EasyCTF2017{67K_Rev_Writeup}
67K, Reverse Engineering, 400 pt

After extracting 67k.zip, a huge number of files appears, each named with a hex number.
Static analysis
Pick up the first binary, 00000.exe, and disassemble it:
$ objdump -d 00000.exe
After looking for a while and comparing the disassembly of many files, it turns out that all the binaries share the same logic:
- 1. Read an input from the user.
- 2. Compare the input with one character: cmp 0x40306c,%eax. If the values differ, the binary jumps away with jne 0x40205a.
- 3. Print an answer. When the input is wrong, the binary prints this message: I think my dog figured this out before you.
Core idea!
The opcode 0x75 is jne rel8 and 0x74 is je rel8, so flipping that single byte from 75 to 74 in a hex editor (HxD) inverts the check and the binary takes the success path regardless of the input. In our case the patched first binary prints (J).
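The patch described above, as an added example that is not part of the original writeup: a byte-level patcher that flips jne rel8 (0x75) to je rel8 (0x74) only when the byte sits on a byte boundary and is followed by the expected displacement (0x1e, the value seen in the challenge), next to a reimplementation of the writeup's hex-text replace. The sample bytes are constructed, not taken from the challenge files, and are chosen so that the hex dump contains "751e" starting on an odd nibble, which the text-level replace corrupts. The patch_file helper is also an assumption for illustration.

```python
#!/usr/bin/env python3
"""Added example: patch jne rel8 (0x75) into je rel8 (0x74) at the byte level,
and show why the same replace on a hex-text dump can misfire."""
import binascii
from typing import Tuple

JNE_REL8 = 0x75  # jne/jnz rel8
JE_REL8 = 0x74   # je/jz rel8
REL8 = 0x1e      # displacement seen in the challenge binaries (jne +0x1e)

# Constructed sample (not from the challenge): a real jne +0x1e at offset 2,
# followed by the unrelated bytes 07 51 e0 whose hex dump also contains "751e".
SAMPLE = bytes([
    0x39, 0xc8,        # cmp eax, ecx (any compare)
    0x75, 0x1e,        # jne +0x1e   <- the check to invert
    0x07, 0x51, 0xe0,  # unrelated bytes: hex "0751e0"
    0x90,              # nop
])


def patch_jne_to_je(data: bytes, rel8: int = REL8) -> Tuple[bytes, int]:
    """Return (patched copy, number of patches).

    Only a 0x75 byte that starts on a byte boundary and is followed by the
    expected displacement is flipped; the displacement itself is kept.
    """
    buf = bytearray(data)
    count = 0
    i = 0
    while i < len(buf) - 1:
        if buf[i] == JNE_REL8 and buf[i + 1] == rel8:
            buf[i] = JE_REL8
            count += 1
            i += 2  # skip the displacement byte
        else:
            i += 1
    return bytes(buf), count


def hex_text_replace(data: bytes) -> Tuple[bytes, int]:
    """The writeup's approach: replace '751e' -> '741e' in the hex dump.

    A match can start on an odd nibble (bytes 07 51 e0 dump as '0751e0'),
    so unrelated bytes may get rewritten as well.
    """
    hexs = binascii.hexlify(data).decode()
    count = hexs.count("751e")
    return binascii.unhexlify(hexs.replace("751e", "741e")), count


def patch_file(path: str) -> int:
    """Hypothetical helper: patch one PE in place, keeping a .bak copy.
    Returns the number of jumps flipped."""
    with open(path, "rb") as f:
        data = f.read()
    patched, n = patch_jne_to_je(data)
    if n:
        with open(path + ".bak", "wb") as f:
            f.write(data)
        with open(path, "wb") as f:
            f.write(patched)
    return n


if __name__ == "__main__":
    good, n_good = patch_jne_to_je(SAMPLE)
    bad, n_bad = hex_text_replace(SAMPLE)
    print("byte-level:", good.hex(), "patches:", n_good)  # one patch, 51 untouched
    print("hex-text  :", bad.hex(), "patches:", n_bad)    # two "patches", 51 -> 41
```

On the constructed sample the byte-level patcher flips exactly one byte, while the hex-text replace also rewrites the 0x51 inside the unrelated bytes. Running the patcher over a directory is a matter of calling patch_file on each *.exe; checking that the count is exactly 1 per file is a cheap sanity test that the pattern did not hit anything else.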
Writing a script!
Not the most elegant code, but it works pretty c00l! :p

#!/usr/bin/env python3
import glob
import binascii
import fileinput


def serch_pattern(file_in):
    # search and replace the pattern 751e (jne rel8) ==> 741e (je rel8)
    # in the hex dump. Note that this works on the hex text, so a match may
    # also start on an odd nibble (e.g. bytes 07 51 e0); it was enough here.
    textToSearch = "751e"
    textToReplace = "741e"
    with fileinput.FileInput(file_in, inplace=True, backup='.bak') as file:
        for line in file:
            print(line.replace(textToSearch, textToReplace), end='')


def file_to_HEX(file_in, file_out):
    # convert the binary file to a hex text file
    with open(file_in, 'rb') as f, open(file_out, "wb") as k:
        k.write(binascii.hexlify(f.read()))


def hex_to_bin(file_in, file_out):
    # convert the hex text back to file.exe [binary]
    with open(file_in) as f, open(file_out, 'wb') as fout:
        for line in f:
            fout.write(binascii.unhexlify(''.join(line.split())))


if __name__ == '__main__':
    for exe in glob.glob("*.exe"):
        file_to_HEX(exe, "out.txt")
        serch_pattern("out.txt")
        hex_to_bin("out.txt", exe)

All files are patched successfully. Now let's run all the PE files and grab the flag!
for file in task/* ; do echo "A" | wine "$file" >> flag.txt; done

Execution takes about an hour because of the huge number of files.
Check out flag.txt.
No flag!
It is obviously obfuscated JavaScript, so we write another script to extract the code.
#!/usr/bin/env python3
flag = ""
with open("flag.txt") as f:
    for line in f:
        # each patched binary prints one character in parentheses, e.g. (J);
        # keep the character right after the first "("
        pos = line.find("(")
        if pos > -1:
            flag += line[pos + 1:pos + 2]
print(flag)
with open("solve.js", "w") as text_file:
    text_file.write(flag)

Finally we get the JavaScript code.
After fixing some bugs, run the code.
We spent a good amount of time on this task; it took 2-3 hours to solve.
Nice :D