CSAW 2012 – Reversing 400
$ md5sum re400
1c58c4a9b3caaa41b7f377c898baaaee  re400

$ file re400
re400: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x012c3cf67d5aa15a9985ea064958921dc600c367, not stripped
Let’s open the binary in IDA.
The key is in plain sight:
.text:0000000000400650 mov [rbp+key], 9Ch
.text:0000000000400654 mov [rbp+key+1], 8Ch
.text:0000000000400658 mov [rbp+key+2], 9Eh
.text:000000000040065C mov [rbp+key+3], 88h
.text:0000000000400660 mov [rbp+key+4], 96h
.text:0000000000400664 mov [rbp+key+5], 8Ch
.text:0000000000400668 mov [rbp+key+6], 8Ch
.text:000000000040066C mov [rbp+key+7], 90h
.text:0000000000400670 mov [rbp+key+8], 97h
.text:0000000000400674 mov [rbp+key+9], 9Eh
.text:0000000000400678 mov [rbp+key+0Ah], 8Dh
.text:000000000040067C mov [rbp+key+0Bh], 9Bh
.text:0000000000400680 mov [rbp+key+0Ch], 0A0h
.text:0000000000400684 mov [rbp+key+0Dh], 0A0h
.text:0000000000400688 mov [rbp+key+0Eh], 0C5h
.text:000000000040068C mov [rbp+key+0Fh], 0D7h
.text:0000000000400690 mov [rbp+key+10h], 0
As is the decryption routine:
.text:00000000004005F3 decrypt proc near ; CODE XREF: .text:00000000004006CAp
.text:00000000004005F3
.text:00000000004005F3 key = qword ptr -18h
.text:00000000004005F3 var_4 = dword ptr -4
.text:00000000004005F3
.text:00000000004005F3 push rbp
.text:00000000004005F4 mov rbp, rsp
.text:00000000004005F7 mov [rbp+key], rdi
.text:00000000004005FB mov [rbp+var_4], 0
.text:0000000000400602 jmp short loc_40061E
.text:0000000000400604 ; ---------------------------------------------------------------------------
.text:0000000000400604
.text:0000000000400604 loc_400604: ; CODE XREF: decrypt+34j
.text:0000000000400604 mov rax, [rbp+key]
.text:0000000000400608 movzx eax, byte ptr [rax]
.text:000000000040060B mov edx, eax
.text:000000000040060D not edx
.text:000000000040060F mov rax, [rbp+key]
.text:0000000000400613 mov [rax], dl
.text:0000000000400615 add [rbp+key], 1
.text:000000000040061A add [rbp+var_4], 1
.text:000000000040061E
.text:000000000040061E loc_40061E: ; CODE XREF: decrypt+Fj
.text:000000000040061E mov rax, [rbp+key]
.text:0000000000400622 movzx eax, byte ptr [rax]
.text:0000000000400625 test al, al
.text:0000000000400627 jnz short loc_400604
.text:0000000000400629 mov eax, [rbp+var_4]
.text:000000000040062C pop rbp
.text:000000000040062D retn
.text:000000000040062D decrypt endp
As in the 100-point reversing challenge, the only obfuscation is a bitflip: decrypt walks the buffer until it reaches the NUL terminator, replaces each byte with its bitwise NOT (the `not edx` / `mov [rax], dl` pair), and returns the number of bytes it processed in eax. Applying NOT to the sixteen bytes stored above gives the key.
Key: csawissohard__:(