dctf r300

This challenge asks for a username and a password, and we need the username to be 'Administrator'. The binary contains code that refuses that username, so let's find it and patch it first.

This is the first check: it tests whether the input contains an 'A' and quits if it does.

We patch the je to a jmp. Another check is found in get_product; it has the following pseudo-code:

We remove the checks mentioned above: the jump at 401B44 is changed from jnz to jmp, and the jump at 401B18 is changed from jnz to jmp as well. Now we can continue.
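As an added illustration of the patching step (this is not code from the write-up, and the byte buffer, file offsets and section numbers are constructed), the script below flips short conditional jumps (je 0x74, jnz 0x75) into jmp 0xEB and near conditional jumps (0F 84 / 0F 85 rel32) into 90 E9 rel32, which keeps the displacement valid because both encodings end at the same address. It checks the original opcode before writing, so a wrong offset (for example a virtual address such as 401B44 used where a file offset belongs) fails loudly instead of silently corrupting the binary. The VA-to-offset helper assumes a 1:1 raw mapping for the section, which is an assumption to verify against the real section headers.

```python
# Added example, not from the original write-up: patch conditional jumps into
# unconditional ones in a raw byte buffer, verifying the original opcode first.
# SAMPLE and the offsets below are constructed; real offsets for 401B44/401B18
# come from the disassembler and the binary's section table.

JE_SHORT, JNZ_SHORT, JMP_SHORT = 0x74, 0x75, 0xEB   # rel8 forms
JE_NEAR, JNZ_NEAR = 0x84, 0x85                        # second byte after 0x0F, rel32 forms


def patch_short_jump(data: bytes, offset: int, expected: int) -> bytes:
    """Turn the jcc rel8 at `offset` into jmp rel8 (the rel8 byte is unchanged)."""
    if offset < 0 or offset + 1 >= len(data):
        raise ValueError(f"offset {offset:#x} out of range")
    if data[offset] != expected:
        raise ValueError(f"expected {expected:#04x} at {offset:#x}, found {data[offset]:#04x}")
    buf = bytearray(data)
    buf[offset] = JMP_SHORT
    return bytes(buf)


def patch_near_jump(data: bytes, offset: int, expected_second: int) -> bytes:
    """Turn 0F xx rel32 at `offset` into 90 E9 rel32.

    jmp rel32 (E9) is one byte shorter than jcc rel32 (0F xx); padding with a nop
    in front keeps the instruction ending at the same address, so rel32 stays valid.
    """
    if offset < 0 or offset + 5 >= len(data):
        raise ValueError(f"offset {offset:#x} out of range")
    if data[offset] != 0x0F or data[offset + 1] != expected_second:
        raise ValueError(f"expected 0f {expected_second:02x} at {offset:#x}")
    buf = bytearray(data)
    buf[offset] = 0x90      # nop
    buf[offset + 1] = 0xE9  # jmp rel32
    return bytes(buf)


def va_to_file_offset(va: int, section_va: int, section_raw: int) -> int:
    """Map a virtual address to a file offset (assumes the section is mapped 1:1)."""
    return va - section_va + section_raw


# Constructed sample "code": je at +0x10, jnz at +0x18, near jnz at +0x20, nops elsewhere.
SAMPLE = (bytes([0x90] * 0x10)
          + bytes([JE_SHORT, 0x05]) + bytes([0x90] * 6)
          + bytes([JNZ_SHORT, 0x0A]) + bytes([0x90] * 6)
          + bytes([0x0F, JNZ_NEAR, 0x10, 0x00, 0x00, 0x00]) + bytes([0x90] * 2))


def patch_sample() -> bytes:
    """Apply the three patches to SAMPLE and return the patched buffer."""
    out = patch_short_jump(SAMPLE, 0x10, JE_SHORT)
    out = patch_short_jump(out, 0x18, JNZ_SHORT)
    out = patch_near_jump(out, 0x20, JNZ_NEAR)
    return out


if __name__ == "__main__":
    p = patch_sample()
    print(p[0x10:0x12].hex(), p[0x18:0x1a].hex(), p[0x20:0x26].hex())
    print(hex(va_to_file_offset(0x401B44, 0x401000, 0x400)))  # with constructed section values
```

Run it on a copy of the target, never in place, and diff the two files afterwards to confirm only the intended bytes changed.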

Here we know we need to reach the two calls, set_bit_field and first_prime, and to do so we need a password of length 12 bytes. To recover the password we set a breakpoint at every comparison in cbc_check_password.

Every time we break we learn one character; the password is #y1y3#y1y3##.
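To show why a breakpoint on each comparison hands over one character per break, here is an added simulation (not the challenge's code; `leaky_check` is a constructed stand-in for cbc_check_password, using the page's password as the expected value). The trace list plays the role of what you read at each breakpoint. The hashed check alongside it shows the defender's side: if the program compares a digest of the input with a constant-time comparison instead of the plaintext byte by byte, a breakpoint on the compare reveals a digest rather than the secret, and the number of comparisons no longer depends on how many leading bytes are right.

```python
# Added example, not from the original write-up. leaky_check is a constructed
# stand-in for cbc_check_password; SECRET is the password from the write-up.
import hashlib
import hmac

SECRET = b"#y1y3#y1y3##"
SECRET_DIGEST = hashlib.sha256(SECRET).digest()


def leaky_check(guess: bytes, trace: list) -> bool:
    """Byte-by-byte compare with early exit.

    Each comparison appends (index, expected_byte) to `trace`, modelling what a
    debugger shows at a breakpoint on that cmp: the expected operand is in a register.
    """
    if len(guess) != len(SECRET):
        return False
    for i, (g, s) in enumerate(zip(guess, SECRET)):
        trace.append((i, s))
        if g != s:
            return False
    return True


def recover_from_trace() -> bytes:
    """Reproduce the write-up's method: every break reveals the next character."""
    recovered = bytearray()
    while len(recovered) < len(SECRET):
        trace = []
        # known prefix plus filler; the first mismatching compare is the last one traced
        probe = bytes(recovered) + b"\x00" * (len(SECRET) - len(recovered))
        leaky_check(probe, trace)
        idx, expected = trace[-1]
        assert idx == len(recovered)          # exactly one new position per run
        recovered.append(expected)
    return bytes(recovered)


def hashed_check(guess: bytes) -> bool:
    """Defender-side variant: compare digests in constant time.

    The only value materialised for the comparison is SECRET_DIGEST, and
    compare_digest has no early exit, so there is no per-character oracle.
    """
    return hmac.compare_digest(hashlib.sha256(guess).digest(), SECRET_DIGEST)


if __name__ == "__main__":
    print(recover_from_trace())
    print(hashed_check(SECRET), hashed_check(b"x" * len(SECRET)))
```

The trace length in `leaky_check` is exactly the number of correct leading bytes plus one, which is the same information the breakpoint count gives in the debugger; that property is what the hashed variant removes.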

