Written by jakesss
```
Here's a Linux 64-bit binary to sharpen your teeth on - examine it in your favorite disassembler/debugger, and find the flag.
```
---
### Understand the Program
Note: Some function and variable names have been changed to enhance the reader's understanding of the program flow.
**main**
```c
/*
 * Entry point (decompiler rendering). Under the usual main() convention a1 is
 * argc, a2 is argv and a3 is envp (unused here). The program expects exactly
 * one argument, the candidate password, and hands argv[1] to win(); the only
 * output is one of three fixed messages.
 * Returns 0 when win() accepts the argument, 1 on a rejected password or on a
 * wrong argument count.
 */
__int64 __fastcall main(int a1, char **a2, char **a3)
{
__int64 result; // rax
if ( a1 == 2 )  // program name plus exactly one argument
{
if ( win(a2[1]) )  // win() does the whole check; see its listing below
{
printf("[+] You achieved level 3!\r\n");
result = 0LL;
}
else
{
printf("[*] You are not leet enough.\r\n");
result = 1LL;
}
}
else
{
printf("[!] %s <password>", *a2);  // usage message; *a2 is argv[0], the program name
result = 1LL;
}
return result;
}
```
The user supplies a candidate flag as the single command-line argument; `main` passes it (`a2[1]`) into the `win` function.
**win**
```c
/*
 * Password check (decompiler rendering). Builds a 40-byte obfuscated copy of
 * the flag on the stack (indices 0..38 are data, index 39 is the 0
 * terminator; the remaining bytes of the 48-byte buffer are never written),
 * decodes it in place with xor() and compares the caller's string against
 * the result.
 * Returns nonzero when a1 matches the decoded flag, 0 otherwise.
 * Because the decoded flag sits in writable stack memory between the xor()
 * call and the return, a breakpoint on strcmp reveals it; a single-byte XOR
 * is obfuscation, not protection.
 */
_BOOL8 __fastcall win(const char *a1)
{
char enc_flag[48]; // [rsp+10h] [rbp-30h] BYREF
enc_flag[0] = 0xA2;  // 0xA2 is -94 as a signed char, i.e. the same range as the values below; presumably the decompiler only rendered this one in hex
enc_flag[1] = -88;
enc_flag[2] = -91;
enc_flag[3] = -93;
enc_flag[4] = -101;
enc_flag[5] = -65;
enc_flag[6] = -3;
enc_flag[7] = -16;
enc_flag[8] = -3;
enc_flag[9] = -90;
enc_flag[10] = -3;
enc_flag[11] = -11;
enc_flag[12] = -11;
enc_flag[13] = -96;
enc_flag[14] = -13;
enc_flag[15] = -89;
enc_flag[16] = -94;
enc_flag[17] = -12;
enc_flag[18] = -16;
enc_flag[19] = -9;
enc_flag[20] = -3;
enc_flag[21] = -96;
enc_flag[22] = -91;
enc_flag[23] = -12;
enc_flag[24] = -11;
enc_flag[25] = -16;
enc_flag[26] = -90;
enc_flag[27] = -90;
enc_flag[28] = -4;
enc_flag[29] = -3;
enc_flag[30] = -13;
enc_flag[31] = -96;
enc_flag[32] = -14;
enc_flag[33] = -4;
enc_flag[34] = -89;
enc_flag[35] = -90;
enc_flag[36] = -16;
enc_flag[37] = -15;
enc_flag[38] = -71;
enc_flag[39] = 0;  // string terminator; it lies outside the length passed to xor() below, so it survives decoding
xor(enc_flag, 0x27, 0xC4);  // decode bytes 0..38 (0x27 == 39 bytes) in place with key 0xC4
return strcmp(a1, enc_flag) == 0;  // true only on an exact match with the decoded flag
}
```
The encrypted flag is passed into the `xor` function, which XORs the first `0x27` (39) bytes of `enc_flag` with `0xC4`; the terminating null byte at index 39 is left untouched.
**xor**
```c
/*
 * In-place single-byte XOR (decompiler rendering). a1 is used as a byte
 * pointer -- the decompiler typed it as an integer, but it is dereferenced
 * below -- arr_len is the number of bytes to process and a3 is the key.
 * Returns the loop counter at exit: arr_len for a positive length, 0
 * otherwise.
 * a3 is a char, so a key such as 0xC4 may arrive as a negative value on
 * targets where char is signed; the XOR only affects the low 8 bits of each
 * byte, so the stored result is the same either way.
 */
__int64 __fastcall xor(__int64 a1, int arr_len, char a3)
{
__int64 result; // rax
int i; // [rsp+1Ch] [rbp-4h]
for ( i = 0; ; ++i )  // the loop's exit test is in the body, as the decompiler rendered it
{
result = i;
if ( i >= arr_len )
break;
*(i + a1) ^= a3;  // byte i of the buffer ^= key
}
return result;
}
```
---
### Retrieve the Flag
Set a breakpoint on the `strcmp` function call (line 46 of the decompiler listing). This stops the program after the xor decryption has run and before it terminates:
![[images/Pasted image 20230809000503.png]]
Hit `F9` to start the debugging process.
`RDI` seems to be pointing to the location of the flag on the stack:
![[images/Pasted image 20230808235024.png]]
Flag: `flag_{949b911d7cf0439da014bb897d68cb45}`