ekoparty CTF rev100, rev300


This challenge asks for a password. It's called count, so I started by counting the number of instructions executed, and it turns out the check is vulnerable to a side-channel attack[1]: the instruction count depends on the input, so we can recover the password by counting the instructions executed for each guess.

1: https://en.wikipedia.org/wiki/Side-channel_attack

A pintool (Intel Pin) does the counting and a simple script drives it: run it and it returns the character that caused the most instructions to be executed; repeat this, one position at a time, until the flag is recovered.
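The leak the write-up exploits, as an added example that is not the author's pintool or script: a password check that stops at the first wrong byte runs longer the more leading bytes are correct, so anyone who can count instructions (here a global step counter stands in for the pintool) recovers the secret one byte at a time. The secret EKO{count} is a constructed placeholder, not the challenge flag. The block also shows the fix: a comparison that always walks the whole secret gives the same count for every guess, and the same recovery loop gets nothing back from it.

```c
/* Instruction-count side channel on a password check: vulnerable early-exit
 * comparison, a fixed-time comparison, and the byte-at-a-time recovery loop.
 * Added example; SECRET is a constructed value, not the challenge's flag. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const char SECRET[] = "EKO{count}";   /* constructed placeholder */

/* Stands in for the instruction counter a pintool would provide. */
static unsigned long g_steps;

/* Vulnerable check: returns as soon as one byte differs, so the number of
 * loop iterations equals the length of the correct prefix plus one. */
int check_early_exit(const char *guess)
{
    for (size_t i = 0; i < sizeof SECRET; i++) {   /* sizeof includes the NUL */
        g_steps++;
        if (guess[i] != SECRET[i])
            return 0;
        if (SECRET[i] == '\0')
            return 1;                              /* both strings ended */
    }
    return 1;
}

/* Fixed-time check: touches every byte of the secret on every call and
 * accumulates the differences, so the step count no longer depends on
 * how much of the guess is right. */
int check_fixed_time(const char *guess)
{
    size_t n = strlen(guess);                      /* guess length is not secret */
    unsigned char diff = 0;
    for (size_t i = 0; i < sizeof SECRET; i++) {
        g_steps++;
        unsigned char g = (i <= n) ? (unsigned char)guess[i] : 0;
        diff |= g ^ (unsigned char)SECRET[i];
    }
    diff |= (unsigned char)(n != sizeof SECRET - 1);
    return diff == 0;
}

/* Oracle: how many counted steps does one call of check(guess) take? */
static unsigned long count_steps(int (*check)(const char *), const char *guess)
{
    g_steps = 0;
    check(guess);
    return g_steps;
}

/* Recovers up to max_len bytes into out (which needs max_len + 2 bytes).
 * At each position it keeps the printable byte that makes the check run
 * longest and stops when no byte runs longer than the current prefix.
 * Returns the number of bytes recovered. */
size_t recover(int (*check)(const char *), char *out, size_t max_len)
{
    size_t len = 0;
    out[0] = '\0';
    while (len < max_len) {
        unsigned long best = count_steps(check, out);  /* baseline: prefix alone */
        int best_c = -1;
        for (int c = 0x20; c < 0x7f; c++) {
            out[len] = (char)c;
            out[len + 1] = '\0';
            unsigned long s = count_steps(check, out);
            if (s > best) {
                best = s;
                best_c = c;
            }
        }
        if (best_c < 0) {                              /* no byte extends the run */
            out[len] = '\0';
            break;
        }
        out[len++] = (char)best_c;
        out[len] = '\0';
    }
    return len;
}

int main(void)
{
    char buf[64];
    size_t n = recover(check_early_exit, buf, 32);
    printf("early-exit check leaked %zu bytes: \"%s\"\n", n, buf);
    n = recover(check_fixed_time, buf, 32);
    printf("fixed-time check leaked %zu bytes: \"%s\"\n", n, buf);
    return 0;
}
```

The step counter is a stand-in for whatever the real side channel measures (instruction counts under Pin, cycles, or wall-clock time); the recovery loop is the same in each case, which is why the fix has to remove the data dependency rather than hide the counter.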


This challenge, called Dreamer, is an ELF built for SuperH/SH (who uses this shit?). The main function looks like


In the main function we don't control any input: it starts by looping and doing some SHA stuff, then calls sprintf a bunch of times, then prints 'flag generated'. I set up a SuperH Linux emulated in qemu. The problem was that gdb crashed qemu whenever I hit a breakpoint, due to a bug in qemu. So I used LD_PRELOAD to hook the sprintf function and dump the flag while the binary ran.

Proxied content from gemini://0x80.org/gemlog/2015-10-24-ekoparty-rev100-rev300-writeup.gmi.