What's up, YouTube? My name is John Hammond. This is the challenge Quack Me from picoCTF 2018. I'm going to try and spend a little bit more deliberate, dedicated time on this because it doesn't have a whole lot of solves and I think it tripped a few people up. So let's take a look. It says, can you deal with the Duck Web? Get us the flag from this program. You can also find the program at this location on the shell server, and we have a link to download it. So I could wget it if I wanted to. I've already got it downloaded, though. So let's take a look at what we actually have to work with here. If I run this binary, it says: you've now entered the Duck Web and you're in for a honkin' good time. Can you figure out my trick? Some input, let's just say "please subscribe", and that says "that's all folks". So, okay, what do we do here? If we wanted to, we could check out the hints. It says objdump or something similar is probably a good place to start. So this is in the reversing category, right? This is a reverse engineering challenge. The challenge is called Quack Me, and I think that is a reference to a crackme, which is, you know, a binary that is meant to be reversed and understood, where you're trying to manipulate it or find the key or the correct input that will actually solve it for you, like trying to pick a lock. So, interesting thing. Let's open it up in Hopper, and that's what I'm going to use as my, I guess, static analysis program here. Let's go ahead and open up the YouTube/Pico folder for Quack Me. Quack Me, there we go. Open up main, let's jump to our main function over here, and I'll just check it out. I'm going to hit Alt and Enter so I can decompile it, or at least try and get pseudocode. So it sets a buffer up here, that works just fine for us, displays this line of text, that string that we saw earlier, and then tries to run this function called do_magic and then puts "That's all folks".
So do_magic is probably where the magic's at. Let's go ahead and just copy this code because I want to be able to manipulate it. There's a lot here, right? So we want to be able to reverse engineer it. I'm going to work with it in Sublime Text just so I can actually handle it and understand a little bit more. That way we can get syntax highlighting and it's nice and pretty and stuff. So this is our function, do_magic. It looks like it takes in our input from this function read_input. So let's set var_14 to be our input, good. And var_10 looks like it's just taking the length of it. So let's change that variable name to length_of_input. I'm using Ctrl+H, by the way, and then Ctrl+Alt+Enter just to be able to make rapid changes throughout the entire thing. It gets the stack pointer and it tries to allocate some memory with the length of our input plus one. So probably a null byte at the end. So let's just say that var_C is actually memory for our input, Ctrl+Alt+Enter. And then if it is not zero, so if it's able to properly allocate it, it will jump to this location. And this location sets up memory for input, length of our input, and looks like it's trying to, okay, allocate. Initialize input, how about that? We'll just call that, Ctrl+H, initialize_input. Sweet. So once we're initializing our input, we actually set some variables here that I'm just going to consider var_18 and var_1C, whatever, we'll just call these zero. Since they're just being initialized to zero, we'll call them zero for now. And then if we understand anything more later, we can change the name, and this can also be zero_var, zero_var_2. Okay. And then we go to this location. So this location tests if eax is zero_var, length of our input, otherwise it will go to some location and go to .L1. Where's that at?
Oh, so go to, let's call that .L1, can just be end_function or the like. So if our length of input, if eax is our length of input, we go to this location and this location will do something. It's like it's testing zero_message. There's a zero_var_2 added onto our greeting message and the memory address is zero_message. So it's trying to get a specific character out of the greeting message and it's ANDed with 0xff. So it's just going to be a single byte. And if it's all equal to our input plus zero_var_2. So zero_var_2 must be doing something. Looks like it actually, okay, that's got to be an iterator, right? We can actually see this location down here, increment. So let's just change this to increment_iterator. And then zero_var_2 will actually just be called our iterator and then it will go back to, okay, test. Go back, after it's iterated, we'll go back to test_length, if eax is less than or equal to our input, and otherwise it will go to... So the length of our input must be 0x19, right? Because zero_var, another zero_var. So this has got to be another iterator. Where else is zero_var being used? It's not. Oh, which is being used as a counter to determine whether or not we're going to continue to iterate. So we have a loop here, right? I think we can kind of generally understand it. It's trying to iterate a number over our message and our input, trying to get a value there. And it looks like it's trying to XOR that. You can see the symbol here with our iterator at a specific memory address. So we have some bit of memory that we're testing this with and it's XORed with our input. So, properties of XOR, right? We've got the greeting message that we're looking at and our input and some address in memory. So let's find this address in memory. There's got to be something there that we can retrieve, and that XORed with our greeting message should be the input we need to supply.
So we can figure out the crackme if we just XOR the greeting message and the memory at that location. Let's do it. Okay. Looks like we, and then okay, we would display "you're a winner" if we get the flag there. So there's something peculiar. Let's see if we can go back to Hopper and then get this information out of there. Well, let's say greeting_message, and where is that? That's got to be probably that "you've now entered the Duck Web". If we view this in Hopper, "can you figure out my trick"? Yep, it's in main. It's also noted as greeting_message. So that is the string that we have here. And if we're going to actually use XOR, we can probably just go ahead and create a get_flag script in Python where we know we're going to XOR them. I'm going to use pwntools to XOR them. So let's use #!/usr/bin/env python. Let's say greeting_message can equal that. Oh, let's use double quotes, and we don't need that backslash on there. Let's use it for real, for real there. Let's import pwn. If you don't have pwntools, you can just install it and find it online. I cover it in a ton of other videos, but it helps XOR things very, very easily in Python. So now we want to know where that memory address is. So back in our Sublime Text, let's go ahead and steal that address so we can go to it in Hopper. So I've just copied and pasted it and then I click Ctrl+G, or just simply G, and paste it into "go to that address". You can see, oh, it's right here. So secret_buffer, huh, peculiar, right? Let's go ahead and copy all this. And I would go ahead and scrape out the ASCII, but note that some of it is noted as just a simple period. That's probably because it's not a printable character, even though in hex it is something right there. So we do want that handled in hex. Let's go ahead and try and carve that out in Python. I'm actually just going to do it in Sublime Text, search for "0x..". So once I hit and select all those, let's do find all, delete everything else, paste them. Oh, I'm sorry. So find all, Ctrl+X to cut them.
Now they're all there. Now I've got them all. And then that "0x" I'll replace with a backslash x, and I'll replace all the newlines with emptiness. So now I've got a Python string that I can handle and use in Python. So let's say xor_string can equal that, and let's try and use pwn to print xor(greeting_message, xor_string). XOR them together: picoCTF, quack me. We just got the flag, awesome, cool. So that was that, that's it, that's all we needed. Looks like that is the flag that we want here. Let's actually just import re and let's do re.findall, picoCTF, get our flag format set up, carve it out, and let's make that lazy so it doesn't get all of it. Great, there's our flag. Let's go ahead and submit that, and we've solved Quack Me, an interesting crackme challenge. Normally when you see crackmes, at the first kind of start of them, some of the simple ones will just do an XOR operation. But I hope that was kind of fun and kind of cool to literally take apart this function here, this do_magic, and then just kind of change the names, just follow through it and try to understand where it's going and how it's going there, why it's going there, what it's doing, and just changing these variables so they make a little bit more sense. And that's, I think, a good thing to do when you have a big function that is seemingly doing something interesting, like magic as it says, and you could use that to figure out what's really going on. So, cool, did I submit that already? I did, all right. Before I go, I want to give a quick shout out to the people that support me on Patreon. Thank you guys so much, I cannot say it enough. I know I say it all the time, still not enough. One dollar a month on Patreon will give you a special shout out just like that at the end of every video. Just kind of your name up in lights, visible for a little bit at the very end. It's just a feel-good thing. Hopefully you feel like a good Samaritan or someone just helping me out.
I'm really grateful for whatever support you're willing to give. It just, I don't know, it motivates me and helps the channel grow, so thank you. Five dollars a month on Patreon will give you early access to everything that I release on YouTube before it goes live. So all these picoCTF videos, you don't have to wait for them to be uploaded. As I've got them recorded, I'll put them in a folder and you'll be able to access them. It's nice and easy. And that happens forever, like you'll get that forever, as long as I make stuff. It's nice. Hopefully. I appreciate your support. Hey, if you did like this video, please do like, comment, and subscribe. Join our Discord server, link in the description. It is a cool community full of CTF players, programmers, and hackers who can hang out with me, other smart people, people that play CTFs, and we're going to be tackling a whole bunch of CTFs. It's a CTF work camp. So just helping yourself learn, helping yourself get plugged into the scene. It's awesome. Thanks. Hope to see you guys in the next video. Hope to see you on Patreon. I love you. Bye.
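A model of the do_magic check the video walks through and the XOR recovery it implies, as an added example that is not the video's own script or the challenge's code. The greeting text is taken as read aloud in the video, the loop bound is the 0x19 read off the decompilation, and the secret buffer, the Hopper-style listing and the flag are constructed placeholders because the real bytes are not on the page.

```python
#!/usr/bin/env python3
# Added example: model of the decompiled do_magic loop and the XOR recovery
# step (greeting XOR secret_buffer) on a constructed secret buffer.
import re
from typing import Optional

LOOP_BOUND = 0x19  # loop counter limit read off the decompilation in the video

# Greeting as read out in the video (assumed exact, not dumped from the binary).
GREETING = b"You've now entered the Duck Web and you're in for a honkin' good time."

# The real secret_buffer bytes are not on the page, so a placeholder flag is
# folded into the greeting to construct a stand-in with the same structure.
PLACEHOLDER_FLAG = b"picoCTF{placeholder_xor0}"  # exactly 0x19 bytes long
SECRET_BUFFER = bytes(g ^ f for g, f in zip(GREETING, PLACEHOLDER_FLAG))

# Constructed listing in the "0x.." style copied out of Hopper in the video.
HOPPER_LISTING = "\n".join(f"db 0x{b:02x}" for b in SECRET_BUFFER)


def parse_hex_listing(listing: str) -> bytes:
    """Carve the 0x.. byte tokens out of a disassembler listing. Non-printable
    bytes (shown as '.' in the ASCII column) survive since we never go via text."""
    return bytes(int(tok, 16) for tok in re.findall(r"0x([0-9a-fA-F]{2})", listing))


def do_magic(user_input: bytes) -> bool:
    """Model of the decompiled check: for i in 0..0x19, require
    (greeting[i] ^ secret_buffer[i]) & 0xff == user_input[i]."""
    if len(user_input) < LOOP_BOUND:
        return False
    for i in range(LOOP_BOUND):
        if ((GREETING[i] ^ SECRET_BUFFER[i]) & 0xff) != user_input[i]:
            return False
    return True


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR over the common length of the two inputs."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_flag(greeting: bytes, secret: bytes) -> Optional[bytes]:
    """XOR is self-inverse: greeting ^ secret is exactly what do_magic compares to."""
    candidate = xor_bytes(greeting, secret)
    hits = re.findall(rb"picoCTF\{.*?\}", candidate)  # lazy match, as in the video
    return hits[0] if hits else None


if __name__ == "__main__":
    flag = recover_flag(GREETING, parse_hex_listing(HOPPER_LISTING))
    print(flag, do_magic(flag))
```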