PicoCTF here i come! Day 96
Daily sport-exercises:
running the 8.25 in 43.20
yoga
Working on my education:
Today's TryHackMe Rank: 2588
SMTP, POP3 and IMAP... tough topic for the first time. Also: signed in with my team on PicoCTF2021! This will be fun.
Writing it down:
So today I was working hard on getting everything right, got my paycheck, my to-do list and my work done. It was a rewarding day in the sense that the feedback that I got was good. I also got through the challenge of not getting that extra sugary stuff and avoiding smoking. I'm a little bit impressed with myself.
What would I have liked to have done differently today?
Finishing my to-do list
Not staying up for this long
be-quick-or-be-dead-2
Problem is similar to the first one: make the program run faster.
./be-quick-or-be-dead-2
Be Quick Or Be Dead 2
=====================
Calculating key...
You need a faster machine. Bye bye.
Main function is the same:
sym.calculate_key calls sym.fib, passing the argument 0x3f7 (1015). sym.fib looks like a naive recursive Fibonacci function, which is why it never finishes before the timer fires.
We can calculate fib(1015) ourselves and patch the value in to make it fast.
and we get 17662975587330736941
The patch is done to sym.get_key. Note that rax is used, so the key is a 64-bit value.
We need to write 10 bytes, from 0x004007dc to 0x004007e5, and by doing this we effectively overwrite the call to sym.calculate_key, which is what I want.
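As an added example (not part of the original writeup), the script below computes the key the way the patched binary expects it, fib(1015) wrapped to the 64-bit rax register, and encodes the 10-byte `mov rax, imm64` instruction that fits exactly in the 0x4007dc..0x4007e5 span. The function and address names are taken from the writeup; the big-integer cross-check and the instruction encoding are assumptions of this example, not something the writeup shows.

```python
# Added example: compute fib(1015) as a 64-bit value and build the
# 10-byte "mov rax, imm64" patch that replaces the slow call.
import struct

MASK64 = (1 << 64) - 1


def fib_mod64(n: int) -> int:
    """Iterative Fibonacci with 64-bit wrap-around, i.e. what a uint64
    return value held in rax would contain. O(n), trivial for n = 1015."""
    a, b = 0, 1
    for _ in range(n):
        a, b = b, (a + b) & MASK64
    return a


def fib_exact(n: int) -> int:
    """Big-integer Fibonacci, used as an independent cross-check of the
    wrapped computation (Python ints do not overflow)."""
    a, b = 0, 1
    for _ in range(n):
        a, b = b, a + b
    return a


def mov_rax_imm64(value: int) -> bytes:
    """Encode `mov rax, imm64`: REX.W (0x48) + opcode 0xB8 (+rd = rax)
    followed by an 8-byte little-endian immediate. Exactly 10 bytes, the
    same size as the span 0x4007dc..0x4007e5 the writeup overwrites."""
    if not 0 <= value <= MASK64:
        raise ValueError("immediate must fit in 64 bits")
    return b"\x48\xb8" + struct.pack("<Q", value)


def build_patch(n: int = 1015) -> tuple[int, bytes]:
    """Return (key, patch_bytes) for fib(n) wrapped to 64 bits."""
    key = fib_mod64(n)
    return key, mov_rax_imm64(key)


if __name__ == "__main__":
    key, patch = build_patch()
    # The writeup reports 17662975587330736941 for this key; compare.
    print(f"fib(1015) mod 2^64 = {key}")
    print(f"patch bytes at 0x4007dc: {patch.hex()}")
```

The bytes printed are what you would write at 0x4007dc with `wx` in radare2; execution then continues at the instruction after the old call with rax already holding the key.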
./be-quick-or-be-dead-2-patched
Be Quick Or Be Dead 2
=====================
Calculating key...
Done calculating key
Printing flag: picoCTF{the_fibonacci_sequence_can_be_done_fast_73e2451e}
be-quick-or-be-dead-1
Problem
Can you run it fast enough? --- The key calculation is too slow and does not run to completion before the timer exits the program.
Main function. Guess we need to optimise sym.get_key to make it run faster.
sym.get_key in turn calls sym.calculate_key:
sym.calculate_key just adds 1 to a counter on every iteration until the loop finishes when [rbp-0x4] reaches 0xe9a5972c.
To speed it up, let's edit (HOW TO WRITE)
0x0040070a c745fc96cbd2. mov dword [var_4h], 0x74d2cb96
to
0x0040070a c745fc96cbd2. mov dword [var_4h], 0xe9a5972b
(the final value minus one, so that the loop runs only once)
Calculating key...
Done calculating key
Printing flag: picoCTF{why_bother_doing_unnecessary_computation_fedbb737}
Bufferoverflow-0
Can you overflow the right buffer in this program to get the flag?
It looks like we need sigsegv_handler to run, since that is what prints the flag. We get there by causing a segmentation fault with user input longer than FLAGSIZE_MAX.
Done.
assembly-0
Question: What does asm0(0xaa,0xf2) return? Submit the flag as a hexadecimal value (starting with '0x').
Learnt about assembly in COMP1521, but register names are a little unfamiliar (SPIM register names for the 32-bit general purpose registers, which was simpler).
The first two lines, as well as the last three, are just setting up the base and stack pointer: the function prologue and epilogue. First we save the calling function's stack frame (ebp tracks it), then we set our own frame pointer to the current stack location. Let's look at the middle three lines, which load the passed arguments into eax and ebx:
mov eax,DWORD PTR [ebp+0x8]
DWORD PTR means a double-word memory operand, which is 32 bits. Alternatively, consult the table below. So the instruction is: move the 32 bits stored on the stack 8 bytes from EBP (the caller's first argument) into eax, which is effectively:
eax = arg1
mov ebx,DWORD PTR [ebp+0xc]
Similarly, ebx = arg2
mov eax,ebx
Copy the value in ebx into eax, i.e.: eax = ebx
-----------------------
The return value is in EAX (by the calling convention). So arg2 is returned, and the flag is 0xf2.
Today, in both C++ and Programming club, I made a lot of progress on the CTF. While Thomas was slowly going crazy, Gus and I solved one problem on endianness that opened up a ton more problems. Now, Thomas is working on SQL injection, and is no longer swearing at prime numbers.
Thomas and I registered the Pancake Super Team for picoCTF 2014. To get back into the feel of things, we checked out Toaster Wars again, and I have come to two conclusions: 1, we have no idea what drugs the main character was on (Hm, this weird hologram wants me to be the king of space, and all I need to do is hack a spaceship. Sure!), and 2, Thomas cannot use CloudShark to save his life.