[CrackMe] BabyELF

_py · June 26, 2018, 1:00pm

BabyELF

                        _..--""""--...___                 .---,
                      ,' \               `'--.___        /   /
                     /`\  \                      ``''--:'`--'
                    (  ,'. '.              _____..--''`
                    )__/`-'._;__       .-'`
                     _/ e    /.-|     /
                     \        _/      |
                      |_,    (  \     /
                       \______\__\_.-'//////
                        |||||||||}////////;._
          __/\ _..----''````     \_       /  /.
         (    / |                  `'._---:./  '.
          '---\_;-...______.           '.   |_,  \  ===---
                        /               .`     '-'
                       /             _.'                ===---
                      /___.._  _..-'`\
                       /    /`'  \    '--.______ \
                      /    /      \         \   \#\
                      |   |        '---------'-. \#\
            ----------|  /----------------------\_\-\-----------------
                      |__|                         ._\
                   __.'  |
                  /______|       ..::::::::::::::::::::::::::..
                (___#__#____  .::::::::::::::::::::::::::::::::::'
                              '':::::::::::::::::::::::::::::'

Rules

Make the binary display Congrats!
Patch more than one byte and you’re disqualified. Don’t patch any instruction!

Binary

base64 -d dump | gunzip > babyelf

H4sICHM1MlsAA2JhYnllbGYA7VlvbFPXFb+24/whwTEUWCCsvHZQBaQYJzVZaDWwkxheWAJZcCjV
Fl4cPyfx8J/IfqYJHza2FFYLaFG7SfkyqVK1tZMmbd0+DE0aCQqCIe0DrdQJbftAt1ElZe1SlaFo
Gnjn3nfu83vXz4N92b5wJPu887vnnHvueee+d+993w737XM6HISTk+whVPK7g0wOIn5qk6ECWCep
g/8tZDOpBtlt0guSoIWvoGvOa1HPBb8q+HU6dbnTGbTwzajHucPE3cRMQQs/hx1wTohk2NFYvR4d
9XpGLDyIcchOq50T7VrQrgX1Ob+Bgd0QxleFvwj6i+C4OO9BvR6TPqWB25pKr0dqdHmkJmjhAdQL
CHZfA7tq8ujkRT6I/VXKyzKOi3N+H3YmE6MdgZ1JtTWZSOenWqc6O1o7Ar5cxtfOYvKi7v6DQ0yf
51HCmNcRvQZo++/uXj/2zy++tKr1qPvHo2+9eOK1Xxz6rgPtS5X5aFQPv7UVxmuHP1UBb62AV/K/
l/CKEQjyFKNp6SCTeS1HFCWnRWPHldjEcWUsmkiSbDyqkpyWjaUmoZFqU42spqSiiTQg46lMGhGF
7O/r7epW2n0B46rdt4vQ7Lrg5yRG8ULenCx3/D6vSyRW04wfRCy/KVFH7Y5i+0rjCOPV+OPU5NXx
GmK9F5IJd5rwFhPuMuF+E15lwjtNuHleyzN/q5XPuofqJSKfntfcizkGXqldsKa3uKsLVIrbeuC/
cUsQrqg8QZuWbhWBtj1HZRr60g0mt1OZhrw0z+QdVKahLv2cyU9TmYa49CaT318lkbELvL+2T3oL
7x2TC3+WZ/66PBDpvTbvh5kpX7s8X03ZtWeALb4NdnfHGrfA5L74AgxwSG4dACbPrHjkwu0TzRfZ
CGFYa4bnaEPxFii/zPwPL9BRjPm4fGmA2X/nU+bg8gMXOJALy/Llxb2y46r83gNtveGtnntr3AJ+
