Updated solves

Author: mcdulltii

dynamic/README.md

@@ -1,21 +1,39 @@
-# Workflow
+# Dynamic
+
+## Solving
+
+- Flag is 35 characters long, from the self modification
+
+- Flag is encoded using the "ic..." sequence as key
+
+### ![Extract Sequence and Encoded Flag](./6.png)
+
+- Extract 35 rows of \x__ characters
+
+- Characters with 'c' as key are bit subtracted by 0x47, while those with 'i' remain the same
+
+- Decode characters using the above rule to obtain the flag
+
+### ![Decode Flag](./7.png)
+
+## Workflow
 
 - Change file permissions to RWX, then to X when exited
 
-## ![Changing Binary Permissions](./4.png)
+### ![Changing Binary Permissions](./4.png)
 
 - Check if binary is run by a debugger, then change strlen check in main() from 20 to 35
 
-## ![GDB Check](./1.png)
+### ![GDB Check](./1.png)
 
 - Decode string using bit subtraction, then call DC() to load function dynamically
 
-## ![Decode String and Call Loaded Function](./5.png)
+### ![Decode String and Call Loaded Function](./5.png)
 
 - Finds function name within struct, and loads the function with the corresponding name
 
-## ![Function loader](./3.png)
+### ![Function loader](./3.png)
 
 - Call loaded function to validate input string using ty as the index
 
-## ![Dynamically Loaded Function](./2.png)
+### ![Dynamically Loaded Function](./2.png)

dynamic/solve.py

@@ -10,7 +10,7 @@
 Guess the flag?
 iciicicciciicicicciciiciicciiciciic
 Correct
-<35 Rows of (OFFSET)\x__ Characters>
+<35 Rows of (OFFSET)0x__ Characters>
 """
 
 encoded_flag = f[f.find('Correct')+len('Correct'):][:35]

load/5.png

@@ -1,17 +1,35 @@
-# Workflow
+# Load
+
+## Solving
+
+- call sym dbp() is a function that detects breakpoints when the binary is run within a debugger
+
+### ![Decompiled binary](./5.png)
+
+- Overwrite jump instruction to skip GDB check
+
+### ![Overwrite ASM Instruction](./6.png)
+
+- Use gdb to step through instructions till string compare function is called
+
+- Stack is pushed to save the entire decoded flag when the loaded strcmp function is run, thus obtaining the flag
+
+### ![Flag in Stack](./7.png)
+
+## Workflow
 
 - Strings are obfuscated via XOR, thus hidden from strings
 
-## ![Obfuscation technique](./1.png)
+### ![Obfuscation technique](./1.png)
 
 - Compile library within /tmp/ file to hide files during runtime
 
-## ![Creation, Load, and Removal of Compiled Libary](./2.png)
+### ![Creation, Load, and Removal of Compiled Libary](./2.png)
 
 - Load function within library
 
-## ![Loaded Function Within Compiled Library](./3.png)
+### ![Loaded Function Within Compiled Library](./3.png)
 
 - Call loaded function to validate input string
 
-## ![Call Loaded Function](./4.png)
+### ![Call Loaded Function](./4.png)

load/6.png

@@ -1,37 +1,66 @@
-# Workflow
+# Rewrite
+
+## Solving
+
+- Encoded strings loaded as int arrays
+
+### ![Encoded Strings](./9.png)
+
+- Encoded flag loaded as int array
+
+### ![Encoded Flag](./10.png)
+
+- Encoded strings can be split by the differences in opcodes
+  - eg. c745________ is a different int array compared to c785________
+
+- Encoded strings tailer are the NULL character, which are 0x1A for the strings, and 0x56 for the flag
+
+- XOR or bit addition/subtraction can be used to identify which is the encoding method
+
+- By trial and error, bit subtraction is found to be the decoding method, thus bit addition is the encoding method
+
+### ![Decode Function](./11.png)
+
+- Extract the last character before the \x00 characters from each instruction to obtain the characters to form each string
+
+- Similar to the encoded strings, only the bit offset is different (0x56 instead of 0x1A), which obtains the flag
+
+### ![Output](./12.png)
+
+## Workflow
 
 - Strings are encoded via bit addition
 
-## ![Obfuscation technique](./1.png)
+### ![Obfuscation technique](./1.png)
 
 - Concatenate initial string s from char array
 
-## ![Initial String](./2.png)
+### ![Initial String](./2.png)
 
 - Fork process to thread functions
 
 - Calculate pid, address and length of initial string, within the virtual memory of the primary process
 
 - Write to pipe to transfer values to secondary process
 
-## ![Calculate Important Values](./3.png)
+### ![Calculate Important Values](./3.png)
 
 - Read from pipe and convert string values to integers
 
-## ![Read Values from Primary Process](./4.png)
+### ![Read Values from Primary Process](./4.png)
 
 - Secondary process to read /proc/{pid}/maps of primary process to ensure the heap of the primary process has the correct readable and writable permissions
 
-## ![Read /proc/{pid}/maps](./5.png)
+### ![Read /proc/{pid}/maps](./5.png)
 
 - Secondary process to read /proc/{pid}/mem of primary process, then overwrite a new string onto the same address of the initial string
 
-## ![Read and Write to /proc/{pid}/mem](./6.png)
+### ![Read and Write to /proc/{pid}/mem](./6.png)
 
 - Primary process prints the initial string, then parses the input string into the next string compare function while delaying for the secondary process to overwrite the initial string
 
-## ![Validation Function](./7.png)
+### ![Validation Function](./7.png)
 
 - Validates input string with overwritten string
 
-## ![Strcmp Function](./8.png)
+### ![Strcmp Function](./8.png)