Cereal Killer

Challenge:

spookyboi is really into Serial Killers. He loves to watch Mindhunter on NetFlix. He can also SLAY a bowl of his favorite cereal.

(Choose either the Windows or Linux binaries to analyze…)
RE01 (Windows)
SHA1: 3674964b75d2894f297470be8a39802af40314b3
RE01 (Linux)
SHA1: af2392a43e3571fa43be6a48a3a83131f549013c

Solution:

Executing the Linux binary produces the following:

$ ./deadface_re01.bin 

What is the best and sp00kiest breakfast cereal?
Please enter the passphrase: pingtrip

notflag{you-guessed-it---this-is-not-the-flag}

So the goal is to determine the proper input that will produce the flag. We loaded the binary into gdb and disassembled the main() function:

$ gdb ./deadface_re01.bin

gdb-peda$ start
gdb-peda$ pdisass main

What we're looking for is the comparison that is performed on the user's input. Looking at the pdisass dump you can see where the first output, "What is the best and sp00kiest breakfast cereal?", is printed (puts()), followed by the prompt, "Please enter the passphrase:" (__printf_chk()), and then the wait for input from the user (scanf()):

...
   0x0000555555555108 <+72>:	lea    rdi,[rip+0xf19]        # 0x555555556028
...
   0x0000555555555119 <+89>:	call   0x555555555080 <puts@plt>
   0x000055555555511e <+94>:	lea    rdx,[rip+0xf6a]        # 0x55555555608f
...
   0x0000555555555133 <+115>:	call   0x5555555550a0 <__printf_chk@plt>
...
   0x0000555555555144 <+132>:	call   0x5555555550b0 <__isoc99_scanf@plt>

We can confirm these steps by examining the memory addresses referenced just prior to the function calls:

gdb-peda$ x/s 0x555555556028
0x555555556028:	"What is the best and sp00kiest breakfast cereal?"

gdb-peda$ x/s 0x55555555608f
0x55555555608f:	"Please enter the passphrase: "

Once the user submits their input, a comparison operation is done and puts() is called only if the comparison is not equal (the je skips over it when the values match):

   0x0000555555555153 <+147>:	cmp    QWORD PTR [rsp+0x20],rax
   0x0000555555555158 <+152>:	je     0x555555555184 <main+196>
   0x000055555555515a <+154>:	lea    rdi,[rip+0xeff]        # 0x555555556060
   0x0000555555555161 <+161>:	call   0x555555555080 <puts@plt>

Spot checking the memory address of the printed string provides confirmation that this is the "if…then" that we're interested in:

gdb-peda$ x/s 0x555555556060
0x555555556060:	"notflag{you-guessed-it---this-is-not-the-flag}"

We set a breakpoint on the cmp instruction and run the program:

gdb-peda$ b *0x0000555555555153
Breakpoint 2 at 0x555555555153
gdb-peda$ run

Starting program: /home/pingtrip/Documents/deadface_re01.bin 
What is the best and sp00kiest breakfast cereal?
Please enter the passphrase: pingtrip

When execution reached the breakpoint we (surprisingly) spotted the flag at the top of the stack:

0000| 0x7fffffffdd00 ("flag{c0unt-ch0cula-cereal-FTW}")

For the sake of the challenge, you could also follow the three cmp instructions to discover the correct input, c0unt-ch0cula.

$ ./deadface_re01.bin

What is the best and sp00kiest breakfast cereal?
Please enter the passphrase: c0unt-ch0cula
flag{c0unt-ch0cula-cereal-FTW}
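The piecewise compare the writeup follows (a cmp of a QWORD against rax, three cmps in all) and the plaintext secret it exposes on the stack, as an added Python example that is not code from the writeup or the challenge binary. It assumes the compiler split the 13-character answer plus its NUL into 8+4+2-byte compares, derives the compare constants from the known answer because the page does not show the immediates, and contrasts this with a digest compare where a breakpoint on the cmp yields only a hash.

```python
import hashlib
import hmac

# Derived from the writeup's answer; the page does not show the immediates the
# binary loads into rax, so these values are reconstructed, not copied from it.
PASSPHRASE = b"c0unt-ch0cula"

# Assumption: the 14-byte constant (13 chars + NUL) is compared as one QWORD,
# one DWORD and one WORD, which is what "three cmp instructions" suggests.
CHUNK_WIDTHS = (8, 4, 2)


def split_immediates(secret: bytes, widths=CHUNK_WIDTHS) -> list:
    """Little-endian integer constants a compiler embeds when it inlines a
    comparison against a NUL-terminated constant string."""
    data = secret + b"\x00"
    chunks, offset = [], 0
    for width in widths:
        piece = data[offset:offset + width].ljust(width, b"\x00")
        chunks.append(int.from_bytes(piece, "little"))
        offset += width
    return chunks


def recover_passphrase(immediates, widths=CHUNK_WIDTHS) -> bytes:
    """Reverse step: turn the cmp constants read from the disassembly back
    into the ASCII they encode, NUL padding removed."""
    raw = b"".join(v.to_bytes(w, "little") for v, w in zip(immediates, widths))
    return raw.split(b"\x00", 1)[0]


def check_plain(user_input: bytes) -> bool:
    """Mirror of the binary's check: piecewise compare against the plaintext,
    so the secret itself must be in memory when the cmp executes."""
    return split_immediates(user_input) == split_immediates(PASSPHRASE)


# Hardened variant: only a digest is embedded, so breaking on the compare
# (or reading the stack) yields the hash, not the passphrase. In a real build
# the digest would be precomputed and stored; it is computed here for brevity.
PASSPHRASE_DIGEST = hashlib.sha256(PASSPHRASE).digest()


def check_hashed(user_input: bytes) -> bool:
    """Compare SHA-256 digests in constant time instead of raw bytes."""
    return hmac.compare_digest(hashlib.sha256(user_input).digest(), PASSPHRASE_DIGEST)
```

Running split_immediates on the answer gives the three constants you would expect to see loaded before each cmp, and recover_passphrase is the step of reading them back out of the disassembly.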
