Posts Tagged ‘reverse engineering’

IOLI Crackme Write-up

30 Dec 2019
CTF: Miscellaneous
Link to challenge: https://github.com
Date Completed: 29 December 2019

Overview

The goal of this crackme is to find out what password(s) make the program print out Password OK :).
We ended up looking at the Windows binaries only.

Write-up

crackme0x00

Takes input through scanf and performs a quick strcmp against the string 250382 from the strings table.

Password: 250382

crackme0x01

As above, but the comparison is now against the integer 5274 read by scanf instead of a strcmp.

Password: 5274

crackme0x02

The scanf input is read and stored as an integer. Some arithmetic then adds two integers (90 + 492 = 582) and squares the result (582 * 582 = 338724). Finally, our scanf_input is compared with this value.

Password: 338724

crackme0x03

The final comparison logic is now moved into a _test subroutine. No other behaviour has changed and our password from the previous level is still valid. However, we notice the Password OK!!! 🙂 and Invalid Password! strings are no longer present; instead we see ciphertext that looks like Lqydolg#Sdvvzrug$ and Sdvvzrug#RN$$$#=,. The strings have been encoded with a cipher, and the _shift subroutine decodes them before they are printed with printf. The cipher is a simple ASCII Caesar shift with a shift of 3.

Password: 338724
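Decoding the two strings above, as an added C example (not the crackme's own code) that reconstructs the _shift routine described: each stored byte is the ASCII code plus 3, and the second string comes back with the smiley as a plain ":)".

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the crackme's own code: a reconstruction of the
 * _shift routine the write-up describes. The stored strings are ASCII
 * with every byte shifted up by 3, so decoding subtracts 3 per byte. */
#define SHIFT 3

/* Decode cipher into out (capacity n); returns the plaintext length. */
size_t shift_decode(const char *cipher, char *out, size_t n)
{
    size_t i = 0;
    for (; cipher[i] != '\0' && i + 1 < n; i++)
        out[i] = (char)(cipher[i] - SHIFT);
    out[i] = '\0';
    return i;
}

/* Helper so a decode can be checked by value: 1 if cipher decodes to
 * expected, else 0. */
int shift_decodes_to(const char *cipher, const char *expected)
{
    char buf[128];
    shift_decode(cipher, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* The two encoded strings from the crackme0x03 strings table. */
    const char *table[] = { "Lqydolg#Sdvvzrug$", "Sdvvzrug#RN$$$#=," };
    char buf[128];
    for (size_t i = 0; i < 2; i++) {
        shift_decode(table[i], buf, sizeof buf);
        printf("%-20s -> %s\n", table[i], buf);
    }
    return 0;
}
```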

crackme0x04

All of the interesting functionality is inside a check subroutine to which our input_pass_string is passed. The sub iterates over the input string and performs an sscanf call which attempts to parse each character as an integer (%d format specifier). Each digit value is then added to a running total before being compared with the integer value 15. Therefore, our input can be any sequence of digit characters that sum to 15.

Password: Any sequence of digit characters that sum to 15 (e.g. 96, 76, 78, 87, 69, 555, 111111111111111).

crackme0x05

Same as 0x04, except the compare value is now 16 instead of 15 and one final check is done in the new _parell sub.

This final sub simply takes in a character, converts it to a digit then performs the following two operations on it:

To reach the Password OK branch we need the TEST instruction to set the zero flag. This only happens if EAX is 0 when TEST executes, which requires that the original EAX value used in the AND with the immediate value had a least significant bit of 0. In other words, the sscanf_digit must be an even number.

As this sub is only called once the original condition is met (the total reaching 16), our input simply must end with an even digit.

Password: Any sequence of digit characters that sum to 16 where the final digit is even (e.g. 916, 556, 111111111111112).

crackme0x06

Same as 0x05, except we notice that envp is passed down to our check sub from the entry point. This suggests the original source code had a main function that took a third argument:

The array of pointers to the program's environment variables is passed to this dummy sub, which traverses the array and calls strncmp on every environment variable against the string LOLO with a MaxCount of 3. Note that environment variables are strings of the form MYENV=1. We are therefore simply iterating over the environment variables to see if any start with the string “LOL” (because of the 3-character MaxCount).

Password: Any sequence of digit characters that sum to 16 where the final digit is even (e.g. 916, 556, 111111111111112). Requires an environment variable that starts with the string “LOL” to be set.
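The complete check logic for crackme0x04 through crackme0x06 as an added C reconstruction (not the crackme's own source): a level argument selects the target (15 or 16), the _parell even-digit rule and the envp scan with strncmp against LOLO, and the two environment arrays are constructed here for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not the crackme's source): the password checks described
 * for crackme0x04 to 0x06. level (4, 5 or 6) selects which rules apply. */
/* _parell (0x05+): the sscanf'd digit must be even (low bit clear). */
static int parell(const char *digit)
{
    int d = 0;
    return sscanf(digit, "%d", &d) == 1 && (d & 1) == 0;
}

/* dummy (0x06): strncmp each "NAME=value" in envp against "LOLO" with a
 * MaxCount of 3, so any variable whose name starts with "LOL" matches. */
static int dummy(char **envp)
{
    for (size_t i = 0; envp != NULL && envp[i] != NULL; i++)
        if (strncmp(envp[i], "LOLO", 3) == 0)
            return 1;
    return 0;
}

/* check: sscanf("%d") one character at a time into a running total and
 * accept when it reaches the target (15 for 0x04, 16 afterwards) and the
 * level's extra rules hold for the digit that got it there. */
int check(const char *pass, int level, char **envp)
{
    int target = (level == 4) ? 15 : 16, sum = 0;
    for (size_t i = 0; i < strlen(pass); i++) {
        char one[2] = { pass[i], '\0' };
        int d = 0;
        if (sscanf(one, "%d", &d) != 1)
            return 0;                       /* non-digit character */
        sum += d;
        if (sum == target)
            return (level < 5 || parell(one)) && (level < 6 || dummy(envp));
    }
    return 0;
}
/* Constructed environment arrays for the demonstration. */
static char *lol_env[] = { "PATH=C:\\Windows", "LOLA=1", NULL };
static char *plain_env[] = { "PATH=C:\\Windows", NULL };

int main(void)
{
    printf("0x04 96: %d  0x05 916: %d\n", check("96", 4, NULL), check("916", 5, NULL));
    printf("0x06 556 with LOLA=1: %d  without: %d\n",
           check("556", 6, lol_env), check("556", 6, plain_env));
    return 0;
}
```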

crackme0x07

Same as 0x06 functionality-wise. However, we now have a Windows application that enters via the WinMain entry point in console mode.
We also have an unreferenced code segment in memory. This code block appears to print “wtf?\n” and exit if the input password is more than 9 characters long.

Password: Any sequence of digit characters that sum to 16 where the final digit is even (e.g. 916, 556, 111111111111112). Requires an environment variable that starts with the string “LOL” to be set.

crackme0x08

Exactly the same as 0x07, but the executable contains embedded PDB debug symbols which make reversing much easier (the file size gives this away too).

Password: Any sequence of digit characters that sum to 16 where the final digit is even (e.g. 916, 556, 111111111111112). Requires an environment variable that starts with the string “LOL” to be set.

crackme0x09

Exactly the same as 0x07, except the binary hashes are not identical while the byte sizes match exactly. Most likely the same source code recompiled with no or very minor changes.

Password: Any sequence of digit characters that sum to 16 where the final digit is even (e.g. 916, 556, 111111111111112). Requires an environment variable that starts with the string “LOL” to be set.

Hackvent 2019: Day 16

16 Dec 2019
CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com
Date Completed: 16 December 2019

Challenge

HV19.16 B0rked Calculator

Resources: HV19.16-b0rked.zip

Solution

We are presented with an x86 Windows binary. On inspection it looks to be a simple calculator, but unfortunately it's b0rked!

It supports the following operations: +, -, * and /.
However, it seems to ignore either the left or the right operand in calculations. In the example above, it ignored the right operand.
We find the following problems:

We open the binary in IDA Pro and discover that each operation is contained in its own method, which is passed two doublewords as arguments:

However, each method was broken in some way:

  • Missing stack variable definitions
  • Not loading arguments into registers
  • Not calling the required ASM function to perform the operation (add, sub, mul, div)

Each method was conveniently padded with 0x90 NOP opcodes, which meant we did not have to change the size of the binary. We patch these methods one by one, running the binary again after each correction to check that the functionality works.

These are the changes made, where white is the old binary and green is the new binary:

IDA Diff:

Running the binary one more time and clicking calc showed our flag on the screen:

Flag: HV19{B0rked_Flag_Calculat0r}

HACKvent 2015: Day 14

14 Dec 2015
CTF: Hackvent 2015
Link to challenge: http://hackvent.hacking-lab.com
Date Completed: 14 December 2015

Challenge

The following Windows binary was also provided: Download EXE File

Solution

I download the binary, run it, and am presented with the following program:

Hackvent Day 14 Program

It turns out that this program tells you (via a message box) whether or not you entered the correct daily nugget!
So all we have to do is check the binary to see what causes the success message box to appear.

Note: You can do this challenge using IDA or a .NET disassembler like ILSpy (link).

If using IDA, it's useful to be familiar with CIL instructions.

ILSpy Approach
I decided to use ILSpy as it is apparently a very good .NET disassembler. I open the program, load the binary, and it disassembles it into the various classes you would expect.
We are mainly interested in the hv15 class. By searching for strings like yes, that is the key! we realise the only important functions we need to look at are Button1_Click and Encrypt.

This is the code for both:

Button1_Click

Encrypt

It becomes very simple to solve this challenge at this stage. The input parameter is just the text we enter into the textbox, and the pass parameter is Form1.GlobalVariables.assembly, which is defined as the string __ERROR_HANDLER. All we have to do is reverse the encryption, starting with an input equal to zV5/UFU8PUD3N2T49IBuCwvGzCLYz39tkMZts7rfBU4=. We first decode the base64 string into a byte array and then run the program again with rijndaelManaged.CreateEncryptor() changed to rijndaelManaged.CreateDecryptor().

I wrote a small C# program that accomplishes what we want to do:

We run the above program and get our flag!

Flag: HV15-uQEJ-4HPX-Qcau-Xvt7-NAlP
