Rusted Oracle

Personal Rating: Medium

We have an ELF binary. Stack protections are enabled, so an overflow is not an option. Opening the file in Ghidra, we can have a look at the main function:

In summary, the program prints some story text, then reads user input and compares it with the string "Corwin Vell". If strcmp returns 0, meaning the strings are equal, the machine_decoding_sequence() function is executed. Let us have a look at this function:

At first I started to reverse-engineer the decryption part, but then I noticed that the __seconds argument passed to the sleep function is a random unsigned int. Looking up what this means for sleep, the delay could be as long as 68 years.

I tried to patch the instruction in various ways, changing the argument to 0, changing its type from uint to bool, etc., but Ghidra's export function never produced a working binary. I then looked up which register carries the sleep argument and solved it dynamically in gdb. These are the commands you can use:

break sleep
commands
silent
set $rdi = 0
continue
end

This sets a breakpoint on the sleep function; each time it is hit, the rdi register, which holds the first argument (the number of seconds) under the x86-64 System V calling convention, is set to 0 and execution continues. This was successful and the flag was printed.

I later revisited the challenge and solved it statically with Binary Ninja. That tool seems much better suited to modifying binaries and saving the patched version. I simply converted the sleep part to NOPs, saved the new binary and ran it.
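The same edit Binary Ninja performs can be done by hand on the raw code bytes: find every `call rel32` whose target resolves to sleep@plt and overwrite it with five NOPs. The following is an added example, not code from the writeup or the challenge; the addresses (0x401200 for the code fragment, 0x401030 for sleep@plt, 0x401040 for puts@plt) and the byte sample are constructed for the demo, and in a real ELF you would take them from the .text section header and a disassembly.

```python
import struct

CALL_REL32 = 0xE8      # opcode of `call rel32` (E8 cd)
NOP5 = b"\x90" * 5     # five 1-byte NOPs, same length as the call

def nop_calls_to(code: bytes, code_vaddr: int, target: int):
    """Return (patched_code, vaddrs_of_patched_calls).

    rel32 is relative to the instruction *after* the call, so the
    callee is call_vaddr + 5 + rel.  A plain byte scan can in theory
    hit an E8 inside another instruction; that only matters if the
    bogus target also equals `target`, so compare the returned
    addresses with a disassembly before writing the file back.
    """
    buf = bytearray(code)
    patched = []
    i = 0
    while i + 5 <= len(buf):
        if buf[i] == CALL_REL32:
            rel = struct.unpack_from("<i", buf, i + 1)[0]
            if code_vaddr + i + 5 + rel == target:
                buf[i:i + 5] = NOP5
                patched.append(code_vaddr + i)
                i += 5
                continue
        i += 1
    return bytes(buf), patched

def rel32_call(from_vaddr: int, to_vaddr: int) -> bytes:
    """Encode `call to_vaddr` as it appears at from_vaddr (builds the sample)."""
    return bytes([CALL_REL32]) + struct.pack("<i", to_vaddr - (from_vaddr + 5))

# Constructed sample: a fragment of the decoding routine at 0x401200 that
# calls sleep@plt (assumed 0x401030) and afterwards puts@plt (0x401040).
TEXT_VADDR = 0x401200
SLEEP_PLT = 0x401030
PUTS_PLT = 0x401040
SAMPLE = (
    b"\x89\xc7"                                # mov edi, eax  (random seconds)
    + rel32_call(TEXT_VADDR + 2, SLEEP_PLT)    # call sleep@plt  -> to be NOPed
    + rel32_call(TEXT_VADDR + 7, PUTS_PLT)     # call puts@plt   -> must survive
    + b"\xc3"                                  # ret
)

def demo():
    # NOPing the call leaves rax untouched; fine here because the program
    # does not use sleep's return value.
    return nop_calls_to(SAMPLE, TEXT_VADDR, SLEEP_PLT)

if __name__ == "__main__":
    patched, where = demo()
    print("patched calls at:", [hex(a) for a in where])
    print(patched.hex())
```

To apply this to the real file, write the patched bytes back at the .text file offset plus (call vaddr - .text vaddr); the file offset and vaddr of .text come from `readelf -S`.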
