63 86 04 08 push 0x8048663
80484d4: e8 97 fe ff ff call 8048370 <puts@plt>
80484d9: 83 c4 10 add esp,0x10
80484dc: a1 c0 98 04 08 mov eax,ds:0x80498c0
80484e1: 83 ec 0c sub esp,0xc
80484e4: 50 push eax
80484e5: e8 66 fe ff ff call 8048350 <fflush@plt>
80484ea: 83 c4 10 add esp,0x10
80484ed: 83 ec 0c sub esp,0xc
80484f0: 6a 01 push 0x1
80484f2: e8 69 fe ff ff call 8048360 <sleep@plt>
80484f7: 83 c4 10 add esp,0x10
80484fa: 83 ec 0c sub esp,0xc
80484fd: 68 76 86 04 08 push 0x8048676
8048502: e8 69 fe ff ff call 8048370 <puts@plt>
8048507: 83 c4 10 add esp,0x10
804850a: a1 c0 98 04 08 mov eax,ds:0x80498c0
804850f: 83 ec 0c sub esp,0xc
8048512: 50 push eax
8048513: e8 38 fe ff ff call 8048350 <fflush@plt>
8048518: 83 c4 10 add esp,0x10
804851b: b0 49 mov al,0x49
804851d: b0 63 mov al,0x63
804851f: b0 65 mov al,0x65
8048521: b0 43 mov al,0x43
8048523: b0 54 mov al,0x54
8048525: b0 46 mov al,0x46
8048527: b0 7b mov al,0x7b
8048529: b0 6c mov al,0x6c
804852b: b0 6f mov al,0x6f
804852d: b0 6f mov al,0x6f
804852f: b0 6b mov al,0x6b
8048531: b0 5f mov al,0x5f
8048533: b0 6d mov al,0x6d
8048535: b0 6f mov al,0x6f
8048537: b0 6d mov al,0x6d
8048539: b0 5f mov al,0x5f
804853b: b0 49 mov al,0x49
804853d: b0 5f mov al,0x5f
804853f: b0 66 mov al,0x66
8048541: b0 6f mov al,0x6f
8048543: b0 75 mov al,0x75
8048545: b0 6e mov al,0x6e
8048547: b0 64 mov al,0x64
8048549: b0 5f mov al,0x5f
804854b: b0 69 mov al,0x69
804854d: b0 74 mov al,0x74
804854f: b0 7d mov al,0x7d
[...]
We can see that the flag is hidden in the assembly code, in the immediate operands of the mov al instructions. We put these lines in a file named flag and use cut and xxd to convert the flag's hexadecimal bytes to ASCII:
neolex@neolex-pc> hiden_in_plain_sight_REVERSE_45pt$cat flag
804851b: b0 49 mov al,0x49
804851d: b0 63 mov al,0x63
804851f: b0 65 mov al,0x65
8048521: b0 43 mov al,0x43
8048523: b0 54 mov al,0x54
8048525: b0 46 mov al,0x46
8048527: b0 7b mov al,0x7b
8048529: b0 6c mov al,0x6c
804852b: b0 6f mov al,0x6f
804852d: b0 6f mov al,0x6f
804852f: b0 6b mov al,0x6b
8048531: b0 5f mov al,0x5f
8048533: b0 6d mov al,0x6d
8048535: b0 6f mov al,0x6f
8048537: b0 6d mov al,0x6d
8048539: b0 5f mov al,0x5f
804853b: b0 49 mov al,0x49
804853d: b0 5f mov al,0x5f
804853f: b0 66 mov al,0x66
8048541: b0 6f mov al,0x6f
8048543: b0 75 mov al,0x75
8048545: b0 6e mov al,0x6e
8048547: b0 64 mov al,0x64
8048549: b0 5f mov al,0x5f
804854b: b0 69 mov al,0x69
804854d: b0 74 mov al,0x74
804854f: b0 7d mov al,0x7d
neolex@neolex-pc> hiden_in_plain_sight_REVERSE_45pt$cat flag | cut -dx -f2 | xxd -r
IceCTF{look_mom_Ifound_it}
Flag!
The flag for this challenge is therefore: IceCTF{look_mom_Ifound_it}!
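The extraction step above can also be automated over a whole listing. This is an added example, not part of the original write-up: a Python script that scans objdump -d -M intel output for runs of consecutive mov al,imm8 instructions and decodes their operands. The names hidden_strings and min_len and the SAMPLE listing are constructed for illustration.

```python
import re

# One objdump -M intel line: address, opcode bytes "b0 XX", then "mov al,0xXX".
MOV_AL = re.compile(
    r"^\s*([0-9a-f]+):\s+b0 ([0-9a-f]{2})\s+mov\s+al,0x([0-9a-f]{1,2})\s*$")

def hidden_strings(listing, min_len=4):
    """Return (start_address, text) for each run of consecutive mov al,imm8.

    Every store in such a run except the last is overwritten before al is
    read, so the run has no runtime effect and only carries data.
    """
    runs, start, chars = [], None, []
    for line in listing.splitlines() + [""]:  # empty sentinel closes a final run
        m = MOV_AL.match(line)
        byte = int(m.group(2), 16) if m else None
        # Opcode byte and printed operand must agree, and be printable ASCII.
        if m and byte == int(m.group(3), 16) and 0x20 <= byte < 0x7f:
            if not chars:
                start = int(m.group(1), 16)
            chars.append(chr(byte))
            continue
        if len(chars) >= min_len:
            runs.append((start, "".join(chars)))
        start, chars = None, []
    return runs

# Constructed sample listing (not taken from the challenge binary).
SAMPLE = """\
    1000: 83 c4 10        add    esp,0x10
    1003: b0 43           mov    al,0x43
    1005: b0 54           mov    al,0x54
    1007: b0 46           mov    al,0x46
    1009: b0 7b           mov    al,0x7b
    100b: b0 64           mov    al,0x64
    100d: b0 65           mov    al,0x65
    100f: b0 6d           mov    al,0x6d
    1011: b0 6f           mov    al,0x6f
    1013: b0 7d           mov    al,0x7d
    1015: b8 00 00 00 00  mov    eax,0x0
    101a: b0 01           mov    al,0x1
    101c: c3              ret
"""

if __name__ == "__main__":
    for addr, text in hidden_strings(SAMPLE):
        print(f"{addr:#x}: {text}")
```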