# Reverse Engineering
ChallengeLink
Sanity-check (57 pts)Here
lumine's-license (120 pts)🥇Here
lumine's-license-revenge (120 pts)🥇Here
## Sanity-check (57 pts) ### Description \- ### Solution Diberikan file ELF 64 bit , terlihat dari pseucodenya bahwa dilakukan pengecekan panjang dan nilai dari flag, dimana pengecekan nilai flagnya menggunakan perhitungan aritmatika.
Jadi untuk menyimpan tenaga di soal selanjutnya maka untuk soal ini kami gunakan automated tools yaitu angr, dan ternyata bisa dan cepat selesainya. Berikut script yang kami gunakan berdasarkan referensi dari ```python import angr import claripy target = angr.Project('./sanity') base_address = 0x400000 desired_adr = base_address + 0x1712 wrong_adr = base_address + 0x173B len_flag = 34 flag = claripy.BVS('flag', len_flag*8) entry_state = target.factory.entry_state(args=["sanity", flag]) simulation = target.factory.simulation_manager(entry_state) simulation.explore(find = desired_adr, avoid = wrong_adr) flag_int = simulation.found[0].solver.eval(flag) res = "" for i in range(len_flag): res = chr(flag_int & 0xff) + res flag_int = flag_int >> 8 print(res) ``` Flag : IFEST2021{ch3ck\_ch3ck\_4nd\_23ch3ck} ## lumine's-license (120 pts) ### Description \- ### Solution Diberikan file ELF 64 . Selanjutnya kami coba membukanya menggunakan IDA. Karena beberapa nama fungsi tidak terbaca pada IDA maka kami gunakan bantuan dari gdb.
Jadi intinya program diatas melakukan write library ke directory tmp lalu memanggil fungsi licenseCheck dimana input kita digunakan sebagai argumen pada pemanggilan fungsi tersebut. Jadi pertama kita perlu mendapatkan file library tersebut terlebih dahulu
Breakpoint pada pemanggilan fungsi openlib untuk mengetahui address dimana input kita disimpan dan lokasi library
Salin library tersebut dan analisis menggunakan IDA. Ternyata file library tersebut dibuat menggunakan GO , berikut inti dari fungsi license check ```c for ( i = 0LL; i < v6; i = v21 ) { v20 = i; v11 = *(unsigned __int8 *)(result + i); if ( v11 >= 128 ) { runtime_decoderune(a1, a2, i, v6, v3, v4); LOBYTE(v11) = v17; v9 = v18; } else { v9 = (void *)(i + 1); } v10 = off_110328[0]; v12 = (unsigned __int8)(v11 + 55); if ( (__int64 *)v12 >= off_110328[0] ) runtime_panicIndex((__int64)off_110328[0], (__int64)v9); v21 = (__int64)v9; v14 = runtime_bss; v13 = *((_QWORD *)main_crc_table + v12); math_rand___Rand__Seed((__int64)off_110328[0], (__int64)v9); for ( j = 0LL; j < 5; j = v19 + 1 ) { v19 = j; math_rand_Int((__int64)v10); result = v14; if ( v20 >= qword_110348 ) runtime_panicIndex((__int64)v10, (__int64)v9); v9 = main_license[3 * v20 + 1]; v10 = (__int64 *)v19; if ( v19 >= (unsigned __int64)v9 ) runtime_panicIndex(v19, (__int64)v9); if ( *((_QWORD *)main_license[3 * v20] + v19) != v14 ) return result; } a2 = v22; a1 = v21; result = v22; v6 = v16; } ``` Karena pada binary golang hasil decompile cukup lumayan abstract, maka untuk mempermudah analisis nya kita lakuakn dengan dynamic analysis. Caranya set hardware breakpoint ke address dari input kita
Lalu continue kemudian finish sampai masuk ke binary golang
Selanjutnya kita sudah masuk ke binary golang
Pada saat dynamic analysis kita ketahui bahwa input kita ditambah 0x1337 kemudian dijadikan sebagai index pada main\_crc\_table , jadi lakukan dump pada main\_crc\_table
Nantinya nilai tersebut dijadikan sebagai argumen random seed lalu dilakukan pemanggilan fungsi random dan dibandingkan dengan hardcode value pada binary. Disini saya melakukan parsing terhadap nilai dari hardcode value tersebut menggunakan gdb scripting , berikut script yang saya gunakan ```python #!/usr/bin/python3 static_val=[] class SolverEquation(gdb.Command): def __init__ (self): super (SolverEquation, self).