Hidden in plain sight [IceCTF][Reverse] [45pts]

Hidden in plain sight is a reverse engineering challenge from IceCTF 2016.

Here is the challenge description:

Make sure you take a real close look at it, it should be right there!

Let's disassemble the file:

neolex@neolex-pc> hiden_in_plain_sight_REVERSE_45pt$objdump -d -M intel plain_sight

plain_sight:     format de fichier elf32-i386
[..]
080484ab <main>:
 80484ab:    8d 4c 24 04              lea    ecx,[esp+0x4]
 80484af:    83 e4 f0                 and    esp,0xfffffff0
 80484b2:    ff 71 fc                 push   DWORD PTR [ecx-0x4]
 80484b5:    55                       push   ebp
 80484b6:    89 e5                    mov    ebp,esp
 80484b8:    51                       push   ecx
 80484b9:    83 ec 14                 sub    esp,0x14
 80484bc:    83 ec 0c                 sub    esp,0xc
 80484bf:    68 40 86 04 08           push   0x8048640
 80484c4:    e8 a7 fe ff ff           call   8048370 <puts@plt>
 80484c9:    83 c4 10                 add    esp,0x10
 80484cc:    83 ec 0c                 sub    esp,0xc
 80484cf:    68 63 86 04 08           push   0x8048663
 80484d4:    e8 97 fe ff ff           call   8048370 <puts@plt>
 80484d9:    83 c4 10                 add    esp,0x10
 80484dc:    a1 c0 98 04 08           mov    eax,ds:0x80498c0
 80484e1:    83 ec 0c                 sub    esp,0xc
 80484e4:    50                       push   eax
 80484e5:    e8 66 fe ff ff           call   8048350 <fflush@plt>
 80484ea:    83 c4 10                 add    esp,0x10
 80484ed:    83 ec 0c                 sub    esp,0xc
 80484f0:    6a 01                    push   0x1
 80484f2:    e8 69 fe ff ff           call   8048360 <sleep@plt>
 80484f7:    83 c4 10                 add    esp,0x10
 80484fa:    83 ec 0c                 sub    esp,0xc
 80484fd:    68 76 86 04 08           push   0x8048676
 8048502:    e8 69 fe ff ff           call   8048370 <puts@plt>
 8048507:    83 c4 10                 add    esp,0x10
 804850a:    a1 c0 98 04 08           mov    eax,ds:0x80498c0
 804850f:    83 ec 0c                 sub    esp,0xc
 8048512:    50                       push   eax
 8048513:    e8 38 fe ff ff           call   8048350 <fflush@plt>
 8048518:    83 c4 10                 add    esp,0x10
 804851b:    b0 49                    mov    al,0x49
 804851d:    b0 63                    mov    al,0x63
 804851f:    b0 65                    mov    al,0x65
 8048521:    b0 43                    mov    al,0x43
 8048523:    b0 54                    mov    al,0x54
 8048525:    b0 46                    mov    al,0x46
 8048527:    b0 7b                    mov    al,0x7b
 8048529:    b0 6c                    mov    al,0x6c
 804852b:    b0 6f                    mov    al,0x6f
 804852d:    b0 6f                    mov    al,0x6f
 804852f:    b0 6b                    mov    al,0x6b
 8048531:    b0 5f                    mov    al,0x5f
 8048533:    b0 6d                    mov    al,0x6d
 8048535:    b0 6f                    mov    al,0x6f
 8048537:    b0 6d                    mov    al,0x6d
 8048539:    b0 5f                    mov    al,0x5f
 804853b:    b0 49                    mov    al,0x49
 804853d:    b0 5f                    mov    al,0x5f
 804853f:    b0 66                    mov    al,0x66
 8048541:    b0 6f                    mov    al,0x6f
 8048543:    b0 75                    mov    al,0x75
 8048545:    b0 6e                    mov    al,0x6e
 8048547:    b0 64                    mov    al,0x64
 8048549:    b0 5f                    mov    al,0x5f
 804854b:    b0 69                    mov    al,0x69
 804854d:    b0 74                    mov    al,0x74
 804854f:    b0 7d                    mov    al,0x7d
[...]

We can see that the flag is hidden in the assembly code: each mov al instruction carries one character of it as its immediate value. We put those lines in a file named flag and use cut and xxd to convert the flag's hexadecimal bytes to ASCII:

neolex@neolex-pc> hiden_in_plain_sight_REVERSE_45pt$cat flag 
 804851b:    b0 49                    mov    al,0x49
 804851d:    b0 63                    mov    al,0x63
 804851f:    b0 65                    mov    al,0x65
 8048521:    b0 43                    mov    al,0x43
 8048523:    b0 54                    mov    al,0x54
 8048525:    b0 46                    mov    al,0x46
 8048527:    b0 7b                    mov    al,0x7b
 8048529:    b0 6c                    mov    al,0x6c
 804852b:    b0 6f                    mov    al,0x6f
 804852d:    b0 6f                    mov    al,0x6f
 804852f:    b0 6b                    mov    al,0x6b
 8048531:    b0 5f                    mov    al,0x5f
 8048533:    b0 6d                    mov    al,0x6d
 8048535:    b0 6f                    mov    al,0x6f
 8048537:    b0 6d                    mov    al,0x6d
 8048539:    b0 5f                    mov    al,0x5f
 804853b:    b0 49                    mov    al,0x49
 804853d:    b0 5f                    mov    al,0x5f
 804853f:    b0 66                    mov    al,0x66
 8048541:    b0 6f                    mov    al,0x6f
 8048543:    b0 75                    mov    al,0x75
 8048545:    b0 6e                    mov    al,0x6e
 8048547:    b0 64                    mov    al,0x64
 8048549:    b0 5f                    mov    al,0x5f
 804854b:    b0 69                    mov    al,0x69
 804854d:    b0 74                    mov    al,0x74
 804854f:    b0 7d                    mov    al,0x7d
neolex@neolex-pc> hiden_in_plain_sight_REVERSE_45pt$cat flag | cut -dx -f2 | xxd -r
IceCTF{look_mom_Ifound_it}
Flag !

The flag for this challenge is therefore: IceCTF{look_mom_Ifound_it} !
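
The same extraction can be done without copying lines by hand. The script below is an added example, not part of the original write-up: it scans objdump -d output for back-to-back `mov al,imm8` instructions (opcode b0) with printable immediates and returns each run as a string. The names `imm8_strings`, `LINE` and `SAMPLE` are made up for this example, and `SAMPLE` is an excerpt of the listing above.

```python
import re

# Start of an objdump -d line: "<address>: <opcode bytes> ..."
LINE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2} )+)")

# Excerpt of the listing above: the line before the run and its first 7 bytes.
SAMPLE = """\
 8048518:    83 c4 10                 add    esp,0x10
 804851b:    b0 49                    mov    al,0x49
 804851d:    b0 63                    mov    al,0x63
 804851f:    b0 65                    mov    al,0x65
 8048521:    b0 43                    mov    al,0x43
 8048523:    b0 54                    mov    al,0x54
 8048525:    b0 46                    mov    al,0x46
 8048527:    b0 7b                    mov    al,0x7b
"""

def imm8_strings(listing, min_len=4):
    """Return (start_address, text) for each run of contiguous
    `mov al,imm8` instructions whose immediates are printable ASCII."""
    runs, start, chars, expected = [], None, [], None

    def flush():
        nonlocal start, chars
        if len(chars) >= min_len:
            runs.append((start, "".join(chars)))
        start, chars = None, []

    for line in listing.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # symbol labels, file header, "[..]" markers
        addr = int(m.group(1), 16)
        code = bytes.fromhex(m.group(2))
        is_mov_al = len(code) == 2 and code[0] == 0xB0 and 0x20 <= code[1] < 0x7F
        # A different instruction or a gap in addresses ends the current run.
        if not is_mov_al or (expected is not None and addr != expected):
            flush()
        if is_mov_al:
            if start is None:
                start = addr
            chars.append(chr(code[1]))
            expected = addr + 2  # mov al,imm8 is two bytes long
        else:
            expected = None
    flush()
    return runs

if __name__ == "__main__":
    for addr, text in imm8_strings(SAMPLE):
        print(f"{addr:#x}: {text}")
```

Over the full listing above, the run includes the 0x5f at 804853d, between `I` and `found`. `xxd -r` without `-p` expects offset-prefixed dump lines, so `xxd -r -p` is the safer way to decode bare hex bytes.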
