impossible password

OK wow that was strange. I got the flag, though I'm not completely sure how what I did worked.

So I played around a bit on stage ** and I found out that abc", "def" will be read as abc",
So I wondered if there is a way to inject something like 1==1 into strcmp. Can someone PM me and give me a hint whether I'm thinking in the right direction?

Bringing this back from the dead. I'm completely new in this field of reversing. I've dived straight in and believe I'm on "step 2". To solve the rest of this, would my time be better spent learning how to read/write assembly, or should I be looking for tools that can decompile ELF / convert assembly to C?

In the few hours I've spent using rabin2 and learning some more common assembly operands like cmp and lea, I feel like I'm progressing in the puzzle - but is this really the most efficient method in 2019?

@ytho I just solved it using the NSA tool Ghidra (https://ghidra-sre.org/); it works similarly to tools like IDA, Hopper or Radare.

Step 1 should be very obvious if you know the basic libc functions, step 2 requires you to figure out what that unknown function does (grab an ASCII table) and step 3 is what happens after you pass the check.

As mentioned above, maybe you can skip step 2 since that would be rather hard?

! By doing step 3 in python or similar?

I don't feel like much assembly knowledge is needed here. Maybe just a Ghidra hint:
Start at "entry" in the function browser on the left after opening and analyzing the file (tutorials are available); the first argument in __libc_start_main is your "main" function.

Awesome tool recommendation. Was bashing my head against the wall trying to find something that did this. Working on step 3 recreation now :slight_smile:

Thanks to this one, I learnt how to debug in radare2 and also change a condition to get the flag.

PM me Discord me if you need help

Stage 1 was super easy, passed in about 30 seconds. Step 2 was a bit harder but only because I lack any experience in reversing (started a day ago). I have experience in programming in different languages so I understand how programs run.

Step 2 was a bit hard only because I had to get used to the app. I knew what I wanted to do (modify the code) but didn't know how to. So I just played around with the app and finally managed to change something. Saved the modified bin and re-ran it to get the flag.

@S7uXN37 No need for ASCII tables if you can decompile.

ps. I hope this info is useful yet not a spoiler.

Excellent challenge once I took the name literally and started paying attention.
Also just went back and did it via patching, pretty easy once you spot it!

Already knew the tricks used in this challenge, but a good application anyway to gain practice with radare2 =D
If someone needs help just let me know

stoked, learned a lot with this one.
thanks @decoder for the challenge
thanks @MarioOlofo for the convo
and thanks to you at home for reading this. :wink:

My 'hint' is, don't make it hard on yourself and READ the code.

OK … will start this challenge … am new to these things. I will use Cutter and see how it goes. Will post back!

I'm on step 2, but it looks like the string it compares it to is always random? Am I looking at the right thing? I'm new to binary RE.

I'm stuck at the ** part. Been trying to study and debug the decompiled code generated from Ghidra for hours and I'm not making any progress. Can anybody give me a hint?

edit: Got it, had to use a combination of Ghidra + radare (Ghidra wasn't 100% necessary but the decompiled code helps). Learned some really cool things on this one.

It's a funny and fine task.
I've solved it with Radare2 only.
Thanks @decoder for fun

I'm not sure what to do next. I have something in the HTB{} format, but it doesn't work when I submit it.

I got to this place by first analyzing the code in Ghidra, then just simply messing with a jump in a hex editor.

Update: I'm stupid. I was putting the flag into the wrong challenge :stuck_out_tongue:

Solved it using Ghidra's decompiler, and some gdb debugging for register value manipulation :wink: I also solved it with binary patching, so that you get the flag by just executing the binary. Though, by bypassing the 2 "passwords", you miss the whole point. Reverse engineering is not about getting some flag, but rather about understanding the underlying logic. The flag is just to verify that you followed a correct methodology.

SPOILER: Assume the bin is going to display your flag on screen.
Locate such calls, and exclude those whose arg is way too short to be your flag.
Between that one remaining call and the creation of its stack frame, it's the assembly that assembles your flag (no pun intended).

But yeah, I totally followed the execution flow from start to finish for days before I realized this. And the most delightful part of this whole process was editing the theme color config file of Cutter, the UI for Radare2, hehehehe.

Was a good challenge, was the first time that I cut a file :slight_smile:

Great challenge. I was sitting there for around 2 hrs in front of my screen, not realizing that the answer was right in front of me. COMPLETED IN IDA.