Tag: IDA

RSS

Posts Tagged ‘IDA’

Hackvent 2019: Day 23

24 Dec 2019

CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com

Date Completed: 23 December 2019

Challenge

HV19.23 Internet Data Archive

Introduction
Today's flag is available in the Internet Data Archive (IDA).
Resources
http://whale.hacking-lab.com:23023/

Introduction

Today's flag is available in the Internet Data Archive (IDA).

Resources

http://whale.hacking-lab.com:23023/

Solution

We are presented with the following website:

We are allowed to enter a username and select some data to download except the flag which is classified. Upon doing this a unique zip file is generated for us containing our files and we are also provided with a password that allows us to open the encrypted zip file.

By playing around with the website we learn the following things:

Usernames are truncated to be at most 12 characters long (alphanumberis)
Passwords are always 12 digits (alphanumeric) and look like this: BxxRGJAMpmbJ
All links to download files contain the input username with -data appended. Example for username of mo: http://whale.hacking-lab.com:23023/tmp/mo-data.zip
Can pass in req instead of req[] as PHP post argument to trigger PHP error:

r /> Warning: Invalid argument supplied for foreach() in /var/www/html/archive.php on line 19 No files!

1
2
3

r />
Warning: Invalid argument supplied for foreach() in /var/www/html/archive.php on line 19 
No files!
Can pass in username[] instead of username as PHP post argument to make name be parsed as Array: http://whale.hacking-lab.com:23023/tmp/Array-data.zip
We cannot use the username Santa (it is explicitly disallowed!)

We shortly find out that the tmp directory where files are hosted has indexing on and we can see all the files that are being created. By sorting by oldest files first we discover two interesting files:

We download Santa-data.zip and discover that it contains a file called flag.txt! However, we do not know the password for this archive.
Assuming alphanumerics are used as the charset for the password our bruteforce complexity is 62^12 which not feasible.

Next, we inspect the phpinfo for any valuable information, we take note of the PHP version 7.4.1 and that the sodium module is loaded (although this doesn’t matter).

Next we write a password generator script to generate a lot of tokens:

# Hackvent 2019 - Day 24
# Mo Beigi (https://mobeigi.com)
import re
import requests
f = open("passwords.txt", "a")
# Until user exits
while True:
r = requests.post('http://whale.hacking-lab.com:23023/archive.php', data={'username': 'Santa1', 'req[]': 'candle'})
if r.status_code == 200:
m = re.search('<p>Your one-time Password is: <strong>(.*?)</strong></p>', r.text)
if m:
# Verify length
token = m.group(1)
if len(token) != 12:
print(f'Unexpected token found: {token}')
# Append to file
f.write(token + "\n")
f.flush()
else:
print('Failed to get token...trying again.')

# Hackvent 2019 - Day 24

# Mo Beigi (https://mobeigi.com)

import re

import requests

f = open("passwords.txt", "a")

# Until user exits

while True:

r = requests.post('http://whale.hacking-lab.com:23023/archive.php', data={'username': 'Santa1', 'req[]': 'candle'})

if r.status_code == 200:

m = re.search('Your one-time Password is: (.*?)', r.text)

if m:

# Verify length

token = m.group(1)

if len(token) != 12:

print(f'Unexpected token found: {token}')

# Append to file

f.write(token + "\n")

f.flush()

else:

print('Failed to get token...trying again.')

After generating 1000 passwords we run frequency analysis on the payload and discover that certain characters never appear. These characters are 0, 1, l, I, N, n, O, o. Perhaps these characters are committed as they look similar to other characters. Eliminating this characters from our charset brings down our bruteforce complexity to 54^12 which is still not feasible.

We note the title of the challenge page IDA Pro and after researching for IDA Pro PRNG we come across this interesting article:
https://devco.re/blog/2019/06/21/operation-crack-hacking-IDA-Pro-installer-PRNG-from-an-unusual-way-en/

The author describes the same exact charset that is in use here so we try to use the same approach to break the PRNG used to encrypt the Santa-data.zip file. We decide to use PHP for this with the same version 7.4.1 as the challenge website to ensure consistency.

We make the following bruteforce.php script:

<?php
# Hackvent 2019 - Day 24
# Mo Beigi (https://mobeigi.com)
$alphabet = 'abcdefghijkmpqrstuvwxyzABCDEFGHJKLMPQRSTUVWXYZ23456789';
$alphaLength = strlen($alphabet) - 1; //put the length -1 in cache
for ($i = 0; $i < pow(2,32)-1 ; $i++) {
srand($i);
$pass = "";
for ($j = 0; $j < 12; $j++) {
$n = rand(0, $alphaLength);
$pass .= $alphabet[$n];
}
print($pass . "\n");
}
?>

<?php

# Hackvent 2019 - Day 24

# Mo Beigi (https://mobeigi.com)

$alphabet = 'abcdefghijkmpqrstuvwxyzABCDEFGHJKLMPQRSTUVWXYZ23456789';

$alphaLength = strlen($alphabet) - 1; //put the length -1 in cache

for ($i = 0; $i < pow(2,32)-1 ; $i++) {

srand($i);

$pass = "";

for ($j = 0; $j < 12; $j++) {

$n = rand(0, $alphaLength);

$pass .= $alphabet[$n];

}

print($pass . "\n");

}

This script simply generates a random 12 length password using the first 12 bytes of randomness generated by the RNG for each seed between 0 to 2^32. However, we cannot save this data to disk easily so we will instead stream the data to a ZIP cracking utility like John the Ripper to attempt to crack the file on the fly.

