NCS Competition 2021 Writeup
  • HHousen National Cyber Scholarship Competition 2021 Writeup
BM01 - 250pts

Last updated 4 years ago

Briefing

Download the file and find a way to get the flag. Contents: program

Challenge Files:

Solution

  1. Running the program prints text in a non-Latin script. Pasting it into Google Translate shows that it is Russian: "Какой пароль?" translates to "What password?". Entering arbitrary input produces "неверный", which translates to "incorrect".

  2. Let's decompile the binary using Ghidra.

    main function:

     undefined8 main(void)
    
     {
         byte bVar1;
         byte bVar2;
         int iVar3;
         long in_FS_OFFSET;
         uint local_74;
         byte local_67 [15];
         char local_58 [72];
         long local_10;
    
         local_10 = *(long *)(in_FS_OFFSET + 0x28);
         puts("\x1b[36mКакой пароль?\x1b[0m");
         printf("> ");
         fgets(local_58,0x3c,stdin);
         iVar3 = strcmp("молоток123\n",local_58);
         if (iVar3 == 0) {
             local_67[0] = 0xe4;
             local_67[1] = 100;
             local_67[2] = 0xa6;
             local_67[3] = 0x90;
             local_67[4] = 0x7c;
             local_67[5] = 0xa6;
             local_67[6] = 0x75;
             local_67[7] = 0xb8;
             local_67[8] = 0xa4;
             local_67[9] = 0xd;
             local_67[10] = 0xc;
             local_67[11] = 0x7f;
             local_67[12] = 0x7e;
             local_67[13] = 0xf3;
             local_67[14] = 1;
             local_74 = 0;
             while (local_74 < 0xf) {
                 bVar2 = (byte)local_74;
                 bVar1 = ~(~(~-((local_67[local_74] ^ 0xa5) - bVar2 ^ bVar2) ^ 0x8d) - 0xb);
                 local_67[local_74] = (((bVar1 << 5 | bVar1 >> 3) + 0x37 ^ 0xe5) - 7 ^ bVar2) - 0x39;
                 local_74 = local_74 + 1;
             }
             printf("\x1b[32mверный!\x1b[0m\n\n\x1b[33mфлаг: %s\x1b[0m\n",local_67);
         }
         else {
             puts("\x1b[31mневерный.\x1b[0m");
         }
         if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                             /* WARNING: Subroutine does not return */
             __stack_chk_fail();
         }
         return 0;
     }

    The program compares the user input to молоток123, which translates to hammer123.

  3. Running the program and entering молоток123 outputs верный! флаг: wh1te%BluE$R3d (Translation: Right! Flag: wh1te%BluE$R3d), which is the flag.
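The password check only gates a decode loop whose inputs are all constants stored in the binary, so the flag can also be recovered statically, without running the program or knowing the password. The C re-implementation of that loop below is an added example, not part of the original writeup; the names `ENCODED`, `rol5`, `decode_byte` and `decode_flag` are chosen here for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLAG_LEN 15 /* 14 characters plus the terminating NUL */

/* Encoded bytes copied from local_67[] in the decompiled main(). */
static const uint8_t ENCODED[FLAG_LEN] = {
    0xe4, 0x64, 0xa6, 0x90, 0x7c, 0xa6, 0x75, 0xb8,
    0xa4, 0x0d, 0x0c, 0x7f, 0x7e, 0xf3, 0x01
};

/* Rotate an 8-bit value left by 5: Ghidra's (b << 5 | b >> 3) on a byte. */
static uint8_t rol5(uint8_t b) {
    return (uint8_t)((b << 5) | (b >> 3));
}

/* One iteration of the decode loop. C promotes bytes to int, so the casts
   truncate back to 8 bits where the binary stores into a byte variable. */
static uint8_t decode_byte(uint8_t enc, uint8_t i) {
    /* (local_67[i] ^ 0xa5) - bVar2 ^ bVar2 : '-' binds tighter than '^' */
    uint8_t a = (uint8_t)(((enc ^ 0xa5) - i) ^ i);
    /* bVar1 = ~(~(~-(a) ^ 0x8d) - 0xb) */
    uint8_t b = (uint8_t)~(~(~(-a) ^ 0x8d) - 0x0b);
    /* (((rol5(bVar1) + 0x37 ^ 0xe5) - 7 ^ bVar2) - 0x39 */
    return (uint8_t)(((((rol5(b) + 0x37) ^ 0xe5) - 7) ^ i) - 0x39);
}

/* Decode all 15 bytes; the last one decodes to the NUL terminator. */
static void decode_flag(char out[FLAG_LEN]) {
    for (uint8_t i = 0; i < FLAG_LEN; i++) {
        out[i] = (char)decode_byte(ENCODED[i], i);
    }
}

int main(void) {
    char flag[FLAG_LEN];
    decode_flag(flag);
    printf("%s\n", flag);
    return 0;
}
```

The result matches the output in step 3, which shows that the hard-coded password adds no protection: anything the binary can compute from its own constants is readable from the binary.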

Flag

wh1te%BluE$R3d

bm01.zip