Paranoia (rev)
im baby
Below is the decompiled binary code:
```c
undefined8 main(void)
{
  char cVar1;
  int iVar2;
  time_t tVar3;
  ulong local_20;

  tVar3 = time((time_t *)0x0);
  srand((uint)tVar3);
  for (local_20 = 0; local_20 < 0x12; local_20 = local_20 + 1) {
    // flag is a global var, which is a fake flag in the binary
    cVar1 = flag[local_20];
    iVar2 = rand();
    printf("%i ",(ulong)(uint)(iVar2 % 0x100 ^ (int)cVar1));
  }
  putchar(10);
  return 0;
}
```
The program seeds the PRNG with the current time by calling `srand(time(NULL))`, then XORs each character of the flag with the low byte of the next `rand()` value and prints the result to the user.
We can use `srand` and `rand` by using the Python `ctypes` library. We set the seed using the current time, then connect to the server. For each character received from the server, we generate the same random value and reverse the encryption operation they performed (by repeating the XOR operation).
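```python
#!/usr/bin/python3
from ctypes import CDLL
from pwn import *

# Load the C library so we get the same srand()/rand() as the binary
libc = CDLL("libc.so.6")

p = remote("20.80.240.190", 1234)
# p = process("./paranoia")

# Seed with the current time, as the server does
libc.srand(libc.time(0))

flag = ""
for i in range(0x24):
    # Same keystream byte the server used for this position
    x = libc.rand()
    x = x % 0x100
    # Each encoded value is printed as a decimal number followed by a space
    y = p.recvuntil(b" ")
    y = y[:-1]
    y = int(y.decode(), 10)
    # XOR again to undo the encoding
    flag += chr(x ^ y)

print(flag)
# akasec{n0t_t00_m4ny_br41nc3lls_l3ft}
```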
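The solver above depends on the local clock and the server's clock falling in the same second. As an added example (not part of the original writeup), the code below reimplements glibc's default `rand()` in pure Python and tries seeds around the local time until the decoded output starts with the flag prefix `akasec{`. The function names, the 300-second window, and the sample seed and flag are assumptions constructed for illustration.

```python
def glibc_rand_stream(seed, count):
    """First `count` rand() outputs after srand(seed) for glibc's default
    additive-feedback generator; valid for seeds in 0..2**31-1."""
    r = [seed or 1]                      # glibc treats seed 0 as 1
    for _ in range(30):
        r.append(16807 * r[-1] % 2147483647)
    r.extend(r[0:3])                     # r[31..33] = r[0..2]
    for i in range(34, 344 + count):     # the first 310 values are discarded
        r.append((r[i - 31] + r[i - 3]) & 0xFFFFFFFF)
    return [v >> 1 for v in r[344:]]


def encode(flag, seed):
    """What the challenge binary prints: (rand() % 0x100) ^ flag[i]."""
    stream = glibc_rand_stream(seed, len(flag))
    return [(k % 0x100) ^ c for k, c in zip(stream, flag)]


def recover(values, around, window=300, prefix=b"akasec{"):
    """Try seeds around `around`, nearest first, until the decoded bytes
    start with the known prefix. Returns (seed, flag) or None."""
    for delta in range(window + 1):
        for seed in {around - delta, around + delta}:
            stream = glibc_rand_stream(seed, len(values))
            plain = bytes((k ^ v) & 0xFF for k, v in zip(stream, values))
            if plain.startswith(prefix):
                return seed, plain
    return None


# Constructed sample data (not the real challenge seed or flag)
SEED = 1_700_000_000
SAMPLE = b"akasec{constructed_sample_flag}"

if __name__ == "__main__":
    observed = encode(SAMPLE, SEED)
    # Simulate an observer whose clock is 42 seconds ahead of the server
    print(recover(observed, SEED + 42))
```

Because the whole keystream follows from a guessable seed, the fix on the binary's side is to draw the mask bytes from a CSPRNG such as `getrandom(2)` rather than `rand()`.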