SharifCTF 2016 - SCrack
Challenge RE SharifCTF 2016 SCrack berupa file ELF binary 64-bit yang akan melakukan validasi key.
root@kali:~/Desktop/SU CTF/RE# file SCrack
SCrack: ELF 64-bit LSB executable, x86-64, version 1 (SYSV),
dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,
for GNU/Linux 2.6.24, BuildID[sha1]=d011afc29443bbb3ea2c72ef5ac15f8dc278397a,
not stripped
root@kali:~/Desktop/SU CTF/RE# ./SCrack
Enter the valid key!
asasasasasas
Invalid Key! :(
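Saat mencoba menggunakan ltrace, muncul output "Dont trace me!". Disassembly menggunakan gdb menunjukkan pemanggilan ptrace yang digunakan sebagai teknik anti-debugging: nilai balik ptrace dibandingkan dengan -1 (0xffffffffffffffff), yaitu nilai yang dikembalikan ketika pemanggilan gagal, misalnya karena proses sudah di-trace oleh debugger atau ltrace.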
root@kali:~/Desktop/SU CTF/RE# gdb -q SCrack
Reading symbols from SCrack...(no debugging symbols found)...done.
(gdb) disass main
Dump of assembler code for function main:
--- snip ---
0x0000000000400a79 <+44>: mov $0x0,%eax
0x0000000000400a7e <+49>: callq 0x400910 <ptrace@plt>
0x0000000000400a83 <+54>: cmp $0xffffffffffffffff,%rax
0x0000000000400a87 <+58>: sete %al
0x0000000000400a8a <+61>: test %al,%al
--- snip ---
Proof Of Concept
Karena ltrace tidak bisa digunakan, saya mencoba melakukan static analysis menggunakan objdump.
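Ditemukan serangkaian instruksi yang memasukkan nilai immediate ke register esi, satu nilai per instruksi. Sebagian besar nilai tersebut berada pada rentang ASCII yang dapat dicetak, sehingga string yang disusun program dapat dibaca langsung dari disassembly tanpa menjalankan binary; pemeriksaan ptrace hanya berlaku saat runtime dan tidak menghalangi analisis statis.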
root@kali:~/Desktop/SU CTF/RE# objdump -M intel -d SCrack | grep esi | awk '{print $8}' |
cut -f2 -d"," | tr "\n" ","
0x0,0x401064,0x401075,0x53,0x68,0x61,0x72,0x69,0x66,0x43,0x54,
0x46,0x7b,0x65,0x64,0x39,0x37,0x64,0x32,0x38,0x36,0x66,0x33,
0x35,0x36,0x64,0x61,0x64,0x62,0x35,0x63,0x64,0x65,0x30,0x39,
0x30,0x32,0x30,0x30,0x36,0x63,0x37,0x64,0x65,0x62,0x7d,0x400950,
0x49,0x6e,0x76,0x61,0x6c,0x69,0x64,0x20,0x4b,0x65,0x79,0x21,0x20,
0x3a,0x28,0x400950,esi,0x6022d1,0xffff,
Decode menggunakan Python
root@kali:~/Desktop/SU CTF/RE# python
>>> x = [0x53,0x68,0x61,0x72,0x69,0x66,0x43,0x54,0x46,0x7b,0x65,
0x64,0x39,0x37,0x64,0x32,0x38,0x36,0x66,0x33,0x35,0x36,0x64,0x61,
0x64,0x62,0x35,0x63,0x64,0x65,0x30,0x39,0x30,0x32,0x30,0x30,0x36,
0x63,0x37,0x64,0x65,0x62,0x7d,0x49,0x6e,0x76,0x61,0x6c,0x69,0x64,
0x20,0x4b,0x65,0x79,0x21,0x20,0x3a,0x28]
>>> "".join([ chr(y) for y in x])
'SharifCTF{ed97d286f356dadb5cde0902006c7deb}Invalid Key! :('
Flag : SharifCTF{ed97d286f356dadb5cde0902006c7deb}
Proof Of Concept #2
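Cara lain juga dapat digunakan untuk mendapatkan flag pada challenge ini, dan saya rasa inilah cara yang memang diharapkan, yaitu dengan memasukkan key yang valid. Tampaknya key dibandingkan karakter demi karakter, sehingga nilainya dapat dikumpulkan dari operand immediate pada instruksi cmp.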
root@kali:~/Desktop/SU CTF/RE# objdump -M intel -d SCrack | grep cmp | awk '{print $5}' |
cut -f2 -d"," | tr "\n" ","
0e,18,e8,ff,0x38,0x37,0x34,0x30,0x33,0x38,0x65,0x34,0x62,0x36,0x65,
0x32,0x39,0x62,0x66,0x30,0x38,0x39,0x38,0x62,0x67,0x34,0x66,0x30,0x32,
0x32,0x35,0x39,0x33,0x35,0x63,0x30,01,ff,cmp,
Decode menggunakan Python
root@kali:~/Desktop/SU CTF/RE# python
>>> x = [0x38,0x37,0x34,0x30,0x33,0x38,0x65,0x34,0x62,0x36,0x65,0x32,
0x39,0x62,0x66,0x30,0x38,0x39,0x38,0x62,0x67,0x34,0x66,0x30,0x32,0x32,
0x35,0x39,0x33,0x35,0x63,0x30]
>>> "".join([ chr(y) for y in x])
'874038e4b6e29bf0898bg4f0225935c0'
>>> exit()
root@kali:~/Desktop/SU CTF/RE# ./SCrack
Enter the valid key!
874038e4b6e29bf0898bg4f0225935c0
SharifCTF{ed97d286f356dadb5cde0902006c7deb}