EasyCTF2017{67K_Rev_Writeup}

8:09:00 AM aymen borgi


67K, Reverse Engineering, 400 pt 
After extracting the archive 67k.zip we get a huge number of files with hexadecimal names.


Static analysis 


Pick the first binary, 00000.exe, and disassemble it:
$ objdump -d 00000.exe 


After looking for a while and comparing the disassembly of several files, it turns out that all the binaries share the same logic:


  1. Read one character of input from the user.
  2. Compare the input with a hard-coded character: `cmp 0x40306c, %eax`; if they are not equal, the binary takes the branch `jne 0x40205a`.
  3. Print an answer. When the input is wrong, the binary prints the message "I think my dog figured this out before you."


Core idea ! 


Our main idea was to change the condition from JNE (jump if not equal) to JE (jump if equal) and patch every PE file so that the check always passes and the flag character is printed. That way there is no need to guess the character: even a wrong input prints the flag character.

The short-jump opcodes are 0x75 for JNE and 0x74 for JE. When we change the opcode byte from 75 to 74 with the HxD hex editor, the first binary prints the right character: in our case (J)!

Writing a script !


Here is a dirty script that converts each binary to hex text, replaces 75 1e (jne) with 74 1e (je), and converts the hex back into a binary file.
Not the most elegant code, but it works pretty cool! :p
#!/usr/bin/env python3
import glob
import binascii
import fileinput


def search_pattern(file_in):
    """Search the hex text file for the pattern 751e (jne +0x1e) and
    replace it with 741e (je +0x1e).  Note that the search runs on the
    hex string, not on bytes, so it matches anywhere in the text."""
    fileToSearch = file_in
    textToSearch = "751e"
    textToReplace = "741e"
    with fileinput.FileInput(fileToSearch, inplace=True, backup='.bak') as file:
        for line in file:
            # stdout is redirected into the file while inplace=True
            print(line.replace(textToSearch, textToReplace))


def file_to_HEX(file_in, file_out):
    """Dump the raw bytes of file_in as a hex string into file_out."""
    with open(file_in, 'rb') as f:
        content = f.read()
    with open(file_out, "wb") as k:
        k.write(binascii.hexlify(content))


def hex_to_bin(file_in, file_out):
    """Convert the hex text in file_in back into a binary file (the .exe)."""
    with open(file_in) as f, open(file_out, 'wb') as fout:
        for line in f:
            fout.write(binascii.unhexlify(''.join(line.split())))


if __name__ == '__main__':
    # Patch every .exe in the current directory in place, one at a time.
    for i in glob.glob("*.exe"):
        file_to_HEX(i, "out.txt")
        search_pattern("out.txt")
        hex_to_bin("out.txt", i)
 
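The hex round trip above has a subtle failure mode: searching the text "751e" is not byte-aligned, so a match can start in the middle of a byte (the bytes 07 51 e0 contain the text "751e" but are no jne instruction), and replacing such a match silently corrupts the binary. The following byte-level patcher is an added example written for this writeup, not the original script; the sample bytes are constructed to show the difference between the two searches, and the rel8 offset 0x1e is the one the writeup's pattern uses.

```python
#!/usr/bin/env python3
"""Byte-aligned JNE -> JE patcher (added example, not the writeup's script)."""
import glob
import os
from typing import Tuple

JNE_SHORT = 0x75  # jne rel8 opcode
JE_SHORT = 0x74   # je rel8 opcode


def patch_bytes(data: bytes, rel8: int = 0x1E) -> Tuple[bytes, int]:
    """Replace every byte-aligned 'jne rel8' with 'je rel8'.

    Returns (patched_data, number_of_replacements).  bytes.replace() and
    bytes.count() both work on whole bytes, so a 0x75 that only appears as
    the low nibble of one byte and the high nibble of the next is ignored.
    """
    needle = bytes([JNE_SHORT, rel8])
    replacement = bytes([JE_SHORT, rel8])
    return data.replace(needle, replacement), data.count(needle)


def hex_text_matches(data: bytes, pattern: str = "751e") -> int:
    """How often a text search over the hexlified file would match.

    This mirrors the hex-text approach and includes matches that start on a
    nibble boundary, which the byte-level patcher correctly skips.
    """
    return data.hex().count(pattern)


def patch_file(path: str, rel8: int = 0x1E) -> int:
    """Patch one file in place, keeping a .bak copy; returns the patch count."""
    with open(path, "rb") as f:
        data = f.read()
    patched, count = patch_bytes(data, rel8)
    if count:
        os.replace(path, path + ".bak")
        with open(path, "wb") as f:
            f.write(patched)
    return count


# Constructed sample: a cmp, the real jne +0x1e, two nops, then the bytes
# 07 51 e0 whose hex text "0751e0" also contains "751e", then ret.
SAMPLE = (b"\x3b\x05\x6c\x30\x40\x00"  # cmp 0x40306c,%eax (AT&T order)
          b"\x75\x1e"                  # jne +0x1e  <- the one we want
          b"\x90\x90"                  # nop; nop
          b"\x07\x51\xe0"              # not an instruction boundary for 75 1e
          b"\xc3")                     # ret


if __name__ == "__main__":
    patched, n = patch_bytes(SAMPLE)
    print(f"byte-aligned matches: {n}, hex-text matches: {hex_text_matches(SAMPLE)}")
    print(patched.hex())
    # Patch every .exe in the current directory (hypothetical layout).
    for exe in glob.glob("*.exe"):
        print(exe, patch_file(exe))
```

On the constructed sample the byte-level search patches exactly one jne, while the hex-text search reports two matches and would have rewritten 07 51 e0 into 07 41 e0. If the jne sits at a known file offset in every binary, checking that the byte at that offset really is 0x75 before writing is safer still than a blind search-and-replace.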
All files are patched successfully. Now let's run all the PE files and grab the flag:
for file in task/*; do echo "A" | wine "$file" >> flag.txt; done
 
Running all of them takes about an hour because of the huge number of files.

Check out the flag.txt .

No flag !!!! 


The output is obviously obfuscated JavaScript, so we wrote another script to extract the code. Each line of flag.txt contributes one character: the one right after the first "(".
flag = ""
with open("flag.txt") as f:
    for line in f:
        idx = line.find("(")
        if idx > -1:
            flag += line[idx + 1:idx + 2]  # the character right after the first "("
print(flag)
with open("solve.js", "w") as text_file:
    text_file.write(flag)
 
Finally we get the JavaScript code.



After fixing some bugs, we run the code.



We had a great time solving this task; it took us 2-3 hours.

