Sebastian's Blog

software developer. security enthusiast.

HACKVent 2019

HV19.16 B0rked Calculator

Sebastian
Challenge Description

After poking around with ghidra I found the part which checks the input and calls the responsible math function (which are all nop). I used ghidras rename feature to rename these functions. Searching for references to this functions shows, that there are also called in another part of the program. The part calculates some string and then displays it on the window.

        0040151d 68 70 a0        PUSH       0x1762a070
                 62 17
        00401522 68 d8 b5        PUSH       0x21ceb5d8
                 ce 21
        00401527 e8 8a 00        CALL       add                                              undefined4 add(undefined param_1
                 00 00
        0040152c a3 a0 20        MOV        [DAT_004020a0],param_1
                 40 00
        00401531 68 98 76        PUSH       0x38b57698
                 b5 38
        00401536 68 13 b9        PUSH       0xaae5b913
                 e5 aa
        0040153b e8 84 00        CALL       sub                                              undefined sub(undefined param_1,
                 00 00
        00401540 a3 a4 20        MOV        [DAT_004020a4],param_1
                 40 00
        00401545 6a 02           PUSH       0x2
        00401547 68 d6 ca        PUSH       0xbec8cad6
                 c8 be
        0040154c e8 93 00        CALL       div                                              undefined div(void)
                 00 00
        00401551 a3 a8 20        MOV        [DAT_004020a8],param_1
                 40 00
        00401556 6a 02           PUSH       0x2
        00401558 68 23 b6        PUSH       0x33b0b623
                 b0 33
        0040155d e8 72 00        CALL       mul                                              undefined mul(void)
                 00 00
        00401562 a3 ac 20        MOV        [DAT_004020ac],param_1
                 40 00
        00401567 68 1a 76        PUSH       0x53bd761a
                 bd 53
        0040156c 68 45 cd        PUSH       0x18a3cd45
                 a3 18
        00401571 e8 40 00        CALL       add                                              undefined4 add(undefined param_1
                 00 00
        00401576 a3 b0 20        MOV        [DAT_004020b0],param_1
                 40 00
        0040157b 68 f4 20        PUSH       0x46c920f4
                 c9 46
        00401580 68 57 96        PUSH       0xa8359657
                 35 a8
        00401585 e8 3a 00        CALL       sub                                              undefined sub(undefined param_1,
                 00 00
        0040158a a3 b4 20        MOV        [DAT_004020b4],param_1
                 40 00
        0040158f 6a 04           PUSH       0x4
        00401591 68 1d 8c        PUSH       0x1f5c8c1d
                 5c 1f
        00401596 e8 39 00        CALL       mul                                              undefined mul(void)
                 00 00
        0040159b a3 b8 20        MOV        [DAT_004020b8],param_1
                 40 00
        004015a0 68 a0 20        PUSH       DAT_004020a0
                 40 00
        004015a5 68 e8 03        PUSH       0x3e8
                 00 00
        004015aa ff 75 08        PUSH       dword ptr [EBP + param_4]
        004015ad e8 42 01        CALL       SetDlgItemTextA                                  BOOL SetDlgItemTextA(HWND hDlg, 
                 00 00
        004015b2 c9              LEAVE
        004015b3 c2 04 00        RET        0x4

I wrote a small python script which does the removed operations.

def add(x,y):
	return y + x
def sub(x,y):
	return y - x
def mul(x,y):
	return y * x
def div (x,y):
	return int(y / x)
def out(x):
	x = str(hex(x))
	x = x[2:]
	a, b, c, d = int(x[:2], 16), int(x[2:4], 16), int(x[4:6], 16), int(x[6:8], 16)
	print(chr(d) + chr(c) + chr(b) + chr(a), end='')

_DAT_004020a0 = add(0x1762a070, 0x21ceb5d8)
out(_DAT_004020a0)
_DAT_004020a4 = sub(0x38b57698,0xaae5b913)
out(_DAT_004020a4)
_DAT_004020a8 = div(0x2, 0xbec8cad6)
out(_DAT_004020a8)
_DAT_004020ac = mul(0x2,0x33b0b623)
out(_DAT_004020ac)
_DAT_004020b0 = add(0x53bd761a,0x18a3cd45)
out(_DAT_004020b0)
_DAT_004020b4 = sub(0x46c920f4,0xa8359657)
out(_DAT_004020b4)
_DAT_004020b8 = mul(0x4, 0x1f5c8c1d)
out(_DAT_004020b8)

This returns the flag which is HV19{B0rked_Flag_Calculat0r}.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top