Wednesday, 18 January 2012

Nullcon CTF 2012 Reverse Engineering Writeup

Reversing 1 justdoit.exe

The file is packed. There are no anti-debugging protections, so you can run it in OllyDbg.

If you start the application, it sends keypress events: it presses the WIN key, then arrow up to select Run, and types wplayer.exe to start Windows Media Player. Later it types the flag.

Setting a breakpoint at 0x004040A5 shows the routine that calls this function.

Flag: We could talk all day about what AutoHotKey can do for an online poker player

Reversing 2

The binary itself was a red herring. Some time later there was a hint pointing to the .rsrc section.

Then I just executed the code in the .rsrc section. It has 5 decryption routines, which you can see in the screenshot. After the last decryption, EAX points to the flag.



Flag: AreYouHappyNow?

Level 3: null Mobile Android App


We're proud to announce the null Mobile Android App Project; however, the application is currently in Beta Phase and requires a lot of attention from the testers.
In keeping with the spirit of HackIM we've hidden a Flag inside. Your task is to find the Flag.

Extract the archive and look at the files.
res/raw/code.js is a red herring.

View res/raw/junk.php: there is JavaScript inside.

Analyse/unpack this JavaScript and you will see a hidden function which holds the key.

    function mikcah(a, b) {
        galf = "Do not let what you cannot do interfere with what you can do.";
    }


Flag: Do not let what you cannot do interfere with what you can do.

Level 4

$ file script2
script2: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, stripped
$ objdump -R script2

script2: file format elf64-x86-64

DYNAMIC RELOCATION RECORDS
OFFSET TYPE VALUE
0000000000601fe0 R_X86_64_GLOB_DAT __gmon_start__
0000000000602ee0 R_X86_64_COPY __environ
0000000000602ee8 R_X86_64_COPY stderr
0000000000602000 R_X86_64_JUMP_SLOT getenv
0000000000602008 R_X86_64_JUMP_SLOT __errno_location
0000000000602010 R_X86_64_JUMP_SLOT getpid
0000000000602018 R_X86_64_JUMP_SLOT __stack_chk_fail
0000000000602020 R_X86_64_JUMP_SLOT __libc_start_main
0000000000602028 R_X86_64_JUMP_SLOT memcmp
0000000000602030 R_X86_64_JUMP_SLOT calloc
0000000000602038 R_X86_64_JUMP_SLOT putenv
0000000000602040 R_X86_64_JUMP_SLOT atoll
0000000000602048 R_X86_64_JUMP_SLOT fprintf
0000000000602050 R_X86_64_JUMP_SLOT time
0000000000602058 R_X86_64_JUMP_SLOT __xstat
0000000000602060 R_X86_64_JUMP_SLOT malloc
0000000000602068 R_X86_64_JUMP_SLOT __isoc99_sscanf
0000000000602070 R_X86_64_JUMP_SLOT execvp
0000000000602078 R_X86_64_JUMP_SLOT sprintf
0000000000602080 R_X86_64_JUMP_SLOT strdup
0000000000602088 R_X86_64_JUMP_SLOT strerror
$ ltrace ./script2
__libc_start_main(0x40147d, 1, 0x7fff1c8bd988, 0x401540, 0x4015d0
atoll(0x6020c0, 11, 0, 92, 0x7fdc0795f300) = 0x4f0f26a8
time(NULL) = 1327077060
__errno_location() = 0x7fdc07b626a8
__errno_location() = 0x7fdc07b626a8
fprintf(0x7fdc0795e860, "%s%s%s: %s\n", "./script2", "", "", "has expired!\nSeems the Devils Lu"..../script2: has expired!
Seems the Devils Luck prevails yet. Use Time Machine to overcome it
) = 92
+++ exited (status 1) +++

main is at 0x400f99; running in gdb.

Some constants at the beginning:
gdb$ x/s 0x602ce0
0x602ce0: "has expired!\nSeems the Devils Luck prevails yet. Use Time Machine to overcome it"
gdb$ x/s 0x6020c0
0x6020c0: "1326393000"

First check to bypass:
if (_atoll("1326393000") < _time(0)) goto end
b *0x400ffd
Some variables after memcpy():

0x6020cd: "/bin/sh"
0x6020d5: "-c"
0x602ccf: "exec '%s' \"$@\""
0x602cdf: ""
0x602d71: "location has changed!"
0x602d42: "location has changed!"
0x602d71: "location has changed!"
0x602d5d: "abnormal behavior!"

0x604170: "exec '/path/to/script2' \"$@\""
b *0x4010ed for some check results from 0x400f99:

0x602d89: ""
gdb$ x/s 0x602280
0x602280: "#!/bin/sh\n", '#' ...
0x602cb9: "shell has changed!"
0x602d8b: "shell has changed!"

gdb$ dump binary memory dump.raw 0x602280 0x602d00

dump.raw is a shell script, and here is the interesting part:

    flagreq=0
    if [ $flagreq -eq 1 ]
    then
        echo "Nature has neither kernel nor shell; she is everything at once"
    fi


Flag: Nature has neither kernel nor shell; she is everything at once

Level 5: Got Dumped :(

$ file lol.dmp
lol.dmp: MDMP crash report data
Some information extracted using Visual Studio:
Last Write Time: 08.01.2012 14:38:14
Process Name: Stub.exe : E:\Projects\Nullcon 2012\HackIM\RE2\Stub\Release\Stub.exe
OS Version: 5.1.2600

Modules:
Stub.exe E:\Projects\Nullcon 2012\HackIM\RE2\Stub\Release\Stub.exe 0.0.0.0
ntdll.dll C:\WINDOWS\system32\ntdll.dll 5.1.2600.5512
kernel32.dll C:\WINDOWS\system32\kernel32.dll 5.1.2600.5512
user32.dll C:\WINDOWS\system32\user32.dll 5.1.2600.5512
gdi32.dll C:\WINDOWS\system32\gdi32.dll 5.1.2600.5512

Stack:
> deadbabe()
Stub.exe!00401290()
[Frames below may be incorrect and/or missing, no symbols loaded for Stub.exe]
Stub.exe!00402921()
kernel32.dll!7c817067()

The asm code at 0x401000 before the crash:
push    ebp
mov ebp, esp
push 0FFFFFFFEh
push offset dword_409598
push offset sub_402730
mov eax, large fs:0
push eax
sub esp, 24h
mov eax, dword_40A004
xor [ebp-8], eax
xor eax, ebp
mov [ebp-28], eax
push ebx
push esi
push edi
push eax
lea eax, [ebp-16]
mov large fs:0, eax
mov [ebp-24], esp
mov eax, dword_409270
mov [ebp-48], eax
mov ecx, dword_409274
mov [ebp-44], ecx
mov edx, dword_409278
mov [ebp-40], edx
mov eax, dword_40927C
mov [ebp-36], eax
mov cx, word_409280
mov [ebp-32], cx
mov dl, byte_409282
mov [ebp-30], dl
push 0DEADBABEh
retn

This function prepares the stack this way:
deadbabe push deadbabe
e0442488 push eax - esp is pointing here
fffffffe push edi
00000000 push esi
00000001 push ebx
fffffffe uninitialized value -2

bc9398a4 *(409270)
a184818f *(409274)
82839b8f *(409278)
0000978f *(40927C)
00000000 *(409280)2bytes + *(409282) 2bytes
e0442488 0x0E056DBB8 xor ebp (0x12FF30)
0012feec (esp)
e0164840 uninitialized value 4093F8? // SEH is prepared here
0012ffb0 large fs:0 (pointer to next seh)
00402730 //Address to jump on exception like 0xdeadbabe
e0164e20 0x409598 xor 0x0E056DBB8 (*40A004) exception_handler_table
fffffffe

0012ffc0 saved ebp - ebp is pointing here
00401290 saved eip


After the crash the exception handler function @00402730 will be called.

The pushed value A49893BC8F8184A18F9B83828F97 looked like an encrypted flag to me.

At first I thought the exception handler had to be called, and the flag would then be decrypted and shown to the user.

If you scroll down a little you will notice this piece of code.

004010DA  /.  33F6          XOR ESI,ESI
...
004010F2 |> FE4435 D0 /INC BYTE PTR SS:[ESI+EBP-30]
...
00401106 |. 304435 D0 |XOR BYTE PTR SS:[ESI+EBP-30],AL
0040110A |. 46 |INC ESI
...
00401113 |.^ 7C DD \JL SHORT 004010F2
...
00401117 |. 68 84924000 PUSH OFFSET 00409284 ; Pointing to the string "Flag"



This looks like the code that transforms the flag: every byte is incremented and then XORed with another byte. I guessed that the XOR byte is always the same, so I wrote a simple brute-forcer in Python.

flag = "A49893BC8F8184A18F9B83828F97"

for key in range(256):
    out = ""
    for i in range(0, len(flag), 2):
        c = int(flag[i:i+2], 16) + 1     # INC BYTE PTR [ESI+EBP-30]
        out += chr((c ^ key) & 0xFF)     # XOR BYTE PTR [ESI+EBP-30], AL
    print(out)


The output looked like this:
KwzS~lkL~rjm~v
Jv{RmjMsklw
UidM`ruR`lts`h
TheLastSamurai
WkfObpwPbnvqbj
VjgNcqvQcowpck
Qm`IdvqVdhpwdl


Flag: TheLastSamurai
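As an added example (not part of the original writeup), this shows how the little-endian stack dwords listed above reassemble into the encrypted buffer, and a brute force that mirrors the INC/XOR loop at 0x4010F2 while keeping only fully printable candidates. The dword values are taken from the stack listing; the buffer length of 14 is an assumption based on the 14 hex byte pairs quoted.

```python
import struct

# Dword values as they appear in the stack listing (little-endian words
# copied from 0x409270..0x409282); only 2 bytes of the last one are used.
STACK_DWORDS = [0xbc9398a4, 0xa184818f, 0x82839b8f, 0x0000978f]


def rebuild_buffer(dwords, length=14):
    """Reassemble the byte buffer the stub copied to [ebp-48..] (length assumed)."""
    raw = b"".join(struct.pack("<I", d) for d in dwords)
    return raw[:length]


def decode(buf, key):
    """Mirror the loop at 0x4010F2: INC each byte, then XOR it with the key in AL."""
    return bytes(((b + 1) & 0xFF) ^ key for b in buf)


def brute_force(buf):
    """Try every single-byte key; keep only results that are all printable ASCII."""
    hits = []
    for key in range(256):
        out = decode(buf, key)
        if all(0x20 <= c < 0x7F for c in out):
            hits.append((key, out.decode("ascii")))
    return hits


if __name__ == "__main__":
    buf = rebuild_buffer(STACK_DWORDS)
    print(buf.hex())
    for key, text in brute_force(buf):
        print(f"{key:3d} (0x{key:02x}): {text}")
```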




For corrections and other feedback send me an e-mail to bashrc at intruded dot net
