Link to challenge: https://academy.hacking-lab.com
Date Completed: 16 December 2019
Challenge
HV19.16 B0rked Calculator
Introduction
Santa has coded a simple project for you, but sadly he removed all the operations. But when you restore them it will print the flag!
Resources: HV19.16-b0rked.zip
Solution
We are presented with an x86 Windows binary. Upon inspection it looks to be a simple calculator, but unfortunately it's borked!
It supports the following operations: +, -, * and /.
However, it seems that each calculation ignores either the left or the right operand. In the example above, it ignored the right operand.
We find the following problems:
+ ignores right operand
- ignores left operand
* ignores left operand
/ ignores left operand
We open the binary in IDA Pro and discover that each operation is contained in its own method and is passed two doublewords as arguments:
However, each method was broken in some way:
- Missing stack variable definitions
- Not loading arguments into registers
- Not calling the required ASM instruction to perform the operation (add, sub, mul, div)
Each method was conveniently padded with 0x90 NOP opcodes, which meant we did not have to change the size of the binary. We patch these methods one by one, running the binary again after each correction to check that the functionality works.
These were the changes made, where white is the old binary and green is the new binary:
IDA Diff:

This difference file was created by IDA

b0rked.exe
0000000000000BBD: 90 03
0000000000000BBE: 90 45
0000000000000BBF: 90 0C
0000000000000BC8: 90 8B
0000000000000BC9: 90 45
0000000000000BCA: 90 08
0000000000000BCB: 8B 2B
0000000000000BCC: 4D 45
0000000000000BD8: 90 8B
0000000000000BD9: 90 45
0000000000000BDA: 90 08
0000000000000BDB: 90 8B
0000000000000BDC: 90 4D
0000000000000BDD: 90 0C
0000000000000BDE: 90 F7
0000000000000BDF: 90 E1
0000000000000BE8: 90 8B
0000000000000BE9: 90 45
0000000000000BEA: 90 08
0000000000000BEB: 90 8B
0000000000000BEC: 90 4D
0000000000000BED: 90 0C
0000000000000BEE: 90 F7
0000000000000BEF: 90 F1
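To apply an IDA difference file like the one above without a hex editor, here is an added Python example (not part of the original writeup and not IDA's own tooling) that parses the format and patches a file image, refusing to write wherever the byte on disk does not match the "old" value the diff expects, which catches a wrong build or a wrong offset. The file image and the subset of patch sites it contains are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample in IDA "difference file" format. Offsets and bytes are
# those listed in the writeup; only the first two patch sites (the + and -
# fixes) are reproduced so the constructed test image stays small.
IDA_DIFF = """This difference file was created by IDA

b0rked.exe
0000000000000BBD: 90 03
0000000000000BBE: 90 45
0000000000000BBF: 90 0C
0000000000000BCB: 8B 2B
0000000000000BCC: 4D 45
"""

# One patch line: <file offset in hex>: <old byte> <new byte>
LINE_RE = re.compile(r"^([0-9A-Fa-f]+):\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$")


def parse_ida_diff(text: str) -> List[Tuple[int, int, int]]:
    """Return (offset, old, new) triples; header and filename lines never match."""
    patches: List[Tuple[int, int, int]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            off, old, new = (int(g, 16) for g in m.groups())
            patches.append((off, old, new))
    return patches


def apply_patches(image: bytes, patches: List[Tuple[int, int, int]]) -> bytes:
    """Apply the patches to a copy of the image. Refuse to write when the byte
    present is not the 'old' value the diff expects: that means a different
    build or a wrong offset, and a blind write would corrupt the binary."""
    buf = bytearray(image)
    for off, old, new in patches:
        if off >= len(buf):
            raise ValueError(f"offset {off:#x} is beyond the end of the file")
        if buf[off] != old:
            raise ValueError(f"offset {off:#x}: expected {old:#04x}, found {buf[off]:#04x}")
        buf[off] = new
    return bytes(buf)


def build_sample_image() -> bytes:
    """Constructed stand-in for b0rked.exe: a zero-filled image with the NOP
    padding and the original 'mov ecx' bytes where the diff expects them."""
    img = bytearray(0x1000)
    img[0xBBD:0xBC0] = b"\x90\x90\x90"  # NOPs that become add eax, [ebp+0Ch]
    img[0xBCB:0xBCD] = b"\x8B\x4D"      # mov ecx, ... that becomes sub eax, ...
    return bytes(img)
```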
Running the binary one more time and clicking on calc showed us our flag on the screen:
Flag: HV19{B0rked_Flag_Calculat0r}