team pong

Dutch CTF "team pong" write-ups and other stuff

CSAW 2012 – Reversing 400


$ md5sum re400
1c58c4a9b3caaa41b7f377c898baaaee  re400
$ file re400
re400: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x012c3cf67d5aa15a9985ea064958921dc600c367, not stripped

Let’s open the binary in IDA.

The encrypted key is in plain sight: the caller fills a 17-byte stack buffer one byte at a time, the last store being the NUL terminator:

.text:0000000000400650                 mov     [rbp+key], 9Ch
.text:0000000000400654                 mov     [rbp+key+1], 8Ch
.text:0000000000400658                 mov     [rbp+key+2], 9Eh
.text:000000000040065C                 mov     [rbp+key+3], 88h
.text:0000000000400660                 mov     [rbp+key+4], 96h
.text:0000000000400664                 mov     [rbp+key+5], 8Ch
.text:0000000000400668                 mov     [rbp+key+6], 8Ch
.text:000000000040066C                 mov     [rbp+key+7], 90h
.text:0000000000400670                 mov     [rbp+key+8], 97h
.text:0000000000400674                 mov     [rbp+key+9], 9Eh
.text:0000000000400678                 mov     [rbp+key+0Ah], 8Dh
.text:000000000040067C                 mov     [rbp+key+0Bh], 9Bh
.text:0000000000400680                 mov     [rbp+key+0Ch], 0A0h
.text:0000000000400684                 mov     [rbp+key+0Dh], 0A0h
.text:0000000000400688                 mov     [rbp+key+0Eh], 0C5h
.text:000000000040068C                 mov     [rbp+key+0Fh], 0D7h
.text:0000000000400690                 mov     [rbp+key+10h], 0

As is the decryption routine:

.text:00000000004005F3 decrypt         proc near               ; CODE XREF: .text:00000000004006CAp
.text:00000000004005F3
.text:00000000004005F3 key             = qword ptr -18h
.text:00000000004005F3 var_4           = dword ptr -4
.text:00000000004005F3
.text:00000000004005F3                 push    rbp
.text:00000000004005F4                 mov     rbp, rsp
.text:00000000004005F7                 mov     [rbp+key], rdi
.text:00000000004005FB                 mov     [rbp+var_4], 0
.text:0000000000400602                 jmp     short loc_40061E
.text:0000000000400604 ; ---------------------------------------------------------------------------
.text:0000000000400604
.text:0000000000400604 loc_400604:                             ; CODE XREF: decrypt+34j
.text:0000000000400604                 mov     rax, [rbp+key]
.text:0000000000400608                 movzx   eax, byte ptr [rax]
.text:000000000040060B                 mov     edx, eax
.text:000000000040060D                 not     edx
.text:000000000040060F                 mov     rax, [rbp+key]
.text:0000000000400613                 mov     [rax], dl
.text:0000000000400615                 add     [rbp+key], 1
.text:000000000040061A                 add     [rbp+var_4], 1
.text:000000000040061E
.text:000000000040061E loc_40061E:                             ; CODE XREF: decrypt+Fj
.text:000000000040061E                 mov     rax, [rbp+key]
.text:0000000000400622                 movzx   eax, byte ptr [rax]
.text:0000000000400625                 test    al, al
.text:0000000000400627                 jnz     short loc_400604
.text:0000000000400629                 mov     eax, [rbp+var_4]
.text:000000000040062C                 pop     rbp
.text:000000000040062D                 retn
.text:000000000040062D decrypt         endp

As in the reversing 100 challenge, the "encryption" is just a bitwise NOT of every byte: the loop loads a byte, complements it (`not edx`), writes it back in place, and advances until it hits the NUL terminator, returning the number of bytes processed in `eax`. Complementing each of the 16 key bytes above gives the flag.
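To make the decoding reproducible, here is an added Python script (not part of the original write-up) that parses the IDA listing of the key stores above, rebuilds the stack buffer, and applies the same byte-wise NOT as the binary's `decrypt()`. The listing text is embedded as a constructed input copied from this page; the regex, `ida_int`, `extract_stack_bytes` and `solve` are my own helper names, not anything from the binary.

```python
import re

# Constructed input: the IDA listing of the key initialisation, copied from
# the write-up above (offsets 0..0x10, the last byte being the NUL terminator).
IDA_KEY_LISTING = """
.text:0000000000400650                 mov     [rbp+key], 9Ch
.text:0000000000400654                 mov     [rbp+key+1], 8Ch
.text:0000000000400658                 mov     [rbp+key+2], 9Eh
.text:000000000040065C                 mov     [rbp+key+3], 88h
.text:0000000000400660                 mov     [rbp+key+4], 96h
.text:0000000000400664                 mov     [rbp+key+5], 8Ch
.text:0000000000400668                 mov     [rbp+key+6], 8Ch
.text:000000000040066C                 mov     [rbp+key+7], 90h
.text:0000000000400670                 mov     [rbp+key+8], 97h
.text:0000000000400674                 mov     [rbp+key+9], 9Eh
.text:0000000000400678                 mov     [rbp+key+0Ah], 8Dh
.text:000000000040067C                 mov     [rbp+key+0Bh], 9Bh
.text:0000000000400680                 mov     [rbp+key+0Ch], 0A0h
.text:0000000000400684                 mov     [rbp+key+0Dh], 0A0h
.text:0000000000400688                 mov     [rbp+key+0Eh], 0C5h
.text:000000000040068C                 mov     [rbp+key+0Fh], 0D7h
.text:0000000000400690                 mov     [rbp+key+10h], 0
"""

# One byte store into the stack buffer: "mov [rbp+key+OFF], IMM" (OFF optional).
MOV_RE = re.compile(r"mov\s+\[rbp\+key(?:\+(\w+))?\],\s*(\w+)")


def ida_int(tok: str) -> int:
    """Parse an IDA immediate: a trailing 'h' means hex, otherwise decimal."""
    return int(tok[:-1], 16) if tok.lower().endswith("h") else int(tok, 10)


def extract_stack_bytes(listing: str) -> bytearray:
    """Rebuild the stack buffer from the byte-by-byte mov stores."""
    stores = {}
    for m in MOV_RE.finditer(listing):
        off = ida_int(m.group(1)) if m.group(1) else 0
        stores[off] = ida_int(m.group(2))
    if not stores:
        raise ValueError("no key stores found in listing")
    size = max(stores) + 1
    missing = [o for o in range(size) if o not in stores]
    if missing:
        raise ValueError(f"uninitialised key bytes at offsets {missing}")
    return bytearray(stores[o] for o in range(size))


def decrypt(buf: bytearray) -> int:
    """Python equivalent of the binary's decrypt(): complement every byte in
    place until the NUL terminator and return the number of bytes touched
    (the 'not edx' / 'mov [rax], dl' pair and the var_4 counter)."""
    i = 0
    while i < len(buf) and buf[i] != 0:   # the real routine has no bound check
        buf[i] = ~buf[i] & 0xFF
        i += 1
    return i


def solve(listing: str) -> str:
    """Recover the plaintext key from the IDA listing."""
    buf = extract_stack_bytes(listing)
    n = decrypt(buf)
    return buf[:n].decode("ascii")


if __name__ == "__main__":
    print(solve(IDA_KEY_LISTING))
```

Note that `decrypt()` stops at the first NUL, exactly like the assembly, so the 17th byte (the terminator) is never complemented and the returned count is 16; the bound check on `len(buf)` is an addition, the real routine would keep walking the stack if the terminator were missing.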

Key: csawissohard__:(

Written by teampong

October 24, 2012 at 5:44 am

Posted in Uncategorized
