level03: done

2025-05-06 13:56:20 +02:00 · 2025-05-06 13:56:20 +02:00 · 132e604f3b
commit 132e604f3b
parent d8ce593b67
3 changed files with 16 additions and 1 deletions
--- a/level03/ressources/exploit
+++ b/level03/ressources/exploit
@ -0,0 +1 @@
+(echo 322424827; cat) | ./level03
--- a/level03/source.c
+++ b/level03/source.c
@ -10,10 +10,11 @@ int decrypt(char key)

 	// Stack canary protection (or SSP)
 	// *(_DWORD *)((char *)&str[4] + 1) = __readgsdword(0x14u);
+	//
 	strcpy((char *)str, "Q}|u`sfg~sf{}|a3");
 	len = strlen((const char *)str);
 	for (int i = 0; i < len; ++i)
-		*((char *)str + i) ^= key;
+		str[i] ^= key;
 	// Key needs to equal 12
 	if (!strcmp((const char *)str, "Congratulations!"))
 		return system("/bin/sh");
--- a/level03/walkthrough
+++ b/level03/walkthrough
@ -0,0 +1,13 @@
+# Level03
+
+Using hexrays, we can decompile the code and see that it `decrypt()`s a constant string (`"Q}|u`sfg~sf{}|a3"` with a key that we can input (more or less).
+Basically, the code will `xor` each character of the string with the key.
+The modified string will then be compared to `"Congratulations!"` and execute a shell if the value matches.
+All we have to do is find the key where `'Q'^key == 'C'`. We use this (xor calculator)[https://xor.pw/] to find the value, which is 18 in decimal.
+Finally, we need to input this through the `scanf()` call. This will store our input in a variable that will then be passed as the first parameter of the `test()` function.
+The second parameter is `322424845` and `test()` will call `decrypt()` with the difference between `a2` and `a1` (let's call it `key`).
+Since `a2 == 322424845` and we want `key == 18`, we need to have `a1 == a2 - 18`, which is `322424827`.
+We just need to input this value into the program.
+
+Here is the command:
+`(echo 322424827; cat) | ./level03`