[CTF Series #6] Brute Force With Assembly

Firstly, I need to say thank you to woitheuk for this reverse challenge because I only manage to solve this by referring to his writeup. In this article, I will demonstrate on how to write a simple assembly code to brute force the flag from the binary file as the previous writeup didn’t mention on the steps to implement the code in detailed manner. It was a very interesting solution since it is less likely to have people solve a reverse challenge by writing a assembly code and execute directly inside the binary file.

Topics Covered

  • Write a simple assembly brute force code on x32 dbg

Descriptions

  1. Find the location to store the printable characters in .data segment.

In order to find the correct segment to insert the value, go to the memory map section and look for the data segment with the Protection “RW”.

The Write in the memory rights enable the overwritting of the code that can be access by the code instruction. If not there will have EXCEPTION_ACCESS_VIOLATION during debugging process.

In this article, I will just store all those user declared value on the memory dump address with Protection Writeable, which is the .datasegment in this case. There is a way to modify the memory rights in the memory map by Right-click the highlighted address > Set Page Memory Rights > Select All > FULL ACCESS > Set Rights.

Memory Map -> .data (Readable/Writeable)
Set Memory Rights

Check for the dump of the .datasegment and determine the location to store the index count and the printable characters. Then, go to the memory dump section and Right click > Binary > Edit.

Right click -> Binary -> Edit
Insert all the printable character in the ASCII box.

After that, remember the addresses that used as the index count and the strings.

i. Address for index count = 0x00103020
ii. Address for string array = 0x00103030

It will looks like this after all the data insertion was done 😬

Let’s look at the code to get some idea on how it works.

Compare the length of the argument with 0x2 (2 in decimal)
Compare the length of the user input with 0x18 (24 in decimal)
Validation of the user input

At address 0x00101060, the user input will pass to bl register for further manipulation and check whether it is correct or not. The jp (jump parity) will perform the checking to check the validity of the password. The cmp instruction at address 0x001010AE will effect the output of the binary as the cmovne (Conditional move not equal) only works if execution of the instruction in 0x001010AE makes zf=0.

Now its time for write the brute force script within the assembly code.
There will have two parts of code need to be done:
1. Modification of the jump instruction into the specific address.
2. New code section for the strings iteration.

Check the comment section on the right hand side of the picture for the code descriptions.

Code modification on jump instruction

It begins by assigning 0 into the address of the index count (0x00103020). All destination of the jp instruction change to the beginning address of the string iteration section (0x001010D6) as when the value goes wrong, it will loop into next character in the string array and revalidate again.

Code for string iteration

As for the string iteration coding, i had commented on the written code that briefly explain on how it works in higher level language.

Place the breakpoint at the address 0x001010A7 and press F9 to keep it run until it hits the breakpoint. Check the memory dump of the ESI register to obtain the flag.

Flag get!!!

References

https://github.com/WargamesMY/2018
https://x64dbg.com/blog/

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec