ekoparty CTF rev100, rev300
This challenge, called count, asks for a password. The name suggested counting the number of instructions executed, and the check turns out to be vulnerable to a side-channel attack: the instruction count depends on how much of the password is right, so we can recover it one character at a time.
A Pin tool does the counting and a simple script drives it: for each candidate character we run the binary, keep the character that caused the most instructions to be executed, and repeat for the next position until the flag is recovered.
This challenge, called Dreamer, is an ELF built for SuperH/SH (who uses this shit?). The main function looks like
In main we don't control any input: it starts by looping over some SHA computations, then calls sprintf a bunch of times and prints 'flag generated'. I set up an emulated SuperH Linux in qemu. The problem was that gdb crashed qemu whenever I hit a breakpoint, due to a bug in qemu. So I used LD_PRELOAD to hook sprintf and dump the flag while the binary ran.