[CTF Series #1] Write-up on the reverse engineering challenge.

Objective:
To get the flag from the binary (ELF) file.

Topics Covered:
1. Radare2, x32/x64 dbg
2. Linux Command (objdump, awk, cut and grep)
3. Python Scripting

Procedure:
Here are the ideas on how to solve this challenge :D. Let’s perform static analysis on the binary file by using radare2 in linux machine (my favourite debugging tools).

After glance through the assembly codes, the binary looks like will receive a file as parameter and read it. It has a check and goodboy function looks that looks suspicious that will need further invertigation on it.

The code snippet on the left is the check function. It was very obvious that the value of eax register will compare with the value in the [local_8h] also known as ebp-0x08h to continue with its process. Then, try to look upwards to understand where does the value of eax and [local_8h] comes from. There is a xor operation on the al (the lower bytes of the eax) with a constant value. If the compared value is not the same, it will goes to badboy function in which the programme will terminated :(

So, we just need to get the value of the eax that equals to the compared value to prevent the code run the badboy function. Since the xor operation is reversible, then we can get the correct eax value by xor the constant with the [local_8h] (e.g 0xf7 ^ 0xa3). However, there are too many blocks of code that the be xor. So, it cannot be done manually, therefore a script is needed to make our life easier. But before to write the script, we need to extract and filter all the unnecessary opcode. Objdump will help us here.

objdump -d -M intel ch30.bin

Hmm. The results are very long and we need to do some filter on it. Here, i will use the linux string manipulator command: awk, cut and grep. I will leave the command used here and i wont explain it in detail. The command here was mixed with the command in the available writeup (only can be access after challenge solved opss…, thus some of the the awk and cut command are redacted with ‘x’ character).

objdump -d -M intel xxx | awk -F'xx' -v RS="xxxx" 'xxxxxxxxxx' | cut -fx | grep "some mov and xor"

Here are the important opcode needed to solve this challenge. In order to get the hex code inside these large piece of opcode, i wrote a python script to automate all the process. Here is the code snippet.

Basically, the idea is to using regex and conditional operation to filter out all the unnecessary strings then xor them to get the flag. But somehow there are some value that didn’t get xor at all. So, you have to figure it out by yourself to cope with such situation :D

After everything was done correctly, a base64 encoded strings appeared. After the strings get decoded, an EXE file appear (It can be recognised by the MZ in the header of the output, you can do some research on the File Signature). Wow! A file in a file. Then, let’s move on in the windows machine (You can continue with radare2 or IDA pro in your linux machine).

From the code snippet, it can be seen that the overall function of the EXE file is same with the previous ELF file. So, the same solution can be apply to solve the problem (You just need do some minor changes on the grep line and the code used to get the EXE).

Finally! The flag comes out as i expected.

That’s all for the write up, I hope you guys did enjoy my first ever write up on reverse engineering challenge. Cheers! I’m also hope that i can continue to publish some write up for the interesting challenges in the future.

Buy me a Pizza 🍕?

--

--

--

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

[LeetCode]Find in Mountain Array

Trainer Joe: Get DeFit — veJOE

Drupal Development Environments: Frankenstein-ed Happenings

Manage your multiple client projects in Azure DevOps

Rationalizing your redundant systems

After Covid-19, are programmers entitled to work from home?

Leetcode 633. Sum of Square Numbers

Ahh.. The Linux Terminal

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
GhouLSec

GhouLSec

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec

More from Medium

Library Writeup

The toddler’s introduction to Heap exploitation (Part 2)

HackTheBox [FORGE]

HACK THE BOX — PAPER WALKTHROUGH