HITB2018AMS Badge Challenge Write-Up

1. --------------------------------------------------------------------
2. HITBSecConf Amsterdam 2018 Badge Challenge by Qihoo 360 Unicorn Team
3. --------------------------------------------------------------------
4. Write-up by: Nikias Bassen (@pimskeks)
5. April 17, 2018
6. --------------------------------------------------------------------
7.  
8. As a past speaker of HITB I was lucky to get hold of the cool badge that
9. the Unicorn Team provided for the speakers and attendees at the HackInTheBox
10. Amsterdam 2018 event last week:
11.  
12. https://conference.hitb.org/hitbsecconf2018ams/commsec-village/#badge
13.  
14. As announced on Twitter and mentioned on the above page the badge has a hidden
15. challenge which made me curious and which actually was the reason why I wanted
16. the badge in the first place. However I was told (not by the Unicorn Team!)
17. that I _might_ have to solder wires to the breakout pins and connect it via
18. USB or serial to get a link or something that would give me a clue how to
19. solve the challenge.
20.  
21. At the speakers reception I was finally checking out the badge and found a
22. "Secret Menu" entry that is asking for a code. Using the Up, Down, Left,
23. Right, OK, and ESC buttons on the badge it would allow to enter the characters
24. 'U', 'D', 'L', 'R', 'O', and 'C'. After six characters I was greeted with
25. "ACCESS DENIED!!! :(". A quick calculation shows that this would be a total of
26. 6^6 = 46656 combinations, way to much to try them all ;)
27. I didn't have soldering equipment with me so I wasn't really thinking I could
28. solve the challenge easily.
29.  
30. However since I wasn't following @sgniwx (how could I NOT follow him actually?)
31. I only realized later that night that they published the source code + binary
32. on GitHub earlier that day:
33.  
34. ---------------------------------------------------------------------------
35. Source code, binary and the schematic for #HITB2018AMS badge is available
36. now. Follow @sgniwx @WhiteA10n3 @klks84 and look for us in the conference.
37. Hint: crackme challenge is deep in the link.
38. https://github.com/klks/hitb2018ams_badge
39. ---------------------------------------------------------------------------
40. (https://twitter.com/sgniwx/status/984106705037471744)
41.  
42. So it looked like that I wouldn't have to solder after all (which I totally
43. wouldn't mind doing - given the right equipment)!
44.  
45. Anyway, I checked the source code and I found this:
46. https://github.com/klks/hitb2018ams_badge/blob/master/src/hitb_secret.h#L58
47. Which compares the input to "OOOOOO". Of course I knew this wouldn't be the
48. code since that would be too easy, also the next line saying
49. 'display_qrcode("/*REDACTED*/");'
50. was pretty obvious this is not exactly the same code that runs the badge.
51.  
52. But wait, they released the BINARY too which can be found here:
53. https://github.com/klks/hitb2018ams_badge/blob/master/hex/HITB.ino.bin
54. When searching for "ACCESS DENIED" I found a string "LRDROC" just a few bytes
55. before, at offset 0xC5FB, which immediately looked like that this would be
56. the code, and also a short link is right behind it: goo.gl/PhVrhv
57. (offset 0xC606). I tried the code on the badge and instead of
58. "ACCESS DENIED!!! :(" it displayed a QR code which just represents the short
59. link (yes, I checked it with my iPhone camera).
60.  
61. Following the short link you will be redirected to:
62. http://hardware.reverser.io/hitb2018ams/challange/
63. Which has some really clear instructions:
64.  
65. ------------
66. [binary](http://hardware.reverser.io/hitb2018ams/challange/secretbox)
67.  
68. 1. Download and reverse "secretbox" binary
69. 2. ssh [email protected]
70. 3. password = secretbox
71. 4. Look for "xwings" and show me your PoW.
72.  
73. - Binary by l4w @ vnsec
74. - xwings @ HITB Core Crew / Unicorn Core Team / vnsec
75.  
76. ------------
77.  
78. So I downloaded the binary and opened it in IDA Pro. It is a 32-bit Linux binary.
79. First I was a bit confused about all the 'extra' code but then quickly realized
80. it was because of the use of ncurses library.
81. Running it will display a "Token" which is random, and a keypad that you can
82. navigate with the arrow keys and select with the space key:
83.  
