This writeup describes the solution for the easy-math challenge in Hackover CTF 2015 held by Chaos Computer Club Hamburg.
The task describes some basic arithmetics to warm up:
This file was published: easy-math.tar.gz. It is a 32bit ELF executable. Running the file shows this output:
ruport@zentaur:~/hackover2015$ ./easy_math Warmup: sh0w m3 h0w 1337 y0u 4r3> rup0rt
It reads some data and does stuff with it. I gonna try GDB to have a detailed look in the operations.
So lets set a breakpoint after the read() functions and single step (si).
(gdb) b *0x0804855d Breakpoint 1 at 0x804855d (gdb) display /i $eip (gdb) run Starting program: /home/ruport/hackover2015/easy_math Warmup: sh0w m3 h0w 1337 y0u 4r3> AAAABBBBCCCC (gdb) CC Undefined command: "CC". Try "help". 1: x/i $eip => 0x804855d <main+153>: add esp,0x10
We already recognize that the binary only takes 10 bytes of input because, 2 bytes of our input (CC) is already passed back to GDB. Then the program does some compares. One of them is very interesting because it checks our input data: