Hi ayaPhysicsIsFun,
Had a look and made a few changes, and it seems to work on my end.
If you want to try it out, here's the changed script: https://hastebin.com/maribezane.makefile
If you have any questions I'll try my best to answer them 👌
>https://hastebin.com/maribezane.makefile
O. M. G.
After comparing I am pretty sure the only thing you changed is putting the nop/\xCC after the shellcode?? and that fixed it??
Oh well.
.
THANK YOU Orz Orz srO srO Orz srO
i should investigate more on this lol
nop slid rip
EDIT: Looks like /u/rya_nc has a link to a snapshot, this post can be ignored
OpenSSL 0.9.8c-1 is what you want and I can't find it.
The closest I could find is this: https://launchpad.net/ubuntu/+source/openssl/0.9.8c-4
And according to the diff you do have the breaking change where MD_Update is commented out:
https://launchpadlibrarian.net/5070683/openssl_0.9.8c-3.diff.gz
--- openssl-0.9.8c.orig/crypto/rand/md_rand.c +++ openssl-0.9.8c/crypto/rand/md_rand.c @@ -271,7 +271,10 @@ else MD_Update(&m,&(state[st_idx]),j);
+/*
+ * Don't add uninitialised data.
MD_Update(&m,buf,j);
+/
MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
MD_Final(&m,local_md);
md_c[1]++;
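Review bot: the call disabled here, `MD_Update(&m,buf,j);`, sits in the mixing loop directly beside `MD_Update(&m,&(state[st_idx]),j);` and, unlike the second hunk, carries no `#ifndef PURIFY` guard and no "purify complains" comment, so nothing in this hunk shows that `buf` is uninitialised at this point. If `buf` is the caller-supplied input being folded into `state`, disabling the call means none of that input reaches the pool at all, which is a far larger change than the comment "Don't add uninitialised data." suggests; the justification should name the specific caller that passes uninitialised memory before this is merged. Separately, disabling code with an unterminated `/*` is fragile (any `*/` inside the disabled region ends the comment early and re-enables what follows); use `#if 0` / `#endif` or delete the line outright.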
@@ -465,8 +468,10 @@
MD_Update(&m,local_md,MD_DIGEST_LENGTH);
MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
#ifndef PURIFY
+#if 0 / Don't add uninitialised data. /
MD_Update(&m,buf,j); / purify complains */
#endif
+#endif
k=(st_idx+MD_DIGEST_LENGTH/2)-st_num;
if (k > 0)
{
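Review bot: the new `#if 0` is nested inside the existing `#ifndef PURIFY`, leaving two nested conditionals and two `#endif`s around one line. If the intent is to drop `MD_Update(&m,buf,j); /* purify complains */` for every build, deleting the three original lines (`#ifndef PURIFY`, the call, `#endif`) is clearer than keeping a dead guard; if the intent is only to quiet Purify, the existing guard already does that and no change is needed. Either way the description should state that this is now a behavioural change for non-PURIFY builds too, not just a tool-warning fix.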
However, when I pulled down the source it did not match, as the comments were not there. However, this version should be sufficiently close for you to manually re-add the comment and reintroduce the issue.
Good luck looking.
While I can’t point you to exact tools, take a look at Homebrew. It is a package manager for Mac (think like apt and rpm on Linux) that should allow you to easily install tools available on Linux.
For work and for CTFs, I typically spin up throwaway instances on Digital Ocean or use one of the ones I already have. Pretty easy to spin one up on the fly for a netcat listener.
Alternatively, you could use something like https://ngrok.com/product in their TCP mode to expose your locally scoped network services to the Internet temporarily.
I poked on it for you.
You need to look at the decompiled ELF, after that it should be pretty easily discovered. I used Ghidra to load the passcode ELF. Jump into the 'main' function, and pay attention to the fgets variable, and what follows, as well as the specific 'if' check.
Have fun :)
$ ./passcode
Please enter your passcode: <numbers go here>
[ACCESS GRANTED]