84. SAFEBOX KEYPAD
85. Token: EA7D
86. ┌───────────────────┐
87. │ │
88. │ │
89. │ [0] [1] [2] [3] │
90. │ [4] [5] [6] [7] │
91. │ [8] [9] [A] [B] │
92. │ [C] [D] [E] [F] │
93. │ │
94. │ │
95. └───────────────────┘
96.  
97. After entering 6 digits it will 'FAILED :(' if the code wasn't right. If you
98. try 3 times and still didn't guess the code it will print 'self desctruct'
99. all over the screen. Just connect to the server and see what happens.
100.  
101. So, obviously the code depends on the random token.
102.  
103. Looking at the main function, first thing it does is chdir to
104. /home/secretbox.
105. This will be used later. Right after that, there is a call to a sub function:
106.  
107. .text:080490EF call sub_8049000
108.  
109. This function opens /dev/urandom, reads 2 bytes from it, and snprintf()s that
110. to a global buffer with format %04X. I renamed the function to
111. 'get_random_token' and the buffer to TOKEN_BUF.
112.  
113. Back in main, the ncurses screen is initialized using initscr, start_color,
114. init_pair, newwin, etc. You can also see the code that is writing the token
115. onto the screen, using the global TOKEN_BUF I mentioned above:
116.  
117. .text:080492DA mov ecx, 1
118. .text:080492DF mov edx, 5
119. .text:080492E4 lea esi, aTokenS ; "Token: %s"
120. .text:080492EA lea edi, TOKEN_BUF
121. .text:080492F0 mov dword ptr [esp], 1 ; int
122. .text:080492F7 mov dword ptr [esp+4], 5 ; int
123. .text:080492FF mov [esp+8], esi ; char *
124. .text:08049303 mov [esp+0Ch], edi
125. .text:08049307 mov [ebp+var_B0], eax
126. .text:0804930D mov [ebp+var_B4], ecx
127. .text:08049313 mov [ebp+var_B8], edx
128. .text:08049319 call _mvprintw
129.  
130. Looking further, there is another call to an unknown sub function:
131.  
132. .text:080493A0 call sub_8049B50
133.  
134. It does some ncurses stuff that draws a border, prints a string with 6 chars
135. (using mvwprintw with format %06s) from another global buffer, and then it
136. loops 4 times, sequentially reading 4 chars from a global wide char string
137. (0123456789ABCDEF) and printing it with format [%s] to different positions
138. for all the 16 characters. This is the keypad drawing function obviously.
139. I renamed it to draw_keypad. This function has one interesting piece here,
140. since it has a buffer that is used to print whatever we entered so far onto
141. the screen. This function is also redrawing the keypad because it highlights
142. whatever 'key' we have selected and thus it needs to redraw every time we
143. move the cursor. That global buffer, I named it ENTERED_WCHAR_BUF. I named
144. the other global wide char string 'keypad_wchars'.
145. Going from there I checked the XREFs to see where the code writes to the
146. buffer, and found this:
147.  
148. .text:08049623 mov eax, [ebp+var_14]
149. .text:08049626 mov [ebp+var_18], eax
150. .text:08049629 mov eax, [ebp+var_18]
151. .text:0804962C mov eax, dword_804C0D0[eax*4]
152. .text:08049633 mov cl, [eax]
153. .text:08049635 mov eax, [ebp+var_20]
154. .text:08049638 mov ds:dword_804C130[eax], cl
155. .text:0804963F mov eax, [ebp+var_18]
156. .text:08049642 mov eax, keypad_wchars[eax*4]
157. .text:08049649 mov cl, [eax]
158. .text:0804964B mov eax, [ebp+var_20]
159. .text:0804964E mov ds:ENTERED_WCHAR_BUF[eax], cl
160.  
161. Now what are those ebp+var_14 and ebp+var_20 ? If you browse through the code
162. you easily figure out that ebp+var_20 is initially 0 and increases with every
163. character that is selected through the keypad. It is the offset in the buffer.
164. For ebp+var_14 it is the index of the keypad number selected (0..15).
165. Now it reads something from address dword_804C0D0 + keypad_index * 4, so what
166. is dword_804C0D0? If you check out its location you realize it is has some
167. byte_* addresses there, each one of them pointing to the bytes (not chars!)
