Paranoia (rev)

im baby

Below is the decompiled binary code:

undefined8 main(void)
{
  /* Decompiled entry point. Seeds the C PRNG from the wall clock, then prints
     the first 0x12 bytes of the global `flag`, each XORed with the low byte of
     the next rand() output, as space-separated decimal integers. */
  ulong idx;
  time_t now;
  char plain;
  int keystream;

  now = time((time_t *)0x0);
  /* The seed is the current time in seconds and rand() is fully determined by
     its seed, so the XOR stream gives no secrecy to anyone who knows roughly
     when the process started. A keystream that must stay secret needs the
     OS CSPRNG instead. */
  srand((uint)now);
  idx = 0;
  while (idx < 0x12) {
    /* flag is a global; the copy shipped in the binary is a fake flag */
    plain = flag[idx];
    keystream = rand();
    printf("%i ",(ulong)(uint)((keystream % 0x100) ^ (int)plain));
    idx = idx + 1;
  }
  putchar('\n');
  return 0;
}

The program seeds the C PRNG with the current time by calling srand(time(NULL)). Each character of the flag is then XORed with the low byte of the next rand() value (rand() % 0x100), and the result is printed to the user as a decimal number.

We can call srand and rand from Python through the ctypes library. Because rand() is fully determined by its seed, and the seed is just the time in seconds, seeding locally at the same moment reproduces the server's sequence. We set the seed using the current time, then connect to the server. For each number received from the server, we generate the same random value and undo the encoding by repeating the XOR operation.

#!/usr/bin/python3
from ctypes import CDLL
from pwn import *

# Load the C library so srand()/rand() come from the same implementation the
# target binary uses.
libc = CDLL("libc.so.6")

p = remote("20.80.240.190", 1234)
# p = process("./paranoia")

# Seeded after the connection is opened. The decode only matches when this
# call and the server's srand(time(NULL)) observe the same second.
libc.srand(libc.time(0))

# NOTE(review): 0x24 values are read here, while the decompiled loop above runs
# 0x12 times over the fake flag; presumably the remote build holds a longer
# flag. Confirm against the served binary.
decoded = []
for _ in range(0x24):
    key_byte = libc.rand() % 0x100
    # Each value arrives as a decimal number followed by one space.
    token = p.recvuntil(b" ")[:-1]
    # XOR is its own inverse, so the same key byte recovers the character.
    decoded.append(chr(key_byte ^ int(token.decode(), 10)))

flag = "".join(decoded)
print(flag)
# akasec{n0t_t00_m4ny_br41nc3lls_l3ft}
