This weekend we participated in the DEF CON quals and I'd like to share some of my solutions.
After downloading and extracting the archive we can see that it contains two files.
The first one is a Linux binary:
The second one is an SQLite3 database:
When you try to run it you'll see that the binary has to be launched as the user "retro300".
Let's have a quick look at what data is available in the SQLite3 database:
OK, nice, we have some authentication credentials handy.
Now let's run the binary and connect to it:
Nothing happens: there is no login procedure yet, so it's waiting for some other input first.
If we look in IDA we can see that, before the login window is displayed, the input is compared to "letmenpls":
Let's try again:
Good, we can access the login now, so let's see if we can use the information retrieved from the auth.db file.
I wanted to strace the program to see what's happening, but was stopped by a small anti-debugging measure:
If we look in IDA at what happens after the first input is read, we can find a ptrace anti-debugging mechanism:
Just patch the ptrace call with NOPs and all is fine.
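To make that patch step concrete, here is an added example (my own illustration, not the challenge binary or code from the write-up). It locates every 32-bit x86 `E8 rel32` call that lands on a given target (here an assumed `ptrace@plt` address) inside a section blob and overwrites the five bytes, either with five NOPs, as done above, or with `xor eax,eax` plus three NOPs. The second variant matters when the binary compares the ptrace return value with -1: five NOPs leave whatever was in eax, whereas `ptrace(PTRACE_TRACEME)` returns 0 on success, so faking a zero keeps such a check happy. The section base, the target address and the byte sequence are constructed for the example.

```python
"""Neutralise an x86 (32-bit) call instruction, e.g. a ptrace anti-debug call.

Added example, not the challenge's own code.  The addresses and the sample
bytes below are constructed; with a real ELF you would pass the bytes of the
.text section and its load address (from the section header) instead.
"""

CALL_REL32 = 0xE8   # opcode of the 5-byte `call rel32`
CALL_LEN = 5
NOP = 0x90

# Constructed sample: a tiny .text blob assumed to be loaded at 0x08048000
# with an (assumed) ptrace@plt stub at 0x08048300.
TEXT_BASE = 0x08048000
PTRACE_PLT = 0x08048300
SAMPLE_TEXT = (
    bytes([0x55, 0x89, 0xE5, 0x83, 0xEC, 0x10])   # push ebp; mov ebp,esp; sub esp,0x10
    + b"\x90" * 10                                 # padding up to offset 0x10
    + bytes([0xE8, 0xEB, 0x02, 0x00, 0x00])        # call 0x08048300 (ptrace@plt)
    + bytes([0x83, 0xF8, 0xFF])                    # cmp eax, -1
    + bytes([0x74, 0x02])                          # je  <debugger detected>
    + bytes([0xC9, 0xC3])                          # leave; ret
)


def find_calls_to(data: bytes, base_vaddr: int, target_vaddr: int) -> list:
    """Offsets (into `data`) of every E8 rel32 call whose destination is target_vaddr.

    The target of `call rel32` is the address of the *next* instruction plus the
    signed 32-bit displacement; `data` is assumed to be mapped flat at base_vaddr.
    """
    hits = []
    for off in range(len(data) - CALL_LEN + 1):
        if data[off] != CALL_REL32:
            continue
        rel = int.from_bytes(data[off + 1:off + CALL_LEN], "little", signed=True)
        if base_vaddr + off + CALL_LEN + rel == target_vaddr:
            hits.append(off)
    return hits


def patch_call(data: bytes, offset: int, fake_return_zero: bool = False) -> bytes:
    """Return a copy of `data` with the 5-byte call at `offset` removed.

    fake_return_zero=False: five NOPs (what the write-up did); eax keeps its old value.
    fake_return_zero=True : `xor eax,eax` + three NOPs, so a following
                            `cmp eax,-1` sees the "not traced" result of ptrace().
    """
    if data[offset] != CALL_REL32:
        raise ValueError(f"no E8 call at offset {offset:#x}, found {data[offset]:#04x}")
    if fake_return_zero:
        stub = bytes([0x31, 0xC0]) + bytes([NOP]) * (CALL_LEN - 2)
    else:
        stub = bytes([NOP]) * CALL_LEN
    return data[:offset] + stub + data[offset + CALL_LEN:]


def patch_section(data: bytes, base_vaddr: int, target_vaddr: int,
                  fake_return_zero: bool = False) -> bytes:
    """Patch every call to target_vaddr in the section blob and return the new bytes."""
    for off in find_calls_to(data, base_vaddr, target_vaddr):
        data = patch_call(data, off, fake_return_zero)
    return data


if __name__ == "__main__":
    offs = find_calls_to(SAMPLE_TEXT, TEXT_BASE, PTRACE_PLT)
    print("ptrace calls at offsets:", [hex(o) for o in offs])
    print("patched:", patch_section(SAMPLE_TEXT, TEXT_BASE, PTRACE_PLT).hex())
```

The sample blob deliberately contains a `cmp eax, -1` right after the call, which is the shape of check where the `fake_return_zero` variant is the safer patch; the plain NOP patch is what the write-up used and works whenever the binary does not look at the return value (or eax happens to hold a harmless value).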
Now we can try again to log in with the credentials we got from auth.db:
As we can see the login was not successful, so another check must be implemented.
If we look at the login check function, we can see that it checks whether the input length is 14:
So let's check what happens if we enter 14 characters.
This time you can see that it goes further:
Therefore the passcode input needs to be 14 characters long, but we don't know what the other 10 characters need to be.
If we analyse the code further we will see one function doing some time computation followed by a strcmp; I confirmed by single-stepping through the code that this is the function that checks the 10 additional digits :)
Add a breakpoint at 0xa and run it again:
Now we can check what our input is compared to:
Our string was "1111111111" and the expected one was "3407789347".
Now we can run the binary again and use "3407789347" as the second part.
There we go, now we have access to the menu.
The only part missing is to figure out how to get the key.
If you look further in IDA you will see that there's a function that will read the key for you:
If we look at the menu-handling function, we can see that choosing something that isn't listed gives us "please select from the options present",
which is handled here:
We can look at off_804A918 to see the list of available options:
We have 9 options to select from, and if we go through the ones that are not printed to the console we will find that option 8 leads to:
and this will take you to our special function:
So we can have our key printed.
Let's try it out:
I enjoyed this challenge and hope that this write-up helps others understand what was going on.