Challenge Description

I ran the binary but no password matched, but I believe this is another simple reverse engineering challenge.

We are given a statically linked 64-bit ELF binary named rev75 that has to be reverse engineered to recover the flag.

➜  rev75 file rev75
rev75: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.24, BuildID[sha1]=1bd9592380c83821bf975f46076118ecfd1964df, not stripped

The binary expects the password as its command-line argument.

➜  rev75 ./rev75 
usage: ./rev75 password
➜  rev75 ./rev75 test123
bad password

Proof Of Concept

Disassembly of the main function

gdb-peda$ pdisass main
Dump of assembler code for function main:
   0x000000000040a08c <+0>:	push   rbp
   0x000000000040a08d <+1>:	mov    rbp,rsp
   0x000000000040a090 <+4>:	push   rbx
   0x000000000040a091 <+5>:	sub    rsp,0x148
   0x000000000040a098 <+12>:	mov    DWORD PTR [rbp-0x134],edi
   0x000000000040a09e <+18>:	mov    QWORD PTR [rbp-0x140],rsi
   0x000000000040a0a5 <+25>:	mov    QWORD PTR [rbp-0x148],rdx
   0x000000000040a0ac <+32>:	mov    rax,QWORD PTR fs:0x28
   0x000000000040a0b5 <+41>:	mov    QWORD PTR [rbp-0x18],rax
   0x000000000040a0b9 <+45>:	xor    eax,eax
   0x000000000040a0bb <+47>:	movabs rax,0x6472307773733470
   0x000000000040a0c5 <+57>:	mov    QWORD PTR [rbp-0x130],rax
   0x000000000040a0cc <+64>:	mov    DWORD PTR [rbp-0x128],0x0
   0x000000000040a0d6 <+74>:	mov    WORD PTR [rbp-0x124],0x0
   0x000000000040a0df <+83>:	mov    BYTE PTR [rbp-0x122],0x0
   0x000000000040a0e6 <+90>:	movabs rax,0x74756220646f6f67
   0x000000000040a0f0 <+100>:	mov    QWORD PTR [rbp-0xa0],rax
   0x000000000040a0f7 <+107>:	movabs rax,0x67616c66206f6e20
   0x000000000040a101 <+117>:	mov    QWORD PTR [rbp-0x98],rax
   0x000000000040a108 <+124>:	movabs rax,0x756f7920726f6620
   0x000000000040a112 <+134>:	mov    QWORD PTR [rbp-0x90],rax
   0x000000000040a119 <+141>:	movabs rax,0x2069686968696820
   0x000000000040a123 <+151>:	mov    QWORD PTR [rbp-0x88],rax
   0x000000000040a12a <+158>:	mov    QWORD PTR [rbp-0x80],0x4478
   0x000000000040a132 <+166>:	movabs rax,0x7373617020646162
   0x000000000040a13c <+176>:	mov    QWORD PTR [rbp-0x100],rax
   0x000000000040a143 <+183>:	mov    QWORD PTR [rbp-0xf8],0x64726f77
   0x000000000040a14e <+194>:	mov    QWORD PTR [rbp-0xf0],0x0
   0x000000000040a159 <+205>:	mov    BYTE PTR [rbp-0xe8],0x0
   0x000000000040a160 <+212>:	movabs rax,0x2e203a6567617375
   0x000000000040a16a <+222>:	mov    QWORD PTR [rbp-0xe0],rax
   0x000000000040a171 <+229>:	movabs rax,0x702035377665722f
   0x000000000040a17b <+239>:	mov    QWORD PTR [rbp-0xd8],rax
   0x000000000040a182 <+246>:	movabs rax,0x64726f77737361
   0x000000000040a18c <+256>:	mov    QWORD PTR [rbp-0xd0],rax
   0x000000000040a193 <+263>:	mov    DWORD PTR [rbp-0xc8],0x0
   0x000000000040a19d <+273>:	mov    WORD PTR [rbp-0xc4],0x0
   0x000000000040a1a6 <+282>:	lea    rcx,[rbp-0xa0]
   0x000000000040a1ad <+289>:	lea    rax,[rbp-0x40]
   0x000000000040a1b1 <+293>:	mov    edx,0x23
   0x000000000040a1b6 <+298>:	mov    rsi,rcx
   0x000000000040a1b9 <+301>:	mov    rdi,rax
   0x000000000040a1bc <+304>:	call   0x42b470 <memcpy>
   0x000000000040a1c1 <+309>:	lea    rcx,[rbp-0x100]
   0x000000000040a1c8 <+316>:	lea    rax,[rbp-0x70]
   0x000000000040a1cc <+320>:	mov    edx,0xd
   0x000000000040a1d1 <+325>:	mov    rsi,rcx
   0x000000000040a1d4 <+328>:	mov    rdi,rax
   0x000000000040a1d7 <+331>:	call   0x42b470 <memcpy>
   0x000000000040a1dc <+336>:	lea    rcx,[rbp-0x130]
   0x000000000040a1e3 <+343>:	lea    rax,[rbp-0x120]
   0x000000000040a1ea <+350>:	mov    edx,0x9
   0x000000000040a1ef <+355>:	mov    rsi,rcx
   0x000000000040a1f2 <+358>:	mov    rdi,rax
   0x000000000040a1f5 <+361>:	call   0x42b470 <memcpy>
   0x000000000040a1fa <+366>:	lea    rcx,[rbp-0xe0]
   0x000000000040a201 <+373>:	lea    rax,[rbp-0xc0]
   0x000000000040a208 <+380>:	mov    edx,0x18
   0x000000000040a20d <+385>:	mov    rsi,rcx
   0x000000000040a210 <+388>:	mov    rdi,rax
   0x000000000040a213 <+391>:	call   0x42b470 <memcpy>
   0x000000000040a218 <+396>:	cmp    DWORD PTR [rbp-0x134],0x1
   0x000000000040a21f <+403>:	jle    0x40a261 <main+469>
   0x000000000040a221 <+405>:	mov    rax,QWORD PTR [rbp-0x140]
   0x000000000040a228 <+412>:	add    rax,0x8
   0x000000000040a22c <+416>:	mov    rdx,QWORD PTR [rax]
   0x000000000040a22f <+419>:	lea    rax,[rbp-0x120]
   0x000000000040a236 <+426>:	mov    rsi,rdx
   0x000000000040a239 <+429>:	mov    rdi,rax
   0x000000000040a23c <+432>:	call   0x400330
   0x000000000040a241 <+437>:	test   eax,eax
   0x000000000040a243 <+439>:	jne    0x40a253 <main+455>
   0x000000000040a245 <+441>:	lea    rax,[rbp-0x40]
   0x000000000040a249 <+445>:	mov    rdi,rax
   0x000000000040a24c <+448>:	call   0x411900 <puts>
   0x000000000040a251 <+453>:	jmp    0x40a270 <main+484>
   0x000000000040a253 <+455>:	lea    rax,[rbp-0x70]
   0x000000000040a257 <+459>:	mov    rdi,rax
   0x000000000040a25a <+462>:	call   0x411900 <puts>
   0x000000000040a25f <+467>:	jmp    0x40a270 <main+484>
   0x000000000040a261 <+469>:	lea    rax,[rbp-0xc0]
   0x000000000040a268 <+476>:	mov    rdi,rax
   0x000000000040a26b <+479>:	call   0x411900 <puts>
   0x000000000040a270 <+484>:	mov    eax,0x0
   0x000000000040a275 <+489>:	mov    rbx,QWORD PTR [rbp-0x18]
   0x000000000040a279 <+493>:	xor    rbx,QWORD PTR fs:0x28
   0x000000000040a282 <+502>:	je     0x40a289 <main+509>
   0x000000000040a284 <+504>:	call   0x4408f0 <__stack_chk_fail>
   0x000000000040a289 <+509>:	add    rsp,0x148
   0x000000000040a290 <+516>:	pop    rbx
   0x000000000040a291 <+517>:	pop    rbp
   0x000000000040a292 <+518>:	ret    
End of assembler dump.

What caught my attention was the call to the function at address 0x400330, whose name is not known (because the binary is static). My assumption was that this function is strcmp.

   0x000000000040a236 <+426>:	mov    rsi,rdx
   0x000000000040a239 <+429>:	mov    rdi,rax
   0x000000000040a23c <+432>:	call   0x400330
   0x000000000040a241 <+437>:	test   eax,eax

I set a breakpoint at 0x000000000040a23c so I could inspect the contents of its arguments.

gdb-peda$ b *0x000000000040a23c
Breakpoint 1 at 0x40a23c

It turned out to indeed be strcmp, which compares our input, held in rsi, against the password string in rdi.

gdb-peda$ x/s $rdi
0x7fffffffdd40:	"p4ssw0rd"
gdb-peda$ x/s $rsi
0x7fffffffe2f3:	"test123"

With the password now known, I ran the binary again.

➜  rev75 ./rev75 p4ssw0rd
good but no flag for you hihihi xD

It turned out to be just a troll.

I tried a different approach and inspected the functions present in the binary with nm.

A large number of functions named a0 through a814 were found.

...
00000000004002b0 T _init
0000000000400f4e T _start
000000000040105e T a0
000000000040108b T a1
00000000004010b8 T a2
00000000004010e5 T a3
0000000000401112 T a4
000000000040113f T a5
000000000040116c T a6
...
000000000040a005 T a812
000000000040a032 T a813
000000000040a05f T a814
000000000040a08c T main
...

Disassembly of function a0

gdb-peda$ pdisass 0x000000000040105e
Dump of assembler code from 0x40105e to 0x40107e:
   0x000000000040105e <a0+0>:	push   rbp
   0x000000000040105f <a0+1>:	mov    rbp,rsp
   0x0000000000401062 <a0+4>:	sub    rsp,0x10
   0x0000000000401066 <a0+8>:	mov    QWORD PTR [rbp-0x8],rdi
   0x000000000040106a <a0+12>:	mov    rax,QWORD PTR [rbp-0x8]
   0x000000000040106e <a0+16>:	mov    esi,0x49cd48
   0x0000000000401073 <a0+21>:	mov    rdi,rax
   0x0000000000401076 <a0+24>:	call   0x400330
   0x000000000040107b <a0+29>:	test   eax,eax
   0x000000000040107d <a0+31>:	jne    0x401089 <a0+43>
End of assembler dump.

This function compares 'something' located at 0x49cd48 with the string passed in rdi.

gdb-peda$ x/s 0x49cd48
0x49cd48:	"iVBORw0KGgoA"

That something turned out to be a base64 string; decoding iVBORw0KGgoA yields the PNG file signature.

In [1]: "iVBORw0KGgoA".decode("base64")
Out[1]: '\x89PNG\r\n\x1a\n\x00'
In [2]: "iVBORw0KGgoA".decode("base64").encode("hex")
Out[2]: '89504e470d0a1a0a00'

I suspected that the functions a1 onward hold the PNG image data. Using the strings command I obtained all of the base64 fragments into which the image had been split.

...
iVBORw0KGgoA
AAANSUhEUgAA
AoAAAAGQCAYA
AAA+89ElAAAA
BmJLR0QA/wD/
AP+gvaeTAAAA
CXBIWXMAAAsT
AAALEwEAmpwY
AAAAB3RJTUUH
4QcPFScXuHT4
+AAAABl0RVh0
Q29tbWVudABD
cmVhdGVkIHdp
dGggR0lNUFeB
...

I kept only the base64 portion and decoded it.

cat rev75_strings | tr -d "\n" | base64 -d > flag.png

When opened, the image turned out to be corrupted, but with GIMP we could still read the text in flag.png.
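As an added example (not part of the original writeup), the following Python script does the same reassembly as the shell pipeline above and then walks the PNG chunks, checking each CRC, which is the quickest way to see why a viewer rejects the file. The strings output is constructed from the fragments quoted above and covers only the start of the real image, so the last chunk comes out truncated.

```python
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Each aN() in rev75 compares its argument against one 12-char base64 slice.
B64_SLICE = re.compile(r"^[A-Za-z0-9+/]{12}$")

# Constructed `strings` output: two noise strings from the binary plus the
# fragments quoted in the writeup (only the beginning of the real image).
SAMPLE_STRINGS = "\n".join([
    "usage: ./rev75 password", "bad password",
    "iVBORw0KGgoA", "AAANSUhEUgAA", "AoAAAAGQCAYA", "AAA+89ElAAAA",
    "BmJLR0QA/wD/", "AP+gvaeTAAAA", "CXBIWXMAAAsT", "AAALEwEAmpwY",
    "AAAAB3RJTUUH", "4QcPFScXuHT4", "+AAAABl0RVh0", "Q29tbWVudABD",
    "cmVhdGVkIHdp", "dGggR0lNUFeB",
])


def reassemble(strings_output):
    """Keep only the fixed-width base64 slices, join and decode them."""
    slices = [s for s in strings_output.splitlines() if B64_SLICE.match(s)]
    return base64.b64decode("".join(slices))


def ihdr(png):
    """(width, height, bit depth, colour type) from the IHDR chunk."""
    return struct.unpack(">IIBB", png[16:26])


def walk_chunks(png):
    """List (type, length, status) per chunk.  A bad CRC or a chunk cut
    short by a missing slice is what makes viewers reject flag.png."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    chunks, pos = [], len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        start = pos + 8
        body, crc = png[start:start + length], png[start + length:start + length + 4]
        if len(body) < length or len(crc) < 4:
            chunks.append((ctype.decode(), length, "truncated"))
            break
        ok = zlib.crc32(ctype + body) == struct.unpack(">I", crc)[0]
        chunks.append((ctype.decode(), length, "ok" if ok else "bad crc"))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks
```

Running `walk_chunks(reassemble(open("rev75_strings").read()))` on the full dump reports the first chunk whose CRC fails or that ends early, which points at the slice that went missing.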


Flag: Bugs_Bunny{Th1s_t0t4lly_Th3_fl4g}