
Sunday, June 2, 2013

ebCTF 2013 Teaser - Dice Game (100pts)

Yesterday De Eindbazen organised a preview of their CTF and they called it a teaser. :D

To be honest, all the challenges were quite fun, but the "Teaser" lasted only 8 hours and most of my team were busy.
I didn't solve this during the 8 hours as I was busy as well. I had time this morning to start looking at it and, oh boy, these are definitely good challenges.

Given Hints:
Challenge BIN100 “Dice Game”

Beat our dice game and get the flag.

This is the backup of the original file:
ebCTF-Teaser-BIN100-Dice.zip

Required Tools:
IDA Pro
Protection iD
ASM OPCodes Reference

Initial Analysis:
Before I start to reverse any binary, I normally check with ProtectioniD (PiD) whether the binary is packed.

Figure 1: Using ProtectioniD to scan for packer

The result shows that it is most probably not packed by any known packer.

Now let's run the application and see what it does.

Figure 2: Initial startup of Dice Game.exe

Ok, it wants us to roll a 3. Binaries that require a particular number or sequence are usually not that easy, so let's load it into IDA Pro and analyse it further.
If we look carefully at the "Strings subview", we can guess from the screenshot below that the required sequence for this dice game is 3-1-3-3-7.

Figure 3: Strings subview from IDA Pro

Ok, let's check the CFG (Control Flow Graph) to find where the checks for 3-1-3-3-7 are.

Further Analysis:
Ok, I've found the 1st check at loc_4018B5, as shown here.

Figure 4: 1st Check for 3

Since the chance of rolling a 3 is only 1 in 6, the simplest approach is to patch the conditional jump from "JNZ" to "JZ" and do the same for the remaining checks. For the short form this is a one-byte change, 0x75 to 0x74 (the near form is 0F 85 to 0F 84). Bear in mind that inverting the branch makes the check fail on the 1 in 6 runs where the game actually rolls the expected number; if you want it deterministic, patch the short jump to an unconditional JMP (0xEB) instead, or simply run the binary again.
You can use IDA Pro's "Edit->Patch Program->Change Bytes" feature to do that.
After you are done, use "Edit->Patch Program->Apply Patches to Input File..." and save it.

Finally, run the newly patched .exe and you should get this.
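What IDA does behind "Apply Patches to Input File" is the part worth scripting once there are several checks to flip: translate the virtual address of the jump into a file offset through the section table, confirm the byte really is the opcode you expect, then overwrite it. The C below is an added example written for this post, not code from the challenge or from IDA; the section table, image base and the bytes placed at loc_4018B5 are constructed stand-ins and not the real layout of Dice Game.exe.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The section-table fields needed to map a virtual address to a file offset. */
typedef struct {
    const char *name;
    uint32_t virtual_address;   /* RVA where the section is mapped */
    uint32_t virtual_size;      /* VirtualSize */
    uint32_t raw_pointer;       /* PointerToRawData: file offset of the section's bytes */
    uint32_t raw_size;          /* SizeOfRawData */
} Section;

/* Short (rel8) jump opcodes. */
#define OP_JZ_SHORT  0x74
#define OP_JNZ_SHORT 0x75
#define OP_JMP_SHORT 0xEB

/* Map a VA as IDA displays it (e.g. loc_4018B5) to a file offset.
   Returns -1 if no section's raw data backs that address. */
long va_to_file_offset(const Section *secs, size_t n, uint32_t image_base, uint32_t va)
{
    uint32_t rva = va - image_base;
    for (size_t i = 0; i < n; i++) {
        uint32_t start = secs[i].virtual_address;
        uint32_t span  = secs[i].virtual_size > secs[i].raw_size
                       ? secs[i].virtual_size : secs[i].raw_size;
        if (rva >= start && rva < start + span) {
            uint32_t delta = rva - start;
            if (delta >= secs[i].raw_size)
                return -1;      /* in the zero-filled tail: nothing in the file to patch */
            return (long)(secs[i].raw_pointer + delta);
        }
    }
    return -1;
}

/* Rewrite a short JNZ as JZ (inverted) or JMP (unconditional).  The existing byte is
   checked first so a wrong offset does not silently clobber something else; the rel8
   displacement that follows the opcode is kept.  Returns 1 on success, 0 otherwise. */
int patch_short_jnz(uint8_t *image, size_t image_len, long off, uint8_t new_opcode)
{
    if (off < 0 || (size_t)off + 1 >= image_len)
        return 0;
    if (image[off] != OP_JNZ_SHORT)
        return 0;
    if (new_opcode != OP_JZ_SHORT && new_opcode != OP_JMP_SHORT)
        return 0;
    image[off] = new_opcode;
    return 1;
}

/* Constructed sample data: an ASSUMED single-section layout and image base, not the real
   layout of Dice Game.exe, with "cmp eax, 3 ; jnz short +0x0A" placed so that the jnz
   sits at the VA the post names. */
static const Section demo_secs[] = {
    { ".text", 0x1000, 0x1000, 0x400, 0x1000 },
};
#define DEMO_NSECS      (sizeof demo_secs / sizeof demo_secs[0])
#define DEMO_IMAGE_BASE 0x400000u
#define DEMO_CHECK_VA   0x4018B5u
#define DEMO_IMAGE_LEN  0x1400

static uint8_t demo_image[DEMO_IMAGE_LEN];

/* Build the sample image, patch the check, and return the file offset that was patched
   (or -1 on any failure). */
long demo_patch_dice_check(uint8_t new_opcode)
{
    static const uint8_t check[] = { 0x83, 0xF8, 0x03, 0x75, 0x0A }; /* cmp eax,3 ; jnz +10 */
    long off = va_to_file_offset(demo_secs, DEMO_NSECS, DEMO_IMAGE_BASE, DEMO_CHECK_VA);
    memset(demo_image, 0, sizeof demo_image);
    if (off < 3 || (size_t)off + 2 > sizeof demo_image)
        return -1;
    memcpy(demo_image + off - 3, check, sizeof check);
    return patch_short_jnz(demo_image, sizeof demo_image, off, new_opcode) ? off : -1;
}

int main(void)
{
    long off = demo_patch_dice_check(OP_JZ_SHORT);
    if (off < 0) {
        puts("patch failed");
        return 1;
    }
    printf("patched file offset 0x%lX: byte is now 0x%02X\n", off, demo_image[off]);
    return 0;
}
```

With the assumed layout, VA 0x4018B5 is RVA 0x18B5, which is 0x8B5 into .text, so the byte lives at file offset 0x400 + 0x8B5 = 0xCB5. The opcode check is the important habit: a second run against an already patched file (or a wrong offset) returns 0 instead of corrupting a byte that was never a JNZ.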

Figure 5: Final flag

The flag for this challenge is ebCTF{64ec47ece868ba34a425d90044cd2dec}

cheers
0x4a61636f62

Saturday, June 1, 2013

Reversing.kr - Easy Keygen (100pts)

You can register and download this file here.
http://reversing.kr/download.php?n=2
Alternatively, I've uploaded a copy of it here:
Easy_KeygenMe.zip

Given Hints:
ReversingKr KeygenMe


Find the Name when the Serial is 5B134977135E7D13


Required Tools:
IDA Pro

Initial Analysis:
Let's load the binary with IDA Pro.
You will see something like the image below.


It seems that the username is 8 characters long and there is an int array containing 16, 32 & 48.
Let's move further down the CFG (Control-Flow Graph) and analyse it further; we get something like this.


It's probably clearer now that every character of the user-supplied username is XOR-ed with the int array, cycling through 16, 32, 48, and each result is written out as two hex digits of the serial.
Since the hint is to find the Name when the Serial is 5B134977135E7D13, and XOR is its own inverse, we can XOR every serial byte with the same key to get the username back.

Conclusion:
From the information gathered so far, our pseudo code looks something like this.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
    const int iNum[3] = {16, 32, 48};           /* the XOR key cycle seen in the binary */
    const char *szSerial = "5B134977135E7D13";  /* 16 hex digits = 8 serial bytes */
    size_t len = strlen(szSerial) / 2;
    char *szUserName = calloc(len + 1, sizeof(char));
    size_t i, iCounter = 0;

    for (i = 0; i < len; i++, iCounter = (iCounter + 1) % 3) {
        char dest[3] = {0};
        strncpy(dest, &szSerial[i * 2], 2);     /* one serial byte as two hex digits */
        /* XOR is its own inverse: serial byte ^ key gives the original character back */
        szUserName[i] = (char)(strtol(dest, NULL, 16) ^ iNum[iCounter]);
    }
    printf("Original username: %s\n", szUserName);
    free(szUserName);
    return 0;
}

Run it and you will see that the original username matching 5B134977135E7D13 is "K3yg3nm3"
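As an added example (mine, not part of the original writeup), here is the same algorithm in both directions in C: the keygen that turns any name into its serial, and the inverse that recovers the name, with the input validation the inverse needs. The key cycle {16, 32, 48} is the one read from the binary; the function names are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The XOR key cycle read from the binary. */
static const unsigned char KEY[3] = { 16, 32, 48 };

/* Keygen direction: two uppercase hex digits of name[i] ^ KEY[i % 3] per character.
   'out' must hold 2 * strlen(name) + 1 bytes.  Returns the serial length. */
size_t make_serial(const char *name, char *out)
{
    size_t n = strlen(name);
    for (size_t i = 0; i < n; i++)
        sprintf(out + 2 * i, "%02X", (unsigned char)name[i] ^ KEY[i % 3]);
    out[2 * n] = '\0';
    return 2 * n;
}

/* Inverse direction: every two hex digits are one byte, and XOR with the same key undoes
   the encoding.  'out' must hold strlen(serial) / 2 + 1 bytes.  Returns the name length,
   or 0 when the serial is empty, has odd length, or contains a non-hex character. */
size_t recover_name(const char *serial, char *out)
{
    size_t len = strlen(serial);
    out[0] = '\0';
    if (len == 0 || len % 2 != 0)
        return 0;
    for (size_t i = 0; i < len / 2; i++) {
        if (!isxdigit((unsigned char)serial[2 * i]) || !isxdigit((unsigned char)serial[2 * i + 1]))
            return 0;
        char pair[3] = { serial[2 * i], serial[2 * i + 1], '\0' };
        out[i] = (char)(strtol(pair, NULL, 16) ^ KEY[i % 3]);
    }
    out[len / 2] = '\0';
    return len / 2;
}

/* Small wrappers so a caller does not have to manage buffers. */
int serial_for_name_is(const char *name, const char *expected_serial)
{
    char buf[129];
    if (strlen(name) > 64) return 0;
    make_serial(name, buf);
    return strcmp(buf, expected_serial) == 0;
}

int name_for_serial_is(const char *serial, const char *expected_name)
{
    char buf[65];
    if (strlen(serial) > 128) return 0;
    return recover_name(serial, buf) > 0 && strcmp(buf, expected_name) == 0;
}

/* Round trip: name -> serial -> name must give the original back for any length. */
int round_trip_ok(const char *name)
{
    char serial[129], back[65];
    if (strlen(name) > 64) return 0;
    make_serial(name, serial);
    return recover_name(serial, back) == strlen(name) && strcmp(back, name) == 0;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "K3yg3nm3";
    char serial[129], back[65];
    if (strlen(name) > 64) return 1;
    make_serial(name, serial);
    recover_name(serial, back);
    printf("name %s -> serial %s -> name %s\n", name, serial, back);
    return 0;
}
```

Run it with no arguments to confirm "K3yg3nm3" gives 5B134977135E7D13, or pass any other name to generate its serial.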

I hope that it's a simple-to-understand solution.

cheers
0x4a61636f62

Thursday, May 30, 2013

Reversing.kr - Easy Crack (100pts)

This writeup had been sitting on my PC for some time.
I think it's probably a good time to release it. :D

You can register and download this file here.
http://reversing.kr/download.php?n=1
Alternatively, here is the mirror of the file.
Easy_CrackMe.zip

Required Tools:
IDA Pro

Initial Analysis:
Let's load this binary up with IDA Pro.


From the above image, we can see "WinMain", which calls "DialogFunc".

If we follow "DialogFunc", we will see that it calls "sub_401080", as shown in the image below.


So let's take a quick look at "sub_401080". If you have practised enough with keygens and crackmes, you will know by now that we should look at GetDlgItemText first, since that is where the user's input enters the program.


Further Analysis on the Algorithm:
If we study it carefully, we will see that after the application grabs the user's input, it compares the 2nd byte, as shown here.
cmp byte ptr [esp+5], 61h ; compare 2nd byte with 0x61.
This means that our 2nd character must be "a", since 0x61 is "a" in ASCII (see http://www.asciitable.com/)

Let's move on to the 2nd comparison.

As we can see from the image above, it compares the user's 3rd and 4th bytes with "5y"

Now let's move downwards.

Ok, now it loads the 5th byte up to the end of the user input and compares byte by byte with "R3versing"

Finally, we see another comparison. This time it compares the 1st byte with 0x45, which is "E"

Conclusion:
Now let's put together all the clues gathered before the program decides whether the input key is valid or not.
E + a + 5y + R3versing == Ea5yR3versing

Enter the key "Ea5yR3versing" and we have successfully solved this binary.

cheers
0x4a61636f62

Second Puzzle on 0x41414141.com

After solving the first challenge, we got an email reply with the following contents.

You've got the idea. E-mails don't require a subject or body.

Do those skills extend to a PE?

0x41414141.com/bfab4d3c076ac4059f3c1e680c7a6933/

Visiting the given URL, we get a copy of the .exe
Here is a backup of the binary in case the website disappears forever.
bfab4d3c076ac4059f3c1e680c7a6933.zip

Since it's an .exe, let's load it in OllyDbg and have a quick look.


From the above image, we can see that there is a clue, "Email is return value of fn in form 0x12345678 zero padded to eight digits"

Immediately, there is a function call at address 0x00401000.
It loads 0x0C0FFEE into eax, XORs it with 0x401000, then XORs the result with 0x8744EE, which gives 0x7AB00.

Looking at the hint again, the value has to be zero-padded to eight hex digits, thus the email address we should send to is 0x0007AB00@challenge.0x41414141.com


cheers
0x4a61636f62

Hack.Lu CTF 2011 Space Station 0xA1EA512A


Hints given to us:
Space Station 0xA1EA512A

You have seen a deserted space station. Your task is to enter it. The first barrier is the access system. But you can find a module with the application on it. Here is the file:

https://ctf.hack.lu/files/0xA1EA512A.apk

What is the key?

(There is also station B. Station B is the advanced one.)

Here is a copy of the apk file.
0xA1EA512A.zip

Recommended Tools:
1. android emulator (http://developer.android.com/sdk/index.html)

2. dex-translator (http://code.google.com/p/dex2jar/downloads/detail?name=dex-translator-0.0.9.3.zip&can=2&q=) - convert android apps to Java jar file

3. DJ Java Decompiler (http://members.fortunecity.com/neshkov/dj.html) - java decompiler

Key Logic:
if(k == (j1 ^ (0x67782aef ^ j1 ^ j - 1422) ^ j - 2))
    textview.append("That's OK. Come in.");
else
    textview.append("No, that is not OK!");

where
    k = inputs that user type
    j = 0x67782aef + 2
    j1 can be 12 from the code

More Information:
Decompiling the file reveals 2 Java files, of which only AccessControl.java is of interest to us.
My approach to finding the condition for gaining access is to look for the line that indicates you are "authorized".
In this puzzle that is "That's OK. Come in."
The if statement has a total of 3 unknown variables. Tracing upwards, you will discover that k is what the user types in the text box, j is defined as 0x67782aef + 2 and j1 can be either 12 or 3L * (16 + (0x67782aef - 2)) - 0x57bac1daL - 2L;
Note the Java precedence: "-" binds tighter than "^", so the condition reads k == j1 ^ (0x67782aef ^ j1 ^ (j - 1422)) ^ (j - 2). Both j1 and 0x67782aef then appear twice under XOR (j - 2 is exactly 0x67782aef), so they cancel and the whole thing collapses to k == j - 1422, whichever branch j1 takes.

Let's take the easy way out by letting j1 be 12. Write a one-liner PHP script, run it, type the result into the emulator and test whether it works.

Solution:
Run a php script =D
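Added example, not the PHP script from the original post: the check exactly as the app evaluates it, in C, run against both j1 candidates to show that the key does not depend on which one the code picks. The constants are the ones quoted from AccessControl.java above; the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants lifted from AccessControl.java as quoted in the post. */
#define MAGIC 0x67782aefu
static const uint32_t J = MAGIC + 2;    /* int j = 0x67782aef + 2 */

/* The two values j1 can take in the decompiled code.  The long one is evaluated in
   64-bit arithmetic, as Java's 'L' suffix makes it a long. */
uint64_t j1_short(void) { return 12; }
uint64_t j1_long(void)
{
    return 3ULL * (16 + (MAGIC - 2)) - 0x57bac1daULL - 2ULL;
}

/* The access check with Java precedence applied: '-' binds tighter than '^', so it is
   k == j1 ^ (MAGIC ^ j1 ^ (j - 1422)) ^ (j - 2). */
int access_check(uint64_t k, uint64_t j1)
{
    uint64_t inner = MAGIC ^ j1 ^ (uint64_t)(J - 1422);
    return k == (j1 ^ inner ^ (uint64_t)(J - 2));
}

/* Every term except (j - 1422) appears twice under XOR and cancels (j - 2 == MAGIC),
   so the key is simply j - 1422 regardless of j1. */
uint32_t access_key(void)
{
    return J - 1422;
}

int main(void)
{
    printf("key = 0x%x (%u decimal)\n", access_key(), access_key());
    printf("check with j1 = 12: %d, with the long j1: %d\n",
           access_check(access_key(), j1_short()),
           access_check(access_key(), j1_long()));
    return 0;
}
```

The decimal form, 1735535971, is what you type into the emulator; the app compares it against the same expression, so either branch of j1 lets you in.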


Result:
0x67782563
Screenshot:


Using the answer, we solved the Android CrackMe. :D

cheers
Elucidator

Wednesday, May 29, 2013

HackYou CTF 2012 : Binary - OpenSource

Hints given to us:


Choosing "Open-Source", we get a code.c file with the following source code.

#include <stdio.h>
#include <stdlib.h>   /* atoi, exit */
#include <string.h>

int main(int argc, char *argv[]) {
    if (argc != 4) {
        printf("what?\n");
        exit(1);
    }

    unsigned int first = atoi(argv[1]);
    if (first != 0xcafe) {
        printf("you are wrong, sorry.\n");
        exit(2);
    }

    unsigned int second = atoi(argv[2]);
    if (second % 5 == 3 || second % 17 != 8) {
        printf("ha, you won't get it!\n");
        exit(3);
    }

    if (strcmp("h4cky0u", argv[3])) {
        printf("so close, dude!\n");
        exit(4);
    }

    printf("Brr wrrr grr\n");

    unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;

    printf("Get your key: ");
    printf("%x\n", hash);
    return 0;
}

Recommended Tools:
Brains
C Compiler

Solution to this challenge:
I started solving this by analysing the source code.

...
if (argc != 4) {
...

Looking at the above code snippet, since "argc" must be 4, we know that 3 arguments are required (argv[0] is the program name itself).


...
unsigned int first = atoi(argv[1]);
if (first != 0xcafe) {
    printf("you are wrong, sorry.\n");
    exit(2);
}
...

Now, the first argument is converted with atoi and stored in the unsigned int first,
which is then compared to 0xcafe.
0xcafe is hex, and atoi only parses decimal digits, so argv[1] must be the decimal form, 51966.
In case you are wondering why I was sure of that, please read the documentation of atoi.

...
unsigned int second = atoi(argv[2]);
if (second % 5 == 3 || second % 17 != 8) {
    printf("ha, you won't get it!\n");
    exit(3);
}
...

Now, let's take a look at the 2nd argument.
It is converted like the 1st argument and stored in the unsigned int second.
We want a value that leaves a remainder of 8 when divided by 17 and does not leave a remainder of 3 when divided by 5.
Start from the 2nd condition: the candidates are 8, 25, 42, ... (8 + 17k).
8 itself fails the 1st condition, because 8 % 5 == 3, so take the next candidate, 25.
25 % 5 = 0
It satisfies the 1st condition as well, since the remainder is 0 rather than 3.
Thus, argv[2] can be 25. (Any other 8 + 17k that passes the mod-5 test would do too, and because the hash below only uses second % 17, they all give the same key.)

...
if (strcmp("h4cky0u", argv[3])) {
    printf("so close, dude!\n");
    exit(4);
}
....

Ok, looking at the documentation for strcmp: it returns 0 only when both strings are identical, and that is the only way past this exit.
So argv[3] must be h4cky0u

Now, you can either compile the above source code and feed in the arguments or you can manually calculate it.
I chose the latter option.

unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;
printf("Get your key: ");
printf("%x\n", hash);

Substituting the values we have found:
51966 * 31337 + (25 % 17) * 11 + 7 - 1615810207
= 1628458542 + 88 + 7 - 1615810207
= 12648430

Since the hash is printed in hexadecimal, convert 12648430 with calc.
The key is C0FFEE
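Added example (mine, not part of the challenge or the original writeup): the three checks and the key expression from code.c carried over into helper functions, plus a search for the smallest valid second and a check that every valid second yields the same key, since the hash only sees second % 17. The arithmetic is kept in unsigned int so it wraps exactly as the original would if you experiment with other inputs.

```c
#include <stdio.h>
#include <string.h>

/* The key expression from code.c, in the same unsigned 32-bit arithmetic. */
unsigned int opensource_key(unsigned int first, unsigned int second, const char *third)
{
    return first * 31337u + (second % 17u) * 11u + (unsigned int)strlen(third) - 1615810207u;
}

/* The three input checks from code.c: returns 1 if the program would print the key. */
int opensource_accepts(unsigned int first, unsigned int second, const char *third)
{
    if (first != 0xcafe) return 0;
    if (second % 5 == 3 || second % 17 != 8) return 0;
    if (strcmp("h4cky0u", third) != 0) return 0;
    return 1;
}

/* Smallest 'second' passing both modular tests: walk the 8 + 17k series and skip the
   members with remainder 3 mod 5 (8 itself is rejected, 25 is the first survivor). */
unsigned int smallest_second(void)
{
    for (unsigned int s = 8; ; s += 17)
        if (s % 5 != 3)
            return s;
}

/* The key depends on second only through second % 17, so every accepted value gives the
   same key.  Returns 1 if that holds for the first 'count' accepted candidates. */
int key_is_independent_of_second(unsigned int count)
{
    unsigned int ref = opensource_key(0xcafe, smallest_second(), "h4cky0u");
    unsigned int seen = 0;
    for (unsigned int s = 8; seen < count; s += 17) {
        if (!opensource_accepts(0xcafe, s, "h4cky0u")) continue;
        if (opensource_key(0xcafe, s, "h4cky0u") != ref) return 0;
        seen++;
    }
    return 1;
}

int main(void)
{
    unsigned int second = smallest_second();
    printf("argv: 51966 %u h4cky0u -> key %x\n", second,
           opensource_key(0xcafe, second, "h4cky0u"));
    return 0;
}
```

Passing 0xcafe as 51966, the search yields 25 and the key prints as c0ffee, matching the hand calculation above.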

cheers,
0x4a61636f62

pCTF 2011 : Mission 6 - Fun with Numb3rs (100 Points)

Hints given to us:
Uh oh… This door is protected with number scroll authenticator. There's "powered by .NETv4" sign.
Find out the combination and get the key!

These are the original files:
D573190633309f8a930bccbd199a16a4564c35fb.zip
Readme_Fun_with_Numb3rs.txt

Recommended Tools:
Reflector Decompiler (http://www.reflector.net/); Decompile .net
Use SandBoxie (http://www.sandboxie.com/) to get around the 30-day trial

Key Logic behind cracking the mission:
if ((((((num + num4) - num2) + ((num * num) * num2)) - num3) == ((num2 * ((num3 * 0x22) + (num5 - num))) + 0x1d40)) && (num > 0x4d))

Brute force the logic:
for(int a = 78; a <= 255; a++){
    for(int b = 0; b <= 255; b++){
        for(int c = 0; c <= 255; c++){
            if((a + b*c) - b + ((a*a*b) - c) == (b * ((c * 34) + ((3*a) - a)))+ 7488){
                System.out.println("a : " + a);
                System.out.println("b : " + b);
                System.out.println("c : " + c);
            }
        }
    }
}



Answer:
You will get the following results.
a : 89
b : 144
c : 233

Making use of the numbers
Since we have the 3 numbers, let's use them on the binary by adjusting the sliders like this.



After adjusting the sliders, you will get this messagebox, which contains the key. :D



I have also attached the source code for the brute-force application.
File:Crack.java


cheers
Elucidator

Padocon Qualifiers CTF 2010 : CatchMe - 200 Points

File given to us:
This is the original file:
CatchMeIfYouCan.zip


Recommended Tools:
Brains and Programming skills

Solving the Puzzle:
Let's fire up the binary which we are given.


Hmmmm... I can't seem to click on the button, as it moves away whenever I place my mouse cursor near it. I guess I have to click on the button in order to solve this.
I could reverse the application, but I didn't want to spend too much time on that.

Thus, I decided to make use of my development skills to solve this puzzle.

Logic behind this Solution:
Since moving my mouse cursor near the button causes it to move away,

I decided to send WM_LBUTTONDOWN (http://msdn.microsoft.com/en-us/library/windows/desktop/ms645607(v=vs.85).aspx) & WM_LBUTTONUP (http://msdn.microsoft.com/en-us/library/windows/desktop/ms645608(v=vs.85).aspx) messages with the SendMessage function (http://msdn.microsoft.com/en-us/library/windows/desktop/ms644950(v=vs.85).aspx) to simulate the mouse actions of clicking the button.

But in order to do that I need the handle of the CatchMeIfYouCan.exe window.

So I used the FindWindow function (http://msdn.microsoft.com/en-us/library/windows/desktop/ms633499(v=vs.85).aspx) to look for "Catch Me If You Can!"
Then I got the client area of the window using the GetClientRect function (http://msdn.microsoft.com/en-us/library/windows/desktop/ms633503(v=vs.85).aspx)

Brute-Force Logic:
#include <stdio.h>
#include <windows.h>

int main(int argc, char *argv[])
{
    HWND hWnd;
    RECT rect;
    LONG x, y;

    /* Window title as shown in the title bar; a NULL class name matches any class.
       TEXT() compiles as narrow or wide depending on UNICODE, unlike a bare L"..." */
    hWnd = FindWindow(NULL, TEXT("Catch Me If You Can!"));
    if (hWnd == NULL) {
        printf("window not found\n");
        return 1;
    }
    GetClientRect(hWnd, &rect);     /* client-area size, origin at (0,0) */

    /* Send a synthetic press and release at every client coordinate.
       lParam packs x in the low word and y in the high word. */
    for (x = rect.left; x <= rect.right; x++) {
        for (y = rect.top; y <= rect.bottom; y++) {
            SendMessage(hWnd, WM_LBUTTONDOWN, 0, MAKELONG(x, y));
            SendMessage(hWnd, WM_LBUTTONUP, 0, MAKELONG(x, y));
        }
    }
    return 0;
}


Final Solution:
Once you have compiled the above code and run it, the button will stop moving and you can click on it; you will be presented with a messagebox with the solution, "Zntus_WARTG_gAng"
Note that SendMessage delivers to exactly the HWND you pass and does no hit-testing, so if the target were a child control with its own handle you would look that handle up (FindWindowEx or EnumChildWindows) and send to it, or send it BM_CLICK, rather than sweeping the parent's client area.


I have attached the source code for the brute-force application so that you can try it on your own.


File:CatchMeIfYouCan.c


cheers
0x4a61636f62

CodeGate CTF 2011 : Binary - 100 Points

File given to us:
This is the original file:
87C483A4CA85374E98FFB85FD5E867EC.zip

Recommended Tools:
Google
Luck+memory
Windows Script Decoder (http://www.virtualconspiracy.com/index.php?page=scrdec/intro) - Decode encoded stuff by Microsoft Script Encoder
FireBug (http://getfirebug.com/)
TriD (http://mark0.net/soft-trid-e.html)

Analysing the File:
Using file and TriD, I could not correctly identify this file. Then I opened it in Notepad++ and it looked familiar.
Thank goodness I'm a fan of Yosuke Hasegawa: this file bears a resemblance to his jjencode (http://utf-8.jp/public/jjencode.html)

Ok, so I may be on the right track that this file is encoded with jjencode... but how do I decode it? :(
I started googling for a decoder and found this website (http://www.e-x-e.dk/2011/07/28/jjencode-decoder-jjdecode/).
Sadly, it didn't work for this file. :(

Solving the Puzzle:
Finally, after several hours, I found this: Microsoft Script Encoder (http://www.microsoft.com/download/en/details.aspx?id=3375).
Could it be using this? So I immediately googled for a decoder and found this useful tool, Windows Script Decoder (http://www.virtualconspiracy.com/index.php?page=scrdec/intro).
I downloaded it, tried it, and got back some obfuscated-looking JavaScript like this.



Immediately, I placed the obfuscated JavaScript into an HTML file and started debugging it with Firebug.
Finally, I got the key CodeGate_JavaScriptEncode_Key with value "120a151156120a163t111163120lea163u162e!" in the DOM tab. :P




cheers
0x4a61636f62