The first part is to "find" the binary.
http://quals.ddtek.biz/quals/b500_478f0845e1bbd201.html had the following content, and the page it redirects to returned a 404 Not Found.
<html>
<head>
<title>Bin500</title>
<meta http-equiv="refresh" content="0;url=http://ddtek.biz/bin5oo.html">
</head>
<body>
<H1>Bin500</H1>
</body>
</html>
So the real binary was located at
http://quals.ddtek.biz/quals/b500_478f0845e1bbd201.bin
I assume everybody got this fast.
noname:b500 macpro$ file b500_478f0845e1bbd201.bin
b500_478f0845e1bbd201.bin: gzip compressed data, from Unix, last modified: Fri May 21 08:04:12 2010
After extraction we have two files:
noname:b500 macpro$ file c500_b6427ab1a64e6836*
c500_b6427ab1a64e6836.bin: ELF 64-bit MSB executable, SPARC V9, total store ordering, version 1 (SYSV), dynamically linked (uses shared libs), stripped
c500_b6427ab1a64e6836.dat: data
Now the funny part begins :)
Let's talk about the constraints.
- No access to a SUN
- No knowledge about SPARC-ASM
- But we have IDA which could read the binary
The disassembly looks like:
.text:0000000100000CB8 mov 0x125, %l0
.text:0000000100000CBC stx %l0, [%fp+arg_7CF]
.text:0000000100000CC0 stx %l3, [%fp+arg_7D7]
.text:0000000100000CC4 mov 8, %l0
.text:0000000100000CC8 stx %l0, [%fp+arg_7DF]
.text:0000000100000CCC ldx [%fp+arg_7CF], %o0
.text:0000000100000CD0 call _SUNW_C_GetMechSession
We looked into the documentation of SUNW_C_GetMechSession() and found the following prototype.
CK_RV SUNW_C_GetMechSession(CK_MECHANISM_TYPE mech,
CK_SESSION_HANDLE_PTR hSession);
You can see in the assembly that the constants 0x125 and 8 are set up for this call.
Looking into pkcs11t.h you find the following constant:
#define CKM_DES_CBC_PAD 0x00000125
It looks like the binary uses DES-CBC encryption. By googling we found an example implementation on Sun's website.
It looks like they implemented this sample code :)
mechanism.mechanism = CKM_DES_CBC_PAD;
mechanism.pParameter = des_cbc_iv;
mechanism.ulParameterLen = 8;
rv = SUNW_C_GetMechSession(mechanism.mechanism, &hSession);
So let's look where the IV is stored:
Looking at the beginning of main() we see:
set 0x100000, %l1
sllx %l1, 12, %l1
bset 0xFE0, %l1
What is located at 0x100000FE0?
0x100000FE0: 0xdeadbeefbaadf00d
Sounds like an IV :-))
But DES also needs a key. Let's look further into the code:
.text:0000000100000D6C ldx [%fp+arg_7BF], %o0
.text:0000000100000D70 sethi %hi(0x3800), %g5
.text:0000000100000D74 btog -0x101, %g5
.text:0000000100000D78 add %fp, %g5, %o1
.text:0000000100000D7C add %fp, arg_7C7, %o3
.text:0000000100000D80 mov 5, %o2
.text:0000000100000D84 call _C_CreateObject
Looking into the sample:
rv = C_CreateObject(hSession, template, sizeof (template) / sizeof (CK_ATTRIBUTE), &hKey);
and the template has this format:
CK_ATTRIBUTE template[] = {
{CKA_CLASS, &class, sizeof (class) },
{CKA_KEY_TYPE, &keyType, sizeof (keyType) },
{CKA_TOKEN, &falsevalue, sizeof (falsevalue) },
{CKA_ENCRYPT, &truevalue, sizeof (truevalue) },
{CKA_VALUE, &des_key, sizeof (des_key) }
};
In our assembly the value for sizeof (template) / sizeof (CK_ATTRIBUTE) is 5 (mov 5, %o2), so we also have 5 CK_ATTRIBUTEs, like the sample.
Now you could try to understand the SPARC asm, but getting the key is easier than getting the IV :-)
Looking into the .data section in IDA you will find a global variable called k, yes, k like KEY :-)
0x100101668 k: DD73CC7FDD7ECC7F
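Both constants were read out of the binary by virtual address (0x100000FE0 computed in main(), 0x100101668 in .data). As an added example that is not part of the original writeup, here is a small Python helper that does the address-to-file-offset translation IDA performs for you, using the ELF64 program headers of a big-endian (SPARC V9) binary. It is tried against a constructed stand-in ELF that places the IV and key at the addresses quoted above; the real c500 binary is not needed.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1

def load_segments(data):
    """Parse an ELF64 header and return [(p_offset, p_vaddr, p_filesz)] for PT_LOAD segments."""
    if data[:4] != ELF_MAGIC or data[4] != 2:      # EI_CLASS 2 == ELFCLASS64
        raise ValueError("not an ELF64 file")
    end = ">" if data[5] == 2 else "<"              # EI_DATA 2 == MSB, as on SPARC V9
    e_phoff, = struct.unpack_from(end + "Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    segs = []
    for i in range(e_phnum):
        hdr = struct.unpack_from(end + "IIQQQQQQ", data, e_phoff + i * e_phentsize)
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = hdr[:6]
        if p_type == PT_LOAD:
            segs.append((p_offset, p_vaddr, p_filesz))
    return segs

def read_at_vaddr(data, vaddr, size):
    """Translate a virtual address to a file offset and return `size` bytes from there."""
    for p_offset, p_vaddr, p_filesz in load_segments(data):
        if p_vaddr <= vaddr and vaddr + size <= p_vaddr + p_filesz:
            start = p_offset + (vaddr - p_vaddr)
            return data[start:start + size]
    raise ValueError("0x%x is not backed by file contents (maybe .bss)" % vaddr)

def build_sample_elf():
    """Constructed stand-in for the real binary: big-endian ELF64 with two PT_LOAD segments."""
    blob = bytearray(0x1670)
    ident = ELF_MAGIC + bytes([2, 2, 1, 0]) + b"\x00" * 8      # class64, MSB, version 1
    # e_type, e_machine (43 = SPARC V9), e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    blob[0:64] = ident + struct.pack(">HHIQQQIHHHHHH", 2, 43, 1, 0, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    tseg = (PT_LOAD, 5, 0x0, 0x100000000, 0x100000000, 0x1000, 0x1000, 0x1000)
    dseg = (PT_LOAD, 6, 0x1000, 0x100101000, 0x100101000, 0x670, 0x670, 0x1000)
    blob[64:120] = struct.pack(">IIQQQQQQ", *tseg)
    blob[120:176] = struct.pack(">IIQQQQQQ", *dseg)
    blob[0xFE0:0xFE8] = bytes.fromhex("deadbeefbaadf00d")    # IV at 0x100000FE0 (as in the writeup)
    blob[0x1668:0x1670] = bytes.fromhex("dd73cc7fdd7ecc7f")  # k at 0x100101668 (as in the writeup)
    return bytes(blob)

if __name__ == "__main__":
    elf = build_sample_elf()
    print("iv  =", read_at_vaddr(elf, 0x100000FE0, 8).hex())
    print("key =", read_at_vaddr(elf, 0x100101668, 8).hex())
```

Pointing read_at_vaddr() at the real file instead of build_sample_elf() gives you the same two values you need for the openssl call, without running a single SPARC instruction.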
Now you can decrypt the .dat file:
noname:b500 macpro$ openssl enc -d -des-cbc -in c500_b6427ab1a64e6836.dat -K DD73CC7FDD7ECC7F -iv DEADBEEFBAADF00D
allthatworkanditsjustDES!?!
Isn't it ironic? The 500-point level got solved pretty fast without executing the binary, and Packet Madness 100 took us 2 days :-)
If you have questions or suggestions for improvements, you can send an e-mail to my gmail.com account "bashrx".