SECT 2018 EzDOS Reversing Challenge
Solution for Ez(Easy) DOS RE challenge

This challenge was fairly easy and was one of the first ones to be solved, along with my teammate, 4rbit3r!

We were given the file and, as the name suggests, it was a DOS file. Firing it up in IDA gives you a fair idea of what actually happens and also helps you see that a key is being taken as the input, which is 13 in length.

Moving further ahead, we can see that there is a comparison being done, along with the characters shown below:

In the beginning, I was trying to run the file using the DOS emulator, which did not work, and running the strings command gave me a few strings which were later important. There was a string being moved, as you can see here, which was nothing else but 1337SHELL, which was a guess as that was the only string which was not being used anywhere else. You can use r2 or gdb to print out what was there at that address, 26Bh.

The rest was pretty straightforward, as the string 1337 stayed there and the rest of our input was being XORed with SHEL and compared with the strings shown below.

More like:

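if inp[4] != '-':
    raise SystemExit  # wrong key
if ord(inp[5]) ^ ord(buf[4]) != ord('f'):  # buf is "1337SHELL", so buf[4] is 'S'
    raise SystemExit  # wrong key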

In order to get the

We can get the resulting four characters after the -:

In [1]: chr(ord('S')^ord('f'))
Out[1]: '5'

In [2]: chr(ord('H')^ord('y'))
Out[2]: '1'

In [3]: chr(ord('E')^ord('t'))
Out[3]: '1'

In [4]: chr(ord('L')^ord('y'))
Out[4]: '5'

Now we have the four characters after the -, which are 5115. We can see a flag file being opened, and hence we send the final string to the server where it is hosted.

NOTE: String comparison is only done against the first 9 characters.

The final string is 1337-5115 :)
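
The four XORs above, collapsed into one script together with a forward model of the check as this writeup describes it. This is an added example, not code from the challenge binary or the original post; the function names are hypothetical, and the layout (first four characters matched directly against 1337, then -, then four XORed characters) is an assumption taken from the description above.

```python
# Added example: model of the key check as described in this writeup.
STATIC = b"1337SHELL"   # string the writeup found at 26Bh
TARGET = b"fyty"        # characters the XORed input is compared against
CHECKED_LEN = 9         # only the first 9 characters are compared


def recover_key() -> str:
    """Invert the check: XOR is its own inverse, so key = mask ^ target."""
    prefix = STATIC[:4]   # "1337" is left untouched
    mask = STATIC[4:8]    # "SHEL"
    tail = bytes(m ^ t for m, t in zip(mask, TARGET))
    return (prefix + b"-" + tail).decode("ascii")


def check(key: str) -> bool:
    """Forward model of the comparison (assumed layout, see lead-in)."""
    inp = key.encode("ascii", errors="replace")
    if len(inp) < CHECKED_LEN:
        return False
    if inp[:4] != STATIC[:4] or inp[4:5] != b"-":
        return False
    return all((inp[5 + i] ^ STATIC[4 + i]) == TARGET[i] for i in range(4))


if __name__ == "__main__":
    key = recover_key()
    print(key, check(key))
    # Anything past the ninth character is ignored by the comparison.
    print(check(key + "AAAA"))
```
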

Any questions? Reach out to us on Twitter.

Written by Gokul Krishna on 14 September 2018