Last week I played FwhibbitCTF for a few hours, a CTF organized by Follow The White Rabbit.

They used the Facebook platform, and this challenge is the one corresponding to the country Congo. My solution for Crazy Serial is below.

Category: Reversing.
Points: 330pts.

When I opened this challenge…

As can be seen, that flow graph is the result of the if statements. So my first thought at the time was to use the angr framework. It is necessary to enter two strings: an email and a serial.

If the binary was compiled with the -pie flag, angr (more precisely its loader, CLE) loads it in this case at a base address of 0x400000.

I set the initial state at base+0x01129, because that is the address where the byte-by-byte comparison of the serial (in a scrambled order) begins. When programming for angr it is sometimes necessary to specify addresses to avoid, which makes it a bit easier for angr to find the final state. The function to avoid is the one inside crazy serial crazy that prints “Wrong Serial”; it is found at base+0x100F, and the final state is at base+0x1412. The local variable serial is at rbp-0x430, and in this case I created a bit-vector symbol that will hold the flag value, as follows:

After executing the script and waiting a few seconds, we have the result:

What is going on? Analyzing the executable, we can find three comparisons, as can be seen:

We can represent the above assembly code as an approximation in C.

The way I decompiled it may seem strange to the skilled reader, but from that code it can be seen that if angr satisfies just one of the conditions, it is not necessary for the other two to be met. That is why angr gives us incorrect characters.

We only need to replace the characters found at indexes 11 and 18 with the character "-" (without quotes) and we will get the right serial; alternatively, we could add constraints specifying that the content at those positions must be "-".
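Putting the state setup described earlier and the dash constraints together, here is an added example script (not the author's script, which is linked at the end of the post) that reproduces the approach with the addresses from the write-up. The binary path, the serial length of 25 bytes (taken from the recovered serial) and the concrete rbp setup are assumptions.

```python
# Added example, not the author's script: angr solve for the serial check.
BASE = 0x400000            # base address CLE gives the PIE binary
START = BASE + 0x1129      # byte-by-byte comparison of the serial begins here
AVOID = BASE + 0x100F      # function that prints "Wrong Serial"
FIND = BASE + 0x1412       # final (success) state
SERIAL_LEN = 25            # assumption: length of the recovered serial
DASH_INDEXES = (11, 18)    # under-constrained positions that must be '-'
BINARY = "./crazy_serial"  # placeholder path (assumption)


def solve(binary=BINARY, pin_dashes=True):
    """Explore from START to FIND while avoiding AVOID; return the serial."""
    import angr, claripy  # imported lazily so the helpers below run without angr
    proj = angr.Project(binary, auto_load_libs=False)
    state = proj.factory.blank_state(addr=START)
    # blank_state leaves rbp unconstrained; give it a concrete frame above rsp
    # so that the local at rbp-0x430 lands on the stack (assumed layout).
    state.regs.rbp = state.regs.rsp + 0x500
    serial = claripy.BVS("serial", 8 * SERIAL_LEN)
    state.memory.store(state.regs.rbp - 0x430, serial)
    if pin_dashes:
        # the "-" constraints mentioned above; without them angr may pick any
        # byte that satisfies one of the three or'ed comparisons
        for i in DASH_INDEXES:
            state.solver.add(serial.chop(8)[i] == ord("-"))
    simgr = proj.factory.simulation_manager(state)
    simgr.explore(find=FIND, avoid=AVOID)
    if not simgr.found:
        raise RuntimeError("no path to the success state found")
    return simgr.found[0].solver.eval(serial, cast_to=bytes).decode()


def fix_dashes(serial, positions=DASH_INDEXES):
    """Post-process an unconstrained angr result: force '-' at the given indexes."""
    chars = list(serial)
    for i in positions:
        chars[i] = "-"
    return "".join(chars)


def email_ok(email):
    """The email check described in the write-up: longer than 3 bytes, contains '@'."""
    return len(email) > 3 and "@" in email


if __name__ == "__main__":
    print("constrained:", solve(pin_dashes=True))
    print("fixed up:   ", fix_dashes(solve(pin_dashes=False)))
```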

The serial is: Tzey7-drFLT-ctfgH5-puTF6Y.

The email must be longer than 3 bytes and must contain the character ‘@’, so the email could be: nox@nox.nox.

The flag is: fwhibbit{r4bb1t_s3r14l-2JBH8tckcTj}.

The full script can be found here: