hsctf 2019 A-Byte

Let's take a look at the binary:

$	file a-byte 
a-byte: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=88fe0ee8aed1a070d6555c7e9866e364a40f686c, stripped
$	./a-byte 159
u do not know da wae

So we can see that we are dealing with a 64 bit function, that takes in data by passing arguments to the program. Looking through the functions, we find FUN_0010073a which appears to hold most of the code that is relevant to us.

undefined8 FUN_0010073a(int argc,long argv)

  long lVar1;
  int iVar2;
  undefined8 uVar3;
  size_t inputLen;
  long in_FS_OFFSET;
  int i;
  char desiredOutput;
  char *inputPtr;
  lVar1 = *(long *)(in_FS_OFFSET + 0x28);
  if (argc == 2) {
    inputPtr = *(char **)(argv + 8);
    inputLen = strlen(inputPtr);
    if ((int)inputLen == 0x23) {
      i = 0;
      while (i < 0x23) {
        inputPtr[(long)i] = inputPtr[(long)i] ^ 1;
        i = i + 1;
      desiredOutput = 'i';
      iVar2 = strcmp(&desiredOutput,inputPtr);
      if (iVar2 == 0) {
        puts("Oof, ur too good");
        uVar3 = 0;
        goto LAB_00100891;
  puts("u do not know da wae");
  uVar3 = 0xffffffff;
  if (lVar1 == *(long *)(in_FS_OFFSET + 0x28)) {
    return uVar3;
                    /* WARNING: Subroutine does not return */

So we can see that it only wants a single argument in addition to the program name (argc has to be two). Then it checks to see if our input that we gave it via and argument is 0x23 bytes long. If so it will then go through and set all of the bytes equal to the byte xored by 1. It then checks to see if our input is equal to desiredOutput, and if it is it looks like we solved the challenge. Looking at the decompiled code, it looks like desiredOutput is set equal to just the character i. The decompilation got that wrong, and looking at the assembly code shows us what it is actually set equal to:

        001007d5 c6 45 d0 69     MOV        byte ptr [RBP + desiredOutput],0x69
        001007d9 c6 45 d1 72     MOV        byte ptr [RBP + local_37],0x72
        001007dd c6 45 d2 62     MOV        byte ptr [RBP + local_36],0x62
        001007e1 c6 45 d3 75     MOV        byte ptr [RBP + local_35],0x75
        001007e5 c6 45 d4 67     MOV        byte ptr [RBP + local_34],0x67
        001007e9 c6 45 d5 7a     MOV        byte ptr [RBP + local_33],0x7a
        001007ed c6 45 d6 76     MOV        byte ptr [RBP + local_32],0x76
        001007f1 c6 45 d7 31     MOV        byte ptr [RBP + local_31],0x31
        001007f5 c6 45 d8 76     MOV        byte ptr [RBP + local_30],0x76
        001007f9 c6 45 d9 5e     MOV        byte ptr [RBP + local_2f],0x5e
        001007fd c6 45 da 78     MOV        byte ptr [RBP + local_2e],0x78
        00100801 c6 45 db 31     MOV        byte ptr [RBP + local_2d],0x31
        00100805 c6 45 dc 74     MOV        byte ptr [RBP + local_2c],0x74
        00100809 c6 45 dd 5e     MOV        byte ptr [RBP + local_2b],0x5e
        0010080d c6 45 de 6a     MOV        byte ptr [RBP + local_2a],0x6a
        00100811 c6 45 df 6f     MOV        byte ptr [RBP + local_29],0x6f
        00100815 c6 45 e0 31     MOV        byte ptr [RBP + local_28],0x31
        00100819 c6 45 e1 76     MOV        byte ptr [RBP + local_27],0x76
        0010081d c6 45 e2 5e     MOV        byte ptr [RBP + local_26],0x5e
        00100821 c6 45 e3 65     MOV        byte ptr [RBP + local_25],0x65
        00100825 c6 45 e4 35     MOV        byte ptr [RBP + local_24],0x35
        00100829 c6 45 e5 5e     MOV        byte ptr [RBP + local_23],0x5e
        0010082d c6 45 e6 76     MOV        byte ptr [RBP + local_22],0x76
        00100831 c6 45 e7 40     MOV        byte ptr [RBP + local_21],0x40
        00100835 c6 45 e8 32     MOV        byte ptr [RBP + local_20],0x32
        00100839 c6 45 e9 5e     MOV        byte ptr [RBP + local_1f],0x5e
        0010083d c6 45 ea 39     MOV        byte ptr [RBP + local_1e],0x39
        00100841 c6 45 eb 69     MOV        byte ptr [RBP + local_1d],0x69
        00100845 c6 45 ec 33     MOV        byte ptr [RBP + local_1c],0x33
        00100849 c6 45 ed 63     MOV        byte ptr [RBP + local_1b],0x63
        0010084d c6 45 ee 40     MOV        byte ptr [RBP + local_1a],0x40
        00100851 c6 45 ef 31     MOV        byte ptr [RBP + local_19],0x31
        00100855 c6 45 f0 33     MOV        byte ptr [RBP + local_18],0x33
        00100859 c6 45 f1 38     MOV        byte ptr [RBP + local_17],0x38
        0010085d c6 45 f2 7c     MOV        byte ptr [RBP + local_16],0x7c
        00100861 c6 45 f3 00     MOV        byte ptr [RBP + local_15],0x0

So we can see that we are dealing with a char array on the stack, that it moves in input one byte at a time. We can see that the amount of bytes it moves in is 35 (excluding the null byte terminator at the end), the same amount for the length of the data we pass in as an argument. So we know what input we control, we know the algorithm that it is passed through, and we know what the end result will need to be. This is everything we need to make a simple Z3 script to find the solution for us:

from z3 import *

# Designate the desired output
desiredOutput = [0x69, 0x72, 0x62, 0x75, 0x67, 0x7a, 0x76, 0x31, 0x76, 0x5e, 0x78, 0x31, 0x74, 0x5e, 0x6a, 0x6f, 0x31, 0x76, 0x5e, 0x65, 0x35, 0x5e, 0x76, 0x40, 0x32, 0x5e, 0x39, 0x69, 0x33, 0x63, 0x40, 0x31, 0x33, 0x38, 0x7c]

# Designate the input z3 will have control of
inp = []
for i in xrange(0x23):
	byte = BitVec("%s" % i, 8)

z = Solver()

for i in xrange(0x23):
	z.add((inp[i] ^ 1) == desiredOutput[i])

#Check if z3 can solve it, and if it can print out the solution
if z.check() == sat:
#	print z
	print "Condition is satisfied, would still recommend crying: " + str(z.check())
	solution = z.model()
	flag = ""
	for i in range(0, 0x23):
		flag += chr(int(str(solution[inp[i]])))
	print flag

#Check if z3 can't solve it
elif z.check() == unsat:
	print "Condition is not satisfied, would recommend crying: " + str(z.check())

When we run it:

$	python reverent.py 
Condition is satisfied, would still recommend crying: sat
$	./a-byte hsctf{w0w_y0u_kn0w_d4_wA3_8h2bA029}
Oof, ur too good

Just like that, we solved the challenge!