168. 0, 1, 2, through 0xF. Let's rename it to 'array_00_0F'. Now it reads a byte
169. from that array and stores that into another global buffer dword_804C130, that
170. we rename to ENTERED_BUF, because that's what gets entered effectively.
171. As for ENTERED_WCHAR_BUF, it uses the same keypad index ebp+var_14
172. (and ebp+var_18) to get the wide char from the 'keypad_wchars' we already
173. figured out in the draw_keypad function.
174. So, we have one buffer that stores the byte values selected through the keypad
175. (ENTERED_BUF) and one buffer that stores the printable chars 0-9A-F
176. (ENTERED_WCHAR_BUF).
177.  
178. If you check the code right after the previous snippet, we see this:
179.  
180. .text:08049655 mov eax, [ebp+var_20]
181. .text:08049658 add eax, 1
182. .text:0804965B mov [ebp+var_20], eax
183. .text:0804965E cmp [ebp+var_20], 6
184. .text:08049662 jnz loc_80498B7
185. .text:08049668 lea eax, ENTERED_BUF
186. .text:0804966E lea ecx, TOKEN_BUF
187. .text:08049674 mov [esp], eax ; int
188. .text:08049677 mov [esp+4], ecx ; nptr
189. .text:0804967B call sub_8048E80
190. .text:08049680 cmp eax, 0
191. .text:08049683 jz loc_80497FC
192.  
193. After checking if the buffer index has reached 6 a sub function is called with
194. the token buffer (TOKEN_BUF) and the buffer with the selected values
195. (ENTERED_BUF). This pretty much looks like the verification function! So let's
196. have a look inside:
197.  
198. .text:08048E89 mov eax, [ebp+token]
199. .text:08048E8C mov ecx, [ebp+entered]
200. .text:08048E8F xor edx, edx
201. .text:08048E91 mov esi, 10h
202. .text:08048E96 mov edi, [ebp+token]
203. .text:08048E99 mov [esp], edi ; nptr
204. .text:08048E9C mov dword ptr [esp+4], 0 ; endptr
205. .text:08048EA4 mov dword ptr [esp+8], 10h ; base
206. .text:08048EAC mov [ebp+var_20], eax
207. .text:08048EAF mov [ebp+var_24], ecx
208. .text:08048EB2 mov [ebp+var_28], edx
209. .text:08048EB5 mov [ebp+var_2C], esi
210. .text:08048EB8 call _strtoul
211. .text:08048EBD mov [ebp+var_10], eax
212. .text:08048EC0 imul eax, [ebp+var_10], 1337h
213. .text:08048EC7 mov [esp], eax ; seed
214. .text:08048ECA call _srand
215.  
216. First thing it does is getting the numerical value of the TOKEN_BUF string
217. that is initialized as explained above using strtoul(). Then it multiplies
218. that value with 0x1337 and calls srand() to initialize the pseudo-random
219. number generator.
220. Following is what must be the verification of every single digit entered.
221. It looks like this:
222.  
223. .text:08048ECF mov ecx, [ebp+entered]
224. .text:08048ED2 movsx ecx, byte ptr [ecx]
225. .text:08048ED5 mov [esp], ecx
226. .text:08048ED8 mov [ebp+var_30], eax
227. .text:08048EDB call sub_8048AE0
228. .text:08048EE0 mov bx, ax
229. .text:08048EE3 mov [ebp+var_12], bx
230. .text:08048EE7 mov eax, [ebp+entered]
231. .text:08048EEA movsx eax, byte ptr [eax+1]
232. .text:08048EEE mov [esp], eax
233. .text:08048EF1 call sub_8048B30
234. .text:08048EF6 mov bx, ax
235. .text:08048EF9 mov [ebp+var_14], bx
236. .text:08048EFD mov eax, [ebp+entered]
237. .text:08048F00 movsx eax, byte ptr [eax+2]
238. .text:08048F04 mov [esp], eax
239. .text:08048F07 call sub_8048B80
240. .text:08048F0C mov bx, ax
241. .text:08048F0F mov [ebp+var_16], bx
242. .text:08048F13 mov eax, [ebp+entered]
243. .text:08048F16 movsx eax, byte ptr [eax+3]
244. .text:08048F1A mov [esp], eax
245. .text:08048F1D call sub_8048BE0
246. .text:08048F22 mov bx, ax
247. .text:08048F25 mov [ebp+var_18], bx
248. .text:08048F29 mov eax, [ebp+entered]
249. .text:08048F2C movsx eax, byte ptr [eax+4]
250. .text:08048F30 mov [esp], eax
251. .text:08048F33 call sub_8048C40
252. .text:08048F38 mov bx, ax
253. .text:08048F3B mov [ebp+var_1A], bx
254. .text:08048F3F mov eax, [ebp+entered]
255. .text:08048F42 movsx eax, byte ptr [eax+5]
256. .text:08048F46 mov [esp], eax
257. .text:08048F49 call sub_8048CE0
258. .text:08048F4E mov ecx, 0Ah
259. .text:08048F53 mov edx, 1Eh
260. .text:08048F58 lea esi, aUUUUUU ; "%u %u %u %u %u %u"
261. .text:08048F5E mov bx, ax
262. .text:08048F61 mov [ebp+var_1C], bx
263.  