__init__ ("solve-equation",gdb.COMMAND_OBSCURE) def invoke (self, arg, from_tty): global static_val gdb.execute("b *0x00007ffff6ab9bed") # address cmp rdx,rax for i in range(65*5): # length flag gdb.execute("c") val = addr2num(gdb.selected_frame().read_register("rdx")) gdb.execute("set $rax=$rdx") static_val.append(val) print(static_val) def addr2num(addr): try: return int(addr)&0xffffffffffffffff except: return long(addr) # Python 2 SolverEquation() ``` Selanjutnya tinggal melakukan reverse pada alur tersebut , generate semua nilai random menggunakan golang dengan seed dari 0 sampai 255. Karena pengecekan dilakukan 5 kali namun nilai pengecekan adalah 64 bit maka kami asumsikan untuk range 0-255 tidak ada nilai random yang sama dengan seed tersebut , jadi kami cukup gunakan nilai random pertama. Lakukan pencarian index dari nilai pembanding lalu bruteforce nilai flag yang menghasilkan index tersebut berdasarkan perhitungan aritmatika pada index dan array crc table. Berikut solver yang kami gunakan ```go package main import ( "fmt" "math/rand" ) func main() { for i, val := int64(1), int64(257); i
Flag terpotong namun masih bisa ditebak yaitu mine} , disini terpotong karena salah di jumlah looping yang dilakukan saat pengambilan nilai pembanding. Flag : IFEST2021{what\_you\_cracking\_lumine\_license?\_vengeance\_will\_be\_mine} ## lumine's-license-revenge (120 pts) ### Description \- ### Solution Diberikan file ELF 64 bit , selanjutnya kami coba analisis menggunakan IDA.
Terdapat pengecekan ptrace diawal kemudian dilakukan penulisan file library di /tmp , disini ketika kami lakukan breakpoint pada openlib anehnya file library pada tmp size nya 0 atau tidak ada isinya , jadinya kami lakukan breakpoint pada fwrite pada packer kemudian lakukan memory dump berdasarkan argument fwrite tersebut. Bypass ptrace
Selanjutnya kami buka file result.bin , isinya kurang lebih sama , hanya berbeda pada nilai dar crc table dan juga pembandingnya , jadi tinggal lakukan hal yang sama seperti pada lumine’s-license. Sebelum itu karena file .so nya tidak kewrite ( size 0 ) jadi tinggal lakukan copy result.bin ke nama file .so yang sesuai dengan nilai pada saat pemanggilan fungsi openlib. Berikut solver yang kami gunakan ```python crc_table = [0x0, 0x2d, 0x5a, 0x77, 0xb4, 0x99, 0xee, 0xc3, 0x45, 0x68, 0x1f, 0x32, 0xf1, 0xdc, 0xab, 0x86, 0x8a, 0xa7, 0xd0, 0xfd, 0x3e, 0x13, 0x64, 0x49, 0xcf, 0xe2, 0x95, 0xb8, 0x7b, 0x56, 0x21, 0xc, 0x39, 0x14, 0x63, 0x4e, 0x8d, 0xa0, 0xd7, 0xfa, 0x7c, 0x51, 0x26, 0xb, 0xc8, 0xe5, 0x92, 0xbf, 0xb3, 0x9e, 0xe9, 0xc4, 0x7, 0x2a, 0x5d, 0x70, 0xf6, 0xdb, 0xac, 0x81, 0x42, 0x6f, 0x18, 0x35, 0x72, 0x5f, 0x28, 0x5, 0xc6, 0xeb, 0x9c, 0xb1, 0x37, 0x1a, 0x6d, 0x40, 0x83, 0xae, 0xd9, 0xf4, 0xf8, 0xd5, 0xa2, 0x8f, 0x4c, 0x61, 0x16, 0x3b, 0xbd, 0x90, 0xe7, 0xca, 0x9, 0x24, 0x53, 0x7e, 0x4b, 0x66, 0x11, 0x3c, 0xff, 0xd2, 0xa5, 0x88, 0xe, 0x23, 0x54, 0x79, 0xba, 0x97, 0xe0, 0xcd, 0xc1, 0xec, 0x9b, 0xb6, 0x75, 0x58, 0x2f, 0x2, 0x84, 0xa9, 0xde, 0xf3, 0x30, 0x1d, 0x6a, 0x47, 0xe4, 0xc9, 0xbe, 0x93, 0x50, 0x7d, 0xa, 0x27, 0xa1, 0x8c, 0xfb, 0xd6, 0x15, 0x38, 0x4f, 0x62, 0x6e, 0x43, 0x34, 0x19, 0xda, 0xf7, 0x80, 0xad, 0x2b, 0x6, 0x71, 0x5c, 0x9f, 0xb2, 0xc5, 0xe8, 0xdd, 0xf0, 0x87, 0xaa, 0x69, 0x44, 0x33, 0x1e, 0x98, 0xb5, 0xc2, 0xef, 0x2c, 0x1, 0x76, 0x5b, 0x57, 0x7a, 0xd, 0x20, 0xe3, 0xce, 0xb9, 0x94, 0x12, 0x3f, 0x48, 0x65, 0xa6, 0x8b, 0xfc, 0xd1, 0x96, 0xbb, 0xcc, 0xe1, 0x22, 0xf, 0x78, 0x55, 0xd3, 0xfe, 0x89, 0xa4, 0x67, 0x4a, 0x3d, 0x10, 0x1c, 0x31, 0x46, 0x6b, 0xa8, 0x85, 0xf2, 0xdf, 0x59, 0x74, 0x3, 0x2e, 0xed, 0xc0, 0xb7, 0x9a, 0xaf, 0x82, 0xf5, 0xd8, 0x1b, 0x36, 0x41, 0x6c, 0xea, 0xc7, 0xb0, 0x9d, 0x5e, 0x73, 0x4, 0x29, 0x25, 0x8, 0x7f, 0x52, 0x91, 0xbc, 0xcb, 0xe6, 0x60, 0x4d, 0x3a, 0x17, 0xd4, 0xf9, 0x8e, 0xa3] rand_val = [5577006791947779410,1543039099823358511,6640668014774057861,2244708090865615074,7414159922357799360,3305628230121721621,8475284246537043955,4151935814835861840,33637761161952934,5221277731205826435,843730692693298265,5920220759044228662,1867598462707500820,6983250812964535273,3758955014375802183,8983684945297836708,4857682683582858106,504964077767592151,5674494734864815533,1529696544168006410,6716322972832630888,2336222419191169341,7490268378518980123,3435842073965383672,8265398494186050766,4181354163708859819,109644547962523393,5208419189196424286,1997484376588750140,7170856948881707665,3096034203233537903,7976952885284408524,3907598285724783138,9005749761689705215,4940269171359879125,562108776949057970,5677982989783584400,1627080603035261797,6487165804597876931,2413392765264322080,7583692527210419958,3440579354231278675,251513763977812265,5413015802706811526,1286953267001023460,6221915760995177657,2131792501560531351,7242948915431007092,3191372560272332874,7980955223660909863,3893522058333705853,9089160393923123162,4962825957129609400,640689511373858317,5808350187452060395,1699320416679203912,7734251198537064862,3625335277596597883,8742171837404537681,4686835390834924846,371726973825147404,5468946319893389025,1434841208743649343,6244971197480001948,2132891175288101490,7305500510606483407,3195588658657258661,8076863717714554370,4049952640584604512,9145552407857028149,5976249522851863827,1887287744869459696,6968770674466368454,2912563419380967587,7738200939323288057,3650210942611531606,8870694286263313460,4483587699270576521,395109794268767847,5546554562088839108,1421548406427776282,6318095958501225975,2229795846362309325,7380189774069719210,4192423822581491080,83919117275411037,5224138235137373115,1153115817264279832,5962362153924129262,1891341967343133515,7058674695343435809,2701145264672043390,7870139286188142300,3798911674434236337,8904391377063935119,4539983056484153964,471945069774843714,5568959583171603487,2431074399724039541,7530908113823513298,3458446502666714032,8630057722575452421,4197053122619582947,114101309358254912,5300321450371709078,1173753986978658675,6111904775574730313,2021376072520218662,7136346967742904580,2794397338261894617,7873316981833414455,3791853067300730004,8979110119208203626,5720157575853032135,1682346040150214557,6868751741434053882,2455432726962713176,7605419046915322669,3517276477450502155,8633694140516516328,4298591892051934910,265214635311284123,5361704182646325489,1034712584668954190,6131264207482994476,2024464587623873665,7194998065524326751,3951430161546133180,9122524665446534162,5093049506799537391,679297032929229381,5869187428135123874,1777995026331355264,6853629930839330261,2530261893322328755,7629850207798462480,3595783557180180838,8482983218023220803,4374144623231470361,284902264973935862,5438166484635305428,2173181796696770217,7362134789251011591,3270957568700175716,8135329800540996154,4083397992257357719,16728625015443565,5116652288554160586,755390686555738920,5855808307149705213,1782735040914277595,6949389388498079416,2590055109414196110,7776363141409525867,3695662976279072193,417409108466110238,5588169032586501116,1516119462828167505,6611459435000990255,2324307252517342092,7422242948838739170,3348298096488716735,8230147854535564949,4094260983529117810,5606810724879696,5194011423408789029,778884831776839555,6000020788127979744,1911130342819435958,7891932283352816403,3838965923706053609,8916903960471279942,4852714765607212708,510813498707874681,5663492986607654999,1575305934992810548,6471186846909277962,2346974814041448423,7499875904862065988,3409139274810266266,8243093277513588599,4188304131653477581,151794608759053738,6116370591994651400,2078480718903798877,7177553516403629371,3068703584258204184,7951067382816119790,3843288906732150987,8984818092324268449,4695904353088909054,588134211321916508,5758772346473060657,1648990527395470991,6456593632460367724,2422629169789512898,7520416741290354207,4355733112234748661,304877456117898194,5418234919562519984,1328773758399916677,6191541784334492515,2063974025443682496,7253959442559513110,3163853692856136435,8029045110994184265,3981322459343921446,9132102333929367172,4721020347380756441,646815681151218871,5760166840965869972,1669986