
TEAM NAME: inj3ct0r
Members: jehu shalom (s3archin6@gmail.com), Dhruv chand

Writeup for level.elf


About the file:

    ./level.elf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, not stripped

Okay, it's a 64-bit ELF. Switched over to a 64-bit machine and executed it. The output:

    | > Type to win, only what I want to read...
    | >

Looks like we need to pass a string. The program reads one character at a time. If the first character is wrong then it gives a nice message and exits:

    | -> I DON'T THINK SO

So this means it might be comparing the input against something. Let's open the binary in gdb and analyse the "main" section. Our input is read here:

    0x00000000004010f3 <+212>: callq 0x400fef <getch>

It is copied from the register to the stack slot at -0x4(%rbp):

    0x00000000004010fb <+220>: mov %eax,-0x4(%rbp)

Also one table entry is read from 0x6033a0(,%rax,4) into register eax (the index in rax is scaled by 4, so each entry is a 4-byte value with the character in its low byte), and it is compared against the input:

    0x0000000000401103 <+228>: mov 0x6033a0(,%rax,4),%eax
    0x000000000040110a <+235>: cmp -0x4(%rbp),%eax

Then it checks whether the total number of characters read is equal to 10:

    0x000000000040114e <+303>: cmpl $0x9,-0x8(%rbp)    // i = 0; i <= 9; i++  (10 characters)

And if all the characters are right then it jumps to the function success, else to gameover. Examining the bytes at location 0x6033a0(,%rax,4):

    (gdb) x/50x 0x6033a0
    0x6033a0 <facebookctf_rocks>:     0x20 0x00 0x00 0x00 0x53 0x00 0x00 0x00
    0x6033a8 <facebookctf_rocks+8>:   0x55 0x00 0x00 0x00 0x52 0x00 0x00 0x00
    0x6033b0 <facebookctf_rocks+16>:  0x50 0x00 0x00 0x00 0x52 0x00 0x00 0x00
    0x6033b8 <facebookctf_rocks+24>:  0x49 0x00 0x00 0x00 0x53 0x00 0x00 0x00
    0x6033c0 <facebookctf_rocks+32>:  0x45 0x00 0x00 0x00 0x21 0x00 0x00 0x00
    0x6033c8:                         0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    0x6033d0:                         0x00 0x00

The low byte of each 4-byte entry at that location, 20h 53h 55h 52h 50h 52h 49h 53h 45h 21h, is the ASCII value of a character. Together they spell " SURPRISE!" (with a leading space), which is the string the binary wants to read.

flag: 9e0d399e83e7c50c615361506a294eca22dc49bfddd90eb7a831e90e9e1bf2fb
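The decoding done by hand above, as an added Python example that is not part of the original writeup: it parses the gdb memory dump (copied from the writeup) back into bytes, reinterprets them as the 4-byte entries the binary indexes with a scale of 4, and models the per-character check loop as the writeup reconstructed it from the disassembly. The function names, and the assumption that the loop runs for exactly 10 indices and bails out on the first mismatch, are taken from the writeup's reading of the disassembly rather than from the binary itself.

```python
import re
import struct

# The x/50x dump exactly as shown in the writeup: each hex value is one byte,
# and the address / symbol before the colon is not memory content.
GDB_DUMP = """\
0x6033a0 <facebookctf_rocks>: 0x20 0x00 0x00 0x00 0x53 0x00 0x00 0x00
0x6033a8 <facebookctf_rocks+8>: 0x55 0x00 0x00 0x00 0x52 0x00 0x00 0x00
0x6033b0 <facebookctf_rocks+16>: 0x50 0x00 0x00 0x00 0x52 0x00 0x00 0x00
0x6033b8 <facebookctf_rocks+24>: 0x49 0x00 0x00 0x00 0x53 0x00 0x00 0x00
0x6033c0 <facebookctf_rocks+32>: 0x45 0x00 0x00 0x00 0x21 0x00 0x00 0x00
0x6033c8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x6033d0: 0x00 0x00
"""

HEX_TOKEN = re.compile(r"0x[0-9a-fA-F]+")

# Assumption from the writeup: the loop compares indices 0..9, i.e. 10 characters.
EXPECTED_LENGTH = 10


def parse_gdb_bytes(dump: str) -> bytes:
    """Turn the text of a gdb byte dump into the raw bytes it displays.

    Every line has the form `<address> [<symbol>]: v v v ...`; only the
    values to the right of the colon are memory contents.
    """
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        _, _, values = line.partition(":")
        out.extend(int(tok, 16) for tok in HEX_TOKEN.findall(values))
    return bytes(out)


def table_as_ints(raw: bytes) -> list:
    """Interpret the bytes as little-endian 4-byte ints, which is how the
    binary addresses the table: mov 0x6033a0(,%rax,4),%eax (scale 4)."""
    count = len(raw) // 4
    return list(struct.unpack_from("<%di" % count, raw))


def recover_expected_input(raw: bytes, length: int = EXPECTED_LENGTH) -> str:
    """Only the first `length` entries are ever compared, so decode those."""
    return "".join(chr(v) for v in table_as_ints(raw)[:length])


def check_like_binary(table: list, user_input: str, length: int = EXPECTED_LENGTH) -> bool:
    """Model of the check loop reconstructed from the disassembly: read one
    character, load table[i], compare, and stop on the first mismatch
    (the point at which the binary prints "I DON'T THINK SO" and exits)."""
    for i in range(length):
        if i >= len(user_input) or table[i] != ord(user_input[i]):
            return False
    return True


if __name__ == "__main__":
    raw = parse_gdb_bytes(GDB_DUMP)
    secret = recover_expected_input(raw)
    print(repr(secret))  # the string the binary expects, leading space included
    print(check_like_binary(table_as_ints(raw), secret))
```

The parser deliberately discards everything left of the colon, since the symbol names gdb prints (`<facebookctf_rocks+8>`) contain hex-looking digits that would otherwise be mistaken for data; the trailing NUL entries are harmless because only the first ten entries are ever decoded or compared.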
