Google CTF 2016 // Unbreakable Enterprise Product Activation (150 points)


We need help activating this product — we’ve lost our license key 🙁

You’re our only hope!

ubuntu@ip-172-31-15-71:~$ ./unbreakable-enterprise-product-activation
unbreakable-enterprise-product-activation: ./unbreakable_enterprise_product_activation product-key
ubuntu@ip-172-31-15-71:~$ ./unbreakable-enterprise-product-activation test
Product activation failure 255

Opening the executable in Binary Ninja and looking at the main function shows that a lot of calls are being made. It appears to be a relatively straightforward program: each call checks a condition to see if our input key is valid.

main function

Out of all these functions, there are only two important ones: the activation failure and success printfs. To find these, you could either look through all of the functions (since there aren't that many), or use string XREFs to locate them (which is what I did).

Activation failure function.

The failure printf function is at 0x400850.

Activation success function

And the success printf function is at 0x400830.

Because we know which function we want to end up in (0x400830), symbolic execution is the most logical way to solve for the unknown input. angr is a popular framework for this and works fantastically on these types of problems. Technically you could probably solve this challenge by hand too, but it would take an excessive amount of time.
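
The find/avoid approach described above, as an added example (not the linked solution script, and not code from the angr project): it makes argv[1] symbolic and asks angr for a path that reaches 0x400830 without ever entering 0x400850. `KEY_LEN`, the printable-or-NUL constraint and the function names are assumptions made for this example.

```python
import sys

FIND_ADDR = 0x400830   # success printf function (address from the write-up)
AVOID_ADDR = 0x400850  # failure printf function (address from the write-up)
KEY_LEN = 64           # assumption: upper bound on the key length, in bytes


def key_from_bytes(raw):
    """Cut the solved buffer at the first NUL and decode it as ASCII."""
    return raw.split(b"\x00", 1)[0].decode("ascii")


def solve(binary_path, key_len=KEY_LEN):
    """Return a key that drives execution to FIND_ADDR, or None."""
    import angr      # imported here so the helper above works without angr
    import claripy

    proj = angr.Project(binary_path, auto_load_libs=False)

    # argv[1] is the only input: make it one symbolic bit-vector.
    key = claripy.BVS("key", 8 * key_len)
    state = proj.factory.entry_state(args=[binary_path, key])

    # Each byte is printable ASCII, or NUL so that shorter keys stay possible.
    for byte in key.chop(8):
        printable = claripy.And(byte >= 0x20, byte <= 0x7E)
        state.solver.add(claripy.Or(byte == 0, printable))

    simgr = proj.factory.simulation_manager(state)
    # Drop every path that reaches the failure function; stop at success.
    simgr.explore(find=FIND_ADDR, avoid=AVOID_ADDR)
    if not simgr.found:
        return None

    # Ask the solver for one concrete key that satisfies the path constraints.
    raw = simgr.found[0].solver.eval(key, cast_to=bytes)
    return key_from_bytes(raw)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: solve.py path-to-binary")
    print(solve(sys.argv[1]) or "no path to the success function found")
```
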

To install angr, using Docker is my favorite method. (Feel free to use another install method though.)

ubuntu@ip-172-31-15-71:~$ sudo docker pull angr/angr # This will always be the latest build!
ubuntu@ip-172-31-15-71:~$ git clone # This is just for the examples, you can omit this. I think the docs are included in the Docker image too.. oops.
ubuntu@ip-172-31-15-71:~$ sudo docker run -it -v /home/ubuntu/angr-doc:/angr-doc angr/angr
(angr)angr@8a69340dc95c:~$ python -c 'import angr' && echo 'angr is installed!'
angr is installed!

The full solution script can be found here (which includes inline comments to help explain what each line does). Please actually go to GitHub if you want to use this code, since it might change.


Running the script prints out the solution in a mere 4.5 seconds.

(angr)angr@8a69340dc95c:~$ cd /angr-doc/examples/google2016_unbreakable_0/
(angr)angr@8a69340dc95c:/angr-doc/examples/google2016_unbreakable_0$ ./
