HackIM 2016 RE 100 - ZorroPub


So, I tried a couple of different things with this challenge before just finally just scripting/brute-forcing my way through it.
Initially, while looking at the problem in Bokken (A cool GUI for radare2, a nice free alternative to IDA pro) I found the addresses of all of the compares which would allow me to bypass any sort of check on the inputs. Setting breakpoints in GDB and appropriately setting the Zero Flag when the program is doing a comparison before a jump.

It didn't quite work :(


Turns out the string printed to give you the flag is affected by your input, so not just any input and gdb trickery will grant you the answer.

The blocks in the screenshots correspond to the snippet below.
My next step was to take a closer look at the binary and see what it was doing that may affect the final output. In the screenshot to the left we can see that the input drink ID will be valid between 17–65535 (0x10, 0xffff).
The application then goes on through a number of operations, the first of which, pictured to the left, is:

A = DrinkID, B = 0
while A>0:
    B++
    A = A & A-1

If B is equal to/larger than 10, you move on to some more operations, which end up being slightly more complex and result in the final printed string. I began trying to reproduce the operations in python when I realized I could just run the program through all valid options and suss out the correct answer (based on knowing the string printed along with the flag).

Brute force it, looking for the "nullcon" prefix to the flag

My laziness paid off, and python spit out the correct flag. Xoring is amazing.
:D