ekoparty CTF rev100, rev300

rev100

This challenge asks for a password. It's called count, so I started by counting the number of instructions executed, and it seems it's vulnerable to a side-channel attack[1], meaning we can recover the password by counting the instructions executed for each guess.

1: https://en.wikipedia.org/wiki/Side-channel_attack

A pintool is used for counting, driven by a simple script: the binary is run with each candidate character in the next position, and the script returns the character that caused the most instructions to be executed. Redo this for the following position until the flag is recovered.
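The one-byte-at-a-time recovery loop described above, as an added example that is not the author's script: the Pin instruction counter is replaced by a constructed stand-in, simulated_instruction_count, which models a check that compares the guess byte by byte and bails at the first mismatch. The sample secret, the character set and the known password length are all assumptions.

```python
import string
from typing import Callable

# Constructed sample secret for the demonstration; the real challenge's
# password is not on the page.
SECRET = b"ek0p4rty"

# Candidate bytes to try at each position (an assumption; the real
# character set depends on the challenge).
CHARSET = (string.ascii_letters + string.digits + string.punctuation).encode()


def simulated_instruction_count(guess: bytes) -> int:
    """Stand-in for the Pin instruction counter.

    Models a check that compares the guess byte by byte and stops at the
    first mismatch, so every correct prefix byte costs extra instructions.
    The numbers are constructed; only their ordering matters.
    """
    count = 100                      # fixed cost: prologue, argv handling
    for got, want in zip(guess, SECRET):
        count += 7                   # per-byte compare plus branch
        if got != want:
            return count             # early exit on mismatch
    if guess == SECRET:
        count += 40                  # success path does extra work (prints)
    return count


def recover_password(oracle: Callable[[bytes], int], length: int,
                     charset: bytes = CHARSET) -> bytes:
    """Recover a `length`-byte password one byte at a time.

    `oracle(guess) -> int` returns the instruction count for running the
    target with `guess`. At each position the candidate that produced the
    most instructions is taken as correct, which is the loop the writeup
    describes, just with a simulated oracle in place of Pin.
    """
    known = b""
    for pos in range(length):
        pad = b"\x00" * (length - pos - 1)   # filler for the unknown tail
        best_byte, best_count = 0, -1
        for c in charset:
            guess = known + bytes([c]) + pad
            n = oracle(guess)
            if n > best_count:
                best_byte, best_count = c, n
        known += bytes([best_byte])
    return known


if __name__ == "__main__":
    print(recover_password(simulated_instruction_count, len(SECRET)))
```

Against the real binary, oracle would run the target under Pin with the guess as its argument (for example with Pin's stock inscount0 example tool, which writes the total to inscount.out) and return the parsed count. Two caveats: the length is assumed known here, so if it is not, keep extending the guess until the success branch shows up; and with a plain early-exit compare, every candidate for the last byte costs the same, so the final byte is only distinguishable here because the model's success path does extra work. In practice, confirm the last character from the program's output.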

rev300

This challenge, called Dreamer, is an ELF written for SuperH/SH (who uses this shit?). The main function looks like:

(image of the disassembled main function, not available in this copy)

In the main function we don't control any inputs: it starts by looping and doing some SHA computations, then calls sprintf a bunch of times, then prints 'flag generated'. I set up a SuperH Linux system emulated in qemu. The problem was that gdb crashed qemu whenever I hit a breakpoint, due to a bug in qemu. So I used LD_PRELOAD and hooked the sprintf function to dump the flag while the program was running.
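The LD_PRELOAD hook mentioned above, as an added example that is not the author's code: it interposes sprintf, forwards to the real libc formatter through vsprintf, and dumps every format string and result to stderr so the target's own stdout stays untouched. The build and run commands, the binary name ./dreamer and the cross-compiler name are assumptions.

```c
/* sprintf hook for LD_PRELOAD: logs every string the target formats.
 *
 * Build (on the host, for the emulated SuperH system; assumed names):
 *   sh4-linux-gnu-gcc -shared -fPIC -O2 -o hook.so hook.c
 * Run on the target:
 *   LD_PRELOAD=./hook.so ./dreamer
 */
#undef _FORTIFY_SOURCE   /* stop the headers from inlining sprintf as __sprintf_chk */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define CAPTURE_MAX 256

static char last_output[CAPTURE_MAX];  /* most recent formatted string */
static unsigned long call_count;       /* number of sprintf calls seen */

/* Accessors so the capture can be inspected from outside the hook. */
const char *hook_last_output(void) { return last_output; }
unsigned long hook_call_count(void) { return call_count; }

/* Same signature as libc's sprintf, so the dynamic linker binds the
 * target's PLT entry to this definition when the .so is preloaded. */
int sprintf(char *buf, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    /* vsprintf is not hooked, so this reaches the real formatter and the
     * target sees exactly the buffer contents and return value it expects. */
    int n = vsprintf(buf, fmt, ap);
    va_end(ap);

    call_count++;
    if (n >= 0) {
        strncpy(last_output, buf, CAPTURE_MAX - 1);
        last_output[CAPTURE_MAX - 1] = '\0';
    }
    /* Dump to stderr so the log does not mix with the program's stdout. */
    fprintf(stderr, "[hook] sprintf #%lu fmt=\"%s\" -> \"%s\"\n",
            call_count, fmt, buf);
    return n;
}
```

Forwarding through vsprintf works because libc exposes a va_list variant of sprintf; for a hooked function without one, fetch the original with dlsym(RTLD_NEXT, "name") and call that instead. Disabling _FORTIFY_SOURCE only matters for compiling the hook itself; a target built with fortification calls __sprintf_chk rather than sprintf, in which case that is the symbol to interpose.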

Proxied content from gemini://0x80.org/gemlog/2015-10-24-ekoparty-rev100-rev300-writeup.gmi.