After running the executable we assumed that the challenge was to find the password that would output a ": )".The next step was inspect the program in IdaPro and see if our assumptions were true. Some findings from examining the executable in IdaPro included:
The program fires up prints “Password” to the screen, then waits for user input. Once the user has entered the password the first check the executable does is to verify that the length of the password is 28 characters long.
Then the executable makes a second call to _strlen once again to verify that the length of the password is 28 characters long.
The program then calls the keygen function and falls into the call to the wrong function if keygen returns zero and the call to the valid function if keygen returns one. It looks like the function that will need to be reversed is the keygen function.
After some inspection and remote debugging we were able to figure out some important information about the keygen function. The keygen function works as follows:
- Pull eight bytes from the user input and store the result in RAX
- Use the bottom four bytes of RAX as input to _srandom
- Call the _random function, and compare the return value to a number
- Increment r12 to grab the next four bytes of the user input
This entire algorithm is repeated a total of seven times. The first seven numbers that are compared after each reseeding of the random function were:
2. 0x34d8c3b53. 0x1f49456c
5. 0x4e81abc76. 0x683d3f5d
7. 0x28c9a8feTherefore to find the key all we need to do is write a program that generates all possible four character printable ASCII values. Use those values as input to srandom, call random, and finally compare the result to each of the previous seven numbers to find a match. This will tell us what four characters were used as the seed at that particular point in the program. Once all seven seeds are found we should have the flag:). The solution program that we used is as follows:
Link to solution code: https://github.com/IAryan/CTFSolutions/blob/master/randySolution.c
The output of the bruteforce program reveals the flag: n0t s0 r4nd0m0 4ft3r a11!!!!
Solution write-up by Ryan