CSAW 2013 Quals – Rev400 – keygenme

This challenge gives us a server and a binary. On connection, the server asks us to generate two integer keys for a string. The binary we’re given accepts a string and two integer arguments, and tells us whether those are valid keys for that string by printing :-( or *<:-). Near these strings in the binary is a long string of numbers, and function names (“cpu execute”, “cpu fillmem”, “instruction”) indicate a virtual machine written in C++. We stared at this VM for a while and noticed it’s MIPS — but we didn’t feel like spending the time to analyze what the bytecode is doing.

Thankfully, all we need are the two valid keys for our string that the binary compares our input keys against. We followed the main function until we found the point where the two valid keys are in memory, and patched in shellcode there to write them to stdout.

cpu destructs, and then our shellcode

Notice the CPU destructor above: this runs after the VM has executed and the output has been retrieved from the MIPS code. You can see our shellcode to dump T7/T6 in the second block.

This gives us the values we need to send to the server; then it’s just a matter of sending them. I lost the Python I wrote to do this, but you just needed to pass the desired string (from the server) to the binary, parse the 8 bytes the binary outputs into two unsigned longs, and then send them to the server. Repeat this until it dumps you a key.
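A reconstruction of that lost client loop, added here as an example rather than the author's original script. The binary path, the 8-byte layout (two little-endian unsigned 32-bit values, T7 then T6), the server's prompt format (challenge string as the last token of each line) and the answer format (`k1 k2\n`) are all assumptions.

```python
import socket
import struct
import subprocess

# Assumed (not from the write-up): the patched binary sits at this placeholder
# path and, once the VM has run, dumps the two valid keys to stdout as 8 raw
# bytes: two little-endian unsigned 32-bit integers, T7 first, then T6.
PATCHED_BINARY = "./keygenme_patched"  # placeholder path


def parse_keys(raw: bytes) -> tuple[int, int]:
    """Split the 8 bytes dumped by the shellcode into (key1, key2).

    Anything other than exactly 8 bytes means the patch did not run as
    expected (e.g. the normal :-( / *<:-) text came back instead), so fail
    loudly rather than send garbage to the server.
    """
    if len(raw) != 8:
        raise ValueError(f"expected 8 key bytes, got {len(raw)}: {raw!r}")
    key1, key2 = struct.unpack("<II", raw)
    return key1, key2


def keys_for(challenge: str, binary: str = PATCHED_BINARY) -> tuple[int, int]:
    """Run the patched binary on the server's string and return the valid keys.

    The two integer arguments are dummies: the binary insists on them, but the
    shellcode dumps the *valid* keys, not the ones we pass in.
    """
    out = subprocess.run([binary, challenge, "0", "0"],
                         capture_output=True, timeout=10).stdout
    return parse_keys(out[:8])


def format_keys(key1: int, key2: int) -> bytes:
    """Encode one answer line as the server is assumed to expect it."""
    return f"{key1} {key2}\n".encode()


def solve(host: str, port: int, rounds: int = 100) -> list[bytes]:
    """Answer prompts until the server stops (or a line has no keyable token).

    Returns every line received; the final lines should contain the key.
    """
    transcript = []
    with socket.create_connection((host, port)) as s, s.makefile("rwb") as f:
        for _ in range(rounds):
            line = f.readline()
            if not line:
                break                      # server closed the connection
            transcript.append(line)
            tokens = line.split()
            if not tokens:
                continue
            f.write(format_keys(*keys_for(tokens[-1].decode())))
            f.flush()
    return transcript
```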