Interesting challenge. First we connect to the service, and it sends us the following message:
So it seems the service gives us the registers' initial values and a sequence of machine code. Apparently, they want us to execute the machine code and send back all the register values after execution.
After some thinking and researching, I decided to solve the challenge with the following method:
First, get all the registers' initial values and construct machine code that starts with a mov [reg], [val] for each register. Then receive the machine code from the server and append it to the code we already have. The final machine code will look like this:
Now all we have to do is execute the machine code and read all the registers' values. To do that, I prepared a C program:
"machine" will be replaced by the machine code I have (using the sed command). Once the C file is built, we can compile it with the gcc -g -z execstack -o real real.c command.
Now we just need to execute the compiled binary. I decided to run it under gdb, since that makes it easier to read the register values. So the problem becomes: how do we get gdb's output from Python? Fortunately, with the help of the internet, I found this link, which was very useful for solving the challenge. All I need to do is start gdb with Popen, send it three commands (b 8, r and i r), then parse the result and send the answer to the server.
Here's the final script:
Notice the line context.endian = 'big'. At first I used little endian to solve the challenge, which gave me "Invalid solution" every time I sent the answer. Just before I was about to give up, teammate bletchley suggested changing the endianness to big endian. And guess what? The flag appeared on the screen right after I changed the word "little" into "big"! What an ending!
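The two pieces of the method above (the mov prefix built from the initial values, and parsing gdb's i r output before packing the answer in the byte order the checker wants) as an added Python example; this is not the original script. It assumes 32-bit x86 registers, which the write-up does not state, and the gdb output it parses is a constructed sample so it runs offline.

```python
import struct

# Assumption (the write-up does not name the architecture): 32-bit x86.
X86_32_REGS = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3,
               "esp": 4, "ebp": 5, "esi": 6, "edi": 7}

# Constructed sample of gdb's `i r` output at the breakpoint (offline stand-in).
SAMPLE_GDB_OUTPUT = """\
eax            0x2a                42
ecx            0x0                 0
edx            0xdeadbeef          -559038737
ebx            0x1                 1
esp            0xffffd000          0xffffd000
ebp            0xffffd028          0xffffd028
esi            0x0                 0
edi            0x0                 0
eip            0x8048123           0x8048123 <main+22>
eflags         0x246               [ PF ZF IF ]
"""

def mov_prefix(initial):
    """Encode `mov r32, imm32` (0xB8 + register index, then a 4-byte immediate)
    for every register the server gave a start value. Immediates inside the
    instruction are little-endian on x86 regardless of how the answer is sent."""
    code = b""
    for reg, val in initial.items():
        code += bytes([0xB8 + X86_32_REGS[reg]]) + struct.pack("<I", val & 0xFFFFFFFF)
    return code

def build_program(initial, server_code):
    """Register set-up first, then the machine code received from the server."""
    return mov_prefix(initial) + server_code

def parse_info_registers(text):
    """Pull the general-purpose register values out of `i r` output (hex column)."""
    values = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in X86_32_REGS:
            values[parts[0]] = int(parts[1], 16)
    return values

def pack_answer(values, endian="big"):
    """Serialise final values in register order; the checker wanted big-endian."""
    fmt = (">" if endian == "big" else "<") + "I"
    return b"".join(struct.pack(fmt, values[r] & 0xFFFFFFFF) for r in X86_32_REGS)
```

Swapping the endian argument between "little" and "big" reproduces the exact change that turned "Invalid solution" into the flag.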
Flag: Cats with frickin lazer beamz on top of their heads!