We run:

zip2john Santa-data.hash > Santa.hash
php bruteforce.php | john --stdin Santa.hash 
john --show Santa.hash

zip2john Santa-data.hash > Santa.hash

php bruteforce.php | john --stdin Santa.hash

john --show Santa.hash

After about 2 minutes we have a successful crack:

Santa-data.zip/flag.txt:Kwmq3Sqmc5sA:flag.txt:Santa-data.zip:Santa-data.zip
1 password hash cracked, 0 left

Santa-data.zip/flag.txt:Kwmq3Sqmc5sA:flag.txt:Santa-data.zip:Santa-data.zip

1 password hash cracked, 0 left

Thus our password is Kwmq3Sqmc5sA and the original seed used was 4333287.
We open flag.txt to get our daily flag!

Flag: HV19{Cr4ckin_Passw0rdz_like_IDA_Pr0}

No Comments

Posted Mo BeigiPersianMG in Hackvent 2019

Hackvent 2019: Day 20

20 Dec 2019

CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com

Date Completed: 20 December 2019

Challenge

HV19.20 i want to play a game

Introduction
Santa was spying you on Discord and saw that you want something weird and obscure to reverse?
your wish is my command.
Resources
HV19-game.zip

Introduction

Santa was spying you on Discord and saw that you want something weird and obscure to reverse?

your wish is my command.

Resources

HV19-game.zip

Resource mirror: HV19-game.zip

Solution

We are given a binary and told it is something obscure we have to reverse. We download the binary and open it in IDA. After some digging around we realise the file has something to do with the PS4 and this is consistent with the hint in the zip file name too.

We dig around in IDA where we find a single main() method. We see that we seem to read in a file called /mnt/usb0/PS4UPDATE.PUP and then take the MD5 hash of this file and compare it to f86d4f9d2c049547bd61f942151ffb55. After googling this hash we find the file in question is the PS4 5.05 firmware.

We decide to decompile the code to C and are presented with the following:

int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 v3; // rcx
__int64 v4; // rcx
__int64 v5; // r13
unsigned int v6; // eax
__int64 v7; // rcx
__int16 *v8; // r15
__int64 v9; // rcx
__int64 v10; // r12
__int64 v11; // rdx
__int64 i; // rax
__int64 v13; // r13
__int64 v14; // rcx
__int64 v15; // r12
__int64 j; // rax
__int64 v17; // rcx
__int64 v18; // rcx
__int64 v20; // [rsp+8h] [rbp-520h]
void (*v21)(void); // [rsp+10h] [rbp-518h]
void (*v22)(void); // [rsp+18h] [rbp-510h]
__int64 v23; // [rsp+27h] [rbp-501h]
char v24; // [rsp+30h] [rbp-4F8h]
__int16 v25; // [rsp+40h] [rbp-4E8h]
__int16 v26; // [rsp+42h] [rbp-4E6h]
int v27; // [rsp+44h] [rbp-4E4h]
char v28[32]; // [rsp+50h] [rbp-4D8h]
char v29[32]; // [rsp+70h] [rbp-4B8h]
refptr_initKernel(argc, argv, envp);
refptr_initLibc();
refptr_initNetwork();
(*(void (__fastcall **)(_QWORD, _QWORD, _QWORD, _QWORD))refptr_sceKernelLoadStartModule)(0i64, 0i64, 0i64, 0i64);
refptr_sceKernelDlsym(v3, &v21);
refptr_sceKernelDlsym(v4, &v22);
(*(void (**)(void))refptr_malloc)();
(*(void (**)(void))refptr_malloc)();
v21();
v22();
v5 = (*(__int64 (**)(void))refptr_fopen)();
(*(void (**)(void))refptr_malloc)();
refptr_MD5Init();
while ( 1 )
{
v6 = (*(__int64 (__fastcall **)(__int64, __int64))refptr_fread)(v5, 1024i64);
if ( !v6 )
break;
refptr_MD5Update(v7, v6);
}
v8 = (__int16 *)&v24;
refptr_MD5Final();
(*(void (**)(void))refptr_fclose)();
v10 = v20;
do
{
v11 = *(unsigned __int8 *)v8;
v8 = (__int16 *)((char *)v8 + 1);
v10 += 2i64;
(*(void (__fastcall **)(__int64, __int64))refptr_sprintf)(v9, v11);
}
while ( &v25 != v8 );
if ( !(*(unsigned int (**)(void))refptr_strcmp)() )
{
for ( i = 0i64; i != 26; ++i )
v28[i] = byte_300[i];
v13 = 4919i64;
v15 = (*(__int64 (__fastcall **)(_BYTE *))refptr_fopen)(byte_300);
do
{
(*(void (__fastcall **)(__int64, _QWORD))refptr_fseek)(v14, 0i64);
(*(void (__fastcall **)(__int64, __int64))refptr_fread)(v15, 1i64);
for ( j = 0i64; j != 26; ++j )
v28[j] ^= v29[j];
v13 += 4919i64;
}
while ( v13 != 24201480 );
(*(void (**)(void))refptr_fclose)();
strcpy((char *)&v23, "sendflag");
v25 = 528;
v27 = 16777343;
v26 = (*(__int64 (**)(void))refptr_sceNetHtons)();
(*(void (__fastcall **)(__int64, __int64))refptr_memset)(v17, 6i64);
(*(__int64 (__fastcall **)(_QWORD, __int64))refptr_sceNetSocket)(0i64, 1i64);
(*(void (__fastcall **)(__int64, __int64))refptr_sceNetConnect)(v18, 16i64);
(*(void (__fastcall **)(_QWORD, __int64))refptr_sceNetSend)(0i64, 26i64);
(*(void (**)(void))refptr_sceNetSocketClose)();
}
return 0;
}