264. The pattern is pretty clear: Take a byte value from ENTERED_BUF and pass it
265. to the distinctive sub function. The result is then stored in a corresponding
266. local variable (var_12, var_14, var_16, var_18, var_1A, and var_1C).
267. You can see this happening for each of the 6 digits entered. Let's rename the
268. sub functions to calc_char_0 .. calc_char_5 so it looks like this:
269.  
270. .text:08048ECF mov ecx, [ebp+entered]
271. .text:08048ED2 movsx ecx, byte ptr [ecx]
272. .text:08048ED5 mov [esp], ecx
273. .text:08048ED8 mov [ebp+var_30], eax
274. .text:08048EDB call calc_char_0
275. .text:08048EE0 mov bx, ax
276. .text:08048EE3 mov [ebp+var_12], bx
277. .text:08048EE7 mov eax, [ebp+entered]
278. .text:08048EEA movsx eax, byte ptr [eax+1]
279. .text:08048EEE mov [esp], eax
280. .text:08048EF1 call calc_char_1
281. .text:08048EF6 mov bx, ax
282. .text:08048EF9 mov [ebp+var_14], bx
283. .text:08048EFD mov eax, [ebp+entered]
284. .text:08048F00 movsx eax, byte ptr [eax+2]
285. .text:08048F04 mov [esp], eax
286. .text:08048F07 call calc_char_2
287. .text:08048F0C mov bx, ax
288. .text:08048F0F mov [ebp+var_16], bx
289. .text:08048F13 mov eax, [ebp+entered]
290. .text:08048F16 movsx eax, byte ptr [eax+3]
291. .text:08048F1A mov [esp], eax
292. .text:08048F1D call calc_char_3
293. .text:08048F22 mov bx, ax
294. .text:08048F25 mov [ebp+var_18], bx
295. .text:08048F29 mov eax, [ebp+entered]
296. .text:08048F2C movsx eax, byte ptr [eax+4]
297. .text:08048F30 mov [esp], eax
298. .text:08048F33 call calc_char_4
299. .text:08048F38 mov bx, ax
300. .text:08048F3B mov [ebp+var_1A], bx
301. .text:08048F3F mov eax, [ebp+entered]
302. .text:08048F42 movsx eax, byte ptr [eax+5]
303. .text:08048F46 mov [esp], eax
304. .text:08048F49 call calc_char_5
305. .text:08048F4E mov ecx, 0Ah
306. .text:08048F53 mov edx, 1Eh
307. .text:08048F58 lea esi, aUUUUUU ; "%u %u %u %u %u %u"
308. .text:08048F5E mov bx, ax
309. .text:08048F61 mov [ebp+var_1C], bx
310.  
311. Also you can see "%u %u %u %u %u %u" format string and if you continue looking
312. you will find out that it will print the result of every function on the
313. screen with mvprintw.
314.  
315. After that it will verify the result for every digit, and logically AND the
316. resulting values here:
317.  
