Reversing challenge from hxp CTF 2022
Category | Reversing |
---|---|
Estimate | Hard |
Solves | 1 |
Flag | hxp{BFGQS0C0DUV0EJM1G0I0Z1K0LST1N0P0Z0QR0YZ4WX3} |
1. Build the Docker container of the obfuscator and tag it hxp:obfuscator.
2. Use build.sh to build the challenge with the obfuscator from (1).
3. Reorder the relocations to move the IRELATIVE relocation between RELATIVE and GLOB_DAT:

   ```python
   # 0x18 = sizeof(Elf64_Rela); entries are indexed from file offset 0x6e8
   with open("chall", "r+b") as f:
       f.seek(0x6e8 + 3 * 0x18)   # skip the first 3 entries
       data = f.read(10 * 0x18)   # the next 10 entries, shifted back by one slot
       entry = f.read(0x18)       # the entry after them, which is moved forward
       f.seek(0x6e8 + 3 * 0x18)
       f.write(entry)             # moved entry now comes right after the first 3
       f.write(data)              # followed by the 10 shifted entries
   ```

4. Patch the binary in two places:
   - move the relocation address of the ifunc to 0x8ba0
   - place a breakpoint at the first instruction of the call to memfrob (0x11e8)
5. Fix the CRC checksum of the binary: fixcrc.py chall <offset to end of text segment rounded to next 0x10> (0x68e0)

When modifying the challenge, you need to fix the hard-coded offsets manually:

- protect.c
  - l. 203: offset of crc64_we
  - l. 210: address of graph
  - l. 215: offset of _ITM_consumeTMCloneTable in main.c
- main.c
  - l. 142: offset of permute, offset of the breakpoint (in memfrob)
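
A generalization of the relocation reordering step above, added here as an example and not part of the challenge's own tooling: instead of fixed file offsets, it finds IRELATIVE entries by type in a raw Elf64_Rela table and moves them directly after the last RELATIVE entry. The function names and the sample table (3 RELATIVE, 10 GLOB_DAT, 1 IRELATIVE) are constructed for illustration; the relocation type numbers are the x86-64 psABI values.

```python
import struct

RELA = struct.Struct("<QQq")  # Elf64_Rela: r_offset, r_info, r_addend (0x18 bytes)
R_X86_64_GLOB_DAT, R_X86_64_RELATIVE, R_X86_64_IRELATIVE = 6, 8, 37
NAMES = {6: "GLOB_DAT", 8: "RELATIVE", 37: "IRELATIVE"}


def rela_types(table: bytes) -> list[str]:
    """Return the relocation type name of every entry in a raw Elf64_Rela table."""
    if len(table) % RELA.size:
        raise ValueError("table length is not a multiple of 0x18")
    # The low 32 bits of r_info hold the relocation type.
    return [NAMES.get(info & 0xFFFFFFFF, hex(info & 0xFFFFFFFF))
            for _, info, _ in RELA.iter_unpack(table)]


def move_irelative(table: bytes) -> bytes:
    """Move IRELATIVE entries directly behind the last RELATIVE entry."""
    entries = [table[i:i + RELA.size] for i in range(0, len(table), RELA.size)]
    types = rela_types(table)
    irel = [e for e, t in zip(entries, types) if t == "IRELATIVE"]
    rest = [(e, t) for e, t in zip(entries, types) if t != "IRELATIVE"]
    # Index just past the last RELATIVE entry (0 if the table has none).
    cut = max((i + 1 for i, (_, t) in enumerate(rest) if t == "RELATIVE"), default=0)
    ordered = [e for e, _ in rest[:cut]] + irel + [e for e, _ in rest[cut:]]
    return b"".join(ordered)


def sample_table() -> bytes:
    """Constructed table: 3 RELATIVE, 10 GLOB_DAT (symbols 1..10), 1 IRELATIVE."""
    rows = [(0x8000 + 8 * i, R_X86_64_RELATIVE, 0x1000 + i) for i in range(3)]
    rows += [(0x8100 + 8 * i, ((i + 1) << 32) | R_X86_64_GLOB_DAT, 0) for i in range(10)]
    rows += [(0x8200, R_X86_64_IRELATIVE, 0x1234)]
    return b"".join(RELA.pack(*r) for r in rows)


if __name__ == "__main__":
    before = sample_table()
    print(rela_types(before))
    print(rela_types(move_irelative(before)))
```

On the constructed table the result is byte-identical to what the fixed-offset snippet produces (skip 3 entries, move the 14th in front of the next 10).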