Reverse-Engineering- Reloaded | CTF
Hello dear!
Welcome back to my blog channel. Today, I will write a write-up about reversing EXE files. If you are ready, let’s get started.
It is important to have a basic knowledge of reversing, disassembling and other techniques to understand a file. With this blog, I will show you how to start to reverse a file from beginner step to advance respectively. If you are ready let’s get started.
Level-0
This challenge is the most basic of RE. It will teach how to enumerate files and get juicy details.
Hint → Pull The Strings
We are going to analyze this file first.
We can see that this file was built with 32-bit, and that can be shown through detect-it-easy. You can also use other tools such as PE-bear and Pestudio, but it gave us a good idea to search for strings.
When we ran the program it asked us to enter a flag that we do not know yet.
I was going to use the “strings.exe” command and saw that a lot of strings appeared that we do not want. The best way to minimize and to have useful strings is “grep -E . {10,30}” which means that we are asking for 10 to 30 characters in this file.
Awesome! We get the flag.
Level-1
Level 0 was piece of cake for you now I am keeping my cake in the cage.
Hint --> Look for the value being loaded into the register before the jump.
We will use the same technique that we did at level 0.
File Type → PE32
Awesome! I am going to use the “strings.exe” command to see the results.
Nothing useful! Let me drop this file to ghidra
As you saw, we got a message “try again!”, I was going to search filters “try” again” but the reason is that there were a lot of functions which made it not understandable for us.
“if (param_1 == 0x6ad) then lucky number” let’s translate this to a decimal number
Awesome! we get the lucky number.
Level-2
As a security analyst, you found some suspicious app in your organization that enables employees secretly share their files with a rival organization. Your task is to find who is involved in this treachery, but the app needs some key to log in. Can you patch this app to bypass Authentication?
hint → Patch the instruction to fool the program to jump into a secret function that will lead to the flag.
It seems that we can patch the file so as to be able to bypass the authentication.
As always, I will patch the binary with the help of ghidra.
You can see, when we input a string it will compare with “param_1”, but we do not know about the password
Let me show the instructions:
In the 8085 Instruction set, we are having one mnemonic JNZ a16, which stands for “Jump if Not Zero” and “a16” stands for any 16-bit address.
Zero is used to represent false, and one is used to represent true.
If zero → We will get the flag
if not Zero → We will not get the flag
Now, I am going to patch the file to jump ‘if zero’
int strcmp(const char *str1, const char *str2)This function return values that are as follows −>
- if Return value < 0 then it indicates str1 is less than str2.
- if Return value > 0 then it indicates str2 is less than str1.
- if Return value = 0 then it indicates str1 is equal to str2.
As you can see!
The script has been modified. We can clearly see that: If we put the wrong password it will move to the “else statement”
Info → To patch an instruction, right-click on the instruction you want to modify and go to “Patch Instruction”. From there, you will see text boxes that you can type into.
To save the file:
Press ‘o’ and select “PE” and give an output
For more detail: https://vickieli.dev/binary%20exploitation/intro-to-binary-patching/
Level-3
Bob was fired due to his inappropriate behavior with colleagues. While leaving he deleted the code which decrypts the password stored in the code. As a reverse engineer, it’s your task to recover that master password since the code is in prod now and cant is modified but you have a copy of the app. everything depends on you now !!!
Hint → Look for the loop responsible for the XOR operation by pivoting through strings. Once you find the loop look for the value stored in the EAX before XOR.
When we run the file, we can see that it asks for the flag.
I am going to drop to ghidra or you can drop to cutter(debugger) program.
Let me show via Ghidra:
- It is asking for the flag
- It stores into the FUN_004014af function.
I will read and rename the functions to understand the algorithm.
It seems that we need to debug this code in x32dbg
I found the memory address of “Xor_function” -> You can set a breakpoint with the help of this command:
“bpx 004014bc” and run until its hit the breakpoint.
I am going to view the algorithm:
Each character is being XORed with 7
Let me code a simple script:
Awesome! we are done with this level.
Level-4
They are back!!! and using some sort of encryption algorithm to communicate. Although we intercepted their messages we cant decode them, Agent 35711 has successfully stolen their test encryption code. Now it’s on you to build a decryptor for test messages and save this world.
Hint → In the name of the agent and his middle number you will find the key
When we run the file, it seems that being encrypted password is given to us.
As always, being able to view the source code we can use Ghidra. We cannot use “find the string” because of being encrypted password which is encrypted by an algorithm that we do not know. There should be either “puts()” or “printf()” to give the output to us. In order to find printf() or puts() we should concern about symbols.
It was easy to be found:
- Look at the symbol tree -> (print) symbols and follow the line until you get the code.
2. Now, we found the code which encrypts the password, we need to understand the algorithm, however.
I am going to rename the variables.
It looks like the function gets the length of the flag, and performs a preliminary check on lines 10–11 if the string meets certain requirements, and the encryption algorithm is run against the flag string.
It is important to get the address of the function because we can set a breakpoint to see the behavior of the algorithm.
I am going to open x32dbg because of the 32-bit file.
- We set a breakpoint
- We know that the string was not being encrypted before the “for loop”.
- We are able to see the EAX register
As you can see we have successfully reversed all levels. I hope you enjoyed it and learned new techniques. More great CTF blogs-Programming-Reverse-Exploitation content will be written.
I am currently solving Leetcode problems, especially the “Math” topic
You can follow me on Social Media:
Instagram: https://instagram.com/0xcd4_
Linkedin: https://www.linkedin.com/in/ahmetgoker/
Twitter: https://twitter.com/TurkishHoodie_
GitHub: https://github.com/0xCD4
Please follow and subscribe for more awesome upcoming blogs.