int __cdecl main(int argc, const char **argv, const char **envp)

{

__int64 v3; // rcx

__int64 v4; // rcx

__int64 v5; // r13

unsigned int v6; // eax

__int64 v7; // rcx

__int16 *v8; // r15

__int64 v9; // rcx

__int64 v10; // r12

__int64 v11; // rdx

__int64 i; // rax

__int64 v13; // r13

__int64 v14; // rcx

__int64 v15; // r12

__int64 j; // rax

__int64 v17; // rcx

__int64 v18; // rcx

__int64 v20; // [rsp+8h] [rbp-520h]

void (*v21)(void); // [rsp+10h] [rbp-518h]

void (*v22)(void); // [rsp+18h] [rbp-510h]

__int64 v23; // [rsp+27h] [rbp-501h]

char v24; // [rsp+30h] [rbp-4F8h]

__int16 v25; // [rsp+40h] [rbp-4E8h]

__int16 v26; // [rsp+42h] [rbp-4E6h]

int v27; // [rsp+44h] [rbp-4E4h]

char v28[32]; // [rsp+50h] [rbp-4D8h]

char v29[32]; // [rsp+70h] [rbp-4B8h]

refptr_initKernel(argc, argv, envp);

refptr_initLibc();

refptr_initNetwork();

(*(void (__fastcall **)(_QWORD, _QWORD, _QWORD, _QWORD))refptr_sceKernelLoadStartModule)(0i64, 0i64, 0i64, 0i64);

refptr_sceKernelDlsym(v3, &v21);

refptr_sceKernelDlsym(v4, &v22);

(*(void (**)(void))refptr_malloc)();

v21();

v22();

v5 = (*(__int64 (**)(void))refptr_fopen)();

(*(void (**)(void))refptr_malloc)();

refptr_MD5Init();

while ( 1 )

{

v6 = (*(__int64 (__fastcall **)(__int64, __int64))refptr_fread)(v5, 1024i64);

if ( !v6 )

break;

refptr_MD5Update(v7, v6);

}

v8 = (__int16 *)&v24;

refptr_MD5Final();

(*(void (**)(void))refptr_fclose)();

v10 = v20;

{

v11 = *(unsigned __int8 *)v8;

v8 = (__int16 *)((char *)v8 + 1);

v10 += 2i64;

(*(void (__fastcall **)(__int64, __int64))refptr_sprintf)(v9, v11);

}

while ( &v25 != v8 );

if ( !(*(unsigned int (**)(void))refptr_strcmp)() )

{

for ( i = 0i64; i != 26; ++i )

v28[i] = byte_300[i];

v13 = 4919i64;

v15 = (*(__int64 (__fastcall **)(_BYTE *))refptr_fopen)(byte_300);

{

(*(void (__fastcall **)(__int64, _QWORD))refptr_fseek)(v14, 0i64);

(*(void (__fastcall **)(__int64, __int64))refptr_fread)(v15, 1i64);

for ( j = 0i64; j != 26; ++j )

v28[j] ^= v29[j];

v13 += 4919i64;

}

while ( v13 != 24201480 );

(*(void (**)(void))refptr_fclose)();

strcpy((char *)&v23, "sendflag");

v25 = 528;

v27 = 16777343;

v26 = (*(__int64 (**)(void))refptr_sceNetHtons)();

(*(void (__fastcall **)(__int64, __int64))refptr_memset)(v17, 6i64);

(*(__int64 (__fastcall **)(_QWORD, __int64))refptr_sceNetSocket)(0i64, 1i64);

(*(void (__fastcall **)(__int64, __int64))refptr_sceNetConnect)(v18, 16i64);

(*(void (__fastcall **)(_QWORD, __int64))refptr_sceNetSend)(0i64, 26i64);

(*(void (**)(void))refptr_sceNetSocketClose)();

}

return 0;

}

The above decompilation is not perfect but we see the general structure of the program. First we initialise an array of 32 bytes with some data from byte_300 and store this as our flag data. Next we open our /mnt/usb0/PS4UPDATE.PUP file. We initialise our file pointer value to 0x1337 and start looping, adding 0x1337 to our seek pointer each iteration. Finally, we read 26 bytes from the file and xor this with the current flag data. At the end, we should our flag in our array.

