Sunday, 18 December 2016

Sharif CTF : RE Challenges

The first 3 re challenges were very simple. Out of the 4 others 3 were windows re and 1 was an apk file.

I could solve only the first 3.

Getit - 50 Points challenge

This challenge I couldn't understand the disassembly much. I was just stepping through the code in GDB. Saw a string comparison, above that a string was being moved to edi. It turned out to be the flag. :-)

      0x40081c <main+198>: movsxd rbx,eax
      0x40081f <main+201>: mov    edi,0x6010e0
      0x400824 <main+206>: call   0x4005e0 <strlen@plt>
=> 0x400829 <main+211>: cmp    rbx,rax

The flag was stored at address 0x6010e0, it was moved to rdi.
We can see that by-

      x/s $rdi

Flag :

SharifCTF{b70c59275fcfa8aebf2d5911223c6589}


RepairMe - 100 Points challenge

I don't know why they gave this challenge. I got the flag while just executing it.

Flag :

SharifCTF{98ad7e41c78b7df41cb2ad0c17c61408}


SCrack- 150 Points challenge

In this challenge either you have to give right input to get the flag or you can get the flag directly by examining the disassembly. I chose the second way. Starting from the following address, start converting the hex value which is being moved to esi into character. First character will be 'S'. Till you get the whole flag repeat the same  process.

      0x0000000000400c50 <+515>: mov    esi,0x53
      0x0000000000400c55 <+520>: mov    edi,0x6021c0
      0x0000000000400c5a <+525>: call   0x4008e0  <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_c@plt>
      0x0000000000400c5f <+530>: mov    esi,0x68
      0x0000000000400c64 <+535>: mov    rdi,rax
      0x0000000000400c67 <+538>: call   0x4008e0    <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_c@plt>

Finally you will get the flag as:

SharifCTF{ed97d286f356dadb5cde0902006c7deb}

Monday, 21 November 2016

RC3 CTF - Logmein

This re challenge was pretty simple.

First of all I saw the following pseudo code of the binary file.
We can easily understand what is going on in the program by looking at the code.



We have to reach the CorrectPass function by giving the correct input i.e the flag.
I was particularly interested in the second if statement inside the for loop.

So I put a breakpoint  at that statement in GDB.



So the rdx and rdi values are being compared. After each true comparison we will get the char of the next comparison. So just make sure that you change your input according to the register values after each iteration.

Finally I found the flag to be:

RC3-2016-XORISGUD

Thanks for reading

Monday, 22 August 2016

BioTerra CTF - Wathzefugg

This RE challenge was pretty easy. It compares between each character  of two different strings and stores the character which has higher ascii value at another location. All the characters with the higher ascii value form the flag of the challenge.

I have used IDA pro and GDB to solve the challenge.

1. Go to the main function after loading the file in IDA. There we can see the two strings used for comparison and a function call before the puts statement, go to that function.

1

2. In that function we can see a comparison statement. It is used to compare between the ascii value of each character of string 1 with that of string 2.

21

3. After the comparison the value is stored at [rax], put a break point at the address of loc_400703 in GDB and then keep noting the [rax] value after each iteration.

22

After the final iteration you will get the flag as:

{Easy_P3aSyeLpk3NwraTJJmEcvKRUr}


Also for the better understanding of the you might want to look at the pseudocode produced by IDA :

23.jpg

Thanks for reading.

Wednesday, 4 May 2016

E2E Encryption Could Make WhatsApp a Spam Magnet

 WhatsApp has rolled out end-to-end encryption for its users to protect their privacy, but the move could make the service more attractive to spammers, too.


While encryption can safeguard information from data thieves, it also can block data protectors from detecting malicious activity on their networks.

Over the last three to four years, mobile carriers have made it harder for spammers to deliver their junk messages. That's prodded them to look for greener pastures.

Not only does it cost spammers less to spew their rubbish on WhatsApp, but it's easier to find targets there.

WhatsApp is a very friendly service to spammers because it allows them to validate phone numbers to see if they have a WhatsApp account, so they can upload large number ranges to test who has a WhatsApp account and just send bulk messages to them.

Because end-to-end encryption prevents protection systems from seeing what's in a spam message, they can't guard against malicious activity like phishing, account hijacking, spam and malware.

It's simple economics. As certain channels get closed off to these spammers, they're finding other ways to reach their targets. They only make money if they get their messages through and they get a reasonable conversion rate.