leap_of_faith

I liked playing Super Mario just for jumping from one place to another. Can you do that?

Challenge Statement

3KB

chall.zip

archive

Open

Zipped chall file

Checksec of chall

Running the challenge binary, it will ask for an address to jump.

Running chall

Doing decompilation on the binary, we will know that the binary will jump to the address that we gave for real.

main() function

Beside that, there is a win() function in the binary which will usually mean that reaching that function will be our main goal.

Doesn't that mean that we could just put the win() function address and finish the challenge? Eventhough there is a checker, we could just jump pass right the checker right?

win() function

Unfortunately, we will somehow get this "weird" (I don't know what caused this to be honest :v) looking segmentation fault. But, when I tried to jump to the beginning of the win() function and skip the checker manually (Using "set $rip="), the binary will seem to work fine. (Btw, I set my local flag to be "this_is_flag")

Segmentation Fault when immediately jumping right after the checker in win() function

So, when I tried to look at the beginning of the win function, there is a stack adjustment (It is equivalent to "sub rsp, 0x80") and arguments moving to the stack.

Disassembly of the beginning of the win() function

Beside that, notice that there is a "sub rsp, 0x10" right before we jump, to me this seems sus as "sub rsp, 0xXX" or stack adjustment thing usually exists at the beginning of a function. Hence, this means that we can achieve "sub rsp, 0x80" effect, if we jump back to the main some number of times, then after that, if we call the win() function everything should be fine right? (I assume that this stack adjustment thing to be the reason of the SIGSEGV)

sub rsp, 0x10 before jmp rax

I will implement this idea using pwntools. (We can choose to jump for less than 8 times, but due to my bad math, somehow I put 8 on doing this challenge, but if it works, it works :v)

from pwn import *

local = 0
p = null
elf = ELF('./chall')
gdbsc = """
b *0x40125B
b *0x401182
b *0x4011ba
c
"""
if not local:
    p = remote('kashictf.iitbhucybersec.in', 33765)
else:
    p = process('./chall')
    gdb.attach(p, gdbscript=gdbsc)

for i in range(8):
    p.sendline(b'0x40125E')

p.sendline(b'0x4011ba')

p.interactive()

Running the exploit

FLAG: KashiCTF{m4r10_15_fu_w17H_C_FJnlPNPf}