Cereal Killer 3

Challenge:

luciafer also has a favorite cereal. It is also spooky, and very delicious! This one, however, is a bit tricky. Download the program and decrypt the output to find out what her favorite cereal is. Enter the answer as flag{here-is-the-answer}.

(Choose either the Windows or Linux binaries to analyze…)
RE03 (Windows)
SHA1: a2f56969e84a46d1b899db6867642d263b28a6c1
RE03 (Linux)
SHA1: 456247e9c9c6a1986838b4be66fa62361018eebc

Solution:

Executing the Linux binary prompts the user for a cereal name:

$ ./deadface_re03.bin 
What is the best and sp00kiest breakfast cereal?
Please enter the passphrase: PingTrip
notflag{you-guessed-it-again--this-is-not-the-flag}

Using techniques similar to those we used in the Cereal Killer challenge, we identify the strcmp() call that validates the user input and place a breakpoint on it:

gdb-peda$ b *0x56556590
gdb-peda$ run

The strcmp() call compares the two strings whose addresses were pushed onto the stack just before it:

   0x56556582 <+821>:	lea    eax,[ebp-0x273]
   0x56556588 <+827>:	push   eax
   0x56556589 <+828>:	lea    eax,[ebp-0x21c]
   0x5655658f <+834>:	push   eax

gdb-peda$ x/s $ebp-0x21c
0xffffcedc:	"PingTrip"

gdb-peda$ x/s $ebp-0x273
0xffffce85:	"B00-Boo-Boo-B33ry!"

We re-ran the binary and passed the expected cereal name:

$ ./deadface_re03.bin 
What is the best and sp00kiest breakfast cereal?
Please enter the passphrase: B00-Boo-Boo-B33ry!

flag{B00-B00-B00-Bury-IZ-DA-BOMB}
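
Why the breakpoint on strcmp() was enough, shown as an added example (not code from the challenge binary or from the original post): a check that compares input against a plaintext copy of the secret exposes that copy at the call site, while a digest comparison has no plaintext operand to read. The XOR decoding step, the passphrase "demo-pass", the key 0x5A, the salt and all function names are assumptions constructed for illustration; the page shows only that the expected string sat in a stack buffer when strcmp() was called.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: "demo-pass" XORed with 0x5A (not taken from the challenge binary). */
static const uint8_t ENC[] = {0x3E, 0x3F, 0x37, 0x35, 0x77, 0x2A, 0x3B, 0x29, 0x29};

/* Weak pattern (assumed): decode the expected passphrase into a stack buffer, then strcmp().
 * At the call, both arguments point at plaintext, which is what x/s showed in the write-up. */
int check_weak(const char *input, char *seen, size_t seen_len)
{
    char expected[sizeof ENC + 1];
    for (size_t i = 0; i < sizeof ENC; i++)
        expected[i] = (char)(ENC[i] ^ 0x5A);
    expected[sizeof ENC] = '\0';
    if (seen)                               /* copy of what a debugger reads at the call */
        snprintf(seen, seen_len, "%s", expected);
    return strcmp(input, expected) == 0;
}

/* FNV-1a 64-bit: a stand-in for a real salted password hash; not for production use. */
uint64_t digest(const char *salt, const char *s)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (const char *p = salt; *p; p++) { h ^= (uint8_t)*p; h *= 0x100000001b3ULL; }
    for (const char *p = s; *p; p++)    { h ^= (uint8_t)*p; h *= 0x100000001b3ULL; }
    return h;
}

/* Hardened pattern: only the digest is shipped, so no plaintext operand exists to inspect. */
int check_hashed(const char *input, const char *salt, uint64_t stored)
{
    return digest(salt, input) == stored;
}

int main(void)
{
    char seen[32];
    uint64_t stored = digest("constructed-salt", "demo-pass");  /* simulated build-time step */
    printf("weak, wrong guess: %d, buffer held \"%s\"\n",
           check_weak("PingTrip", seen, sizeof seen), seen);
    printf("hashed, wrong guess: %d\n", check_hashed("PingTrip", "constructed-salt", stored));
    printf("hashed, right guess: %d\n", check_hashed("demo-pass", "constructed-salt", stored));
    return 0;
}
```

A stored digest still permits offline guessing, which is why a slow, salted password hash is the real-world choice for the stand-in used here.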
