add image

This commit is contained in:
xenia 2020-07-14 03:34:57 -04:00
parent ea86d2a87e
commit f0395722e1
1 changed files with 10 additions and 5 deletions


@ -103,11 +103,16 @@ computing the XOR of the output with the input to recover the key. by default we
so i gave up and switched to fuzzing. the flavor text says the binary was slightly changed, so i so i gave up and switched to fuzzing. the flavor text says the binary was slightly changed, so i
guessed the initial argument of 1997 was changed to something else. by cribdragging the ciphertext guessed the initial argument of 1997 was changed to something else. by cribdragging the ciphertext
(looking for any points in the stream where XOR with any digits 0-9 can produce `rgbctf{`) i found (looking for any points in the stream where XOR with any digits 0-9 can produce `rgbctf{`) i found
exactly one such offset -- 152. then i created a script to patch the binary for 1997, the exact exactly one such offset -- 152.
instruction that loads it can be found in `s3m8_info` at address `0x407c57`. i found this by simply
searching the memory in ghidra for 1997. this corresponds to a file offset of `0x7c5b:0x7c5f`. then then i created a script to patch the binary for 1997, the exact instruction that loads it can be
i tried numbers in order until the pad contained the right numbers to produce `rgbctf{` at offset found in `s3m8_info` at address `0x407c57`. i found this by simply searching the memory in ghidra
152. for 1997. this corresponds to a file offset of `0x7c5b:0x7c5f`.
![ghidra view showing the instruction that must be patched](ghidra.png)
then i tried numbers in order until the pad contained the right numbers to produce `rgbctf{` at
offset 152.
```python ```python
def run_patch(i): def run_patch(i):
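Review bot: the added line `![ghidra view showing the instruction that must be patched](ghidra.png)` references an image, but the commit header shows only one changed file (the markdown itself, 10 additions and 5 deletions), so `ghidra.png` is not part of this change; confirm the image is already tracked in the repository or add it in a follow-up, otherwise the link renders broken. Minor: the ```python fence still follows "offset 152." with no blank line in between; a blank line before the fence avoids the paragraph and code block running together in stricter markdown renderers, as was done for the new paragraph breaks elsewhere in this hunk.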