Because reversing an obfuscated jit'ed virtual machine for 3 points is fun!
In this task we got an ELF binary. Looking at it's disassembly was really hard - lots of obfuscated code was put there - I thought that for 3 points we were supposed to use something easier.
Tracing the binary, we notice a lot of gettimeofday calls. This was a function checking
current time - something which should not be present in legitimate key checking code.
I created a simple replacement function (tofd.c), which I then LD_PRELOAD'ed to achieve
deterministic execution.
In my solution, I used instruction counting to get the flag. The idea is, that the code
checks flag characters one by one, exitting early if a character is wrong. We can exploit
this - when we supply a good prefix of the flag, the binary will execute slightly longer
than with a wrong one. Using doit.py and Intel's pin, we brute forced the solution
one char at a time in around an hour (this could take shorter time, but I wanted to stay
on the safer side and used string.printable as the character set).