ker2x's guild hall adventure Ch.1



3:58 PM 06/23/2019


Unix/linux etc.


Friendly greetings! It *should* be very easy (hopefully). It's a 2-step adventure. I didn't hide anything and didn't try to obfuscate anything. The code might be a little confusing, with some branching and a bunch of checks and verbosity. But it's good old C that's not trying anything tricky. I'm planning to write a full text adventure that's impossible to solve without disassembling, for fun. =^_^= Please let me know what you think. It's hard to evaluate the difficulty of disassembling when you already know the C source ...

ker2x on 7:53 PM 06/25/2019: chapter 2 is almost completed :)

ze3lex on 4:07 PM 06/26/2019: Nice one, I liked it :)

ker2x on 4:34 PM 06/26/2019: thx

ker2x on 3:59 PM 07/01/2019: Thx to everyone who posted a solution. the chapter 2 is still planned of course. Almost done (but i just discovered this game dota underlords...)

ker2x on 6:49 PM 07/04/2019: Chapter 2 is online and includes chapter 1 (because it was missing a challenge, I uploaded the wrong binary version)

csgo on 8:22 PM 07/08/2019: what are the passwords

ker2x on 5:29 PM 07/09/2019: Yay ! 4 solutions

ker2x on 5:29 PM 07/09/2019: Chapter 2 and 3 are online and i already have the main challenge idea for chapter 4 :]

NichtBesondres on 4:36 PM 09/02/2019: Yo! Just wanted to say I had a super fun time with this challenge! I am still a novice so playing with gdb to solve this made for an excellent time! Please keep up the work! This was a lot of fun! :)

Sili on 4:06 PM 09/16/2019: Yeah actually, pretty easy to bypass the verification in the first place. SPOILER !!

I did it pretty quickly so I don't know all the algo behind it, but first, let's just do:

    ~$ strings ./adventure

We can see some strings, and also some called functions written in plain text. And we can note the use of "strlen" and "strncmp".

Then it checks if the argv length is 5 (expecting "hello"). // Here is the use of the STRLEN function

Then we can see it checks if the string is good with the "strncmp" function, but I don't know what with, and I will see later. (I'm at work, so no time to go deep.) We can also see that the "strncmp" func is called at least 2 times when we run the bin in GDB or something.

I tried to rewrite the STRNCMP function and inject it, so:

    #include <stddef.h>  /* size_t */

    int strncmp(char *str1, char *str2, size_t size) { return 0; }

Compile with GCC, inject it with LD_PRELOAD, and then:

    ~$ LD_PRELOAD=./ ./adventure 12345
    Friendly greetings to you, hacker from another world !
    So, why are you here ? : whatever_you_want_it_wont_verify_it
    whatever_you_want_it_wont_verify_it ? good, good, welcome to the guild hall!
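Added example, not part of Sili's comment and not ker2x's source: one way a challenge author can keep the length and string checks out of reach of an LD_PRELOAD shim is to do them in local static functions instead of calling the dynamically resolved strlen/strncmp. The function names are hypothetical; only the expected value "hello" and the length 5 come from the thread.

```c
#include <stddef.h>
#include <stdio.h>

/* Local, static comparison. It is resolved inside the binary at link time,
 * so a preloaded shared object that defines strncmp() is never consulted.
 * It also accumulates differences instead of returning at the first one. */
static int local_equal(const char *a, const char *b, size_t n)
{
    volatile unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
    return diff == 0;
}

/* Bounded length, again without a libc call that could be interposed. */
static size_t local_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Returns 1 only for the exact expected argument, 0 otherwise. */
int check_arg(const char *arg)
{
    static const char expected[] = "hello";      /* value named in the thread */
    const size_t want = sizeof(expected) - 1;    /* 5 */

    if (arg == NULL)
        return 0;
    /* Scan at most want+1 bytes so a longer argument is rejected early. */
    if (local_len(arg, want + 1) != want)
        return 0;
    return local_equal(arg, expected, want);
}

int main(int argc, char **argv)
{
    if (argc != 2 || !check_arg(argv[1])) {
        puts("denied");
        return 1;
    }
    puts("ok");
    return 0;
}
```

This only removes the library-interposition shortcut; the check is still a branch in the binary, so patching the jump as described further down the thread is unaffected.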

Senken on 11:06 PM 11/07/2019: Uni student here, this is the first reverse engineering experience of mine ever. I have a few questions: Is the goal getting the good, good message? I understand using 2 arguments the second being hello are the requirements for verification. So do i just need to change the final jump condition from jnz to jn in IDA ?

Senken on 11:07 PM 11/07/2019: from jnz to jz *

Senken on 11:35 PM 11/07/2019: it worked! but can i change the first ever jump: jz short loc_84E to jz short loc_935 which is the wanted output ?

BitFriends on 4:57 PM 11/11/2019: Thanks for the good adventure! Got confused at the second check cuz im a beginner, but then i solved it

tr3xd1n0 on 5:12 PM 11/18/2019: @Sili thanks for explanation!