DEFCON 2013 CTF Quals - Reverse Engineering 1

But I already typed that…
**http://assets-2013.legitbs.net/liabilities/policebox**
**http://assets-2013.legitbs.net/liabilities/core**

Opening the core file in gdb reveals that it was “dumped” at the 2nd instruction of main.
Reversing policebox gave:

```c
int __cdecl main()
{
  signed int v1; // [sp+1Ch] [bp-4h]@5   loop counter (decompiler stack annotation)

  if ( !isatty(ttyfd) )
    perror("not on a tty");                 // only warns, does not exit
  if ( tcgetattr(ttyfd, &orig_termios) < 0 )
    perror("can't get tty settings");
  atexit(tty_exit);                         // restore the original tty settings on exit
  tty_raw();                                // raw mode: no echo, so the typed key is never displayed
  v1 = 0;
  printf("The key is: ");
  while ( v1 <= 63 )                        // read at most 64 characters
  {
    if ( (unsigned __int8)getchar() == 13 ) // stop on carriage return (Enter in raw mode)
    {
      puts("\r");
      return 0;
    }
    ++v1;                                   // the character is compared and discarded, never stored
  }
  return 0;
}
```

This problem probably gave people the most trouble, as what you're looking for is the output of getchar(): the program compares each character and throws it away, so the key is never written to memory and there is nothing to find in the core's data.

Eventually we realized that the core file also contained a gdb execution log using the ProcessRecord feature (http://sourceware.org/gdb/onlinedocs/gdb/Process-Record-and-Replay.html). This means that every instruction that was executed, along with its effect on registers and memory, was stored in the core file. Simply loading the record file with “record restore core” and then adding a breakpoint after the getchar() call means we can replay the log and get the input that was typed to the program.
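The replay step, written out as a gdb command script. This is an added example and not part of the original writeup; it assumes a 32-bit x86 binary (which the decompiler's `bp`/`sp` stack annotations suggest, so the return value of getchar() is in `eax`), and `ADDR_AFTER_GETCHAR` is a placeholder for the address of the instruction that follows the `call getchar` in main, which you read from the disassembly because the writeup does not give it.

```gdb
# Added example, not from the original writeup.
# Load the binary, then restore the process-record log that is stored in the core
# ("record restore" opens the core itself and layers the record target on top of it).
file policebox
record restore core

# ADDR_AFTER_GETCHAR is a placeholder: the instruction right after "call getchar" in main.
break *ADDR_AFTER_GETCHAR
commands
  silent
  # 32-bit x86 assumed: getchar()'s return value is in eax; print its low byte as a character
  printf "%c", $eax & 0xff
  continue
end

# Replay forward through the recorded log; gdb stops by itself when the log is exhausted
continue
```

Run it as `gdb -q -x replay.gdb`; every character the user typed is printed in order, ending with the carriage return that terminated the loop. Because the values come from the recorded log rather than from a live process, nothing about the original terminal session is needed.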

Key:

w0rlds.w0rst.k3yl0gger!