Sunday, June 2, 2013

ebCTF 2013 Teaser - Dice Game (100pts)

Yesterday De Eindbazen organised a preview of their CTF and they called it a teaser. :D

To be honest, all the challenges were quite fun, but the "Teaser" lasted only 8hrs and most of my team were busy.
I didn't solve this during the 8hrs as I was busy as well. I got time this morning to start looking at it and "Oh boy". They're definitely good challenges.

Given Hints:
Challenge BIN100 “Dice Game”

Beat our dice game and get the flag.

This is the backup of the original file:

Required Tools:
Protection iD
ASM OPCodes Reference

Initial Analysis:
Before I start to reverse any binary, I normally check with Protection iD (PiD) whether the binary is packed.

Figure 1: Using Protection iD to scan for packers

The results showed that it's most probably not packed by any known packer.

Now let's run the application and see what it does.

Figure 2: Initial startup of Dice Game.exe

Ok, it seems to want us to roll a 3. But binaries that require us to get certain numbers or a certain sequence are usually not that easy. Let's load it into IDA Pro and analyse it further.
If we look carefully at the "Strings subview", we can guess from the screenshot below that the sequence this dice game expects is 3-1-3-3-7.

Figure 3: Strings subview from IDA Pro

Ok, let's check the CFG (Control Flow Graph) to see where the checks for 3-1-3-3-7 are.

Further Analysis:
Ok, I've found the 1st check at loc_4018B5, as shown here.

Figure 4: 1st Check for 3

Since the chance of getting a 3 is only 1 out of 6, you can simply patch the instruction from "JNZ" to "JZ", and do the same for the rest of the checks. This inverts each check, so a roll that would previously have failed now passes.
You can use IDA Pro's "Edit->Patch Program->Change Bytes" feature to do that.
After you are done, simply do "Edit->Patch Program->Apply Patches to Input File..." and save it.
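The JNZ-to-JZ change described above, shown at the byte level in an added example that is not part of the original post. The sample bytes and offsets are constructed (they are not taken from Dice Game.exe), and the function names are hypothetical.

```python
# Added example: invert x86 conditional jumps in a copy of a code buffer.
# x86 encodes a condition and its negation as an even/odd opcode pair, so
# toggling the lowest opcode bit turns JNZ (0x75) into JZ (0x74) and back.
SHORT_JCC = range(0x70, 0x80)  # Jcc rel8:  one opcode byte, 75 = JNZ, 74 = JZ
NEAR_JCC = range(0x80, 0x90)   # Jcc rel32: 0F + opcode, 0F 85 = JNZ, 0F 84 = JZ


def invert_jcc(code: bytearray, offset: int) -> int:
    """Flip the condition of the Jcc at `offset` in place; return its length.

    Raises ValueError when the bytes there are not a conditional jump. This is
    only a sanity guard: an operand byte can also fall in the Jcc range, so the
    offset must still come from the disassembly.
    """
    if not 0 <= offset < len(code):
        raise ValueError(f"offset {offset:#x} is outside the buffer")
    op = code[offset]
    if op in SHORT_JCC:
        code[offset] = op ^ 1
        return 2  # opcode + rel8
    if op == 0x0F and offset + 1 < len(code) and code[offset + 1] in NEAR_JCC:
        code[offset + 1] ^= 1
        return 6  # 0F + opcode + rel32
    raise ValueError(f"no conditional jump at {offset:#x} (found {op:#04x})")


def patch_checks(image: bytes, offsets) -> bytes:
    """Return a patched copy of `image`; the input is never modified.

    If any offset fails validation, the exception propagates and no partly
    patched result is returned.
    """
    patched = bytearray(image)
    for off in offsets:
        invert_jcc(patched, off)
    return bytes(patched)


# Constructed sample: two compare-and-branch checks, one per jump encoding.
SAMPLE = bytes.fromhex(
    "837df403" "7510"          # cmp dword [ebp-0Ch], 3 ; jnz short +10h
    "837df401" "0f8510000000"  # cmp dword [ebp-0Ch], 1 ; jnz near  +10h
)
JUMP_OFFSETS = [4, 10]  # constructed offsets of the two jumps in SAMPLE

if __name__ == "__main__":
    print(SAMPLE.hex(" "))
    print(patch_checks(SAMPLE, JUMP_OFFSETS).hex(" "))
```
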

Then finally, run the newly patched .exe and you should get this.

Figure 5: Final flag

The flag for this challenge is ebCTF{64ec47ece868ba34a425d90044cd2dec}

