Writeup – sleeper_cell

During the pwn2win CTF, the “sleeper_cell” binary caught my attention as the second challenge I tackled.


$ file sleeper_cell

The file is a Linux binary, which takes input from stdin – if you enter the correct key, it prints “OK”, otherwise, it spits back what you put in.

Opening this up in IDA reveals a relatively simple binary, albeit with a bit of C++ to make life annoying:

All the important code, right up the top!


A little bit of initial debugging (i.e. 0x400E64) showed that the input had to be 0x27 characters in length, after which it took it to some function at 0x400E83, and performed a memory comparison against a known value (“FYM-OI}olte_zi_wdqedd_djrzuj_shgmEDFqo{” – breakpoint memcmp for this). I initially attempted to analyse this function:

motherfucker


I quickly gave up, in favor of a potentially easier solution (or at least a solution which would give me more information with which to tackle the problem).

I noted that at 0x400EA8, it would print whatever string you entered (from the stack) if the answer was wrong. Fortunately, the “encrypted” version of what you entered is also on the stack (IDA labels this ‘s1’, at 0x400E88). From 0x400F18, we know that this output function takes the input string from ESI, so it’s simply a matter of pointing this function at the encrypted version, instead of what you put in, if you got the answer wrong.

halfway!


Given the “target string” is “FYM-OI}olte_zi_wdqedd_djrzuj_shgmEDFqo{”, and knowing the flag format is “CTF-BR{?}”, I assumed that special characters would be processed differently by the encryption function, and tried some basic manual cryptanalysis:

super basic cryptanalysis


This quickly revealed the “encryption” function to be nothing more than a Caesar shift with a different-for-each-character-but-nonetheless-static key. I figured it would be easier to simply manually brute-force the answer from here: 10 minutes of guessing characters results in the key:

“CTF-BR{riot_in_public_square_vgzdLIEjd}”
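The attack the output patch makes possible, written out as an added Python example (this is not code from the original post): it derives the per-position shifts from the target string and the recovered flag quoted above, uses them to build a stand-in for the patched binary that echoes the “encrypted” form of whatever you type, and then recovers the plaintext one position at a time, which is the character-by-character guessing done by hand in the writeup, automated. Only what the known pair shows is modelled: letters shift by a fixed per-position amount with case preserved, ‘-’ and ‘_’ are unchanged, and the braces swap places; how the real binary treats any other non-letter is an assumption (passed through unchanged here), as is the zero shift at positions where the pair contains no letter.

```python
import string

# Known pair from the writeup: the memcmp target pulled from the binary and
# the flag the author recovered by hand.
TARGET = "FYM-OI}olte_zi_wdqedd_djrzuj_shgmEDFqo{"
FLAG = "CTF-BR{riot_in_public_square_vgzdLIEjd}"
FLAG_LEN = 0x27  # the binary only accepts 39-character input

# Non-letter behaviour observed in the pair: '-' and '_' are unchanged and
# the braces swap places. How the real binary treats any other non-letter
# is unknown; the stand-in oracle below passes them through (assumption).
SWAP = {"{": "}", "}": "{"}


def derive_shifts(plain, cipher):
    """Per-position Caesar offset (mod 26) for every position where the pair
    has a letter in matching case, None elsewhere."""
    shifts = []
    for p, c in zip(plain, cipher):
        if p.isalpha() and c.isalpha() and p.isupper() == c.isupper():
            shifts.append((ord(c) - ord(p)) % 26)
        else:
            shifts.append(None)
    return shifts


SHIFTS = derive_shifts(FLAG, TARGET)


def oracle(text):
    """Stand-in for the patched binary, which echoes the 'encrypted' form of
    whatever was typed in. Built from SHIFTS, so it reproduces the known
    pair exactly; at positions where the pair has no letter it assumes a
    zero shift for letters (assumption)."""
    if len(text) != FLAG_LEN:
        raise ValueError("input must be exactly 0x27 characters")
    out = []
    for i, ch in enumerate(text):
        k = SHIFTS[i] or 0
        if ch.isupper():
            out.append(chr((ord(ch) - ord("A") + k) % 26 + ord("A")))
        elif ch.islower():
            out.append(chr((ord(ch) - ord("a") + k) % 26 + ord("a")))
        elif ch in SWAP:
            out.append(SWAP[ch])
        else:
            out.append(ch)
    return "".join(out)


ALPHABET = string.ascii_letters + string.digits + "-_{}"


def recover(target, query, alphabet=ALPHABET):
    """Recover the plaintext one position at a time.

    Each output byte depends only on the input byte at the same position,
    so position i is solved by trying every candidate there (padding the
    rest of the line to the required length) and keeping the one whose
    ciphertext byte equals target[i]. Cost: at most len(alphabet) queries
    per position instead of len(alphabet) ** len(target) overall."""
    known = ""
    for i in range(len(target)):
        for cand in alphabet:
            probe = known + cand + "A" * (len(target) - i - 1)
            if query(probe)[i] == target[i]:
                known += cand
                break
        else:
            raise ValueError(f"no candidate in alphabet matches position {i}")
    return known


def attack(target=TARGET):
    """Run the per-position attack against the stand-in oracle and report
    how many queries it took."""
    queries = 0

    def counted(text):
        nonlocal queries
        queries += 1
        return oracle(text)

    return recover(target, counted), queries


if __name__ == "__main__":
    print("per-position shifts:", SHIFTS)
    plaintext, queries = attack()
    print(f"recovered {plaintext!r} in {queries} queries")
```

Against the real challenge, `oracle` would be replaced by a function that feeds the probe to the patched binary over stdin and reads back the echoed line; `recover` itself does not change, because it only treats the oracle as a black box. The same trick works against any cipher whose output bytes are independent of each other, which is exactly what a position-dependent but static Caesar shift is.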

Good times!

About Norman

Sometimes, I write code. Occasionally, it even works.

One Response to Writeup – sleeper_cell

  1. Pingback: 2017 Shi'an Cup (世安杯) CTF writeup walkthrough – 安百科技
