HackLu CTF 2012 – Tux-Bomb! (150) Write-up

5 – TUX-BOMB! (150)
Yeah! We control a zombie server which is connected to a TUX-Bomb. These servers are located in the head of the organization. This bomb can destroy a lot of their servers and employees. But we have no access since we are not in possession of a valid user name and activation key. So here’s your job: Find a way to detonate the TUX-BOMB!


Hint: There is a small typo on your way to the flag – don’t get confused about it. Just use your intuition and everything should work fine!

We are provided with a Windows .exe binary. This binary needs to be run with 22 arguments:

.text:004018F7 loc_4018F7:                             ; CODE XREF: sub_4014A0+341j
.text:004018F7                 cmp     [ebp+arg_c], 17h
.text:004018FB                 jnz     loc_4017E7

It then asks for a username and a product key. The username must meet this condition (expressed in Python):

sum([(ord(c) * 3) for c in username]) == 0x29a

A username that matches that condition is “DMM”:

>>> print hex(sum([(ord(c) * 3) for c in 'DMM']))

So I’ll be using DMM as username.

Then it checks the supplied product key against the 18th argument. If they match, a PDF file named “FLAG.pdf” is dropped. This is the content of the dropped PDF file:

So we first have to solve this (look at the “aoti” typo mentioned in the description of the challenge):

x = (atoi(F)+atoi(l)+atoi(u)+atoi(x)+atoi(f)+atoi(i)+atoi(n)+atoi(g)+aoti(e)+atoi(r)+atoi(s))

So x is:

>>> sum([ord(c) for c in 'Fluxfingers'])

Then we can use WolframAlpha in order to compute the definite integral:

integrate e^(-(sqrt u)) du from u=0 to infinite

You can check it by yourself here: http://www.wolframalpha.com/input/?i=integrate+e^%28-%28sqrt+u%29%29+du+from+u%3D0+to+infinite

The result of the definite integral is 2.

So the key for this challenge is md5( 1165 * 2 – 993 ) = md5(1337) = e48e13207341b6bffb7fb1622282247b.


One thought on “HackLu CTF 2012 – Tux-Bomb! (150) Write-up

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s