Thursday, September 26, 2013

CSAW CTF Quals: Reversing 150 - bikinibonanza

When you first run the program you are greeted by a GUI with a picture of a saw in the sea: C-SAW, so clever. Whatever you type in is compared against a value the program computes, and it branches on the result. If the string is wrong the program picks one of a set of predefined, snarky responses at random and displays it. One of those responses just so happens to be a link to being "Reg Rolled," hilarious right?

                "OMG, You're SOOO Freaking Close",
                "Try Harder - I can tell you want this",
                "Wow, What a great answer - but it's wrong",
                "You're about 10% right",
                "You almost got it, just add three!",
                "So close, maybe subtract three?",
                "YES! wait, no... try harder",
                "Wrong..",
                "Google \"do a barrel roll\"",
                "Did you see: https://www.youtube.com/watch?v=I6OXjnBIW-4",
                "Its a SAW... in the SEA.."


I used two tools on this binary. I started with good ole' ILSpy to see whether I could recover C# source rather than work with the IL. Unfortunately, ILSpy was only able to produce usable output for part of the program:

using System;
using System.ComponentModel;
using System.Drawing;
using System.Reflection;
using System.Resources;
using System.Runtime.ExceptionServices;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;
using System.Windows.Forms;
{
    public class Form1 : Form
    {
        private TextBox eval_ᜀ;
        private Button eval_ᜁ;
        private TextBox eval_ᜂ;
        private PictureBox eval_ᜃ;
        private Container eval_ᜄ;
        {
            try
            {
                this.eval_ᜂ();
            }

            catch
            {
                base.Dispose(true);
                throw;
            }
        }

This is just part of the code I was able to decompile, but as you can see the identifiers come out as odd non-Latin characters. They are not a decoding bug in ILSpy: the binary has been run through an obfuscator that renames fields and methods to letters from a script (here Tagalog, U+1700 and up) that is a legal C# identifier but renders as boxes in most fonts, and it reuses the same name for a field, a method and several overloads. Renaming all of that so the output compiles and runs in Visual Studio would be a nightmare. However, along with the code, ILSpy also lists the embedded resources, such as the background pictures for the GUI. One picture is named "Sorry You Suck" but has the words "YOU DID IT" written on it.


Looking through the source I found the branch that compares our input to the expected string. Our text is only uppercased; the expected value is produced by a heavier routine (the one that pulls in System.Security.Cryptography and MD5) from the constant "NeEd_MoRe_Bawlz" and the current clock hour plus one, so it changes over the day:

private void eval_ᜀ(object obj, EventArgs eventArgs)
{
    string strB = null;
    Assembly executingAssembly = Assembly.GetExecutingAssembly();
    ResourceManager resourceManager = new ResourceManager(
        executingAssembly.GetName().Name + ".Resources", executingAssembly);
    DateTime now = DateTime.Now;
    string arg_65_0 = this.eval_ᜀ.Text;
    string value = string.Format("{0}", now.Hour + 1);
    string text = "NeEd_MoRe_Bawlz";
    this.eval_ᜀ(text, Convert.ToInt32(value), ref strB);
    if (string.Compare(arg_65_0.ToUpper(), strB) == 0)
    {
        this.eval_ᜂ.Text = "";
        this.eval_ᜀ(this.eval_ᜀ(107));
        this.eval_ᜁ();
        this.eval_ᜂ.Text = string.Format(this.eval_ᜂ.Text, this.eval_ᜀ(resourceManager));
        this.eval_ᜃ.Image = (Bitmap)resourceManager.GetObject("Sorry You Suck");
    }
    else
    {
        this.eval_ᜃ.Image = (Bitmap)resourceManager.GetObject("Almost There");
        this.eval_ᜀ();
    }
}

So this branch looks promising. Since the expected value is computed from a constant and the clock, never from our input, I could simply force the comparison to succeed instead of reversing the key routine (or guessing which of the 24 hourly values is current). Getting the decompiled source to build and run in Visual Studio is a harder path than necessary, though, so my next step was to use ildasm from the Visual Studio command prompt to disassemble the file to IL, with the raw bytes of each instruction, and save the output to a text file.

The structure for this command is: ildasm /bytes [PEfilename] /out=filename (the /bytes switch prints the hex encoding of every instruction next to its mnemonic, which is what we need to find the same bytes in the binary).



After creating the file, I opened it and searched for "Sorry You Suck" to find the area of the branch quickly.

There is a brtrue.s (branch if true, short form) just above the "Sorry You Suck" load we found: it consumes the result of string.Compare and, if that result is non-zero, jumps right over the success block to the part that shows the incorrect-answer message. The byte representation of that instruction is 2D 63: 2D is the opcode for brtrue.s and 63 is the one-byte branch offset. I want to change it to brfalse.s (opcode 2C), which takes the same operand and pops the same value, so the patch is a single byte and the method body and evaluation stack are unchanged. The effect is that the test is inverted rather than removed: any wrong input now lands on the success block (and only the correct answer would fail), which is exactly what we want here. To do this, I launched a hex editor, searched for the 2D 63 sequence, confirmed the hit was the one in this method (a two-byte pattern can easily appear elsewhere in the file, so check the surrounding bytes against the ildasm listing), changed 2D to 2C, saved the file and ran it.
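The same patch, scripted, as an added example (this is not the author's tooling or anything shipped with the challenge). It anchors the search on the preceding call instruction with its metadata token wildcarded so a stray 2D 63 elsewhere in the file is not patched by mistake, refuses to proceed unless the pattern is unique, and offers the inverting one-byte patch from the writeup as well as a two-byte pop; nop variant that drops the comparison result and always falls through. The IL bytes and tokens in the sample are constructed to look like the region ildasm showed, not copied from bikinibonanza; opcode values are the ECMA-335 ones.

```python
# Added example, not the post's own tooling: patch the brtrue.s that skips the
# success branch, after checking the byte pattern is unique in the file.
# Opcode values are from ECMA-335 Partition III. All IL bytes and metadata
# tokens in SAMPLE_IL/DECOY below are constructed for illustration.
from typing import List, Optional, Sequence

OP_CALL      = 0x28
OP_BRFALSE_S = 0x2C
OP_BRTRUE_S  = 0x2D
OP_POP       = 0x26
OP_NOP       = 0x00

Pattern = Sequence[Optional[int]]   # None matches any byte (e.g. a token byte)


def find_all(data: bytes, pattern: Pattern) -> List[int]:
    """Offsets of every match of `pattern` in `data`."""
    n = len(pattern)
    return [i for i in range(len(data) - n + 1)
            if all(p is None or data[i + k] == p for k, p in enumerate(pattern))]


def patch_brtrue(data: bytes, pattern: Pattern, mode: str = "invert") -> bytes:
    """Rewrite the brtrue.s inside the single match of `pattern`.

    mode="invert": brtrue.s -> brfalse.s (one byte). The test is reversed, so a
                   wrong guess takes the success path and the right one fails.
    mode="never" : brtrue.s <off> -> pop; nop (two bytes). The Compare result is
                   discarded and execution always falls into the success block.
    Both keep the method body length and the evaluation stack balanced.
    """
    hits = find_all(data, pattern)
    if len(hits) != 1:
        raise ValueError(f"pattern must match exactly once, got {len(hits)} at {hits}")
    off = hits[0] + list(pattern).index(OP_BRTRUE_S)
    out = bytearray(data)
    if mode == "invert":
        out[off] = OP_BRFALSE_S
    elif mode == "never":
        out[off], out[off + 1] = OP_POP, OP_NOP
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return bytes(out)


# Constructed stand-in for the region ildasm /bytes showed: ToUpper on the
# textbox text, the call to String::Compare, then brtrue.s +0x63.
SAMPLE_IL = bytes.fromhex(
    "02 7B 01 00 00 04"     # ldarg.0; ldfld <textbox field>  (constructed token)
    "6F 05 00 00 0A"        # callvirt String::ToUpper        (constructed token)
    "06"                    # ldloc.0 (strB)
    "28 06 00 00 0A"        # call String::Compare            (constructed token)
    "2D 63"                 # brtrue.s +0x63  <- skips the success branch
    "02 7B 02 00 00 04"     # ldarg.0; ldfld <label field>    (success block)
)
# A second "2D 63" elsewhere in the file, e.g. inside an unrelated method.
DECOY = bytes.fromhex("2D 63 00 00")

NAIVE_PATTERN   = [OP_BRTRUE_S, 0x63]
CONTEXT_PATTERN = [OP_CALL, None, None, None, None, OP_BRTRUE_S, 0x63]


def demo() -> dict:
    """Run both searches and both patch modes over the constructed bytes."""
    data = SAMPLE_IL + DECOY
    result = {
        "naive_hits": len(find_all(data, NAIVE_PATTERN)),
        "context_hits": len(find_all(data, CONTEXT_PATTERN)),
    }
    try:                                   # the bare 2-byte search is ambiguous
        patch_brtrue(data, NAIVE_PATTERN)
        result["naive_rejected"] = False
    except ValueError:
        result["naive_rejected"] = True
    inverted = patch_brtrue(data, CONTEXT_PATTERN, "invert")
    result["inverted_opcode"] = inverted[17]            # 0x2C = brfalse.s
    result["pop_nop"] = patch_brtrue(data, CONTEXT_PATTERN, "never")[17:19]
    return result


if __name__ == "__main__":
    print(demo())
```

For a real target, read the .exe into `data`, build the context pattern from the bytes ildasm printed for the call and the branch, and write the returned bytes to a copy of the file; the uniqueness check is what stops a short pattern from silently patching some other method.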


We are then presented with "YOU DID IT" and the key.



key: 0920303251BABE89911ECEAD17FEBF30

- m4d_D0g
