Wednesday, 27 July 2016

MBEC

lab1B

Report:-

On opening the file in IDA we see that main() stores a random value at [esp+4] and then calls a function test().

On viewing the test function we see that it is in fact a switch statement which depends on the difference between the value at [esp+4] and the input.

On looking at the differences between the default case and the other cases we find that the only difference is a call to rand() in the default case. All cases then go on to a decrypt function.

rand() :- It returns a pseudo-random number in the range 0 to RAND_MAX, where RAND_MAX is a constant whose value may vary between implementations but is guaranteed to be at least 32767.

Looking at the disassembly of the decrypt function, you see that the letters a-z are stored on the stack, and it checks whether the top value on the stack is zero. Then strlen() gives the length of a string which seems to be generated by the function.

Then the function proceeds into a loop in which [ebp-40] acts as the loop counter; when the counter reaches the string length it exits the loop.

In the loop each of the characters is XORed with [ebp+8], which holds the value of the function's argument. While doing dynamic analysis it is seen that the string is almost the same each time. Then the final result seems to be compared with the string "Congratulations!".

If they are the same you proceed to get a shell, which is in fact the flag!

Since XOR is reversible, XORing the required output with the corresponding character gives the hex value 0x12, which is 18 in decimal.

So what you need to do is give an input which is 18 less than the number passed in the main function.
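A worked version of the key-recovery step above, added here as an example and not code from the write-up or the lab: it recovers the single-byte XOR key from the stored string and the expected output, checks that one key explains every position, and derives the input from the value main() passes. The stored bytes are constructed here by XORing "Congratulations!" with 0x12, since the write-up does not list them; the lab's real bytes may differ.

```python
from typing import Optional

# From the write-up: decrypt()'s loop output is compared with this string.
TARGET = b"Congratulations!"

# CONSTRUCTED sample of the bytes held on the stack (target XOR 0x12);
# the write-up does not list the real bytes, so this only stands in for them.
STORED = bytes(c ^ 0x12 for c in TARGET)


def recover_xor_key(stored: bytes, target: bytes) -> Optional[int]:
    """Return the single byte k with stored[i] ^ k == target[i] for every i.

    Returns None if the lengths differ or no single key explains all
    positions, i.e. the routine is not a plain single-byte XOR and the
    reasoning in the write-up would not apply.
    """
    if not stored or len(stored) != len(target):
        return None
    key = stored[0] ^ target[0]          # XOR is its own inverse: k = s ^ t
    for s, t in zip(stored, target):
        if s ^ t != key:                 # a differing position rules out one key
            return None
    return key


def decrypt(stored: bytes, key: int) -> bytes:
    """Mirror of the loop in decrypt(): XOR each byte with the argument."""
    return bytes(s ^ key for s in stored)


def required_input(main_value: int, key: int) -> int:
    """The switch in test() works on (main_value - input), and that
    difference is what reaches decrypt(); it must equal the key."""
    return main_value - key


if __name__ == "__main__":
    import random
    key = recover_xor_key(STORED, TARGET)
    assert key is not None and decrypt(STORED, key) == TARGET
    main_value = random.randint(0, 32767)   # stands in for main()'s rand() value
    print(f"key = {key:#x} ({key}); for main value {main_value} "
          f"enter {required_input(main_value, key)}")
```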

 

Saturday, 23 July 2016


MBEC - lab01/lab1A
 

Difficulty level: hard
 

Report: On loading the binary in IDA one can see that in main() there is an interesting function called auth().
     
auth() :-

The function has a strcspn() at the beginning.

strcspn() :- compares the two strings given as input and returns the position of the first character of string 1 which is also a character of string 2.

Then it has a strlen() call, which stores the length of the string in eax. The function then checks if the length is greater than 5; if not, you lose.

After that it calls ptrace().

ptrace() :- It checks all the processes the system runs and returns a value according to the program being run.

This function is used to detect if GDB is running and the program is being debugged dynamically. It quits if it finds such a process. To bypass this check one can put a breakpoint on the jump statement and change the value of eax to something else; this does not affect the rest of the program, since eax is overwritten in the very next instruction anyway.

The next node takes the fourth letter of the username, XORs it with 4919 and adds a number to it. [ebp-20] acts as the counter for the loop that follows; once it is greater than 6 the loop exits. Inside the loop the first node checks if the ASCII value of each letter of the username is greater than 31, upon which control moves to the next node, which takes each letter of the username and XORs it with the value at [ebp-16] (which seems to be almost the same for different inputs).