Fortunately I've got qemu-ppc-static installed on my ctf-box, so we can actually run the program by the following command:
Kind of appreciate that this is a statically linked binary, because if it were dynamically linked I'd have to spend more time installing the PPC version of libc.
Anyway we can see that the program will ask us to input the flag, and check if the flag is correct or not.
To do the dynamic analysis, I first use qemu-ppc-static -g 10001 ./flame to launch the program and listen for a gdb connection at port 10001, then I use gdb-multiarch to debug the program with target remote localhost:10001. As for the static analysis, I launch the program with IDA Pro.
After doing some reversing, I summarize the program behavior with the following pseudo code:
The most challenging part is the line check[i] = flag[i] ^ (r & 0xfff);, which actually looks like this in the PowerPC assembly:
Took me a while to figure out the whole operation.
So now we know that the flag is a string of 35 characters. The program does some operations on our input and stores the result in the check buffer. It then compares each byte of the check buffer against the secret buffer, and prints the success message if their contents are the same.
We can dump the content of the secret buffer using the debugger.
After that, we can just recover the flag by writing some simple scripts.
test is a C program for generating the random seed
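To show what that recovery script has to do, here is an added example of my own (not the writeup's script and not the challenge's code). It re-implements the check as the writeup describes it, check[i] = flag[i] ^ (r & 0xfff) over 35 bytes, and inverts it by XORing the dumped secret buffer with the same masked random values. The flag, the secret buffer and the random stream are all constructed here: the real secret comes from the gdb dump, and the real r values come from the program's own seeded generator (the seed produced by the test program), so rand_stream is only a stand-in LCG to make the example run offline.

```python
# Added example: model of the checker described in the writeup and its inverse.
# Constructed values only; the real secret buffer and random values must be
# taken from the debugger / the program's own seeded generator.

FLAG_LEN = 35      # flag length stated in the writeup
MASK = 0xFFF       # mask applied to each random value before the XOR

# Constructed demo flag, exactly 35 bytes long (not the real challenge flag).
DEMO_FLAG = b"FLAG{xor_mask_0xfff_demo_35_bytes!}"
assert len(DEMO_FLAG) == FLAG_LEN


def rand_stream(seed, n):
    """Constructed stand-in PRNG (a plain LCG), one value per flag byte.

    Assumption: the real binary draws one random value r per byte from its
    own seeded generator; replace this with the values observed in gdb.
    """
    state = seed & 0xFFFFFFFF
    out = []
    for _ in range(n):
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        out.append((state >> 16) & 0x7FFF)
    return out


def build_check(flag, rs):
    """Mirror of the program's loop: check[i] = flag[i] ^ (r & 0xfff).

    Entries can exceed 0xff because the mask keeps 12 bits of r, so the
    buffer is modelled as a list of ints rather than bytes.
    """
    return [b ^ (r & MASK) for b, r in zip(flag, rs)]


def recover_flag(secret, rs):
    """Invert the check: XOR is its own inverse, so flag[i] = secret[i] ^ (r & 0xfff)."""
    return bytes(s ^ (r & MASK) for s, r in zip(secret, rs))


def verify(flag, secret, rs):
    """Same comparison the binary performs before printing the success message."""
    return build_check(flag, rs) == list(secret)


def demo_roundtrip(seed=1234):
    """Build a secret buffer from the demo flag, then recover the flag from it."""
    rs = rand_stream(seed, FLAG_LEN)
    secret = build_check(DEMO_FLAG, rs)   # stands in for the gdb dump
    return recover_flag(secret, rs)


if __name__ == "__main__":
    rs = rand_stream(1234, FLAG_LEN)
    secret = build_check(DEMO_FLAG, rs)
    print("recovered:", demo_roundtrip().decode())
    print("check passes with right stream:", verify(DEMO_FLAG, secret, rs))
    print("check passes with wrong seed:  ", verify(DEMO_FLAG, secret, rand_stream(4321, FLAG_LEN)))
```

The one thing this makes concrete is that the seed is the whole secret: once the random stream is reproduced (or simply read out of the debugger alongside the secret buffer), the mask and XOR undo themselves byte by byte, and a wrong stream fails the comparison immediately.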