More info about gogo CTF

[Droei]

Hi!

I've been spending quite some time now trying to understand what exactly is going on when you started examining the assembly code from the if statements in your writeup from PicoCTF: Gogo. You mentioned placing a breakpoint but I couldn't find anywhere more info online about doing this as I assume you do this within Ghidra right? Also when I try doing the same hexdump as you did on the file (my file is called enter_password tho) I always get the entire output rather than what you get, did I maybe misunderstand on what file I had to hexdump from or did I not add some code through Ghidra?

for reference, here is a link to the repo: https://github.com/Dvd848/CTFs/blob/master/2021_picoCTF/gogo.md

Thanks in advance!
Daan

[Dvd848]

Hey Daan!

You're right, it looks like I skipped over a few details in the writeup, let me try to explain them here.

Today Ghidra 10.0+ comes with a built in debugger, but honestly I don't have much experience with it, and at the time it wasn't even available. Therefore, in the writeup I'm using good old gdb in order to debug. However, the default gdb UX/UI is a bit too bare-bones and in order to enhance the debug experience, there are a few different "plugins" that offer additional capabilities.
In the writeup I'm using a "plugin" called gef:

GEF is a set of commands for x86/64, ARM, MIPS, PowerPC and SPARC to assist exploit developers and reverse-engineers when using old school GDB. It provides additional features to GDB using the Python API to assist during the process of dynamic analysis and exploit development. Application developers will also benefit from it, as GEF lifts a great part of regular GDB obscurity, avoiding repeating traditional commands, or bringing out the relevant information from the debugging runtime.

After starting gdb from the command line, we should eventually get a prompt:

┌──(user@kali)-[/media/sf_CTFs/pico_2021/gogo]
└─$ gdb -q ./enter_password
GEF for linux ready, type `gef' to start, `gef config' to configure
92 commands loaded for GDB 10.1.90.20210103-git using Python engine 3.9
[+] Configuration from '/home/user/.gef.rc' restored
Reading symbols from ./enter_password...
warning: Missing auto-load script at offset 0 in section .debug_gdb_scripts
of file /media/sf_CTFs/pico_2021/gogo/enter_password.
Use `info auto-load python-scripts [REGEXP]' to list them.
gef>

This is how we interact with the debugger.

We first want to set a breakpoint at 0x080d4b28:

gef>  b *0x080d4b28
Breakpoint 1 at 0x80d4b28: file /opt/hacksports/shared/staging/gogo_5_8320186217489444/problem_files/enter_password.go, line 71.

Then we run with r and enter our password when we're prompted for it:

gef>  r
Starting program: /media/sf_CTFs/pico_2021/gogo/enter_password
[New LWP 1639]
[New LWP 1640]
Enter Password: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

At this stage the breakpoint should hit and the GEF UI should appear. We can run hexdump from the GEF prompt (hexdump is one of GEF's GDB enhancements):

gef>  hexdump byte $ecx 32
0x18414220     61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61    aaaaaaaaaaaaaaaa
0x18414230     61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61    aaaaaaaaaaaaaaaa

And similarly inspect the other locations:

gef>  hexdump byte $esp+0x4 32
0x18439f28     38 36 31 38 33 36 66 31 33 65 33 64 36 32 37 64    861836f13e3d627d
0x18439f38     66 61 33 37 35 62 64 62 38 33 38 39 32 31 34 65    fa375bdb8389214e
gef>  hexdump byte $esp+0x24 32
0x18439f48     4a 53 47 5d 41 45 03 54 5d 02 5a 0a 53 57 45 0d    JSG]AE.T].Z.SWE.
0x18439f58     05 00 5d 55 54 10 01 0e 41 55 57 4b 45 50 46 01    ..]UT...AUWKEPF.

The rest of the calculations are performed in the writeup with Python, but the can be done with gef as well:

gef>  xor display 0x18439f28 32 4a53475d414503545d025a0a5357450d05005d555410010e4155574b45504601
[+] Displaying XOR-ing 0x18439f28-0x18439f48 with '4a53475d414503545d025a0a5357450d05005d555410010e4155574b45504601'
──────────────────────────────────────────────────────────────────────────────────────────────── Original block ────────────────────────────────────────────────────────────────────────────────────────────────
0x18439f28     38 36 31 38 33 36 66 31 33 65 33 64 36 32 37 64    861836f13e3d627d
0x18439f38     66 61 33 37 35 62 64 62 38 33 38 39 32 31 34 65    fa375bdb8389214e
───────────────────────────────────────────────────────────────────────────────────────────────── XOR-ed block ─────────────────────────────────────────────────────────────────────────────────────────────────
0x18439f28     72 65 76 65 72 73 65 65 6e 67 69 6e 65 65 72 69    reverseengineeri
0x18439f38     63 61 6e 62 61 72 65 6c 79 66 6f 72 77 61 72 64    canbarelyforward

Hope this clarifies things.

[Droei]

Hey Dvd!

Thank you so much for the great reply, it definitely clarifies a lot!
I really appreciate the time you took to clarify things!!!

Thanks and have a nice day!! :)