Commit 52e5ddd

Merge pull request #47 from TheRomanXpl0it/fix-qas
Clarify qas
2 parents 66c3aaf + 5ae44b1 commit 52e5ddd

1 file changed

Lines changed: 9 additions & 6 deletions

content/posts/uiuctf25-qas/index.md

@@ -30,6 +30,8 @@ prints the flag if the hashed output matches a constant.
3030
The code is very straightforward and the only annoyance
3131
is the usage of confusing type names for integer types.
3232

33+
Here's the code stripped from comments:
34+
3335
```c
3436
typedef int not_int_small;
3537
typedef short int_small;
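Review bot: the new intro sentence at 34+ says "stripped from comments"; the idiomatic phrasing is "stripped of comments", so `Here's the code stripped of comments:` would read better. The extra blank line at 33+ is fine, since it separates the paragraph from the fenced block that follows.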
@@ -122,7 +124,7 @@ int main() {
122124
printf("=== QUANTUM AUTHENTICATION SYSTEM v2.7.3 ===\n");
123125
printf("Initializing quantum security protocols...\n");
124126

125-
for (volatile int i = 0; i < 100000; i++) { /* quantum processing */ }
127+
for (volatile int i = 0; i < 100000; i++) { }
126128

127129
printf("Quantum entropy generated. System ready.\n");
128130
printf("Please enter your quantum authentication code: ");
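Review bot: dropping `/* quantum processing */` at 127+ is consistent with presenting the listing as stripped of comments, but that comment was the only hint that the `volatile` loop is a deliberate no-op delay and not something the hash depends on. Consider saying so once in the prose, so readers do not stop to analyse the now-empty loop body.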
@@ -143,14 +145,14 @@ int main() {
143145
printf("Quantum authentication failed!\n");
144146
printf("Access denied. Incident logged.\n");
145147
}
146-
147148
return 0;
148149
}
149150
```
150151
151-
Since the constant is known `0x555` and the domain of the input is small (32-bit), we can just bruteforce it!
152+
Since the constant is known (`0x555`) and the domain of the input is small (32-bit),
153+
we can just bruteforce it!
152154
153-
Valid solutions can be found by just changing the main function like so:
155+
Valid solutions can be found by changing the main function like so:
154156
155157
```c
156158
int main() {
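Review bot: the rewritten sentence at 152+/153+ still calls the 32-bit input domain "small", yet exhausting it means up to 2^32 evaluations of the hash; a short note on how long the brute force actually took would tell readers whether this is practical before they reach the modified `main` below. Removing the blank line before `return 0;` at 146- is harmless, since the listing is already presented as reformatted from the original.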
@@ -200,12 +202,13 @@ Accessing secured vault...
200202
CLASSIFIED FLAG: uiuctf{qu4ntum_0v3rfl0w_2d5ad975653b8f29}
201203
```
202204

203-
Now that the cheesy solution is out of the way, what is the vuln here?
205+
With the cheesy solution out of the way, what is the vuln here?
204206

205207
`scanf("%d", (int*)&qdata.input.val)` reads 4 bytes into the input struct. But the `val` field is a short!
206208
Since the struct is packed, this means that we are overwriting the following field, which in this case is a `char[2]` called `padding`.
207209

208210
Contrary to common sense, this field is actually used in the hash function: `hash ^= input.padding[0] << 8 | input.padding[1];`
209211

210-
By providing certain negative numbers we can manipulate the input and win. Also note that there are no positive solutions.
212+
By providing certain negative numbers we can obtain the right output value and win.
213+
Also note that there are no positive solutions.
211214

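Review bot: the split at 212+/213+ reads better, but "certain negative numbers" is still left unexplained. Since 207/209 already states that the 4-byte `scanf` overwrites `padding`, one sentence on the mechanism would close the gap: on a little-endian target the low 16 bits of the int land in `val` and the high 16 bits in `padding[0..1]`, so the sign of the input is what sets the top bit of `padding[1]`, one of the two bytes the hash reads at 210. That would also make "there are no positive solutions" at 213+ read as a consequence rather than an aside.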