547964243818,7759169960989729863,3634066516662693149,8822616177788809850,4452305747960458200,307895667843543213,5477979376681726475,1404349533080353512,6214507853684879422,2213962014026934683,7311658561229942385,2951839603696565070,8127732579850238252,3985623230370905601,9117985992006104799,5949580584562502716,1823767318043162002,7044690812865837679,2684347161044907973,7780889967971939490,3711063127928076800,8850214224129524565,4457955327924451379,404360543726761232,5553153239972181734,1175872179778058179,6360417749801762969,2236448430661273078,7389049080527257428,4168614439200142377,63663649728496007,5231658302155358820,910650991074280378,6008116629520284951,1969284747103437293,7068728357567299274,2670400153008799912,7860507033804635517,3739746349940734555,8638909380838653880,4586232567201663246,478703219369283051,5646513961354197825,2404623999413943326,7503464871359937916] cmp_value = [7311658561229942385, 965425327336957467, 6534480070166635653, 5060194421483947492, 3076430102628446336, 1543039099823358511, 2444694468985893231, 474893212811123542, 1097372909064907392, 5665646427999639242, 2131792501560531351, 896740308936338827, 7385961883997524074, 4913289931853794380, 1541381341132833816, 5546554562088839108, 574101237670530390, 7323515782795309376, 283331026935465882, 7110503023052586787, 6131264207482994476, 8151587946992462082, 4972276579074893495, 4098413521811790178, 6459474213772735345, 4686835390834924846, 2027712301985422765, 5511182398921371444, 2048462211564489190, 5072722827237429764, 8630057722575452421, 7352901384129712505, 3244579555511559864, 5890121257593901481, 9108079788524738934, 4686835390834924846, 2027712301985422765, 5511182398921371444, 2048462211564489190, 5072722827237429764, 4857682683582858106, 2327090483396309081, 3613784090314853756, 698076293205660725, 1899521683292490282, 5413015802706811526, 8329303007219115323, 8023429357096944597, 348348948830695939, 2497133846171838139, 5976249522851863827, 5216240840118466837, 5199664480467286354, 9098005140277247765, 5361130560580970253, 1823767318043162002, 5102452004530278588, 4980406996901871422, 4836773677668530144, 4443820979336851402, 2213962014026934683, 6618313290521004795, 658601228953619277, 8323351277983587206, 175473632067485719, 1823767318043162002, 5102452004530278588, 4980406996901871422, 4836773677668530144, 4443820979336851402, 1823767318043162002, 5102452004530278588, 4980406996901871422, 4836773677668530144, 4443820979336851402, 2213962014026934683, 6618313290521004795, 658601228953619277, 8323351277983587206, 175473632067485719, 1823767318043162002, 5102452004530278588, 4980406996901871422, 4836773677668530144, 4443820979336851402, 1823767318043162002, 5102452004530278588, 4980406996901871422, 4836773677668530144, 4443820979336851402, 1823767318043162002, 5102452004530278588, 4980406996901871422, 4836773677668530144, 4443820979336851402, 2213962014026934683, 6618313290521004795, 658601228953619277, 8323351277983587206, 175473632067485719, 2794397338261894617, 8799160800070306321, 1800747465094034477, 4499320937847467969, 7900796522929586467, 7068728357567299274, 579636335510899398, 8648914859018516242, 1974409049675233946, 3923178664644022383, 8979110119208203626, 769872480526979666, 1206338996105806290, 9211876855796631113, 2479236875721088511, 7068728357567299274, 579636335510899398, 8648914859018516242, 1974409049675233946, 3923178664644022383, 3711063127928076800, 699859221473004636, 7831340352326215015, 6735875077338549541, 8533672328730730912, 8076863717714554370, 3436184449733891797, 4060187091357330605, 4838224933930428478, 1904171945579899313, 2794397338261894617, 8799160800070306321, 1800747465094034477, 4499320937847467969, 7900796522929586467, 8979110119208203626, 769872480526979666, 1206338996105806290, 9211876855796631113, 2479236875721088511, 2794397338261894617, 8799160800070306321, 1800747465094034477, 4499320937847467969, 