318. .text:08048FC5 movzx ecx, [ebp+var_12]
319. .text:08048FC9 movzx edx, [ebp+var_14]
320. .text:08048FCD and ecx, edx
321. .text:08048FCF movzx edx, [ebp+var_16]
322. .text:08048FD3 and ecx, edx
323. .text:08048FD5 movzx edx, [ebp+var_18]
324. .text:08048FD9 and ecx, edx
325. .text:08048FDB movzx edx, [ebp+var_1A]
326. .text:08048FDF and ecx, edx
327. .text:08048FE1 movzx edx, [ebp+var_1C]
328. .text:08048FE5 and ecx, edx
329. .text:08048FE7 mov [ebp+var_48], eax
330. .text:08048FEA mov eax, ecx
331.  
332. So only if all of the sub functions returns TRUE this function (verify_code)
333. will return TRUE, otherwise FALSE.
334.  
335. Now let's find out how the code is calculated.
336.  
337. Looking into first function it looks really simple. It calls rand() and does
338. modulo 16 with the result, giving a number 0..15. That result is stored in a
339. global variable, let's call it char_0_res. It is then compared to the value
340. that was entered by the user.
341. So calc_char_0 returns TRUE or FALSE, based on the input.
342.  
343. In pseudo code it looks like this:
344.  
345. BOOL calc_char_0(char a1)
346. {
347. char_0_res = rand() % 16;
348. return a1 == char_0_res;
349. }
350.  
351. calc_char_1 is doing a little more. It also calls rand() and does modulo 16,
352. and stores the result in another global that we call char_1_res. Now the
353. result for the FIRST digit is multiplied by 8 and then modulo'ed with the
354. char_1_res, finally comparing it to the input:
355.  
356. BOOL calc_char_1(char a1)
357. {
358. char_1_res = rand() % 16;
359. return (8 * char_0_res % char_1_res) == a1;
360. }
361.  
362. Next up is calc_char_2. After calculating the rand() modulo 16 again and
363. storing it in another global char_2_res, it will add up that value with the
364. result of the first and second value, and ANDs it with 15, then compares it
365. with the input:
366.  
367. BOOL calc_char_2(char a1)
368. {
369. char_2_res = rand() % 16;
370. return ((char_2_res + char_1_res + char_0_res) & 0xF) == a1;
371. }
372.  
373. Now we have calc_char_3. This one is a little different. It will again do the
374. usual rand() % 16 and store it it char_3_res.
375. But then it subtracts the result of the 3rd digit (char_2_res) from the result
376. of the 1st digit (char_0_res) and adds the result of ANOTHER call to rand() to
377. it. Then it ANDs it with 15 and compares it with the input value:
378.  
379. BOOL calc_char_3(char a1)
380. {
381. char v1;
382.  
383. char_3_res = rand() % 16;
384. v1 = char_0_res - char_2_res;
385. return ((rand() + v1) & 0xF) == a1;
386. }
387.  
388. Then we have calc_char_4. This one again is different. We have the usual
389. char_4_res = rand() % 16. Then it will do a loop with char_4_res iterations,
390. and in very iteration it calls rand() (so minimum of 0, maximum of 15
391. iterations). After the loop it will do rand() % 4 giving a result that is then
392. used in another calculation with yet another rand(). Just look at the
393. pseudo-code, which will be easier to understand than words. Of course the
394. final result is compared to the input value:
395.  
396. BOOL calc_char_4(char a1)
397. {
398. int v1;
399. unsigned int i;
400.  
401. char_4_res = rand() % 16;
402. for ( i = 0; i < char_4_res; ++i )
403. rand();
404. v1 = rand() % 4;
405. return (rand() % 5 * v1 % 16) == a1;
406. }
407.  
408. Finally calc_char_5. This function is first doing the usual
409. char_5_res = rand() % 16, and also, like calc_char_4, doing a loop with rand()
410. calls based on that result as the number of iterations. After that, it does a
411. calculation with all the previous results (calc_0_res through calc_5_res) and
412. comparing it with the value passed as argument.
413. Again, easier to just understand the pseudo-code:
414.  
415. BOOL calc_char_5(char a1)
416. {
417. unsigned int v1;
418. unsigned int i;
419.  
