Sunday 11 February 2018

Quad Math - HackIM 2018

This time HackIM had a variety of RE challenges. There was one LLVM IR, one ARM, one Mach-O, one Linux x64 and one more(didn't unlock it, so don't know about that).

I solved the ARM challenge, named Quad math. It was a 150 pointer challenge. I couldn't run it. So I fired up radare to analyse it statically. The main function looked something like this:

       

From the disassembly, it is clear that the binary takes one string as input, then it goes through a series of checks, and finally the result gets printed out. There were a total of 65 check functions which checked the input, character by character. But the checks turned out to be a little short as multiple correct answers were being accepted by the binary. It will become clear in a little while. And each of the checking functions looked something like this:

 

It is actually checking the first and third character of the input(i.e. flag).

        void func_6b8()
        {
             fin = input[0] * input[0] - 203 * input[0] != -10296 || input[2] * input[2] - 203 * input[2] != -10296;
        }

Rest of the characters were being checked similarly(i.e. two alternate characters at a time). So, what I did is, I wrote a z3 script to find the correct input.


As I earlier said, the constraints for checking the flag were a little less, therefore the script printed out many possible answers. So I sent few of them having only printable characters to the admin and he was kind enough to send me the correct flag which will be accepted by the server.

The correct flag was:

hackim18{'W0W_wow_w0w_WoW_y0u_h4v3_m4th_sk1ll5_W0oW_w0ow_wo0w_Wo0W'}

Tuesday 6 February 2018

Codegate CTF 2018 Preliminary - Boom

Even though I didn't solve any challenge during the CTF, Codegate was fun. There were a variety of RE challenges this time. Half of the day I tried the challenge Easy Serial. I understood that it was a haskell program. I haven't used it before and debugging in GDB did not make much sense as haskell programs do not use the conventional stack. I read about haskell program and it's stack structure then left it midway to look at the challenge Boom. I guess this challenge can be solved in many ways. I approached it in the following way:

Boom was written in rust. I tried running the program.


From the output it is evident that there are 5 stages in this challenge.

Let's figure out what is the first one. Inside the main::main function there is a function called main::func1 which looks interesting. The first input and check happens in that function itself.
We can see an if statement and a string compare in it. Our input is compared with the string "Know what? It's a new day~". If it is correct then main::func13 checks if the file /tmp/files/1 is present or not. If that is present then only we move on to the second check.
The second check happens in the function main::func2. First of all it checks if the input has 7 characters. In this case, the characters are space separated integers which will become clear with little debugging.

This is a predefined array in the program:
f7*zq5$ase0t6ui#^yd2owgb_n8pu4!k&vc@lrj19mx3h

The input is 7 integers which after few calculations must match with the position of characters of the string pand0ra in the above array. With a little trial and error along with one of my teammates, I was able to find the correct input as 57 14 23 92 50 7 14. If it is correct then the check for file /tmp/files/6 happens. If that is present then we move on to the next check.

The third input is also a string of integers i.e. 25 space separated integer values. Put a breakpoint in GDB at the address of _ZN4main5func717h1a0f9200721da090E+2791 and we can observe that the value at rdx (our input, one character at a time) is compared with QWORD PTR [rax+rsi*8]. To get all the values at that memory location, I wrote a small GDB script.
Running the script at that address gives the correct input and that is:
17 24 1 8 15 23 5 7 14 16 4 6 13 20 22 10 12 19 21 3 11 18 25 2 9

Now make the file named 10 at the same location as other files. So now we have passed the first 3 checks. Moving onto the 4th check. 

The 4th input is just an integer. The most important check for it happens in the function _ZN4main6func1217h2c7664a1999a9c74E. The integer should be such that the return value of the function must be 0x6b.

I was too lazy to reverse the function, so I wrote a GDB script to bruteforce the correct input. The correct input is 188. Also we need to have a file named 13 at the location /tmp/files.
The final input is a bit confusing because many values are possible (that might be the reason why they hosted the challenge on a server). We need to enter 4 indexes as input. I gave the input 1 1 1 1 and it worked.

The complete output of the binary:

This is just a brief summary of how to solve the challenge. There are many checks and exception handling in the program. I hope giving these inputs on the remote server will print the flag, can't confirm as the server is down after the CTF.