7900796522929586467, 8076863717714554370, 3436184449733891797, 4060187091357330605, 4838224933930428478, 1904171945579899313, 3951430161546133180, 129472845689532730, 1734533163341706204, 9728228812079354, 1037702845781222686, 2346974814041448423, 6987789502510914975, 8559805422786017685, 2332800739348944453, 1487942255258844204, 2346974814041448423, 6987789502510914975, 8559805422786017685, 2332800739348944453, 1487942255258844204, 2794397338261894617, 8799160800070306321, 1800747465094034477, 4499320937847467969, 7900796522929586467, 1648990527395470991, 759909635359291161, 6080126135521694769, 8342435412973702840, 4138097710940192629, 2213962014026934683, 6618313290521004795, 658601228953619277, 8323351277983587206, 175473632067485719, 3893522058333705853, 6164845938608892732, 3083795589842122694, 6360690084447539553, 6800786784483146222, 2794397338261894617, 8799160800070306321, 1800747465094034477, 4499320937847467969, 7900796522929586467, 8076863717714554370, 3436184449733891797, 4060187091357330605, 4838224933930428478, 1904171945579899313, 2213962014026934683, 6618313290521004795, 658601228953619277, 8323351277983587206, 175473632067485719, 2794397338261894617, 8799160800070306321, 1800747465094034477, 4499320937847467969, 7900796522929586467, 3711063127928076800, 699859221473004636, 7831340352326215015, 6735875077338549541, 8533672328730730912, 2213962014026934683, 6618313290521004795, 658601228953619277, 8323351277983587206, 175473632067485719, 8076863717714554370, 3436184449733891797, 4060187091357330605, 4838224933930428478, 1904171945579899313, 2794397338261894617, 8799160800070306321, 1800747465094034477, 4499320937847467969, 7900796522929586467, 5477979376681726475, 4918543392339093659, 3917229356096781737, 3593341708270633230, 5598294562298399418, 7891932283352816403, 5446570970787718271, 789261716880653148, 8499915902702159997, 7377717336339111039, 9089160393923123162, 513661405391347292, 6867086547310289167, 3566151616792248411, 8548643272332062296, 5477979376681726475, 4918543392339093659, 3917229356096781737, 3593341708270633230, 5598294562298399418, 6611459435000990255, 2285576180761649566, 428278845177127106, 1149438870086554318, 4445297159104682823, 7520416741290354207, 2224084037192351585, 2846729235525136856, 3829258625824789820, 3361148676381343074, 3951430161546133180, 129472845689532730, 1734533163341706204, 9728228812079354, 1037702845781222686, 5758772346473060657, 6123646121198181377, 186879161956993788, 2364235638795718714, 5865382196423641995, 2794397338261894617, 8799160800070306321, 1800747465094034477, 4499320937847467969, 7900796522929586467, 7177553516403629371, 8433128584008334976, 7384078392223356602, 5555729193110679773, 409006627084378072, 2229795846362309325, 2942839269942203703, 6640521998887157301, 4996227674809307823, 1538690366986353808, 7177553516403629371, 8433128584008334976, 7384078392223356602, 5555729193110679773, 409006627084378072, 2794397338261894617, 8799160800070306321, 1800747465094034477, 4499320937847467969, 7900796522929586467, 3893522058333705853, 6164845938608892732, 3083795589842122694, 6360690084447539553, 6800786784483146222, 6949389388498079416, 4315125200491185117, 836901937496747185, 4072037150247978804, 7036831171247353876, 3893522058333705853, 6164845938608892732, 3083795589842122694, 6360690084447539553, 6800786784483146222, 7605419046915322669, 1126516962345083650, 491689066931827319, 7576090403022489992, 2136835802404937919] map_value = [] flag = "" for i in range(0,len(cmp_value),5): tmp = rand_val.index(cmp_value[i]) tmp += 1 for j in range(0xff+1): if(crc_table[(j+0x7331)&0xff]==tmp): flag += chr(j) print flag ```
Flag : IFEST2021{NOoOOoOOOo\_didnt\_i\_tell\_you\_to\_not\_crackme?\_;-;\_uwu} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kos0ng.gitbook.io/ctfs/write-up/2021/ifest/reverse-engineering.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.