nice and easy |
==> |
Cool challenge! I wrote a keygen! Take a look: https://pastebin.com/givqQMHe |
==> |
@nm you don't have to worry about the address, because it's already on the stack. Just write to it using the format string vuln |
==> |
This should be a level 2 crackme. passwd is flag{2020_sana_sa3ida:)} |
==> |
Ok I got it. The "date" is "10/1/100" |
==> |
Hello I am stuck at this challenge. At the line 0x85c, is it possible to pass this check? Because jg does compare signed integers. Please help me |
==> |
On the stack at least |
==> |
Firstly, aslr is on, which you have to defeat somehow. Secondly, NX is also on, which means no shellcode can be executed. |
==> |
ignore the "amp;", it's from the website |
==> |
also v7 contains an address |
==> |
And if I set rax(&dword_201020[20]) and r13(v7) through gdb to the exact same address I pass... |
==> |
But there is a & in front of it |
==> |
hey jeff, I'm stuck with this crackme. At the compare which leads to "Well done!" if true (&dword_201020[20] == v7), are two addresses being compared? |
==> |
I think that the crackme should be level 2 |
==> |
It's easy. The character is where to write, and the amount of characters is what to write. |
==> |
Cool crackme!
[root@acer-a515 Downloads]# ./ZED-Frequency.bin keyfile
the generated key is: 01234567890123456789012345
you succeed!! |
==> |
Still waiting for a correct solution guys! |
==> |
Hint: Ever heard of signals? |
==> |
Hey, can someone give me a hint? Can't find a way to get to the go_on function. |
==> |
Yeah it is intended. It is not as easy as a normal buffer overflow. |
==> |
The Null Byte at the end is for tricking fgets. Place the format parameters before the address you want to write to. So it doesn't matter if printf stops at a null byte, because you have entered everything you need. |
==> |
Tip: Place a NULL byte at the end of your input |
==> |
fgets adds a \x00 byte at the end of the input every time. |
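The fgets behaviour the two hints above rely on, as an added example that is not from the thread or the crackme author: a constructed line with an embedded NUL is pushed through fgets via a temporary file, and the probe reports how many bytes fgets consumed, how many strlen later sees, and whether fgets appended its own terminator. The buffer sizes, sample bytes and echo_fixed (the constant-format printf that removes the bug class) are my own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample input: an embedded NUL in the middle, newline at the end.
   10 bytes; the string literal's own terminator is not part of the input. */
static const char SAMPLE[] = "AAAA\0BBBB\n";
#define SAMPLE_LEN (sizeof SAMPLE - 1)

struct fgets_probe {
    long consumed;    /* bytes fgets removed from the stream */
    size_t visible;   /* strlen(buf): all that printf("%s", buf) or strlen-based code sees */
    int terminated;   /* 1 if the byte right after the last byte read is the '\0' fgets wrote */
};

/* Push SAMPLE through fgets with a bufsz-byte buffer (bufsz <= 64) and report what it did. */
struct fgets_probe probe_fgets(size_t bufsz) {
    struct fgets_probe r = {0, 0, 0};
    char buf[64];
    FILE *in = tmpfile();                      /* standard C, no POSIX fmemopen needed */
    if (!in || bufsz > sizeof buf) return r;
    fwrite(SAMPLE, 1, SAMPLE_LEN, in);
    rewind(in);
    memset(buf, 'X', sizeof buf);              /* sentinel: any '\0' found was written by fgets */
    if (fgets(buf, (int)bufsz, in)) {
        r.consumed = ftell(in);                /* fgets stops at '\n' or after bufsz-1 bytes, never at '\0' */
        r.visible = strlen(buf);               /* ...but string functions stop at the first '\0' */
        r.terminated = buf[r.consumed] == '\0';
    }
    fclose(in);
    return r;
}

/* Defensive counterpart to printf(buf): the format is a constant, user bytes are only an argument.
   Returns the number of characters printed, which is strlen(line), never more. */
int echo_fixed(const char *line) {
    return printf("%s", line);
}
```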
==> |
Hint: "send" and "connect" might be useful commands |
==> |
@Heinzeen Maybe you dumped values from the wrong address? Notice that aslr is on. Also notice that gdb turns off aslr, and activates it on runtime. Try searching for the right addresses |
==> |
@l0ma thank you for your solution. That is a way to solve it, but you should exploit it via format string and heap overflow. I am waiting for another solution, which does that. The difficulty of this challenge should be aslr, but you did not mention that in your solution. And I forgot to say, that it is not intended to solve the challenge with a debugger or something. You should only use it to calculate offsets. You can easily set $rip= in gdb to gain code redirection, but that would be too easy. But anyways, thank you for your solution. |
==> |
And why can't you do that? |
==> |
There is another vulnerability (which is the main vulnerability), but the format string vulnerability is also important. |
==> |
It is not exactly a buffer overflow |
==> |
@tim0tei please submit a solution when you got it. Don't spoil |
==> |
Hint: %p does NOT write to memory. |
==> |
@_sam try objdump -t ;) |
==> |
If you read the solution, the content of the .so file should be:

#include <sys/types.h>   /* pid_t (the header names were lost when the comment was posted) */

/* Replacement ptrace() for a preloaded shared object: it never reaches the real
   syscall and just returns a non-error value, so a ptrace-based debugger check passes. */
enum __ptrace_request
{
  /* Indicate that the process making this request should be traced.
     All signals received by this process can be intercepted by its
     parent, and its parent can use the other `ptrace' requests. */
  PTRACE_TRACEME = 0,
#define PT_TRACE_ME PTRACE_TRACEME
  /* Return the word in the process's text space at address ADDR. */
  PTRACE_PEEKTEXT = 1,
#define PT_READ_I PTRACE_PEEKTEXT
  /* Return the word in the process's data space at address ADDR. */
  PTRACE_PEEKDATA = 2,
#define PT_READ_D PTRACE_PEEKDATA
  /* Return the word in the process's user area at offset ADDR. */
  PTRACE_PEEKUSER = 3,
#define PT_READ_U PTRACE_PEEKUSER
  /* Write the word DATA into the process's text space at address ADDR. */
  PTRACE_POKETEXT = 4,
#define PT_WRITE_I PTRACE_POKETEXT
  /* Write the word DATA into the process's data space at address ADDR. */
  PTRACE_POKEDATA = 5,
#define PT_WRITE_D PTRACE_POKEDATA
  /* Write the word DATA into the process's user area at offset ADDR. */
  PTRACE_POKEUSER = 6,
#define PT_WRITE_U PTRACE_POKEUSER
  /* Continue the process. */
  PTRACE_CONT = 7,
#define PT_CONTINUE PTRACE_CONT
  /* Kill the process. */
  PTRACE_KILL = 8,
#define PT_KILL PTRACE_KILL
  /* Single step the process.
     This is not supported on all machines. */
  PTRACE_SINGLESTEP = 9,
#define PT_STEP PTRACE_SINGLESTEP
  /* Get all general purpose registers used by a process.
     This is not supported on all machines. */
  PTRACE_GETREGS = 12,
#define PT_GETREGS PTRACE_GETREGS
  /* Set all general purpose registers used by a process.
     This is not supported on all machines. */
  PTRACE_SETREGS = 13,
#define PT_SETREGS PTRACE_SETREGS
  /* Get all floating point registers used by a process.
     This is not supported on all machines. */
  PTRACE_GETFPREGS = 14,
#define PT_GETFPREGS PTRACE_GETFPREGS
  /* Set all floating point registers used by a process.
     This is not supported on all machines. */
  PTRACE_SETFPREGS = 15,
#define PT_SETFPREGS PTRACE_SETFPREGS
  /* Attach to a process that is already running. */
  PTRACE_ATTACH = 16,
#define PT_ATTACH PTRACE_ATTACH
  /* Detach from a process attached to with PTRACE_ATTACH. */
  PTRACE_DETACH = 17,
#define PT_DETACH PTRACE_DETACH
  /* Get all extended floating point registers used by a process.
     This is not supported on all machines. */
  PTRACE_GETFPXREGS = 18,
#define PT_GETFPXREGS PTRACE_GETFPXREGS
  /* Set all extended floating point registers used by a process.
     This is not supported on all machines. */
  PTRACE_SETFPXREGS = 19,
#define PT_SETFPXREGS PTRACE_SETFPXREGS
  /* Continue and stop at the next (return from) syscall. */
  PTRACE_SYSCALL = 24,
#define PT_SYSCALL PTRACE_SYSCALL
  /* Set ptrace filter options. */
  PTRACE_SETOPTIONS = 0x4200,
#define PT_SETOPTIONS PTRACE_SETOPTIONS
  /* Get last ptrace message. */
  PTRACE_GETEVENTMSG = 0x4201,
#define PT_GETEVENTMSG PTRACE_GETEVENTMSG
  /* Get siginfo for process. */
  PTRACE_GETSIGINFO = 0x4202,
#define PT_GETSIGINFO PTRACE_GETSIGINFO
  /* Set new siginfo for process. */
  PTRACE_SETSIGINFO = 0x4203
#define PT_SETSIGINFO PTRACE_SETSIGINFO
};

long ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data) {
  (void)request; (void)pid; (void)addr; (void)data;   /* arguments are intentionally unused */
  return 1337;
}

Thank you for the crackme! |
==> |
The solution from sys_v is not working. It should be removed also because of missing information. |
==> |
@inxaneninja what? This was the easiest asm challenge! And patching is a bit lazy... |
==> |
Cool crackme with the right difficulty! |
==> |
It took me a while to find the secret function, but it was fun. |
==> |
Thanks for the good adventure! Got confused at the second check cuz I'm a beginner, but then I solved it |
==> |
This is not very easy. My decompiler displays the key_validate function like this:

int validate_key(int arg0) {
    if (arg0 == ((SAR(HIDWORD(arg0 * 0x1acb0aad), 0x7)) - (SAR(arg0, 0x1f))) * "_registerTMCloneTable") {
        rax = 0x1;
    }
    else {
        rax = 0x0;
    }
    return rax;
}

Please help me. |
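The multiply-by-constant-then-shift expression in the decompiler output above is the idiom compilers emit for signed division by a constant. This is an added example, not from the thread or the crackme: magic_div evaluates the expression exactly as printed, recover_divisor derives the divisor from the multiplier and shift and verifies it against C's / on probe values (it works for any such pair with a positive 32-bit multiplier, e.g. the divide-by-10 pair 0x66666667 / 2), and validate_key_model encodes my assumption that the mis-resolved "_registerTMCloneTable" operand is that same constant, which would make the check a plain divisibility test.

```c
#include <stdint.h>
#include <limits.h>

/* Evaluate SAR(HIDWORD(x * M), s) - SAR(x, 0x1f) exactly as the decompiler printed it.
   Right shift of a negative signed value is arithmetic on gcc/clang, which is what SAR means. */
int32_t magic_div(int32_t x, int32_t M, int s) {
    int64_t prod = (int64_t)x * M;             /* 32x32 -> 64-bit signed product (imul) */
    int32_t hi = (int32_t)(prod >> 32);        /* HIDWORD of the product */
    return (hi >> s) - (x >> 31);              /* the - SAR(x,31) term adds 1 for negative x */
}

/* Compilers emit that idiom for x / d with M = ceil(2^(32+s) / d), so d = round(2^(32+s) / M).
   Returns the recovered d, or 0 if it fails to reproduce C's truncating division on the probes.
   Assumption: M is positive as int32 (top-bit-set multipliers use a slightly different idiom). */
int32_t recover_divisor(int32_t M, int s) {
    if (M <= 0 || s < 0 || s > 31) return 0;
    double d_approx = (double)(1ULL << (32 + s)) / (double)M;
    int32_t d = (int32_t)(d_approx + 0.5);
    if (d <= 0) return 0;
    static const int32_t fixed[] = { 0, 1, -1, 2, -2, 7, 1000, -1000, 123456789,
                                     -987654321, INT32_MAX, INT32_MIN };
    for (int i = 0; i < (int)(sizeof fixed / sizeof fixed[0]); i++)
        if (magic_div(fixed[i], M, s) != fixed[i] / d) return 0;
    for (int32_t k = -3; k <= 3; k++) {        /* boundaries around small multiples of d */
        int32_t x = k * d;
        if (magic_div(x - 1, M, s) != (x - 1) / d || magic_div(x, M, s) != x / d ||
            magic_div(x + 1, M, s) != (x + 1) / d) return 0;
    }
    return d;
}

/* Model of the posted validate_key once d is known: it passes when x == (x / d) * d,
   i.e. when d divides x. Assumes the "_registerTMCloneTable" operand is a mis-resolved
   constant equal to d (my assumption; the post itself does not say so). */
int validate_key_model(int32_t x, int32_t M, int s, int32_t d) {
    return x == magic_div(x, M, s) * d;
}
```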
==> |