Writeup by xkaynit for Fifty Shades of White (Junior)

intro reverse linux x86/x64

May 4, 2024

Analysis

First, I look at what is in the license text file. Here is its content:

TmFtZTogV2FsdGVyIFdoaXRlIEp1bmlvcgpTZXJpYWw6IDFkMTE3YzVhLTI5N2QtNGNlNi05MTg2LWQ0Yjg0ZmI3ZjIzMApUeXBlOiAxCg==

It appears to be base64-encoded, judging by the two equals signs at the end of the string. Decoding the string gives:

Name: Walter White Junior
Serial: 1d117c5a-297d-4ce6-9186-d4b84fb7f230
Type: 1

Now that I know the content of the license file, the analysis of the fifty-shades-of-white file can start. I open the file in Ghidra and look at the functions defined in it:

undefined8 main(int param_1, undefined8 *param_2)
{
  int ivar1;
  void *local_28;
  void *local_20;
  if (param_1 != 2) {
    printf("Usage: %s <license.txt>\n", *param_2);
                /* WARNING: Subroutine does not return */
    exit(1);
  }
  ivar1 = parse(param_2[1], &local_28);
  if (ivar1 == 0) {
    puts("Invalid license!");
  }
  else {
    check(&local_28);
    free(local_28);
    free(local_20);
  }
  return 0;
}

If I click on the check function, I can display this function and analyse what it does:

void check(undefined8 *param_1)
{
  int ivar1;

  ivar1 = validate(*param_1, param_1[1]);
  if (ivar1 == 0) {
    puts("Invalid license!");
  }
  else if (*(int *) (param_1 + 2) == 1) {
    printf("Valid license for %s!\n", *param_1);
  }
  else if (*(int *) (param_1 + 2) == 0x539) {
    printf("Valid admin license for %s!\n", *param_1);
    show_flag();
  }
  else {
    puts("Invalid license, but nice try! Here: https://www.youtube.com/watch?v=dQw4w9WgXcQ");
  }
  return;
}

In this function, we can see three if branches that depend on the result of the validate function, which takes the license fields as input, and on the license type. Below is an explanation of each branch and the condition to enter it:

  • The first branch checks that a valid license is provided: if validate returns 0, the program prints "Invalid license!".
  • The second branch verifies that the type of the license is equal to 1.
  • The last branch calls the function show_flag if the type is equal to 0x539.

Solution

As we can see, the 0x prefix denotes a hexadecimal number. With a converter, I find that 0x539 is 1337 in decimal. Now I will try changing the Type field in the license file to 1337 and see what happens.

[*] Send empty lines to mark the end of your inputs.
[*] Give me a valid admin license for username: Walter White Junior
----BEGIN WHITE LICENSE----
TmFtZTogV2FsdGVyIFdoaXRlIEp1bmlvcgpTZXJpYWw6IDFkMTE3YzVhLTI5N2QtNGNlNi05MTg2LWQ0Yjg0ZmI3ZjIzMApUeXBlOiAxMzM3Cg==
-----END WHITE LICENSE-----

Valid admin license for Walter White Junior!
Well done! Here is the flag for the Junior challenge:
FCSC{2053bb69dff8cf975c1a3e3b803b05e5cc68933923aabdd6179eace1ece0c41a}

With 1337 as the license type, the program takes the third branch and then displays the flag.
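The reason the edit goes unnoticed, as an added example that is not part of the original writeup or of the challenge binary: check() passes only param_1[0] and param_1[1] to validate(), so the Type field is never covered by the validation. The sketch assumes those two values are the Name and Serial strings; license_tag and its key are hypothetical and show one way to bind every field.

```python
import base64
import hashlib
import hmac

# License blob quoted in the writeup (decodes to Type: 1).
LICENSE_B64 = (
    "TmFtZTogV2FsdGVyIFdoaXRlIEp1bmlvcgpTZXJpYWw6IDFkMTE3YzVhLTI5N2Qt"
    "NGNlNi05MTg2LWQ0Yjg0ZmI3ZjIzMApUeXBlOiAxCg=="
)
ADMIN_TYPE = 0x539  # value compared in check(); 1337 in decimal
FIELDS = ("Name", "Serial", "Type")


def parse_license(blob_b64):
    """Decode the base64 blob and split its 'Key: value' lines."""
    text = base64.b64decode(blob_b64, validate=True).decode("ascii")
    fields = dict(line.split(": ", 1) for line in text.splitlines() if line)
    fields["Type"] = int(fields["Type"])
    return fields


def encode_license(fields):
    """Inverse of parse_license: serialize the fields and base64-encode them."""
    text = "".join(f"{key}: {fields[key]}\n" for key in FIELDS)
    return base64.b64encode(text.encode("ascii")).decode("ascii")


def validate_inputs(fields):
    """What check() hands to validate(): param_1[0] and param_1[1],
    assumed here to be the Name and Serial strings. Type is not included."""
    return fields["Name"], fields["Serial"]


def license_tag(fields, key):
    """Hypothetical hardening: HMAC-SHA256 over all three fields."""
    msg = "\n".join(f"{k}={fields[k]}" for k in FIELDS).encode("ascii")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    original = parse_license(LICENSE_B64)
    edited = dict(original, Type=ADMIN_TYPE)
    print(encode_license(edited))
    # Same Name/Serial reach validate(), so it cannot notice the new Type.
    print(validate_inputs(original) == validate_inputs(edited))
    key = b"constructed-demo-key"  # constructed; a real key stays server-side
    tag = license_tag(original, key)
    for lic in (original, edited):
        print(lic["Type"], hmac.compare_digest(license_tag(lic, key), tag))
```

For a verifier that ships to the client, a public-key signature over the same three fields avoids embedding a secret in the binary.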

FLAG: FCSC{2053bb69dff8cf975c1a3e3b803b05e5cc68933923aabdd6179eace1ece0c41a}