420. char_5_res = rand() % 16;
421. for ( i = 0; i < char_5_res; ++i )
422. rand();
423. v1 = char_3_res * ((char_0_res << char_1_res) / (unsigned int)char_2_res);
424. return (((unsigned char)(rand() % 5) * (uint8_t)v1 - char_4_res % 7 / (char_5_res & 0xF)) & 0xF) == a1;
425. }
426.  
427. So now that we know how it verifies the code, we can easily write a keygen
428. for it. Basically we just take all the 6 functions and remove the comparison
429. with the input value. It will leave us with these 6 functions:
430.  
431. uint8_t char_0_res = 0;
432. uint8_t char_1_res = 0;
433. uint8_t char_2_res = 0;
434. uint8_t char_3_res = 0;
435. uint8_t char_4_res = 0;
436. uint8_t char_5_res = 0;
437.  
438. static uint8_t calc_char_0()
439. {
440. char_0_res = rand() % 16;
441. return char_0_res;
442. }
443.  
444. static uint8_t calc_char_1()
445. {
446. char_1_res = rand() % 16;
447. return 8 * char_0_res % char_1_res;
448. }
449.  
450. static uint8_t calc_char_2()
451. {
452. char_2_res = rand() % 16;
453. return (char_2_res + char_1_res + char_0_res) & 0xF;
454. }
455.  
456. static uint8_t calc_char_3()
457. {
458. char v1;
459. char_3_res = rand() % 16;
460. v1 = char_0_res - char_2_res;
461. return ((unsigned char)rand() + v1) & 0xF;
462. }
463.  
464. static uint8_t calc_char_4()
465. {
466. unsigned int v1;
467. unsigned int i;
468.  
469. char_4_res = rand() % 16;
470. for (i = 0; i < char_4_res; ++i)
471. rand();
472. v1 = rand() % 4;
473. return rand() % 5 * v1 % 16;
474. }
475.  
476. static uint8_t calc_char_5()
477. {
478. unsigned int v1;
479. unsigned int i;
480.  
481. char_5_res = rand() % 16;
482. for (i = 0; i < char_5_res; ++i)
483. rand();
484. v1 = char_3_res * ((char_0_res << char_1_res) / (unsigned int)char_2_res);
485. return ((unsigned char)(rand() % 5) * (uint8_t)v1 - char_4_res % 7 / (char_5_res & 0xF)) & 0xF;
486. }
487.  
488.  
489. Now, the only thing we have to do is allowing to input a token value so we
490. can initialize the pseudo random number generator.
491. I ended up with this main function:
492.  
493.  
494. int main(int argc, char **argv)
495. {
496. if (argc < 2) {
497. char *prog = strrchr(argv[0], '/');
498. printf("Usage: %s TOKEN\n", (prog) ? prog+1 : argv[0]);
499. return -1;
500. }
501.  
502. uint32_t token = strtoul(argv[1], NULL, 16);
503.  
504. printf("TOKEN IS 0x%x\n", token);
505.  
506. srand(token * 0x1337);
507.  
508. uint8_t c0 = calc_char_0();
509. uint8_t c1 = calc_char_1();
510. uint8_t c2 = calc_char_2();
511. uint8_t c3 = calc_char_3();
512. uint8_t c4 = calc_char_4();
513. uint8_t c5 = calc_char_5();
514.  
515. printf("CODE: %x %x %x %x %x %x\n", c0, c1, c2, c3, c4, c5);
516.  
517. return 0;
518. }
519.  
520. The full C file can be found here: https://pastebin.com/pGNp3hHY
521.  
522. Just run this on your linux box passing the token value (expected to be
523. hexadecimal), and it will calculate and print the corresponding code.
524.  
525. Then you can log in to the secrebox server, pass the token from that
526. session to the key generator, and enter the correct code. You will get the
527. flag printed on screen.
528. But hey. Couldn't we just extract the flag from the binary? No, because it's
529. not included. So how is the flag retrieved? What happens when you enter the
530. correct code, actually?
531. Let's jump back to the main function. If verfiy_code returns TRUE, the jump
532. after it will not be taken. The code following has a reference to a string
533. "CORRECT" and also a "secret.txt", followed by a call to another sub function:
534.  
