
Screencap of test run and submission.
Challenge 6 is a GoLang challenge: you have to enter 4 keys.
Here are some potentially interesting functions:
main.check_key1
main.verify_key2
main.check_key2
main.verify_key3
main.check_key3
main.verify_key4
main.check_key4
I put a break at strconv.init 0x6f9f (right after strings.init) and looked at $rdi (2568>?Qufqr at address 1D9BE3).
The string was the port number I connected through. It has been output by the time I hit the ret instruction at 0x8b367.
No breaks are needed before 28a3, which is just after writeline(" Entered Key 1: abcde").
At 28b0 the first test of the key is made: the length must be 3. Analyzing the code, it looks at char 2, char 1, then char 3. The key should be 3at, and that works!
The second key is verified in main.verify_key2 instead of main.check_key2 (1st was in main.check_key1) starting at address 0x2fa0 (break there for analysis).
So, analyzing the code, there are two rounds (there are more, but two were enough to extract the key) that require:
round 1: the ord value of the first letter plus the ord value of each succeeding letter must equal a check value
round 2: the ord value of the second letter plus the ord value of each succeeding letter must equal a check value
I extracted the check values into a couple of arrays and brute forced the answer (original script, re-indented and moved to Python 3 print syntax):
a1=[0xcb,0xac,0xd1,0xc6,0xcb,0x94,0xcf,0xcf,0xa3,0xdd]
a2=[0xb1,0xd6,0xcb,0xd0,0x99,0xd4,0xd4,0xa8,0xe2]
for i in range(0x61,0x7e):          # try each printable first character
    b1 = [i]
    b2 = [i]
    for j in range(0,len(a1)):      # round 1: first char + char j+1 == a1[j]
        b1.append(a1[j]-i)
    s1 = ""
    for j in b1:
        s1 += chr(j)
    b2.append(b1[1])                # second char is taken from round 1
    for j in range(0,len(a2)):      # round 2: second char + char j+2 == a2[j]
        b2.append(a2[j]-b2[1])
    s2 = ""
    for j in b2:
        s2 += chr(j)
    if s1 == s2:                    # both rounds must agree on the same string
        print(f'SUCCESS: s1 = {s1} and s2 = {s2}')
Downloads/panw_hacking/GoLang/brute.py
SUCCESS: s1 = chInch1ll@z and s2 = chInch1ll@z
So,
key1 = 3at
key2 = chInch1ll@z
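The two rounds above actually pin the key down without a brute force: round 1 gives key[1] = a1[0] - key[0] and key[2] = a1[1] - key[0], round 2 gives key[2] = a2[0] - key[1], so 2*key[0] = a1[0] + a1[1] - a2[0]. The following is an added example, not the writeup's brute.py and not code from the challenge binary; it models the two-round check as described above (function names verify_key2/solve_key2 and the length assumption are this example's own) and derives key 2 in closed form, then confirms it with the modelled check.

```python
# Added example: recover key 2 from the two-round check values directly.
# A1/A2 are the check values extracted in the writeup. The check model
# (round 1 pairs key[0] with every later byte, round 2 pairs key[1] with
# every later byte) follows the writeup's description; it is not the
# binary's own code.

A1 = [0xcb, 0xac, 0xd1, 0xc6, 0xcb, 0x94, 0xcf, 0xcf, 0xa3, 0xdd]
A2 = [0xb1, 0xd6, 0xcb, 0xd0, 0x99, 0xd4, 0xd4, 0xa8, 0xe2]


def verify_key2(key: str) -> bool:
    """Model of main.verify_key2 as described in the writeup.

    Assumes the key is exactly len(A1) + 1 bytes long (one byte per
    round-1 check value plus the first byte itself).
    """
    if len(key) != len(A1) + 1:
        return False
    b = key.encode("ascii", errors="replace")
    round1 = all(b[0] + b[j + 1] == A1[j] for j in range(len(A1)))
    round2 = all(b[1] + b[j + 2] == A2[j] for j in range(len(A2)))
    return round1 and round2


def solve_key2() -> str:
    """Closed-form solve.

    From round 1: key[1] = A1[0] - key[0] and key[2] = A1[1] - key[0].
    From round 2: key[2] = A2[0] - key[1].
    Substituting: 2 * key[0] = A1[0] + A1[1] - A2[0].
    """
    twice_first = A1[0] + A1[1] - A2[0]
    if twice_first % 2:
        raise ValueError("check values are inconsistent: first byte not integral")
    first = twice_first // 2
    key = bytes([first] + [v - first for v in A1]).decode("ascii")
    # Round 1 alone determines the whole string; round 2 is the cross-check
    # that tells us the check values really were built from one key.
    if not verify_key2(key):
        raise ValueError("derived key fails the round-2 check")
    return key


if __name__ == "__main__":
    print("key2 =", solve_key2())
```

The point of writing it this way is that the brute force works only because the search space (one printable byte) is tiny; the algebra shows the check is fully determined by its constants, which is the usual situation with additive "sum must equal constant" checks in crackme-style key validation.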
Key 3 is 4 characters long (0x58ac). It needs to be an integer value (atoi is called), and since we're using leet speak I'll try 1337 first.
The 2nd character must be a 1 for the imul test at 0x5955.
4th - 1st ascii values = 0x20 for the sub test at 0x5938.
4th - 3rd ascii values = 0x01 for the sub test at 0x598c.
rbp - 3rd ascii value = 0x383d3cdd at 0x59b1, which yields
key3 = H1gh
Work on key 4:
len(key4) = 5 (0x643c)
key4[1] through key4[3] are digits whose integer value is 183
key4[0] = 'F' and key4[4] = 'r'
key4 = F183r
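Keys 3 and 4 were recovered by reading individual tests out of the disassembly; as an added example (not part of the writeup and not the challenge's code) the same tests can be written down as filters and run over printable candidates. Assumptions: the key-3 "must be a 1" test is modelled as the literal character '1', candidates are drawn from ASCII letters and digits, and the final key-3 comparison against 0x383d3cdd at 0x59b1 is not reproduced because the writeup does not say how that value is computed, so key 3 comes out as a candidate set (containing H1gh) rather than a single answer. Function names key3_candidates/check_key4/solve_key4 are this example's own.

```python
# Added example: constraints from the writeup's disassembly notes turned into
# candidate filters. Character set is an assumption; the checks themselves
# are the ones listed for keys 3 and 4.
import string

PRINTABLE = string.ascii_letters + string.digits  # assumed candidate alphabet


def satisfies_key3(key: str) -> bool:
    """Tests from the writeup: len 4, key[1] == '1' (imul test),
    key[3] - key[0] == 0x20 (sub at 0x5938), key[3] - key[2] == 1 (sub at 0x598c).
    The rbp/0x383d3cdd comparison is deliberately not modelled."""
    return (len(key) == 4
            and key[1] == "1"
            and ord(key[3]) - ord(key[0]) == 0x20
            and ord(key[3]) - ord(key[2]) == 1)


def key3_candidates() -> list:
    """Enumerate every printable key that passes the three modelled tests.
    key[0] fixes key[3] (+0x20) and key[2] (key[3]-1), so one loop suffices."""
    found = []
    for c0 in PRINTABLE:
        c3 = chr(ord(c0) + 0x20)
        c2 = chr(ord(c3) - 1)
        candidate = c0 + "1" + c2 + c3
        if c3 in PRINTABLE and c2 in PRINTABLE and satisfies_key3(candidate):
            found.append(candidate)
    return found


def check_key4(key: str) -> bool:
    """Tests from the writeup: len 5, key[0] == 'F', key[4] == 'r',
    key[1:4] are digits that parse to 183."""
    return (len(key) == 5
            and key[0] == "F"
            and key[4] == "r"
            and key[1:4].isdigit()
            and int(key[1:4]) == 183)


def solve_key4() -> str:
    """The numeric part is fully determined; enumerate 000-999 to show that
    exactly one candidate survives the check."""
    hits = [f"F{n:03d}r" for n in range(1000) if check_key4(f"F{n:03d}r")]
    if len(hits) != 1:
        raise ValueError(f"expected one key-4 candidate, got {len(hits)}")
    return hits[0]


if __name__ == "__main__":
    cands = key3_candidates()
    print(f"{len(cands)} key-3 candidates pass the modelled tests; H1gh included: {'H1gh' in cands}")
    print("key4 =", solve_key4())
```

Running it shows why the writeup needed the last comparison at 0x59b1: the three arithmetic tests alone leave every uppercase letter except A, plus the ten digits, as a valid first character for key 3, and only the final constant narrows that to H1gh. Key 4, by contrast, is completely determined by the listed tests.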