PWNing 2017 CTF - Uber Keygen Reverse Engineering task
Hello guys
Honestly, I haven't had much time lately. But I'm on holiday now and I will update the blog as soon as possible, because I have solved a few interesting tasks. Today I'm going to show you how to crack the Uber Keygen challenge. This reversing exercise is from PWNing CTF 2017. Honestly, I had some problems with this task, but finally I can do a write-up and I'm happy about it. :) Let's get started.
From our earlier analysis we already know that we should look for the call and cmp instructions. So let's take a look at the checkFlag function.
From the first picture we can deduce that the argument passed into checkFlag is the password typed by the user, so we can rename the mysterious var_18 to the more familiar password. var_4 holds a single byte taken from this password. add rax, <something> means "point rax at byte <something> of the password"; for example add rax, 1Ch (28 in decimal) selects the character at index 28 (counting from zero). sar is shift arithmetic right: it shifts the loaded byte right by the given number of bit positions, so the bit we are interested in lands in bit 0. and eax, 1 then masks off everything but that bit, and the cmp instructions compare the result with 0 or 1 and jump to the next block when it matches. In other words, each block tests exactly one bit of one character of the password.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
So far we have these conclusions:
1) add rax, <something> -> <something> is the index of a character in the flag
2) sar eax, <something> -> <something> is the bit position being tested; sar moved that bit down to position 0, so we undo it by shifting a 1 left by the same amount (1 << <something>)
3) cmp [rbp+char_from_this_password], 0 -> the bit must be 0, so it contributes nothing to the character and we can ignore this check
4) cmp [rbp+char_from_this_password], 1 -> the bit must be 1; these checks are the key to reconstructing the character
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IDA shows that the blocks of code repeat, and this is very good news for us. Look at my write-up about Simple-Keygen: https://shizz3r.blogspot.com/2018/06/pwning-2017-ctf-simple-keygen-reverse.html#more. In that challenge we used regular expressions to pull values out of the assembly listing, and we will repeat that approach here. First, copy the whole checkFlag function from IDA into a text file, which may look like this:
Here is the code I wrote to crack the password (except one letter :) ):
Some parts of the above code need explaining.
First:
Several blocks of code test the same character index. So we have to accumulate the value from every block that shares an index with an earlier one:
(ascii_of_the_char += (1 << bit_to_check))
Second:
The binary checks the ASCII value of each character with sar, which is shift arithmetic right. To recover the correct character we reverse it with a shift left: a bit that must be 1 at position bit_to_check contributes 1 << bit_to_check:
(ascii_of_the_char += (1 << bit_to_check))
Third:
When do we know that we should move on to the next character and reset ascii_of_the_char? When bits_counter reaches 8, because an unsigned char is exactly 1 byte == 8 bits:
    if bits_counter > 8:
        bits_counter = 1
    if bits_counter == 1 and bit_to_check_is_one:
        ascii_of_the_char = 1
    elif bits_counter == 1 and not bit_to_check_is_one:
        ascii_of_the_char = 0
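To make the regex approach concrete, here is an added, self-contained Python example; it is not the cracking script from the original post above. It builds a constructed IDA-style listing of checkFlag from a known flag, one block per (index, bit), using the instruction pattern described in this write-up (add rax, <index> / sar eax, <bit> / and eax, 1 / cmp [rbp+var_4], 0 or 1). The surrounding mov/movzx/jnz instructions, the operand spellings and the label loc_fail are assumptions. It then parses the listing back with regular expressions and rebuilds the password by accumulating 1 << bit per index. The blocks are shuffled, so the parser keys on the index from add rax instead of on a running bit counter, and any index that is not constrained on all 8 bits is reported as '?', which is exactly the kind of letter you end up guessing by hand.

```python
import random
import re


# --- constructed listing generator (sample input, not a real dump) ---------
# Mimics the repeating checkFlag blocks described above. The exact instruction
# sequence, operand spellings and the loc_fail label are assumptions.
def ida_imm(n: int) -> str:
    """Render an immediate the way IDA prints it: decimal below 10, otherwise
    hex with an 'h' suffix and a leading 0 when the first digit is a letter."""
    if n < 10:
        return str(n)
    s = f"{n:X}h"
    return s if s[0].isdigit() else "0" + s


def ida_int(tok: str) -> int:
    """Inverse of ida_imm: '1Ch' -> 28, '0Ah' -> 10, '5' -> 5."""
    return int(tok[:-1], 16) if tok.endswith("h") else int(tok)


def emit_block(index: int, bit: int, expect: int) -> str:
    """One block that tests bit `bit` of password[index] against `expect`."""
    lines = ["mov     rax, [rbp+password]"]
    if index:                       # a compiler emits no add for index 0
        lines.append(f"add     rax, {ida_imm(index)}")
    lines.append("movzx   eax, byte ptr [rax]")
    if bit:                         # and no sar for bit 0
        lines.append(f"sar     eax, {bit}")
    lines += ["and     eax, 1",
              "mov     [rbp+var_4], eax",
              f"cmp     [rbp+var_4], {expect}",
              "jnz     loc_fail"]
    return "\n".join(lines)


def build_listing(flag: str, seed: int = 1) -> str:
    """Every (index, bit) of `flag` checked once, in shuffled order, so blocks
    that share an index are not adjacent in the listing."""
    blocks = [emit_block(i, b, (ch >> b) & 1)
              for i, ch in enumerate(flag.encode()) for b in range(8)]
    random.Random(seed).shuffle(blocks)
    return "\n".join(blocks)


# --- the regex parser: the part you would run on the real IDA text dump ----
RE_BASE = re.compile(r"\s*mov\s+rax,\s*\[rbp\+password\]")
RE_ADD = re.compile(r"\s*add\s+rax,\s*([0-9A-Fa-f]+h|\d+)")
RE_SAR = re.compile(r"\s*sar\s+eax,\s*(\d+)")
RE_CMP = re.compile(r"\s*cmp\s+\[rbp\+var_4\],\s*([01])\b")


def parse_listing(listing: str) -> dict[int, dict[int, int]]:
    """Walk the disassembly and collect {index: {bit: expected_value}}."""
    bits: dict[int, dict[int, int]] = {}
    index = bit = None
    for line in listing.splitlines():
        if RE_BASE.match(line):
            index, bit = 0, 0       # fresh pointer: defaults when add/sar are absent
        elif (m := RE_ADD.match(line)):
            index = ida_int(m.group(1))
        elif (m := RE_SAR.match(line)):
            bit = int(m.group(1))
        elif (m := RE_CMP.match(line)) and index is not None:
            bits.setdefault(index, {})[bit] = int(m.group(1))
            index = bit = None      # block consumed; wait for the next base load
    return bits


def missing_bits(bits: dict[int, dict[int, int]]) -> list[int]:
    """Indices not constrained on all 8 bits: the letters you would have to guess."""
    length = max(bits) + 1 if bits else 0
    return [i for i in range(length) if len(bits.get(i, {})) < 8]


def recover(bits: dict[int, dict[int, int]]) -> str:
    """Undo sar/and: every bit that must be 1 contributes 1 << bit, and the
    cmp-0 blocks contribute nothing. Under-constrained positions become '?'."""
    out = []
    for i in range(max(bits) + 1 if bits else 0):
        checks = bits.get(i, {})
        if len(checks) < 8:
            out.append("?")
        else:
            out.append(chr(sum(1 << b for b, v in checks.items() if v)))
    return "".join(out)


if __name__ == "__main__":
    flag = "pwn{instrumented_run_one_bit_at_a_time}"
    listing = build_listing(flag)
    print("\n".join(listing.splitlines()[:8]))   # one sample block
    parsed = parse_listing(listing)
    print(recover(parsed), missing_bits(parsed))
```

Keying the accumulator on the index taken from add rax (rather than counting eight cmp instructions per character) makes the result independent of block order, and missing_bits tells you which position is under-constrained before you start guessing letters.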
I think the rest of the program is self-explanatory. And here is our flag:
The correct flag is pwn{instrumented_run_one_bit_at_a_time}. My script got one letter wrong, and in a CTF there often isn't time to hunt for a small mistake in the code; with a readable phrase like this, a single wrong character is easy to guess.
Thanks for your attention and I hope you enjoyed it. :)