535. .text:0804967B call verify_code
536. .text:08049680 cmp eax, 0
537. .text:08049683 jz loc_80497FC
538. .text:08049689 mov eax, 200h
539. .text:0804968E xor ecx, ecx
540. .text:08049690 mov edx, ds:stdscr
541. .text:08049696 mov [esp], edx ; WINDOW *
542. .text:08049699 mov dword ptr [esp+4], 200h ; attr_t
543. .text:080496A1 mov dword ptr [esp+8], 0 ; void *
544. .text:080496A9 mov [ebp+var_11C], eax
545. .text:080496AF mov [ebp+var_120], ecx
546. .text:080496B5 call _wattr_on
547. .text:080496BA mov ecx, 3
548. .text:080496BF mov edx, 28h ; '('
549. .text:080496C4 lea esi, aCorrect ; "CORRECT"
550. .text:080496CA mov dword ptr [esp], 3 ; int
551. .text:080496D1 mov dword ptr [esp+4], 28h ; '(' ; int
552. .text:080496D9 mov [esp+8], esi ; char *
553. .text:080496DD mov [ebp+var_124], eax
554. .text:080496E3 mov [ebp+var_128], ecx
555. .text:080496E9 mov [ebp+var_12C], edx
556. .text:080496EF call _mvprintw
557. .text:080496F4 lea ecx, aSecretTxt ; "secret.txt"
558. .text:080496FA mov [esp], ecx ; filename
559. .text:080496FD mov [ebp+var_130], eax
560. .text:08049703 call sub_8048DA0
561.  
562. The purpose of that function is easily identified. It opens a file, gets its
563. size, calls 'malloc' with that size, and reads the contents of that file into
564. that buffer. That's it. After returning from that function, you can see it
565. will do some ncurses printing that will eventually print whatever is in that
566. secret.txt file:
567.  
568. .text:08049708 mov ecx, 5
569. .text:0804970D mov edx, 1Eh
570. .text:08049712 lea esi, asc_8049F7C ; "+---------------------------------+"
571. .text:08049718 mov [ebp+var_28], eax
572. .text:0804971B mov dword ptr [esp], 5 ; int
573. .text:08049722 mov dword ptr [esp+4], 1Eh ; int
574. .text:0804972A mov [esp+8], esi ; char *
575. .text:0804972E mov [ebp+var_134], edx
576. .text:08049734 mov [ebp+var_138], ecx
577. .text:0804973A call _mvprintw
578. .text:0804973F mov ecx, 6
579. .text:08049744 mov edx, 1Eh
580. .text:08049749 lea esi, a30s ; "|%30s |"
581. .text:0804974F mov edi, [ebp+var_28]
582. .text:08049752 mov dword ptr [esp], 6 ; int
583. .text:08049759 mov dword ptr [esp+4], 1Eh ; int
584. .text:08049761 mov [esp+8], esi ; char *
585. .text:08049765 mov [esp+0Ch], edi
586. .text:08049769 mov [ebp+var_13C], eax
587. .text:0804976F mov [ebp+var_140], ecx
588. .text:08049775 mov [ebp+var_144], edx
589. .text:0804977B call _mvprintw
590. .text:08049780 mov ecx, 7
591. .text:08049785 mov edx, 1Eh
592. .text:0804978A lea esi, asc_8049F7C ; "+---------------------------------+"
593. .text:08049790 mov dword ptr [esp], 7 ; int
594. .text:08049797 mov dword ptr [esp+4], 1Eh ; int
595. .text:0804979F mov [esp+8], esi ; char *
596. .text:080497A3 mov [ebp+var_148], eax
597. .text:080497A9 mov [ebp+var_14C], ecx
598. .text:080497AF mov [ebp+var_150], edx
599. .text:080497B5 call _mvprintw
600.  
601. So if you enter the correct code, the output will look like this:
602.  
603. SAFEBOX KEYPAD
604. Token: A1F0
605. ┌───────────────────┐
606. │ 002530 │ CORRECT
607. │ │
608. │ [0] [1] [2] [3] │ +---------------------------------+
609. │ [4] [5] [6] [7] │ | flag{welc0me_to_H1T13}
610. │ [8] [9] [A] [B] │ +---------------------------------+
611. │ [C] [D] [E] [F] │
612. │ │
613. │ │ 1 1 1 1 1 1
614. └───────────────────┘
615.  
616. You've pressed [0]
617.  
618.  
619. That's it! Now you know the flag :)