Helithumper RE (64-bit)

nightmare/modules/03-beginner_re/helithumper_re/rev at master · guyinatuxedo/nightmareGitHub

strings

strings rev
/lib64/ld-linux-x86-64.so.2
libc.so.6
puts

...

Welcome to the Salty Spitoon
, How tough are ya?
Right this way...
Yeah right. Back to Weenie Hut Jr
 with ya
;*3$"

...

Ghidra

1. Decompiled "main"

• With basic comments

bool main(void)
{
  char *pcVar1;
  undefined8 uVar2;
  bool bVar3;
  
  pcVar1 = (char *)calloc(0x32,1);
  puts(&DAT_00102008);
  
  __isoc99_scanf(&DAT_0010203b,pcVar1);   // __isoc99_scanf is an internal function used by the C standard library - provides underlying implementation for scanf
  
  uVar2 = validate(pcVar1); // external function called
  bVar3 = (int)uVar2 == 0;
  if (bVar3) {
    puts(&DAT_00102050);
  }
  else {
    puts("Right this way...");
  }
  return bVar3;
}

2. Steps in cleaning up the "main" code

2.1 Variables

a. char *pcVar1

1. Line 9: Stores the pointer returned from the calloc function

2. Line 11: Store the input from the __isoc99_scanf function

3. Line 12: Passed as argument to the validate() function.

Lets rename pcVar1 to input_ptr .

b. undefined8 uVar2

1. Line 12: Return value from the validate() function

2. Line 13: Compared with the value 0

• Since this value is compared with an integer (value 0), we can change its type to int

Lets rename it to check too.

c. bool bVar1

1. Line 13: Stores the value of the logical comparison

2. Line 14: Used in IF statement (check variable needs to be equals to 0) to pass the test condition

We can simply remove this variable and merge the IF statement:

if ((int)check == 0){
...

2.2 Function calls/arguments

a. Line 10: puts(&DAT_00102008)

• Address from "Listing" view at DAT_00102008, we can see the string Welcome to the Salty Spitoon ... :

b. Line 11: __isoc99_scanf(DAT_001203b, pcVar1)

The variable &DAT_001203b variable simply points to a memory address which stores the value %s .

c. Line 12: validate(input_ptr)

Refer to the section below for the analysis of this function.

d. Line 15: puts(&DAT_00102050)

Address from "Listing" view at DAT_00102050, we can see the string Yeah right Back to Weenie Hut Jr ... :

From this, we have the following information

1. If we input the value flag{HuCf_lAb} into the prompt, we will get the response: Right this way...

2. If we input an invalid value (not the flag), we will get the response: Yeah right. Back to Weenie Hut Jr™ with ya

Final refined code

bool main(void)
{
  char *input_ptr;
  int check;
  
  input_ptr = (char *)calloc(0x32,1);
  puts("Welcome to the Salty Spitoon™, How tough are ya?");
  scanf("%s",input_ptr);
  check = validate(pcVar1);
  
  if ((int)check == 0) {
    puts(&DAT_00102050);
  }
  else {
    puts("Right this way...");
  }
  return(ulong)(check == 0);
}

Taking a look into the validate() function

Lets take a look into the validate() function:

undefined8 validate(char *param_1)

{
  size_t sVar1;
  undefined8 uVar2;
  long in_FS_OFFSET;
  int local_50;
  int local_48 [14];
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  local_48[0] = 0x66;
  local_48[1] = 0x6c;
  local_48[2] = 0x61;
  local_48[3] = 0x67;
  local_48[4] = 0x7b;
  local_48[5] = 0x48;
  local_48[6] = 0x75;
  local_48[7] = 0x43;
  local_48[8] = 0x66;
  local_48[9] = 0x5f;
  local_48[10] = 0x6c;
  local_48[0xb] = 0x41;
  local_48[0xc] = 0x62;
  local_48[0xd] = 0x7d;
  sVar1 = strlen(param_1);
  local_50 = 0;
  do {
    if ((int)sVar1 <= local_50) {
      uVar2 = 1;
LAB_001012b7:
      if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
        __stack_chk_fail();
      }
      return uVar2;
    }
    if ((int)param_1[local_50] != local_48[local_50]) {
      uVar2 = 0;
      goto LAB_001012b7;
    }
    local_50 = local_50 + 1;
  } while( true );
}

Right off the bat, we notice an interesting variable: local_48 . It seems to be assigning each pointer index of the variable with a hexadecimal value, to form a string.

The final string is: 0x66, 0x6c, 0x61, 0x67, ... which forms the value flag{HuCf_lAb} . (https://www.rapidtables.com/convert/number/hex-to-ascii.html?x=0x66)

Analyzing variables

a. Line 27

sVar1 = strlen(param_1);

• param_1 is the argument to the validate function

b. Line 28

local_50 = 0;

Analyzing IF statements

Looking at the do-while loop, we can see 2 outer IF statements.

