bin100:

Very similar challenge to the one from the teaser: roll some dice and win. Of course you have to roll 3 1 3 3 7 ;] All rolls look alike:

 8048ebb: e8 50 fc ff ff    call 8048b10
 8048ec0: 89 c1             mov ecx,eax
 8048ec2: ba ab aa aa 2a    mov edx,0x2aaaaaab
 8048ec7: 89 c8             mov eax,ecx
 8048ec9: f7 ea             imul edx
 8048ecb: 89 c8             mov eax,ecx
 8048ecd: c1 f8 1f          sar eax,0x1f
 8048ed0: 29 c2             sub edx,eax
 8048ed2: 89 d0             mov eax,edx
 8048ed4: 01 c0             add eax,eax
 8048ed6: 01 d0             add eax,edx
 8048ed8: 01 c0             add eax,eax
 8048eda: 89 ca             mov edx,ecx
 8048edc: 29 c2             sub edx,eax
 8048ede: 8d 42 01          lea eax,[edx+0x1]
 8048ee1: 89 44 24 50       mov DWORD PTR [esp+0x50],eax
 8048ee5: 83 7c 24 50 01    cmp DWORD PTR [esp+0x50],0x1

So just find the 5 rand calls and put breakpoints on each mov DWORD PTR [esp+0x50],eax, something like this:

--- bin100.gdb ---
b *0x8048ee1
b *0x80490ee
b *0x80492fc
b *0x80494ff
b *0x8049744
commands 1
set $eax=3
c
end
commands 2
set $eax=1
c
end
commands 3
set $eax=3
c
end
commands 4
set $eax=3
c
end
commands 5
set $eax=7
c
end
run
quit
--- end ---

Fire it up:

gdb -q -nx -x bin100.gdb bin100

Press enter a few times, aaand...

[*] You rolled a seven, with a six sided dice! How awesome are you?!
[*] You rolled 3-1-3-3-7, what does that make you? ELEET! \o/
[*] Nice job, here is the flag: ebCTF{9a9689dbd47a1fd3fc0bf17d60edf545}

bin200:

Throw it in IDA, look around, start googling RunPerl or -p2x-exe/debug, and find out it's a Perl script compiled with perl2exe. Find a decoder here: http://www.kernelmode.info/forum/viewtopic.php?f=10&t=2575# and run it:

$ python2 per2exe-dec.py ebCTF_BIN200.exe
p2x_stub.lib
p2x_header.pm
p2x_info.pm
_main.pl
P2XDLL/p2x5123.dl
$ cat _main.pl
#!/usr/bin/perl
print "\n[*] ebCTF BIN 200\n".
      " No comment...\n\n";
$secret = "Sup3RSeCr3tStuFf!";
print "[*] What is the secret? ";
$answer = <STDIN>;
chomp($answer);
if ($answer eq $secret) {
    print "\n[*] Yes, that is correct! However that was not the goal of this challenge.\n".
          " Did you know that compiled code does not contain any comments?\n";
} else {
    print "\n[*] Isn't that cute...but it is WRONG!.\n";
}
# W e l l , w e l l, i t s e e m s t h e r e a c t u a l l y i s a c o m m e n t . . .
#
# [ASCII-art banner: block letters spelling out the flag]

Copy this huge comment: ebCTF{edbdb03c7998fa751be21d1364a58600}. Win.

bin300:

A quick look at the disassembly reveals it's a binary that loads an obfuscated Lua script and executes it with luaL_loadbuffer, so we can just break there and read the script:

--- moon.gdb ---
b luaL_loadbuffer
set print elements 0
commands 1
call printf("%s\n",$rsi)
end
run
quit
--- end ---

[13:35:41][/tmp]$ gdb -q -nx -x moon.gdb moon
Reading symbols from /tmp/moon...(no debugging symbols found)...done.
Breakpoint 1 at 0x411110
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?

Breakpoint 1, 0x0000000000411110 in luaL_loadbuffer ()
p = 54111037
g = 56321
io.write("Enter your password: ")
io.flush()
password=io.read()
if string.len(password) ~= 32 then
  print("Wrong!")
  return 0
end
v = g
alpha = "0123456789abcdef"
for loop =1,32 do
  v = v * g
  v = v % p
  r = v % 16
  good = string.sub(alpha,r+1,r+1)
  if good ~= string.sub(password,loop,loop) then
    print("Wrong!")
    return 0
  end
end
print("Well done, the flag is: ebCTF{"..password.."}")
-- f02233aca4839124ee6ffa766883c47e
$1 = 488
A debugging session is active.

        Inferior 1 [process 2096] will be killed.

Quit anyway? (y or n) [answered Y; input not from terminal]

First guess, that the comment is the flag, paid off: just wrap it with ebCTF{} and submit. Done.
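
The bin300 guess can be confirmed instead of assumed by replaying the dumped Lua loop. This is an added example, not part of the original writeup; the function names are made up here, and the constants and the trailing comment are copied from the script dump above.

```python
P = 54111037                      # p in the dumped script
G = 56321                         # g in the dumped script
ALPHA = "0123456789abcdef"
TRAILING_COMMENT = "f02233aca4839124ee6ffa766883c47e"   # the "-- ..." line of the dump


def expected_password(length=32):
    """Replay the script's loop and collect the character it demands each round."""
    v = G
    chars = []
    for _ in range(length):
        # v = v * g ; v = v % p. The product stays below 2^53, so Lua's
        # double arithmetic is exact and Python integers give the same values.
        v = (v * G) % P
        chars.append(ALPHA[v % 16])   # string.sub(alpha, r+1, r+1) is 1-based
    return "".join(chars)


def expected_password_closed_form(length=32):
    """Same result without loop state: round i (0-based) checks g^(i+2) mod p."""
    return "".join(ALPHA[pow(G, i + 2, P) % 16] for i in range(length))


def script_accepts(password):
    """Mirror of the script's accept/reject decision."""
    return len(password) == 32 and password == expected_password()


if __name__ == "__main__":
    derived = expected_password()
    print("derived :", derived)
    print("comment :", TRAILING_COMMENT)
    print("match   :", derived == TRAILING_COMMENT)
```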
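
Back to bin100: the instruction sequence after each call is a compiler-generated division by 6 using the constant 0x2aaaaaab, so every roll is rand() % 6 + 1 and a 7 can only appear if eax is overwritten before the store at 0x8048ee1. The sketch below is an added example, not part of the original writeup; it follows the listing register by register, with made-up function names and constructed sample inputs, and assumes the call returns a non-negative value as glibc's rand() does.

```python
MAGIC = 0x2AAAAAAB  # constant loaded into edx at 0x8048ec2, equals (2^32 + 2) / 6


def to_s32(x):
    """Interpret the low 32 bits of x as a signed 32-bit integer."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


def roll_from_rand(ecx):
    """Follow 0x8048ec0..0x8048ede for a given return value of the call."""
    ecx = to_s32(ecx)                  # mov ecx,eax
    edx = to_s32((ecx * MAGIC) >> 32)  # imul edx: high half of the 64-bit product
    eax = ecx >> 31                    # sar eax,0x1f: 0, or -1 for negative input
    edx = to_s32(edx - eax)            # sub edx,eax: q = ecx / 6, truncated
    eax = to_s32(edx + edx)            # add eax,eax -> 2*q
    eax = to_s32(eax + edx)            # add eax,edx -> 3*q
    eax = to_s32(eax + eax)            # add eax,eax -> 6*q
    edx = to_s32(ecx - eax)            # sub edx,eax -> ecx - 6*q, the remainder
    return to_s32(edx + 1)             # lea eax,[edx+0x1]


def reachable_rolls(samples):
    """Set of dice values the unmodified code can produce for these inputs."""
    return {roll_from_rand(r) for r in samples}


# Constructed inputs from both ends of rand()'s range (RAND_MAX = 2^31 - 1 on glibc).
SAMPLES = list(range(1000)) + [2**31 - 1 - i for i in range(1000)]

if __name__ == "__main__":
    assert all(roll_from_rand(r) == r % 6 + 1 for r in SAMPLES)
    print(sorted(reachable_rolls(SAMPLES)))
```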