We translate this to python code and get the following:

# Hackvent 2019 - Day 20
# Mo Beigi (https://mobeigi.com)
flag = bytearray(b'\xCE\x55\x95\x4E\x38\xC5\x89\xA5\x1B\x6F\x5E\x25\xD2\x1D\x2A\x2B\x5E\x7B\x39\x14\x8E\xD0\xF0\xF8\xF8\xA5\x00')
# Read PS4 firmware with MD5 f86d4f9d2c049547bd61f942151ffb55
f = open("PS4UPDATE.PUP", "rb")
offset = 0x1337
while offset != 0x1714908:
# Absolute seek to offset
f.seek(offset, 0)
read_bytes = f.read(26)
# xor flag with read bytes
for j in range(0, 26):
flag[j] ^= read_bytes[j]
offset += 0x1337
# Print flag
print(''.join(chr(i) for i in flag))

# Hackvent 2019 - Day 20

# Mo Beigi (https://mobeigi.com)

flag = bytearray(b'\xCE\x55\x95\x4E\x38\xC5\x89\xA5\x1B\x6F\x5E\x25\xD2\x1D\x2A\x2B\x5E\x7B\x39\x14\x8E\xD0\xF0\xF8\xF8\xA5\x00')

# Read PS4 firmware with MD5 f86d4f9d2c049547bd61f942151ffb55

f = open("PS4UPDATE.PUP", "rb")

offset = 0x1337

while offset != 0x1714908:

# Absolute seek to offset

f.seek(offset, 0)

read_bytes = f.read(26)

# xor flag with read bytes

for j in range(0, 26):

flag[j] ^= read_bytes[j]

offset += 0x1337

# Print flag

print(''.join(chr(i) for i in flag))

Running this gives us our flag!

Flag: HV19{C0nsole_H0mebr3w_FTW}

No Comments

Posted Mo BeigiPersianMG in Hackvent 2019

Hackvent 2019: Day 12

13 Dec 2019

CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com

Date Completed: 12 December 2019

Challenge

HV19.12 back to basic

Introduction
Santa used his time machine to get a present from the past. get your rusty tools out of your cellar and solve this one!
Resources
HV19.12-BackToBasic.zip

Introduction

Santa used his time machine to get a present from the past. get your rusty tools out of your cellar and solve this one!

Resources

HV19.12-BackToBasic.zip

Resources: HV19.12-BackToBasic.zip

Solution

We download the above zip file and find a Windows PE executable called BackToBasic.exe.
Upon opening the file we are prompted for some input but our input is always wrong.

Initially, we open this file in IDA Pro and inspect it. Its a smallish executable that was originally written in Visual Basic.
We decide to complete this challenge using only static analysis. We use a combination of IDA Pro and another tool called VB Decompiler.
This decompiler was specifically designed to decompile Visual Basic code so its a good bet!

We get the following decompilation result:

Private Sub Text1_Change() '401F80
Dim Me As Me
Dim var_4C As Variant
loc_00402072: var_48 = Text1.Text
loc_004020A6: var_34 = var_48
loc_00402228: var_ret_7 = (Mid(var_34, 1, 1) = &H401B20) And (Mid(var_34, 2, 1) = &H401B28) And (Mid(var_34, 3, 1) = &H401B30) And (Mid(var_34, 4, 1) = &H401B38)
loc_00402235: var_1C0 = CBool(var_ret_7)
loc_00402280: If var_1C0 Then
loc_004022A2:   var_5C = Len(var_34)
loc_004022B9:   If (var_5C = 33) Then
loc_0040230D:     var_ret_8 = Len(var_34) - 1
loc_0040232D:     For var_24 = 6 To var_ret_8 Step 1
loc_00402339: 
loc_0040233B:       If var_1D4 Then
loc_00402375:         var_154 = Asc(CStr(Mid(var_34, CLng(var_24), 1)))
loc_00402391:         call Xor(var_7C, var_15C, var_24, var_4C, Me, Me, %S_eax_S = CLng(%StkVar1), %x1 = Mid(%StkVar2, %StkVar3, %StkVar4), 00000002h)
loc_00402398:         var_ret_A = CLng(Xor(var_7C, var_15C, var_24, var_4C, Me, Me, var_ret_A = CLng(%StkVar1), %x1 = Mid(%StkVar2, %StkVar3, %StkVar4), 00000002h))
loc_004023C5:         var_44 = var_44 + Chr(var_ret_A)
loc_00402400:       Next var_24
loc_00402406:       GoTo loc_00402339
loc_0040240B:     End If
loc_00402433:     If (var_44 = "6klzic<=bPBtdvff'yFI Then
loc_00402456:       Label1.Caption = "Status: correct"
loc_00402477:     End If
loc_00402481:     GoTo loc_00402574
loc_00402486:   End If
loc_004024A7:   Label1.Caption = "Status: wrong"
loc_004024AE:   If var_4C < 0 Then
loc_004024B0:     GoTo loc_004024DC
loc_004024B2:   End If
loc_004024D3:   Label1.Caption = "Status: wrong"
loc_004024DA:   If var_4C >= 0 Then GoTo loc_004024EB
loc_004024DC:   'Referenced from: 004024B0
loc_004024E5:   var_4C = CheckObj(var_4C, global_00401B9C, 84)
loc_004024EB: End If
loc_004024F4: GoTo loc_00402479
loc_00402573: Exit Sub
loc_00402574: 'Referenced from: 00402481
End Sub

