Slammer

Let’s check the file first.

Let’s analyze it with IDA Pro.

First, it prints the string "password: ". Then, it reserves 0x100 bytes on the stack and reads up to 0x32 bytes from stdin into that buffer. Since the buffer is 0x100 bytes and only 0x32 bytes are read, there is no buffer overflow. Next, it compares the first byte of our input to 0x78, which is 'x'. If it is not equal to 'x', it prints the error message "Wrong!\n" and exits. Let's assume that the first character is 'x'. Then, it jumps to 0x600199.

Next, it xors 0xCB6 bytes at 0x6001B2 with 'x'. After xoring those 0xCB6 bytes, it jumps to 0x6001B2.

This means the code is self-decrypting: it decrypts the next stage and then executes the decrypted code. Let's create an IDC script and define a decrypt function.

Let's call it from IDA's console.

This is the decrypted code.

It is very similar to the previous stage. It advances the pointer to the next character of our input and this time checks whether it is 0x69, which is 'i'. If the character is correct, it xors the 0xC6E bytes at 0x6001FA with it and finally jumps to 0x6001FA. Let's decrypt this stage as well.

Let’s see the decrypted code snippet.

Again, it is the same routine. This time the expected character is 0x6F, which is 'o', the target is 0x600242 and the size is 0xC26. It decrypts the target and jumps there. So, we have a pattern here: each stage checks one input character, uses that character as the XOR key for the next stage, and jumps to it. In other words, the decryption keys are the flag's characters. Let's reload the executable into IDA and create an IDC script that automatically decrypts all the code snippets and prints the flag to the output console.

Here is the IDC script to get the flag.

Let’s call the getFlag function from the IDA console.

This is the last decrypted snippet of the code.

I'd like to mention that there is no length check on the password. Even though the flag is 46 characters, the program reads up to 50 characters and only checks the first 46. Thus, we can append any 4 characters to the flag and the password will still be accepted.

Anyway, here is our flag: xiomara{cool_thumbs_up_if_solved_using_r2pipe}.
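To make the chained-XOR scheme and the missing length check concrete, here is an added Python model of it (not the binary's code and not the IDC script from the writeup). The layer header layout (a marker byte, the expected input byte, the XOR length and the target offset) and the "Correct!" tail are constructed stand-ins for the x86 instruction sequence the writeup reads in IDA; the unpacker mirrors what the getFlag script does: read the key from the current stage, decrypt the next range, follow the jump, repeat.

```python
import struct

# Constructed layer header: marker, expected input byte (= XOR key),
# XOR length, target offset of the next stage. The real binary encodes
# these as cmp/xor-loop/jmp instructions; only the three values matter.
MARK = 0x80
HDR = struct.Struct("<BBHH")


def build_layered(flag: bytes, tail: bytes) -> bytes:
    """Pack `tail` behind one stage per flag byte. Stage i XORs everything
    after its own header with flag[i], so, as in the binary, every XOR range
    ends at the same address and later stages sit under all earlier keys."""
    end = len(flag) * HDR.size + len(tail)
    img = bytearray(tail)
    for i in range(len(flag) - 1, -1, -1):          # wrap from the inside out
        target = (i + 1) * HDR.size
        hdr = HDR.pack(MARK, flag[i], end - target, target)
        img = bytearray(hdr) + bytearray(b ^ flag[i] for b in img)
    return bytes(img)


def recover_flag(img: bytes) -> tuple[bytes, bytes]:
    """Static unpacker: collect each stage's key, decrypt the next range in
    place and follow the jump until the bytes at the target are not a stage
    header any more. Returns (flag, final decrypted tail)."""
    buf, off, flag = bytearray(img), 0, bytearray()
    while off + HDR.size <= len(buf) and buf[off] == MARK:
        _, key, length, target = HDR.unpack_from(buf, off)
        flag.append(key)
        for o in range(target, min(target + length, len(buf))):
            buf[o] ^= key
        off = target
    return bytes(flag), bytes(buf[off:])


def check_password(img: bytes, pw: bytes, max_read: int = 50) -> bool:
    """Emulate the binary's check: at most `max_read` bytes are read, each
    stage compares exactly one of them, and whatever follows the last stage's
    character is never inspected (the missing length check)."""
    flag, _ = recover_flag(img)
    return pw[:max_read].startswith(flag)


FLAG = b"xiomara{cool_thumbs_up_if_solved_using_r2pipe}"   # 46 bytes, from the writeup
IMAGE = build_layered(FLAG, b"Correct!")                    # constructed sample binary
```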