Tuesday, October 2, 2012

CSAW CTF Quals: Reversing 400

Right from the start, we popped the ELF into a VM and decided to run it. Doing this, we see that it pops out with an encrypted key.


Assuming this is like reversing 100, we decided to pop it into IDA and see if we could spot a Decrypt function.

When you first open the ELF in IDA, it looks something like this:


Scrolling down, we see where it encrypts and kicks out. Directly after, there’s a decryption function that never gets touched…


Looks like another NOP patch to me…


Note: To get this menu to show up in IDA, edit idagui.cfg to include the line:
       DISPLAY_PATCH_SUBMENU = YES

Patch over 4006BE with some NOPs and commit the changes.
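
What committing the NOP patch does to the file on disk, as an added example that is not part of the original post: 4006BE is a virtual address, so it is first translated to a file offset through the ELF PT_LOAD headers, then the bytes there are overwritten with 0x90. The sample image, the 5-byte jmp and the patch length are constructed assumptions; the post does not say which instruction sits at 4006BE or how many bytes were patched.

```python
import struct

NOP = 0x90  # single-byte x86/x86-64 no-op

def va_to_offset(elf: bytes, va: int) -> int:
    """Map a virtual address to a file offset using the ELF64 PT_LOAD headers."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == 1 and p_vaddr <= va < p_vaddr + p_filesz:  # 1 = PT_LOAD
            return p_offset + (va - p_vaddr)
    raise ValueError(f"{va:#x} is not backed by file bytes in any PT_LOAD segment")

def nop_patch(elf: bytes, va: int, length: int) -> bytes:
    """Return a copy of the image with `length` bytes at `va` overwritten by NOPs."""
    if length < 1:
        raise ValueError("patch length must be at least 1")
    start = va_to_offset(elf, va)
    end = va_to_offset(elf, va + length - 1)
    if end - start != length - 1:
        raise ValueError("patch range crosses a segment boundary")
    patched = bytearray(elf)
    patched[start:end + 1] = bytes([NOP]) * length
    return bytes(patched)

def build_sample() -> bytes:
    """Constructed stand-in (not the challenge binary): one PT_LOAD at 0x400000."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x400000, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, 0x800, 0x800, 0x1000)
    image = bytearray((ehdr + phdr).ljust(0x800, b"\xcc"))
    image[0x6BE:0x6C3] = b"\xe9\x00\x01\x00\x00"  # assumed 5-byte jmp rel32
    return bytes(image)

if __name__ == "__main__":
    original = build_sample()
    patched = nop_patch(original, 0x4006BE, 5)  # 5 is an assumed length
    off = va_to_offset(original, 0x4006BE)
    print(f"file offset {off:#x}: {original[off:off+5].hex()} -> {patched[off:off+5].hex()}")
```

The patch length has to cover whole instructions; overwriting only part of one leaves stray operand bytes that decode as something else.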


And voilà:


-- d1r3w0lf
