Reverse Engineering Series — 3
Part 1 : https://gowthamaraj-rajendran.medium.com/reverse-engineering-series-1-1a40eba00bc
Part 2 : https://gowthamaraj-rajendran.medium.com/reverse-engineering-series-2-cba872d5dc1e
This is going to be a series on Reverse Engineering. Let’s learn RE together. Any suggestion is appreciated.
The binary is provided at the end.
Tools:
- file
- ltrace
- strings
- gdb
- ida64
- Ghidra
- readelf
Binary Analysis
We can find out that the binary uses printf, fdopen, fclose, memset, exit and fgetc.
IDA PRO & Ghidra Analysis
We are now going to shift gears and start using IDA Pro and Ghidra to analyse it.
Let me summarise the assembly:
- Print “? “, create a stdin stream and pass it to sub_4006c0.
- If sub_4006c0 sets rdx to zero, go to the next block.
- Do step 1 twice.
- Store the output of the calls to sub_4006c0 in a dword variable.
- If fun_checker returns 0 in rax, we can get the flag.
We need to solve the linear equations to get the values of a, b and c.
The function sub_4006c0 should give -8, -3, 13 as the output.
Since the logic is complex to understand, let’s use the help of Ghidra.
The above function basically checks for hex values in the input.
Crack the Binary
We need to convert -8, -3, 13 to hex.
- -8 -> FFFFFFF8
- -3 -> FFFFFFFD
- 13 -> D
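Why -8 has to be typed as FFFFFFF8: a parser that accepts only hex digits has no minus sign, so a negative value is entered as its 32-bit two's-complement bit pattern. The sketch below is an added example, not code recovered from the binary; parse_hex_dword and to_hex_input are hypothetical names, and it assumes the parsed digits are accumulated into a 32-bit dword as the summary above describes.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the hex check (assumed behaviour, not decompiled
 * code): accept only hex digits and accumulate them into a 32-bit dword.
 * Returns 0 on success, -1 on any non-hex character or overflow. */
static int parse_hex_dword(const char *s, int32_t *out)
{
    uint32_t acc = 0;
    size_t n = 0;

    for (; s[n] != '\0' && s[n] != '\n'; n++) {
        unsigned char c = (unsigned char)s[n];
        if (!isxdigit(c))
            return -1;              /* '-' is rejected here: no signed input */
        if (n >= 8)
            return -1;              /* a dword holds at most 8 hex digits */
        acc = (acc << 4) | (uint32_t)(isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
    }
    if (n == 0)
        return -1;                  /* empty input is not a number */
    memcpy(out, &acc, sizeof acc);  /* same 32 bits, reinterpreted as signed */
    return 0;
}

/* Produce the string to type for a wanted signed value (buf needs 9 bytes). */
static void to_hex_input(int32_t v, char buf[9])
{
    /* int32_t -> uint32_t conversion is modular, giving the two's complement */
    snprintf(buf, 9, "%X", (unsigned int)(uint32_t)v);
}

int main(void)
{
    const int32_t wanted[] = { -8, -3, 13 };   /* values from the write-up */
    for (size_t i = 0; i < sizeof wanted / sizeof wanted[0]; i++) {
        char buf[9];
        int32_t back = 0;
        to_hex_input(wanted[i], buf);
        int rc = parse_hex_dword(buf, &back);
        printf("%d -> %s -> rc=%d value=%d\n", (int)wanted[i], buf, rc, (int)back);
    }
    return 0;
}
```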
Use the below command to reconstruct the binary:
base64 -d x3.base64 > viewuser