1st IF statement:

    if ((int)sVar1 <= local_50) {
      uVar2 = 1;
LAB_001012b7:
      if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
        __stack_chk_fail();
      }
      return uVar2;
    }

a. Outer IF statement

if ((int)sVar1 <= local_50) {
   ...

• When the value of local_50 is larger than sVar1 (length of the input argument to this function), set uVar2 to 1, and return from function with the value of uVar2

  • Since the value of uVar2 equals 1, this will NOT match the first IF statement in the main function, and go into the ELSE block

b. LAB_001012B7 goto statement definition

LAB_001012b7:
    ...

• The goto definition which will be called later on (refer to the 2nd IF statement section below)

c. Logic defined within the LAB_001012b7 goto defintion

if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
        /* WARNING: Subroutine does not return */
        __stack_chk_fail();
    }

Before we discuss this line, we need to take a look at 11 from the validate function before:

local_10 = *(long *)(in_FS_OFFSET + 0x28);

• IN_FS_OFFSET: a compiler-generated variable that points to the FS register (x86-64 Linux), that is used to access multiple data. In our case, this value would be the stack canary (or stack guard)

  • the stack canary is accessed with fs:[0x28] in assembly

• Purpose of this line of code: loads the value in the stack canary to the load_10 variable, which will be checked right before the program exits

  • calls the __stack_chk_fail() function which will force the program to exit

stack canary | Penetration testing & ethical hacking conceptsjarrettgxz-sec.gitbook.io

• The corresponding assembly code (retrieved from Ghidra) is:

MOV    RAX,qword ptr FS:[0x28]

2nd IF statement:

    if ((int)param_1[local_50] != local_48[local_50]) {
      uVar2 = 0;
      goto LAB_001012b7;
    }

a. Outer IF statement

• If any of the pointer index integer value (character) in param_1 does not match local_48 , set uVar2 to 0, and goto label LAB_00102b7

  • Since the value of uVar2 equals 0, this will match the first IF statement in the main function

b. goto LAB_001012b7

• Call the goto statement definition discussed above

GDB

In this section, I aim to outline the basic commands used in GDB to disassemble and play around with the registers and memory addresses

$ gdb rev
gdn> break main # set breakpoint on "main" function
gdb> run # run -> performs memory relocation of code addresses
gdb> disasss main # view disass
Dump of assembler code for function main:
   0x0000555555555175 <+0>:	push   %rbp
   0x0000555555555176 <+1>:	mov    %rsp,%rbp
=> 0x0000555555555179 <+4>:	sub    $0x10,%rsp
   0x000055555555517d <+8>:	mov    $0x1,%esi
   0x0000555555555182 <+13>:	mov    $0x32,%edi
   0x0000555555555187 <+18>:	call   0x555555555060 <calloc@plt>
   0x000055555555518c <+23>:	mov    %rax,-0x8(%rbp)
   0x0000555555555190 <+27>:	lea    0xe71(%rip),%rdi        # 0x555555556008
   0x0000555555555197 <+34>:	call   0x555555555030 <puts@plt>
   0x000055555555519c <+39>:	mov    -0x8(%rbp),%rax
   0x00005555555551a0 <+43>:	mov    %rax,%rsi
   0x00005555555551a3 <+46>:	lea    0xe91(%rip),%rdi        # 0x55555555603b
   0x00005555555551aa <+53>:	mov    $0x0,%eax
   0x00005555555551af <+58>:	call   0x555555555070 <__isoc99_scanf@plt>
   0x00005555555551b4 <+63>:	mov    -0x8(%rbp),%rax
   0x00005555555551b8 <+67>:	mov    %rax,%rdi
   0x00005555555551bb <+70>:	call   0x5555555551ea <validate>
   0x00005555555551c0 <+75>:	test   %eax,%eax
   0x00005555555551c2 <+77>:	je     0x5555555551d7 <main+98>
   0x00005555555551c4 <+79>:	lea    0xe73(%rip),%rdi        # 0x55555555603e
   0x00005555555551cb <+86>:	call   0x555555555030 <puts@plt>
   0x00005555555551d0 <+91>:	mov    $0x0,%eax
   0x00005555555551e8 <+115>:	leave
   0x00005555555551e9 <+116>:	ret
End of assembler dump.

gdb> break *0x0000555555555197 # first puts() function call
gdb> run # run to breakpoint
gdb> info registers rdi # view the "rdi" register content
rdi            0x555555556008      93824992239624

gdb> x/s 0x555555556008  
# view string content at address stored in rdi
# "x/s $rdi" works too
0x555555556008:	"Welcome to the Salty Spitoon™, How tough are ya?"