ISCC 2016 Reverse Part writeup

Source: Internet
Author: User
Tags: md5, encryption

ISCC2016 Reverse part by Goldsnow

Doing this set of challenges I picked up a lot of new tricks. A scrub can only use scrub methods.

Challenge download

Help me

Description: I've got a difficult task and I can't solve it. I need your help!

Idea: brute force

The binary is a 64-bit ELF. Open it directly in IDA and the logic is fairly clear.
First, go to the main function and analyze it.

    for ( i = 0; i <= 15; ++i ) {
      if ( !(v11 & 1) )
        ++v5;

This piece of code uses a bitwise operation to count how many bits of the binary value are 0.
Evidently exactly three 0 bits are required.

The MD5 here is a trap: C has no built-in MD5 library, and I couldn't tell what it was doing. All I knew was that the result is compared with unk_6020a0, so I tried to MD5 the data at that address to decrypt it, but that eventually failed.

Looking at it another way: word_602080 is XORed with a value, then byte_6020c0 minus that result produces the final flag, so the problem can be attacked from that angle. The unknown here is v10, i.e. the input number, which can be recovered by brute force.
When I solved it I used a C program to check whether the fifth character of the output was '{'.

Attached is my C program for reference (int16_t/int8_t stand in for the MSVC __int16/__int8 types of the original).

    #include <stdio.h>
    #include <stdint.h>
    #include <math.h>

    /* word_602080 as bytes */
    unsigned char a[] = {0x34,0x12,0x78,0x56,0xbc,0x9a,0xff,0xed,0xef,0xbe,0x7f,0x22,
                         0xc3,0x90,0x76,0x82,0xad,0x99,0x2e,0x14,0x7c,0x80};
    /* byte_6020c0 */
    unsigned char b[] = {0x22,0x3f,0xd8,0xeb,0xcc,0xd2,0x42,0x87,0x61,0x75,0x01,0x09,
                         0x27,0xf9,0xdc,0xe8,0x16,0xfc,0x5f,0x89,0xb3,0xfd};
    int16_t c[6] = {0x3412,0x7856,0xbc9a,0xffed,0xefbe,0x7f22};   /* words that get XORed */
    int16_t d[6];

    int main(void)
    {
        int16_t x1 = 0, x2 = 0xffff, x = 0;
        /* triple loop lists every possible v10: exactly three 0 bits, at positions i, j, m */
        for (int i = 0; i <= 15; i++)
            for (int j = i + 1; j <= 15; j++)
                for (int m = j + 1; m <= 15; m++) {
                    x2 = 0xffff;   /* the original had x2==0xffff, a no-op comparison */
                    x1 = (int16_t)(pow(2, i) + pow(2, j) + pow(2, m));
                    x = x2 - x1;   /* these three lines build the candidate v10 */
                    for (int n = 0; n <= 5; n++) {
                        d[n] = c[n] ^ x;
                        a[2 * n] = d[n] >> 8;
                        a[2 * n + 1] = (int8_t)d[n];
                    }
                    if (b[4] - a[4] == '{') {   /* fifth char is '{': print the possible flag */
                        printf("%x", x);
                        for (int k = 0; k < 22; k++)
                            printf("%c", b[k] - a[k]);
                        printf("\n");
                    }
                }
        return 0;
    }
Hack encryption software

Description: We intercepted an enemy encryption program and a ciphertext. Try to decrypt the ciphertext by analyzing the program, and submit the 32-character lowercase MD5 of the decrypted plaintext as the flag.

Idea: pull out the decryption routine contained in the program, get the key, and decrypt.

The I Love Crack forum also has a more detailed walkthrough of this challenge (link).

Loading the program in OD and searching its strings shows that it has two functions: one is the original challenge, which encrypts the input string; the other is in fact a routine that can encrypt and decrypt with a key.

By modifying a jump, modifying the contents of a call, or other such methods, you can make the program run into that section, which is easy. But I didn't know what the key was.
The idea is that the key must be referenced somewhere in the original encryption routine.

Single-step through the program. When stepping reaches a certain point, an odd eight-digit number appears on the stack, and this number does not change with the input, so I guessed it was the key.


Sure enough, it came right out.

One odd thing: the value that OD shows directly has a space in it, and I don't know why.

Rookie of the counter attack

Description: "Xiao Ming is a game novice. One day, bored, he went looking for his buddies to play L4D2, but they were far too good and unwilling to take him along. Pestered helplessly by Xiao Ming, one of them gave him a program and told him: 'If you can get the right answer, I will pass my unique skills on to you.' Can you, being smart, help Xiao Ming get the right answer?
Test environment: clean WinXP SP3"

I couldn't find the software for dynamic debugging, so I could only do static analysis: open it in IDA.

From the hint it can be inferred that there are two words, dead and beef.
Both consist only of the letters a-f, which fall within the hexadecimal digit range 0-f, so the v9 above is 0xdeadbeef (or 0xDEADBEEF).

Combining dword_10f80 through dword_10f90 with v9 gives a string that looks like a flag, but you have to follow the program's subsequent logic to see how that string is converted.

Orph0fh!:hlghnocgalf


The transformation comes out like this. It is not very complicated, but it does take some thought.

Contradiction

Description: To was or not to be, which is the question.

Idea: remove the TLS callback, then brute force.

Reference http://www.2cto.com/Article/201303/197705.html

Load it into IDA.

Find the TLS callback in 010 Editor, fill that section with 00 and save the file. Then you can get into the main function part of the program, but I still couldn't get the flag, which was a bit depressing.

Looking through the strings for a pop-up window, I was lucky enough to find one,
and it has the word flag on it.

There are several sub_4385ff calls in that function; I assume it uses memset to zero out the target address range. So this is the place where the final flag is produced.

The last step is to open it directly in OD, jump to the relevant section, and let it run to get the result.
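The step above (find the TLS callback, fill it with 00) can be done in code instead of by hand in 010 Editor. The following Python script is an added example, not part of the original write-up: it parses the PE32 headers, walks the TLS callback array and zeroes each pointer. It builds a constructed minimal PE32 sample (not a real executable) so it runs offline; only PE32 images are handled, and the helper names are my own.

```python
import struct

def _rva_to_off(rva, sections):
    # Map an RVA to a file offset via the section table: (va, raw_size, raw_ptr)
    for va, size, ptr in sections:
        if va <= rva < va + size:
            return rva - va + ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def tls_callback_slots(data):
    # Return (file offset, VA) for every non-zero entry of the PE32 TLS callback array
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    opt = pe + 24                                                 # optional header
    if data[pe:pe + 4] != b"PE\0\0" or struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    tls_rva = struct.unpack_from("<I", data, opt + 96 + 8 * 9)[0]  # data directory 9 = TLS
    hdr = opt + struct.unpack_from("<H", data, pe + 20)[0]         # first section header
    sections = [struct.unpack_from("<III", data, hdr + 40 * i + 12) for i in range(nsec)]
    cb_va = tls_rva and struct.unpack_from("<I", data, _rva_to_off(tls_rva, sections) + 12)[0]
    if not cb_va:                                                 # no TLS dir or no callbacks
        return []
    off, slots = _rva_to_off(cb_va - image_base, sections), []
    while va := struct.unpack_from("<I", data, off)[0]:           # array is NULL-terminated
        slots.append((off, va))
        off += 4
    return slots

def zero_tls_callbacks(data):
    # The write-up's fix in code: overwrite each callback pointer with 00 bytes
    patched = bytearray(data)
    for off, _ in tls_callback_slots(data):
        struct.pack_into("<I", patched, off, 0)
    return bytes(patched)

def build_sample_pe():
    # Constructed minimal PE32 (not a real executable): one section, two TLS callbacks
    base, d = 0x400000, bytearray(0x400)
    d[0:2], d[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", d, 0x3C, 0x40)                          # e_lfanew
    struct.pack_into("<HH", d, 0x44, 0x14C, 1)                     # i386, 1 section
    struct.pack_into("<H", d, 0x54, 0xE0)                          # SizeOfOptionalHeader
    struct.pack_into("<H", d, 0x58, 0x10B)                         # PE32 magic
    struct.pack_into("<I", d, 0x58 + 28, base)                     # ImageBase
    struct.pack_into("<II", d, 0x58 + 96 + 72, 0x1000, 24)         # TLS directory RVA, size
    struct.pack_into("<IIII", d, 0x138 + 8, 0x200, 0x1000, 0x200, 0x200)  # section header
    struct.pack_into("<I", d, 0x200 + 12, base + 0x1020)           # AddressOfCallBacks
    struct.pack_into("<III", d, 0x220, base + 0x1234, base + 0x1300, 0)   # callbacks, NULL
    return bytes(d)
```

Running tls_callback_slots(build_sample_pe()) lists the two constructed callbacks; zero_tls_callbacks returns the same image with both pointers cleared, and listing it again yields nothing.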

Anti

Description: Every technique has its anti.

This challenge is about anti-debugging: bypassing the debugger and emulator detection in the DLL file.

I won't describe the method in detail: step through in OD, NOP out some calls directly, and force the jump (or also NOP) on the functions that obviously trigger the detection.
After entering the main program, the difficulty drops significantly.

It is easy to find the main comparison address. At the end there is a very complex-looking encryption routine; after half a day of analysis I got nowhere. Then I noticed the value was 32 characters long, thought it might be MD5, and the flag came right out on XMD5.

GoGoGo

Description: Mission is a go.

This challenge is written in Go. I asked a lot of people, and all of them said they solved it with dynamic analysis, but in the end I did it through static analysis, and it turned out to be easy.

IDA's analysis of it is non-standard, so it can only be done by guessing.

    v38 = "Please input:";
    v39 = off_4dc4c0[1];
    v40 = 0LL;
    v41 = 0LL;
    if ( &v30 == -88 )
      LODWORD(v40) = 0;
    v42 = &v40;
    v43 = 1;
    v44 = 1;
    v30 = &unk_4A10A0;
    v31 = &v38;
    sub_41FA10(&v42, a2, a3, v3);
    v4 = v42;
    v5 = v42;
    *v42 = v32;
    ++v5;
    *v5 = v33;
    ++v5;
    v30 = v4;
    v31 = v43;
    v32 = v44;
    sub_42c510(v5, &v34, v6, v7, v8, v9);
    sub_400C00(v5, &v34);
    v36 = v30;
    v37 = v31;
    v32 = &unk_4D73F0;
    v33 = *(&off_4d73e0 + 1);
    v10 = &off_4d73e0 + 2;
    sub_446a70(&v34, (&off_4d73e0 + 2), v11, v30, v12, v13);
    v16 = v34;
    v36 = v34;
    v37 = v35;
    if ( v35 != 38
      || (v30 = v34, v31 = $, sub_400cb0(&v34, v10, v14, v34, v15), v32 != 1) )
    {
      v38 = "wrong!!!";
      v39 = off_4dcce0[1];
      v40 = 0LL;
      v41 = 0LL;
      if ( &v30 == -88 )
        LODWORD(v40) = 0;
      v42 = &v40;
      v43 = 1;
      v44 = 1;
      v30 = &unk_4A10A0;
      v31 = &v38;
      sub_41FA10(&v42, v10, v14, v16);
      v24 = v42;
      v25 = v42;
      *v42 = v32;
      ++v25;
      *v25 = v33;
      v30 = v24;
      v31 = v43;
      v32 = v44;
      result = sub_42c510((v25 + 1), &v34, v26, v27, v28, v29);
    }
    else
    {
      v38 = "congratz!!";
      v39 = off_4db7a0[1];
      v40 = 0LL;
      v41 = 0LL;
      if ( &v30 == -88 )
        LODWORD(v40) = 0;
      v42 = &v40;
      v43 = 1;
      v44 = 1;
      v30 = &unk_4A10A0;
      v31 = &v38;
      sub_41FA10(&v42, v10, v14, v16);
      v17 = v42;
      v18 = v42;
      *v42 = v32;
      ++v18;
      *v18 = v33;
      v30 = v17;
      v31 = v43;
      v32 = v44;
      result = sub_42c510((v18 + 1), &v34, v19, v20, v21, v22);
    }

Too tired to copy the code out by hand. From the comparison it can be seen that sub_42c510 outputs the concluding sentence.
The input also needs a statement that reads characters, and my guess is that sub_446a70 is that part.

The real work is done, of course, by sub_400cb0 in the if statement.

Inside there is a character conversion, and a piece of in-memory data that looks very suspicious. At first I thought the input was being processed into this, but in fact I was wrong: it is the data in that memory. This processing turns it into base64-encoded data.

Attached code:

    #include <stdio.h>

    /* the suspicious in-memory data */
    int b[52] = {0xA5,0xD6,0x87,0x86,0xA5,0x33,0x37,0x03,0xE4,0x75,0xE4,0xB6,0x95,
                 0xA7,0xC6,0xD6,0xE4,0x44,0x94,0x53,0xE4,0xA6,0xB6,0x53,0xD4,0x23,
                 0xD4,0x77,0xD4,0xA7,0x46,0xB6,0xA5,0x74,0x55,0x13,0xD4,0xA6,0x36,
                 0x87,0x95,0x75,0x55,0x43,0x95,0xA6,0x15,0x03,0x95,0x33,0x03,0xD3};

    int main(void)
    {
        for (int j = 0; j < 52; j++) {
            /* swap the two nibbles of each byte; %c keeps only the low byte */
            printf("%c", (16 * b[j] | b[j] >> 4));
        }
        return 0;
    }

It's that simple. Then I base64-decoded the output and, to my surprise, that was it.
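The two steps above (nibble swap in C, then base64 in a web tool) as one script. This is an added example, not the author's code: it embeds the same 52 bytes from the snippet above, swaps the nibbles, and decodes the base64 in place, returning None when the swapped bytes are not valid base64 (the function names are mine).

```python
import base64
import binascii

# The 52 bytes the program holds in memory, copied from the C snippet above
MEM = bytes([0xA5,0xD6,0x87,0x86,0xA5,0x33,0x37,0x03,0xE4,0x75,0xE4,0xB6,0x95,
             0xA7,0xC6,0xD6,0xE4,0x44,0x94,0x53,0xE4,0xA6,0xB6,0x53,0xD4,0x23,
             0xD4,0x77,0xD4,0xA7,0x46,0xB6,0xA5,0x74,0x55,0x13,0xD4,0xA6,0x36,
             0x87,0x95,0x75,0x55,0x43,0x95,0xA6,0x15,0x03,0x95,0x33,0x03,0xD3])

def nibble_swap(data):
    # Swap the high and low nibble of every byte, e.g. 0xA5 -> 0x5A ('Z');
    # this is what the C snippet's (16*b | b>>4) truncated to a char does
    return bytes(((b & 0x0F) << 4) | (b >> 4) for b in data)

def recover(data):
    # Whole pipeline: nibble swap, then strict base64 decode.
    # validate=True rejects any non-alphabet byte, so a wrong guess about the
    # transformation shows up as None instead of garbage.
    try:
        return base64.b64decode(nibble_swap(data), validate=True)
    except binascii.Error:
        return None

if __name__ == "__main__":
    print(nibble_swap(MEM).decode("ascii"))   # the base64 text the program builds
    print(recover(MEM))                        # the decoded flag
```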