9P5PfSUB8ZP8miEwXExDYMNX3UcAcnzOepqTPDSwvSTvvvMG2BnOPqMGxRvDSyfBhl7DHZFU+WzV
thaqUQivtM3L18LLTP98ePnX1Qy+OkeBxR88KBZBZ1E+C7+ZRcfVHvcyU7vUQ9NVuLb4Bmicns83
zMkALIZBurNqbpBe74ZrPYyz/Suq/GwD6xFKwA8N1xdKuaHxh14IHQkViqGhUKTv/LY9NRIk63wr
5Yd7C/d6Cx/0bb/Naunyfdfi2/chqtOfaFLbH7mPvsLHfYV7PeChuO5P8syCQ959J/8xLbSvD4e+
ERoOHQspCxdKfX6+gLWJpUjn2fH4cdKdSY9no1ruKRLJTksT0awaz9Jni6PZ9XwAa3sEuj8F/Abw
AeBXYTzvUBwy/FuKA/fiJFuH9eY4OUgcU15Hc0NN7QVHjZfi9J04BT52mOaBvT4hW1H/5r+KRTbT
PN59nqYDjfUv1Z4iezc9v+PZrU8T1KHvog0Q0zkKhDzeM87u1dXO74EnvU2F3wVoj9P2Lo/3NWeX
p+lVV9gjna/q8rScc8se/5lq2dM5U9PvCWY9nSGPP+Rp6fJIoAf6XZ5aFudP4XcR/JifG4/pMT2m
x/SY/s8E6xdKt3D/x8kh8Abks1W63mqUA7hP2Ygy30c0o8z3R3w72YTtm4X2fzwoZph/p+6Prw1H
XLrM16gXsX0Vyiryeu4f+XpiJWNtiutP/i6aQs7fp7gNI19ALuF4OV6LMo+b91cnyPC6Y+O5ifEX
Ueb5XEb5Crb/r4jvY0X6PY7rI+T3kFdjXWwQ6oPT/u7u56SWodF8WstLu3wBn7+1I8+ktm+1dfj8
Ad/u7ToutfvbOvwd/t0PjdEFWeLnAlbcaeynrbiLaLZ4lVFPVtxt1JEVrzbqzYrX2N4nF1TBTVu8
zqgTK77KqCcrXm/MKyveQOZt8dVEsrkfLuIxznGseKMxT624lwRt8TXG+YMVX0tmbfEnjHlvxdcZ
892KryeSLb7Btj5dMBv5ftWKNxnz2YpvJEFbfBMZsMWbyzA6T6vIZ0URb2Bt5fHT558T8j8i5L8Z
8TcF3Ie4+NztYf5LcfLnxWF2XZ7Pk+iHP8c5nWH65fflRxXGVWm8P2Nta8krtVb/vyH2eSAV/Fxn
/0+Uxf8H5qf8vv8F9cX477H/8vqsc1A/5fWwxUHPb2BeoD5/7u902J/f/JLh5fXzVYf9OdCwg56v
bCyrq+1Mv3zeqRX8nKqAv14Bfxf7FeO8VEH//Qrj/RDwNc6NRBb8fEpx0/OBn+Hcx3zOY73FEf+A
0Hg2kaOCn1/x/GOd8z3saqeuL+Zto1PXfwb9n0P8Sad9/O1OPX7Rz54K+jXMv83zNpbVclp+bMwX
I4pyoHtQ6es9HFEUAvv6+Hgip8WzipZSYslMOk5P9dSMMp7MjEaTiqplsjklmp8isUxqMhnX4qrv
y7t2B+yVlLFEOqFEs9notBJPa9lpMpaNpuKKmk+lpsHEJCmgqVlUR6Oj0/GkHuK+wVB/WAkf7IEY
9YD5tcVMJUrPiwdD/b3d1hZ2wgjQ/oNDSlhGb3LPIFH29x3qCvUph/btOxyOKJFQV19Y4SeVsVye
DYAovZF+pZSaSH83TUwkOpqMs3PPYNB8YKnE1agWLTsLLSkF2LGoYCQejorN1CeOQz9PFRUsR6mg
n8soE9G0CiEqvYegQU2klXwurppHR1ME8mguh671Y9kDJ5RBHGt3MprLsRqAUfOk03TYJoP4ctMp
LToKXMvqfIJfJdKgPUl86YwW94W6elu16DhK4+m8bzSfSKqtCZUwaSKamyA+dToN/nSuZfWWE/Fs
LpFJWwQF2rLxZJQq4tVkUqNdwvDopW88AxdafAr+2R31ZTPsJvniE1iEE2q2JOmmevHoFvz6m7Es
iyeaSsQIdav3pDuDPBIfzIsUFLDNbPzvib5P6buKP8dL35F0ebOgL35P+BKxnmGXvtPosiToVwly
m2DP150aAlsfYk/f7/dg7c/t+fp0Voif73+Mz1pI9Dy/3tQ/X8deROAdxOl+yUHK9ylHiL4X4vZ8
vTuCGyS+n+Ik5u8Y0fcy3J6vi6+gvUeI3ynw40TfG3GZr59vor2/Qvyc6HqnyuTP2I9hovk4xfxx
/GW070KZr8cltOf7QTfaiPavktK3RUr8PTKL9qbPpozE+18Q7Pn6fh4VRwR9r8C/L9jzfYCEAxbz
Jco/FOz5e9mP9k7hkNZrFclbgj1f3wRwg1wn6Ivj/wmxzl++vgii/ZMPsX9XsC99L8V4HmI/J9jz
/cws2t8V9MX80XUsrXF+nlD6fmqvL8p0ndRosufr4aZHtP8Q4+f2fP0tPaL9R0S/d9y+9H1bl/l3
bX5/uT2vg1mhf74vW2n8z/1z/nfB3livYwfBh9ivCPZ8/Rv0WuMU7Tk9QIzb83XjgNdeX3z+uRw6
5hdwbi/Wn3iOtsbUt5km8QCtQehQ7N9cu2Z6Bfu/gDeOzqOdxP6cyq7/JjzwOio4F7/H/xs0wYoi
QCIAAA==