Private Sub Text1_Change() '401F80

Dim Me As Me

Dim var_4C As Variant

loc_00402072: var_48 = Text1.Text

loc_004020A6: var_34 = var_48

loc_00402228: var_ret_7 = (Mid(var_34, 1, 1) = &H401B20) And (Mid(var_34, 2, 1) = &H401B28) And (Mid(var_34, 3, 1) = &H401B30) And (Mid(var_34, 4, 1) = &H401B38)

loc_00402235: var_1C0 = CBool(var_ret_7)

loc_00402280: If var_1C0 Then

loc_004022A2: var_5C = Len(var_34)

loc_004022B9: If (var_5C = 33) Then

loc_0040230D: var_ret_8 = Len(var_34) - 1

loc_0040232D: For var_24 = 6 To var_ret_8 Step 1

loc_00402339:

loc_0040233B: If var_1D4 Then

loc_00402375: var_154 = Asc(CStr(Mid(var_34, CLng(var_24), 1)))

loc_00402391: call Xor(var_7C, var_15C, var_24, var_4C, Me, Me, %S_eax_S = CLng(%StkVar1), %x1 = Mid(%StkVar2, %StkVar3, %StkVar4), 00000002h)

loc_00402398: var_ret_A = CLng(Xor(var_7C, var_15C, var_24, var_4C, Me, Me, var_ret_A = CLng(%StkVar1), %x1 = Mid(%StkVar2, %StkVar3, %StkVar4), 00000002h))

loc_004023C5: var_44 = var_44 + Chr(var_ret_A)

loc_00402400: Next var_24

loc_00402406: GoTo loc_00402339

loc_0040240B: End If

loc_00402433: If (var_44 = "6klzic<=bPBtdvff'yFI Then

loc_00402456: Label1.Caption = "Status: correct"

loc_00402477: End If

loc_00402481: GoTo loc_00402574

loc_00402486: End If

loc_004024A7: Label1.Caption = "Status: wrong"

loc_004024AE: If var_4C < 0 Then

loc_004024B0: GoTo loc_004024DC

loc_004024B2: End If

loc_004024D3: Label1.Caption = "Status: wrong"

loc_004024DA: If var_4C >= 0 Then GoTo loc_004024EB

loc_004024DC: 'Referenced from: 004024B0

loc_004024E5: var_4C = CheckObj(var_4C, global_00401B9C, 84)

loc_004024EB: End If

loc_004024F4: GoTo loc_00402479

loc_00402573: Exit Sub

loc_00402574: 'Referenced from: 00402481

End Sub

We clean this up a little by working through the variables making sense of it all:

Private Sub Text1_Change() '401F80
Dim Me As Me
Dim var_4C As Variant
loc_00402072: input_text_orig = Text1.Text //Originally HV19
loc_004020A6: input_text = input_text_orig
loc_00402228: first_four_chars = (Mid(input_text, 1, 1) = &H401B20) And (Mid(input_text, 2, 1) = &H401B28) And (Mid(input_text, 3, 1) = &H401B30) And (Mid(input_text, 4, 1) = &H401B38)
loc_00402235: is_bool = CBool(first_four_chars)
loc_00402280: If is_bool Then
loc_004022A2:   input_text_len = Len(input_text)
loc_004022B9:   If (input_text_len = 33) Then
loc_0040230D:     input_text_len_minus_1 = Len(input_text) - 1
loc_0040232D:     For char_counter = 6 To input_text_len_minus_1 Step 1 // From chars 6 to 32 inclusive
loc_00402339: 
loc_0040233B:       If var_1D4 Then
loc_00402375:         var_154 = Asc(CStr(Mid(input_text, CLng(char_counter), 1))) // Give the integer representation of the next character
loc_00402391:         call Xor(var_7C, var_15C, char_counter, var_4C, Me, Me, %S_eax_S = CLng(%StkVar1), %x1 = Mid(%StkVar2, %StkVar3, %StkVar4), 00000002h)
loc_00402398:         var_ret_A = CLng(Xor(var_7C, var_15C, char_counter, var_4C, Me, Me, var_ret_A = CLng(%StkVar1), %x1 = Mid(%StkVar2, %StkVar3, %StkVar4), 00000002h))
loc_004023C5:         flag_content = flag_content + Chr(var_ret_A)
loc_00402400:       Next char_counter // increment counter
loc_00402406:       GoTo loc_00402339
loc_0040240B:     End If
loc_00402433:     If (flag_content = "6klzic<=bPBtdvff'yFI Then
loc_00402456:       Label1.Caption = "Status: correct"
loc_00402477:     End If
loc_00402481:     GoTo loc_00402574
loc_00402486:   End If
loc_004024A7:   Label1.Caption = "Status: wrong"
loc_004024AE:   If var_4C < 0 Then
loc_004024B0:     GoTo loc_004024DC
loc_004024B2:   End If
loc_004024D3:   Label1.Caption = "Status: wrong"
loc_004024DA:   If var_4C >= 0 Then GoTo loc_004024EB
loc_004024DC:   'Referenced from: 004024B0
loc_004024E5:   var_4C = CheckObj(var_4C, global_00401B9C, 84)
loc_004024EB: End If
loc_004024F4: GoTo loc_00402479
loc_00402573: Exit Sub
loc_00402574: 'Referenced from: 00402481
End Sub

