During this competition, I focused on the Reverse Engineering category of challenges. The following writeup is for the 200 point category Reverse Engineering challenge. The file can be downloaded here:
https://www.dropbox.com/s/5p2v89z0mlvae2i/csaw2013reversing2.exe?dl=0
I start by running the strings command on the executable file. The motive here is to see if I am able to find any clues or even the flag itself. Using this command can also give a pretty good indication of whether or not the file is actually an executable or has another type of file embedded within it. The results of this command do not yield any valuable clues leading to the discovery of the challenge flag.
The string 'Flag' is present within the output but submitting "RSDS" does not result in success:
One point of interest that I notice is that there are some strings that are related to date information so it's possible this could be a clue:
Maybe the flag can only be obtained when the operating system clock is a certain time, however, more investigation is still needed.
All other human-readable strings appear to be standard Windows API function calls so further analysis is required. I will try to run the file so that I can get a good idea of what it is actually doing and possibly find additional clues. Execution of the file results in a text box pop-up with what appears to be ciphertext.
Pressing any of the three buttons results in the pop-up closing as well as the program.
It would appear that using some basic techniques to analyze this file aren't likely to yield a flag for this challenge. That being the case, it looks like it's time to break out the disassembler and debugger. I prefer to use IDA Pro and OllyDbg but other alternatives are available as well.
Disassembling the program in IDA Pro shows a number of functions, many of which are standard Microsoft DLL functions. The functions names were also present as a result of the strings program output. IDA assigns the function name 'Sub_401000' to the function starting at location 0x401000. This appears to show some promise in regards to finding a solution for this challenge.
Sub_401000 Graphical ViewThe instructions in the graph indicate that there are two "for loops" in this particular function. There is a notable 'XOR' instruction within the second loop that looks like it could be used for some sort of encryption or decryption. Values are then popped off of the stack and returned.
Looking at these instructions can be a bit of a struggle so utilzing OllyDbg could be helpful in order to see what values are being modified and returned after these loops have concluded. Let's start by running the program using the debugger.
In order to see what occurs at the end of the second "for loop" a breakpoint should be set within OllyDbg at the 'POP EDI' instruction. So I run the program with the breakpoint set and hit the jackpot:
Note: It can take some searching to find the location since the program may
load at a different memory offset in IDA and OllyDbg.
Once the EDI register is popped off the stack, the following ASCII string is found:
"flag{reversing_is_not_that_hard!}"
Submission of this string results in a "Congratulations" message.
The entire challenge required using both basic and advanced techniques of file analysis. This appears to have been a pretty straightforward reversing challenge but knowing where to look is vital to successful completion.
No comments:
Post a Comment