# CSAW Quals 2020 not-malware

** Published:**

This is the next reversing challenge from CSAW Quals 2020 (first two are here).

This challenge gives you an application `not_malware`

and instructions for `nc`

. Because I did this after the actual CTF, I will assume that if I get a certain response (ouput of the flag, “correct”, etc…) from the binary, then I have solved the challenge.

## Write-up

I first started by running the program. It asks:

```
$ ./not_malware
What's your credit card number (for safekeeping) ?
>>
```

As per usual, I entered a random number of A’s and hit return. Nothing. The program just exited.

Next, I opened up the binary in Ghidra. I’ll be copying interesting snippets here, but you can find the entire decompilation (edited) here. I’ll be using images and snippets from my edited version of the decompilation (after the reverse engineering), but will try to explain pretending not to know certain things (like not knowing what `randint`

does).

The first function we hit looks like some anti-analysis (???) code, so I ignored it.

### Segment 1

The first interesting segment is below:

In this section, `addr`

is first set to 3. Then, the first `8`

bytes of the user input is copied to `local_store`

. `local_store`

is then compared to the string located at the address of `yeetbank`

+ addr*9 (or 27). Looking at the disassembly, we see that `local_store`

must be the same as `softbank`

. Lastly, we see that after `softbank`

, the next char must be `:`

.

So at this point our input is `softbank:`

.

### Segment 2 (??)

The next interesting segment is below:

Before I changed the names of these variables, it was a little confusing what these 3 values were used for. So, just like during the reversing process, I’ll talk more about this in the next segment.

### Segment 3

Looking at the third interesting segment, we see that the values from segment 2 are being used. Good, this will allow us to discern their use.

We can see that we have a loop for 20 iterations. At each iteration, we being by calling the function `rand_int`

:

```
/* seed set; so deterministic */
long rand_int(uint seed)
{
int retval;
srand(seed);
retval = rand();
return (long)retval;
}
```

As you can see, the seed is set at each iteration by `seed`

in segment 2. Next, the random number we get is copied as a string to `randstr`

. Then, at index `j`

, we set `check[j]`

to `randstr[idx]`

. Last, we update `seed`

by `seed_idx`

.

We learn a few things about segment 2 here. First, `seed`

is used to seed a random number generator. `idx`

is a constant value that will be used to see which random character is added to `check`

. And `seed_idx`

is used to update the `seed`

at each iteration.

Cool, now we know what the values from segment 2 do? But, what does segment 3 now?

The rest of this segment checks the user input against the 20 chars located in `check`

. So, we just need to reproduce `check`

using the `seed`

, `idx`

, and `seed_idx`

values we use.

To make it super simple, I started with just `seed=0`

. I wrote a quick `c`

file to see what the first random number generated would be.

```
#include <stdio.h>
#include <stdlib.h>
int main() {
srand(0);
int d = rand();
printf("%d\n", d);
return 0;
}
```

To continue with the “let’s not try to hard” motto, I set `seed_idx = 0`

so we do not have to generate any more random numbers. We can just use the first one. It doesn’t really matter what `idx`

is set to, but I chose `0`

because it is the easiest index to remember. This solves 2 parts of our input.

First, we have the three values for segment 2, `000`

, making our input `softbank:000:`

. Second, we have the next 20 chars, making our input `softbank:000:11111111111111111111:`

.

### Last but not least

This segment checks the remainder of the user input with `local_ac = 0x646e65`

. A quick hex->ascii tells us this is `dne`

. So, finally, we have that our user input must be

*drumroll*

`softbank:000:11111111111111111111:end`

Using this as input gives us

```
$ ./not_malware
What's your credit card number (for safekeeping) ?
>> softbank:000:11111111111111111111:end
Thanks!
[1]+ Stopped ./not_malware
```

I assume this (along with the `win`

function that is called) means solved the challenge and the flag would be returned if this was run on the challenge server.