Wednesday, October 17, 2012

hackyou CTF: Reversing 300

This challenge was significantly more complicated than the other two reversing challenges. The first step was unpacking the executable, but upx -d refused to recognize it, because somebody had renamed every UPX marker in the file (including the "UPX!" magic that upx -d scans for to identify a packed file) to LOL. Once I changed these back, upx -d unpacked the program without complaint.

At this point I started examining what the program actually does. Running it showed that it wants a user and a key, so the goal was to generate a valid key for a given user. I fired up IDA and got cracking with the disassembly. Several useful facts are readily apparent: the username can't be hackyou, and the key takes the form xxxx-xxxx-xxxx. After further examination I found the spot where the program compares the characters it derives from the username against the ones I typed in, so I set a breakpoint there in gdb (there are actually three such addresses, one for each four-character block of the key) and ran the program. The three breakpoints are 0804842B, 080484EA, and 080485A9. A screenshot of the IDA disassembly is shown below.


With a breakpoint on the address in the picture above, all I had to do was run 'info registers' in gdb: the expected value was sitting in eax. Feeding the program one guessed character at a time, I built the key up until I had the user/key combination h4ckyou/jzwd-f6x4-s0ao. Unfortunately, at that point it said "Great! Now submit the license key for 'hackyou'." The easiest way around the username check is to change every hackyou string in the binary to something of the same length, like hackyoo, so that nothing in the file shifts (I suggest bvi, which is like vi but for editing hex). After this we repeat the process with the username hackyou and get the key kecc-hack-yo0u.
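Both binary edits in this write-up, renaming the LOL markers back to UPX so upx -d will accept the file and renaming the hackyou strings so the username check passes, are same-length string replacements. The Python script below is an added example, not part of the original write-up or the challenge binary. It works on a constructed byte string standing in for the executable, restricts replacements to printable-string runs (the same heuristic strings uses), so a stray LOL inside compressed data is never touched, and assumes that the "UPX!" magic is what upx -d scans for when identifying a packed file.

```python
#!/usr/bin/env python3
"""Same-length string patching for the two edits in this write-up:
restoring the renamed UPX markers and renaming the 'hackyou' strings.
Added example; the sample bytes below are constructed, not the real binary."""
import re
import sys
from pathlib import Path

# Constructed stand-in for the packed executable: a fake ELF ident, a
# PackHeader-style block whose "UPX!" magic has been renamed to "LOL!",
# a stray "LOL" buried in non-printable bytes (must NOT be patched),
# the UPX banner string, and the two 'hackyou' strings the checker uses.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"\xaa\xbb\xcc\xdd" + b"LOL!" + b"\x0d\x0c\x02\x09"
    + b"\x00\x01LOL\x02\x03"
    + b"$Info: This file is packed with the LOL executable packer\x00"
    + b"hackyou\x00Great! Now submit the license key for 'hackyou'\x00"
)


def printable_runs(data: bytes, min_len: int = 4) -> list[tuple[int, int]]:
    """(start, end) of every run of printable ASCII at least min_len long,
    which is the default heuristic `strings` uses."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.end()) for m in re.finditer(pattern, data)]


def patch_in_strings(data: bytes, old: bytes, new: bytes) -> tuple[bytes, list[int]]:
    """Replace every `old` with `new`, but only inside printable-string runs.

    The replacement must have the same length: a longer or shorter one would
    shift every offset after it and corrupt the file. Returns the patched
    bytes and the file offsets that were changed."""
    if len(old) != len(new):
        raise ValueError("replacement must be the same length as the original")
    buf = bytearray(data)
    hits = []
    for start, end in printable_runs(data):
        for m in re.finditer(re.escape(old), data[start:end]):
            off = start + m.start()
            buf[off:off + len(old)] = new
            hits.append(off)
    return bytes(buf), hits


def restore_upx_markers(data: bytes) -> tuple[bytes, list[int]]:
    """Turn the renamed LOL markers back into UPX. upx -d locates its own
    header by scanning for the "UPX!" magic, so that occurrence is the one
    that matters; the banner text gets fixed along the way."""
    return patch_in_strings(data, b"LOL", b"UPX")


def rename_hackyou(data: bytes) -> tuple[bytes, list[int]]:
    """Change every 'hackyou' string to 'hackyoo' so the username check
    no longer rejects 'hackyou' as input."""
    return patch_in_strings(data, b"hackyou", b"hackyoo")


def main(argv: list[str]) -> int:
    if len(argv) != 4 or argv[3] not in ("upx", "hackyou"):
        print(f"usage: {argv[0]} <infile> <outfile> upx|hackyou", file=sys.stderr)
        return 2
    data = Path(argv[1]).read_bytes()
    patch = restore_upx_markers if argv[3] == "upx" else rename_hackyou
    patched, hits = patch(data)
    Path(argv[2]).write_bytes(patched)
    print("patched offsets:", ", ".join(f"0x{o:x}" for o in hits))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `patch.py rev300 rev300.upx upx` before `upx -d`, and again with `hackyou` on the unpacked binary before the second key run. Printing the patched offsets lets you confirm in a hex editor that only the string table and the header were touched.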

-- suntzu_II