Private Sub Text1_Change() '401F80

Dim Me As Me

Dim var_4C As Variant

loc_00402072: input_text_orig = Text1.Text //Originally HV19

loc_004020A6: input_text = input_text_orig

loc_00402228: first_four_chars = (Mid(input_text, 1, 1) = &H401B20) And (Mid(input_text, 2, 1) = &H401B28) And (Mid(input_text, 3, 1) = &H401B30) And (Mid(input_text, 4, 1) = &H401B38)

loc_00402235: is_bool = CBool(first_four_chars)

loc_00402280: If is_bool Then

loc_004022A2: input_text_len = Len(input_text)

loc_004022B9: If (input_text_len = 33) Then

loc_0040230D: input_text_len_minus_1 = Len(input_text) - 1

loc_0040232D: For char_counter = 6 To input_text_len_minus_1 Step 1 // From chars 6 to 32 inclusive

loc_00402339:

loc_0040233B: If var_1D4 Then

loc_00402375: var_154 = Asc(CStr(Mid(input_text, CLng(char_counter), 1))) // Give the integer representation of the next character

loc_00402391: call Xor(var_7C, var_15C, char_counter, var_4C, Me, Me, %S_eax_S = CLng(%StkVar1), %x1 = Mid(%StkVar2, %StkVar3, %StkVar4), 00000002h)

loc_00402398: var_ret_A = CLng(Xor(var_7C, var_15C, char_counter, var_4C, Me, Me, var_ret_A = CLng(%StkVar1), %x1 = Mid(%StkVar2, %StkVar3, %StkVar4), 00000002h))

loc_004023C5: flag_content = flag_content + Chr(var_ret_A)

loc_00402400: Next char_counter // increment counter

loc_00402406: GoTo loc_00402339

loc_0040240B: End If

loc_00402433: If (flag_content = "6klzic<=bPBtdvff'yFI Then

loc_00402456: Label1.Caption = "Status: correct"

loc_00402477: End If

loc_00402481: GoTo loc_00402574

loc_00402486: End If

loc_004024A7: Label1.Caption = "Status: wrong"

loc_004024AE: If var_4C < 0 Then

loc_004024B0: GoTo loc_004024DC

loc_004024B2: End If

loc_004024D3: Label1.Caption = "Status: wrong"

loc_004024DA: If var_4C >= 0 Then GoTo loc_004024EB

loc_004024DC: 'Referenced from: 004024B0

loc_004024E5: var_4C = CheckObj(var_4C, global_00401B9C, 84)

loc_004024EB: End If

loc_004024F4: GoTo loc_00402479

loc_00402573: Exit Sub

loc_00402574: 'Referenced from: 00402481

End Sub

After a while we understand what the code is basically doing.
Our input string is first checked to ensure the first 4 characters equal HV19. If this condition is met, we check that our input string has a length of 33 characters. If this condition is met, we perform a loop from 6 to 32 inclusive. These bounds are interesting as Visual Basic starts indexes at 1 and the first 5 characters of our flag are typically HV19{ and the last character is }. Basically we are looping over the indexes belonging to the flag content. Next, we seem to perform some XOR operation on the ordinal of the character (VB Asc command) and some other unknown value. It took a little time to realise this other value was the current string index (which I named char_counter above). Finally, a check is made with the string 6klzic<=bPBtdvff'yFI~on//N. It is important to note that the string is UTF-16 little endian encoded.

Therefore, we simply have to reverse the operation to get our original flag. In other words, take our comparison string 6klzic<=bPBtdvff'yFI~on//N and XOR it with the corresponding index (6,7,etc).

Psuedocode:

input = Text1.Text
test = ''
if input[1] = 'H' & input = 'V' & input = '1' & input = '9':
if len(input) = 33:
for i = 6 to i = 33 - 1:
xor_res = ord(input[i]) ^ i
test = test + chr(xor_res)
if test == "6klzic<=bPBtdvff'yFI~on//N":
print("Status: correct")
else:
print("Status: wrong")

input = Text1.Text

test = ''

if input[1] = 'H' & input = 'V' & input = '1' & input = '9':

if len(input) = 33:

for i = 6 to i = 33 - 1:

xor_res = ord(input[i]) ^ i

test = test + chr(xor_res)

if test == "6klzic<=bPBtdvff'yFI~on//N":

print("Status: correct")

else:

print("Status: wrong")

We write a little python script to do this for us which provides us with our flag:

