Sunday, June 2, 2013

EBCTF Teaser 2013 - Bin 100 - [Team xbios]

For this challenge we were given a PE32 executable. It's a dice game: we have to throw the correct sequence of numbers to get the flag.
```
[ctf@renorobert EBCTF]$ file ebCTF-Teaser-BIN100-Dice.exe
ebCTF-Teaser-BIN100-Dice.exe: PE32 executable for MS Windows (console) Intel 80386 32-bit

[ctf@renorobert EBCTF]$ wine ebCTF-Teaser-BIN100-Dice.exe

[*] ebCTF 2013 Teaser - BIN100 - Dice Game
To get the flag you will need to throw the correct numbers.

[*] You will first need to throw a three, press enter to throw a dice!

-------
| O   O |
|       |
| O   O |
-------

[*] You rolled a 4 That is not a three :/
[*] Game over!
```
Analysing the binary with IDA, we noticed the following:

[*] We have to throw the sequence 3 - 1 - 3 - 3 - 7 to get the flag
[*] The binary randomly generates numbers between 1 and 6 and does the comparison

We simply patched the essential JNZ instructions to JZ instructions, so that the binary stops execution only when the right numbers are thrown. Here is the IDA dif file we used for patching:
```
ebCTF-Teaser-BIN100-Dice.exe
00000D2B: 75 74
00000F92: 75 74
00001069: 75 74
000013A5: 75 74
0000163D: 75 74
000016D6: 85 84
00001A29: 75 74
00001A50: 85 84
```
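As an added example (not part of the original write-up), here is a small Python applier for the dif listing above. It verifies each original byte before writing and checks that every `85 -> 84` change is the second byte of a near Jcc (`0F 85` to `0F 84`), while `75 -> 74` is the short JNZ to JZ form. The function names are my own, and because the real executable is not embedded here, `constructed_image` builds a stand-in buffer.

```python
import re

# The dif content from the write-up above (IDA format: offset: original patched).
DIF = """ebCTF-Teaser-BIN100-Dice.exe
00000D2B: 75 74
00000F92: 75 74
00001069: 75 74
000013A5: 75 74
0000163D: 75 74
000016D6: 85 84
00001A29: 75 74
00001A50: 85 84
"""
LINE = re.compile(r"^([0-9A-Fa-f]{8}):\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})$")

def parse_dif(text):
    """Return [(file_offset, original, patched)]; the header and blank lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            out.append((int(m[1], 16), int(m[2], 16), int(m[3], 16)))
    return out

def apply_dif(image, patches):
    """Patch a copy of image, refusing if the file does not match the dif."""
    buf = bytearray(image)
    for off, old, new in patches:
        if off >= len(buf):
            raise ValueError(f"offset {off:#x} is past the end of the file")
        if buf[off] != old:
            raise ValueError(f"{off:#x}: expected {old:02x}, found {buf[off]:02x}")
        # 85 is only a JNZ when it follows the 0F two-byte opcode prefix.
        if old == 0x85 and (off == 0 or buf[off - 1] != 0x0F):
            raise ValueError(f"{off:#x}: 85 is not preceded by 0F")
        buf[off] = new
    return bytes(buf)

def constructed_image(patches, size=0x2000):
    """Constructed stand-in for the executable: NOP filler plus the original bytes."""
    buf = bytearray(b"\x90" * size)
    for off, old, _ in patches:
        buf[off] = old
        if old == 0x85:
            buf[off - 1] = 0x0F
    return bytes(buf)

if __name__ == "__main__":
    p = parse_dif(DIF)
    print(apply_dif(constructed_image(p), p)[0x16D5:0x16D7].hex())
```

Applying the dif a second time to the patched output raises `ValueError`, which guards against patching the wrong file or an already modified copy.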
We then executed the patched binary and got the flag on the first run:
```
[*] You rolled a seven, with a six sided dice! How awesome are you?!

[*] You rolled 3-1-3-3-7, what does that make you? ELEET! \o/
[*] Nice job, here is the flag: ebCTF{64ec47ece868ba34a425d90044cd2dec}
```
The flag for the challenge is ebCTF{64ec47ece868ba34a425d90044cd2dec}