search
TwitterGithub

Reverse Engineering

Challenge
Link

Star (201 pts) πŸ₯‡

Here

Just TV (326 pts) πŸ₯ˆ

Here

Cursed Protocol (500 pts)

Here

hashtag
Star (201 pts)

hashtag
Description

I made my own file manager... Here you have a DEMO version of it.

Author: Rivit

nc star.nc.jctf.pro 1337

hashtag
Solution

Given ELF 64 bit file, open it using IDA. I rebase the program by using Edit->Segments->Rebase Program and put 0x555555554000 as value to make it same like in GDB.

main
void __fastcall __noreturn main(int a1, char **a2, char **a3)
{
  __int64 v3; // rsi
  void (__fastcall ***v4)(_QWORD); // rax
  char v5[8]; // [rsp+8h] [rbp-B0h] BYREF
  char v6[8]; // [rsp+10h] [rbp-A8h] BYREF
  char v7[8]; // [rsp+18h] [rbp-A0h] BYREF
  char v8[8]; // [rsp+20h] [rbp-98h] BYREF
  char v9[8]; // [rsp+28h] [rbp-90h] BYREF
  char v10[8]; // [rsp+30h] [rbp-88h] BYREF
  char v11[8]; // [rsp+38h] [rbp-80h] BYREF
  char v12[8]; // [rsp+40h] [rbp-78h] BYREF
  __int64 (__fastcall **v13)(); // [rsp+48h] [rbp-70h] BYREF
  char v14[8]; // [rsp+50h] [rbp-68h] BYREF
  char v15[8]; // [rsp+58h] [rbp-60h] BYREF
  char v16[8]; // [rsp+60h] [rbp-58h] BYREF
  char v17[8]; // [rsp+68h] [rbp-50h] BYREF
  char v18[8]; // [rsp+70h] [rbp-48h] BYREF
  char v19[8]; // [rsp+78h] [rbp-40h] BYREF
  char v20[8]; // [rsp+80h] [rbp-38h] BYREF
  char v21[8]; // [rsp+88h] [rbp-30h] BYREF
  char v22[8]; // [rsp+90h] [rbp-28h] BYREF
  unsigned __int64 v23; // [rsp+98h] [rbp-20h]

  v23 = __readfsqword(0x28u);
  sub_555555559840();
  sub_55555555E300(v5);
  sub_55555555F2F0(v14, v5);
  sub_55555555F2C0(v5);
  sub_55555555E440(v6);
  sub_55555555F3C0(v15, v6);
  sub_55555555F390(v6);
  sub_55555555E580(v7);
  sub_55555555F490(v16, v7);
  sub_55555555F460(v7);
  sub_55555555E6C0(v8);
  sub_55555555F560(v17, v8);
  sub_55555555F530(v8);
  sub_55555555E800(v9);
  sub_55555555F630(v18, v9);
  sub_55555555F600(v9);
  sub_55555555E940(v10);
  sub_55555555F700(v19, v10);
  sub_55555555F6D0(v10);
  sub_55555555EA80(v11);
  sub_55555555F7D0(v20, v11);
  sub_55555555F7A0(v11);
  sub_55555555EBC0(v12);
  sub_55555555F8A0(v21, v12);
  sub_55555555F870(v12);
  sub_55555555EA80(&v13);
  sub_55555555F7D0(v22, &v13);
  sub_55555555F7A0(&v13);
  while ( 1 )
  {
    v13 = off_555555566978;
    sub_55555555D250();
    v3 = (unsigned int)choose_menu();
    sub_55555555AED0((__int64)v14, v3);
    v4 = (void (__fastcall ***)(_QWORD))sub_55555555FA20();
    (**v4)(v4);
  }
}

So basically there will be dynamic call to the function after we input the menu number. All the available command can be seen on 0x0000555555566968 - 0x0000555555566AD0.

Based on the description, the given executable is DEMO version and from above image we can see that there are only 6 command include exit. Looking at available command on program we found that there is "compress" command.

So we need to find number for compress command first. Lets go to GDB.

Now we need to find the address for menu 1 and menu 2. Go to first menu by putting 1 as the input.

Go to second menu by putting 2 as the input.

Lets calculate the number for compress menu, first find the reference for address 0x555555566A90 (CommpressCommand).

Lets try with number 7 and we will go to compress command.

Our objective is getting RCE to get flag on server. Compress command utilize system function to do compressing, lets dump the argument.

So it use tar command to do compression, looking at GTFOBins we know that we can abuse tar command to get shell. tar also vulnerable to wildcard injection, so we can get shell by using wildcard injection with argument same like in GTFOBins. Looking at rename command we found that we can input any character as the new filename, now we can utilize all available command to make the payload for RCE.

Flag: justCTF{th3_st4r_1s_sh1n1ng}

hashtag
Just TV (326 pts)

hashtag
Description

My favorite TV channel has recently become more interactive...

hashtag
Solution

Given .asn files, after searching for a while we found repository that looks like have the same file https://github.com/igilham/mheg-slatearrow-up-right. Looking at the reference for mheg we found that we can decompile the given file to the source code using mhgencarrow-up-right. After getting the source code actually it still hard to get the flag because we're not familiar with the code. Looking at another reference we found that we can debug the file using MHEGPlayerarrow-up-right.

With above directory structure we can run the file using below command then click populate carousel from disk.

Click Play in realtime so we can interact with the program. To go to the flag validation program we can follow the screen instruction.

Now we need to find where is our input processed. When we input invalid value the background will be red, so if we check in the source code we see that there is call of setBackgroundColor with color 0xff0000

So the link identifier is 2583, we can trace the call by searching 2583.

We can see on image above there is :Activate (2583) which mean that link 2583 bound with those line of code. After Activate instruction there is TestVariable instruction, lets try to find the emulator source code so we can see what is TestVariable do and also its constant. Found this referencearrow-up-right on github. Now we have the operator and its value on this codearrow-up-right.

So for line 5070 until 5072 we can convert to below pseudocode

Until this step we know that the function that process our input is on :Link 117 (line 1228). Set breakpoint on line 1235 (click on line number) and lets analyze what the call means. To trigger the breakpoint input any value then select "Confirm".

  • 27 is identifier for GSL

  • 34 is identifier for False

  • 53 is our input

  • 61 is output

What is GSL mean? lets try to take a look on mhegplusarrow-up-right emulator.

  • mhegplus-code/MhegPlus.Compiler/src/bbc/dtv/mhegplus/mhegactions/MhegCall.java

So GSL is Get String Length which same like strlen. Through stepping we can see that it is a valid strlen.

Okay now we know the approach to understand the code, lets convert each part

Continue to next part, basically we just need to reverse one function for 611 - 678 because it do the same thing but with different value (based on index). It was like loop flow that has been flattened.

Continue to next part

Now we have reproduce the flow, looks like we can simplify some of the process. Lets simplify it.

Now just reverse the algorithm. Although we've successfully reverse the algorithm but we can't find the valid flag. So we just notice that the length flag is not 67, so the next step we do is implement bruteforce for flag length during the reverse process.

Flag: justCTF{0ld_TV_c4n_b3_InTeR4ctIv3}

hashtag
Cursed Protocol (500 pts)

hashtag
Description

Dedicated for IoT devices, this handshake protocol will defeat any hacker that might try to reverse engineer the control application.

hashtag
Solution

0 solve... TBU

PreviousJustCTFNextForensic

Last updated