# Hackvent 2019 - Day 12
# Mo Beigi (https://mobeigi.com)
# Hex dump of comparison string UTF-16 little endian encoded
# UTF-16: 6klzic<=bPBtdvff'yFI~on//N
comp_string = b'\x36\x00\x6B\x00\x6C\x00\x7A\x00\x69\x00\x63\x00\x3C\x00\x3D\x00\x62\x00\x50\x00\x42\x00\x74\x00\x64\x00\x76\x00\x66\x00\x66\x00\x27\x00\x79\x00\x7F\x00\x46\x00\x49\x00\x7E\x00\x6F\x00\x6E\x00\x2F\x00\x2F\x00\x4E\x00'
flag_content = ''
for index, val in enumerate(comp_string.decode('utf-16')):
xor_val = ord(val) ^ index + 1 + len('HV19{') # VB indices start at 1
flag_content += chr(xor_val)
# Print final flag
flag = 'HV19{' + flag_content + '}'
print(flag)

# Hackvent 2019 - Day 12

# Mo Beigi (https://mobeigi.com)

# Hex dump of comparison string UTF-16 little endian encoded

# UTF-16: 6klzic<=bPBtdvff'yFI~on//N

comp_string = b'\x36\x00\x6B\x00\x6C\x00\x7A\x00\x69\x00\x63\x00\x3C\x00\x3D\x00\x62\x00\x50\x00\x42\x00\x74\x00\x64\x00\x76\x00\x66\x00\x66\x00\x27\x00\x79\x00\x7F\x00\x46\x00\x49\x00\x7E\x00\x6F\x00\x6E\x00\x2F\x00\x2F\x00\x4E\x00'

flag_content = ''

for index, val in enumerate(comp_string.decode('utf-16')):

xor_val = ord(val) ^ index + 1 + len('HV19{') # VB indices start at 1

flag_content += chr(xor_val)

# Print final flag

flag = 'HV19{' + flag_content + '}'

print(flag)

Flag: HV19{0ldsch00l_Revers1ng_Sess10n}

No Comments

Posted Mo BeigiPersianMG in Hackvent 2019

HACKvent 2015: Day 14

14 Dec 2015

CTF: Hackvent 2015
Link to challenge: http://hackvent.hacking-lab.com

Date Completed: 14 December 2015

Challenge

pull out the Nugget out of this binary.

1	pull out the Nugget out of this binary.

The following Windows binary was also provided: Download EXE File

Solution

I download the binary and run it and am presented with the following program:

Hackvent Day 14 Program

It turns out that this program will tell you (via a messagebox) if you enter in the correct daily nugget or not!
So all we have to do is check the binary to see what causes the successful message box to appear.

Note: You can do this challenge using IDA or a .NET disassembler like ILSpy (link).

If using IDA, its useful to be familiar with CIL instructions.

ILSpy Approach
I decided to use ILSpy as it is apparently a very good .NET disassembler. I open the program and load the binary and it disassembles it into various classes as you would expect.
We are mainly interested in the hv15 class. By searching for strings like yes, that is the key! we realise the only important functions we need to look at are Button1_Click and Encrypt .

This is the code for both:

Button1_Click

// hv15.Form1
private void Button1_Click(object sender, EventArgs e)
{
string text = this.TextBox1.Text;
string left = this.Encrypt(text, Form1.GlobalVariables.assembly);
if (Operators.CompareString(left, "zV5/UFU8PUD3N2T49IBuCwvGzCLYz39tkMZts7rfBU4=", false) == 0)
{
Interaction.MsgBox("yes, that is the key!", MsgBoxStyle.Information, "HACKVent 2015");
}
else
{
Interaction.MsgBox("nope, that is NOT the key!", MsgBoxStyle.Critical, "HACKVent 2015");
}
}

// hv15.Form1

private void Button1_Click(object sender, EventArgs e)

{

string text = this.TextBox1.Text;

string left = this.Encrypt(text, Form1.GlobalVariables.assembly);

if (Operators.CompareString(left, "zV5/UFU8PUD3N2T49IBuCwvGzCLYz39tkMZts7rfBU4=", false) == 0)

{

Interaction.MsgBox("yes, that is the key!", MsgBoxStyle.Information, "HACKVent 2015");

}

else

{

Interaction.MsgBox("nope, that is NOT the key!", MsgBoxStyle.Critical, "HACKVent 2015");

}

Encrypt

// hv15.Form1
public string Encrypt(string input, string pass)
{
RijndaelManaged rijndaelManaged = new RijndaelManaged();
MD5CryptoServiceProvider mD5CryptoServiceProvider = new MD5CryptoServiceProvider();
string result;
try
{
byte[] array = new byte[32];
byte[] sourceArray = mD5CryptoServiceProvider.ComputeHash(Encoding.ASCII.GetBytes(pass));
Array.Copy(sourceArray, 0, array, 0, 16);
Array.Copy(sourceArray, 0, array, 15, 16);
rijndaelManaged.Key = array;
rijndaelManaged.Mode = CipherMode.ECB;
ICryptoTransform cryptoTransform = rijndaelManaged.CreateEncryptor();
byte[] bytes = Encoding.ASCII.GetBytes(input);
result = Convert.ToBase64String(cryptoTransform.TransformFinalBlock(bytes, 0, bytes.Length));
}
catch (Exception expr_7B)
{
ProjectData.SetProjectError(expr_7B);
Exception ex = expr_7B;
Interaction.MsgBox(ex.Message, MsgBoxStyle.OkOnly, null);
result = "";
ProjectData.ClearProjectError();
}
return result;
}