0x00pf · June 26, 2018, 3:52pm

I’m curious about the 4 bits patch. This is a basic 1 byte patch. Hope to get some time to look for the 4bits solution

echo -ne “\x26” | dd of=test1 seek=$((0x2b8 + 0x78)) bs=1 count=1 conv=notrunc

_py · June 26, 2018, 6:30pm

Oopsie! I had made a previous demo whose strings in the string table differed in distance so little that required 4-bit patching. Updated the description

Congrats on patching .dynsym like a boss

0x00pf · June 26, 2018, 9:24pm

I see, glad to see that I haven’t missed something obvious
BTW, thanks for the challenge mate.

I love the smell of .dynsym in the morning

Leeky · June 26, 2018, 10:11pm

I’m not sure if this was the intended way. Was fun though

echo -ne “\x65” | dd of=babyelf seek=4152 bs=1 count=1 conv=notrunc

_py · June 27, 2018, 8:13am

Not bad at all

The intended patch required ELF mastery, but a patch is a patch. Feel free to look through the spoiler tags or try a lil’ harder

cedric · June 27, 2018, 9:12pm

Worked on a solution using LIEF

https://github.com/cedriczirtacic/stuff/tree/master/CTFs/0x00sec/BabyELF

ricksanchez · June 27, 2018, 9:57pm

What fitting challenges …

This one is about patching the right index for the string table in the st_name field in the .dynsym section for the second puts call. When looking at the assembly code the second puts looks more like an intended strcmp with the loading of ‘kek’ in the register right before the fubction call.

In the string table puts is index at 11, where as strcmp is at index 38. It’s enough to provide just the start of the string in the st_name field since those strings are null terminated and the replacement routine in the end does something like “[fromhere] until \0”

note: you actually can count the bytes for the correct replacement by hand if you found the right position

dynsym

$ ./babyelf
kek
Congrats!

_py · June 27, 2018, 11:13pm

Nice control over your ELF structures @ricksanchez, gj

_py · June 27, 2018, 11:14pm

LIEF is awesome and does wonders! gj

_py · July 26, 2018, 1:09pm

This topic was automatically closed after 30 days. New replies are no longer allowed.