// hv15.Form1

public string Encrypt(string input, string pass)

{

RijndaelManaged rijndaelManaged = new RijndaelManaged();

MD5CryptoServiceProvider mD5CryptoServiceProvider = new MD5CryptoServiceProvider();

string result;

try

{

byte[] array = new byte[32];

byte[] sourceArray = mD5CryptoServiceProvider.ComputeHash(Encoding.ASCII.GetBytes(pass));

Array.Copy(sourceArray, 0, array, 0, 16);

Array.Copy(sourceArray, 0, array, 15, 16);

rijndaelManaged.Key = array;

rijndaelManaged.Mode = CipherMode.ECB;

ICryptoTransform cryptoTransform = rijndaelManaged.CreateEncryptor();

byte[] bytes = Encoding.ASCII.GetBytes(input);

result = Convert.ToBase64String(cryptoTransform.TransformFinalBlock(bytes, 0, bytes.Length));

}

catch (Exception expr_7B)

{

ProjectData.SetProjectError(expr_7B);

Exception ex = expr_7B;

Interaction.MsgBox(ex.Message, MsgBoxStyle.OkOnly, null);

result = "";

ProjectData.ClearProjectError();

}

return result;

}

It becomes super simple to solve this challenge at this stage. The input parameter is just the text we enter into the textbox and the pass parameter is Form1.GlobalVariables.assembly which is defined to be the string __ERROR_HANDLER. All we have to do is reverse the encryption starting with an input that equals zV5/UFU8PUD3N2T49IBuCwvGzCLYz39tkMZts7rfBU4=. We first decode the base64 string into a byte array and then run the program again but with rijndaelManaged.CreateEncryptor() changed to rijndaelManaged.CreateDecryptor().

I wrote a small C# program that accomplishes what we want to do:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Security.Cryptography;
namespace ConsoleApplication1
{
class Program
{
static void Main(string[] args)
{
//Undo Encrypt function!
string input = "zV5/UFU8PUD3N2T49IBuCwvGzCLYz39tkMZts7rfBU4=";
string pass = "__ERROR_HANDLER";
//Decode base64
byte[] unb64 = Convert.FromBase64String(input);
//Set up the Rijndael keys in same way as before
byte[] result;
RijndaelManaged rijndaelManaged = new RijndaelManaged();
MD5CryptoServiceProvider mD5CryptoServiceProvider = new MD5CryptoServiceProvider();
byte[] array = new byte[32];
byte[] sourceArray = mD5CryptoServiceProvider.ComputeHash(Encoding.ASCII.GetBytes(pass));
Array.Copy(sourceArray, 0, array, 0, 16);
Array.Copy(sourceArray, 0, array, 15, 16);
rijndaelManaged.Key = array;
rijndaelManaged.Mode = CipherMode.ECB;
ICryptoTransform cryptoTransform = rijndaelManaged.CreateDecryptor(); //This time we make a decryptor
//Transform final block
result = cryptoTransform.TransformFinalBlock(unb64, 0, unb64.Length);
//Print result as ASCII
Console.WriteLine(Encoding.ASCII.GetString(result));
}
}
}

using System;

using System.Collections.Generic;

using System.Linq;

using System.Text;

using System.Threading.Tasks;

using System.Security.Cryptography;

namespace ConsoleApplication1

{

class Program

{

static void Main(string[] args)

{

//Undo Encrypt function!

string input = "zV5/UFU8PUD3N2T49IBuCwvGzCLYz39tkMZts7rfBU4=";

string pass = "__ERROR_HANDLER";

//Decode base64

byte[] unb64 = Convert.FromBase64String(input);

//Set up the Rijndael keys in same way as before

byte[] result;

RijndaelManaged rijndaelManaged = new RijndaelManaged();

MD5CryptoServiceProvider mD5CryptoServiceProvider = new MD5CryptoServiceProvider();

byte[] array = new byte[32];

byte[] sourceArray = mD5CryptoServiceProvider.ComputeHash(Encoding.ASCII.GetBytes(pass));

Array.Copy(sourceArray, 0, array, 0, 16);

Array.Copy(sourceArray, 0, array, 15, 16);

rijndaelManaged.Key = array;

rijndaelManaged.Mode = CipherMode.ECB;

ICryptoTransform cryptoTransform = rijndaelManaged.CreateDecryptor(); //This time we make a decryptor

//Transform final block

result = cryptoTransform.TransformFinalBlock(unb64, 0, unb64.Length);

//Print result as ASCII

Console.WriteLine(Encoding.ASCII.GetString(result));

}

We run the above program and get our flag!

Flag: HV15-uQEJ-4HPX-Qcau-Xvt7-NAlP

No Comments

Posted Mo BeigiPersianMG in Hackvent 2015

Mo Beigi

Posts Tagged ‘IDA’

Hackvent 2019: Day 23

Challenge

HV19.23 Internet Data Archive

Solution

Hackvent 2019: Day 20

Challenge

HV19.20 i want to play a game

Solution

Hackvent 2019: Day 12

Challenge

HV19.12 back to basic

Solution

HACKvent 2015: Day 14

Challenge

Solution

Pages

Recent Posts

Recent Comments

My Networks

Site Stats