roger 发表于 2021-3-26 15:28:10

跃跃欲试wp


# Securinets Quals CTF 2015: reverse

**Category:** Crack
**Points:** 250
**Solves:** TODO
**Description:**

> Hint : Find the serial (Trouvez le céréale)
>
> url : (rev.tar.gz)

## Write-up

by (https://github.com/Freddrickk)

That's my first write-up ever, so I apologize in advance if this is a bit clumsy.

What we have here is an ASPack packed binary. Usually, the proper way to solve a packed
binary is to put a breakpoint at the end of the unpacking process and
get a memory dump at that point. Then, we would only have to fix the import table
using tools like importREC and we'd be ready to begin reversing. However, I wasn't
able to achieve that quickly with this binary. I had problem stoping at `popad`, which
is a good sign that the binary is done unpacking. What I did is I used ollydbg and when the
GUI started, I pressed pause, start, pause, I clicked on the GUI app to bring focus
to it and somehow, ollydbg managed to stop at the entry point of the unpacked binary.
While I can't explan an exact step-by-step process to get to the unpacked entry point,
it was really easy for me to reproduce it by pausing and resuming ollydbd as I just
explained.

Let's assume you manage to do it as well, you'll get to that instruction:

``` nasm
01241020   . 55             PUSH EBP         ;Real entry point of SFX code
01241021   . 8BEC         MOV EBP,ESP
01241023   . 81EC 40030000SUB ESP,340
```

From here it's pretty straight forward. The binary uses a very basic validation
subroutine to make sure that you entered a valid e-mail address. If so, it runs
that code to validate the key you entered.

``` nasm
0124114E   > 66:0F6F05 70FD>MOVQ MM0,QWORD PTR DS:
01241156   . 8D8D C0FDFFFFLEA ECX,DWORD PTR SS:
0124115C   . F3:            PREFIX REP:                              ;Superfluous prefix
0124115D   . 0F7F45 E4      MOVQ QWORD PTR SS:,MM0
01241161   . 8D51 01      LEA EDX,DWORD PTR DS:
01241164   . C745 F4 6C7572>MOV DWORD PTR SS:,6572756C
0124116B   . 66:0F6F05 60FD>MOVQ MM0,QWORD PTR DS:
01241173   . F3:            PREFIX REP:                              ;Superfluous prefix
01241174   . 0F7F45 C0      MOVQ QWORD PTR SS:,MM0
01241178   . 66:C745 F8 2E0>MOV WORD PTR SS:,2E
0124117E   . 66:0F6F05 50FD>MOVQ MM0,QWORD PTR DS:
01241186   . F3:            PREFIX REP:                              ;Superfluous prefix
01241187   . 0F7F45 D0      MOVQ QWORD PTR SS:,MM0
0124118B   . C745 E0 69733A>MOV DWORD PTR SS:,3A7369
01241192   > 8A01         MOV AL,BYTE PTR DS:
01241194   . 41             INC ECX
01241195   . 84C0         TEST AL,AL
01241197   .^75 F9          JNZ SHORT rev.01241192
01241199   . 2BCA         SUB ECX,EDX
0124119B   . 83F9 10      CMP ECX,10
0124119E   . 0F85 FD000000JNZ rev.012412A1
012411A4   . 80BD C0FDFFFF >CMP BYTE PTR SS:,42
012411AB   . 0F85 F0000000JNZ rev.012412A1
012411B1   . 0FBE85 CFFDFFF>MOVSX EAX,BYTE PTR SS:
012411B8   . 83C0 42      ADD EAX,42
012411BB   . 3D 9B000000    CMP EAX,9B
012411C0   . 0F85 DB000000JNZ rev.012412A1
012411C6   . 0FBE8D C1FDFFF>MOVSX ECX,BYTE PTR SS:
012411CD   . 8D41 FD      LEA EAX,DWORD PTR DS:
012411D0   . 83F8 57      CMP EAX,57
012411D3   . 0F85 C8000000JNZ rev.012412A1
012411D9   . 0FBE85 CEFDFFF>MOVSX EAX,BYTE PTR SS:
012411E0   . 03C1         ADD EAX,ECX
012411E2   . 3D 9B000000    CMP EAX,9B
012411E7   . 0F85 B4000000JNZ rev.012412A1
012411ED   . 0FBE8D C2FDFFF>MOVSX ECX,BYTE PTR SS:
012411F4   . 8D41 01      LEA EAX,DWORD PTR DS:
012411F7   . 83F8 3A      CMP EAX,3A
012411FA   . 0F85 A1000000JNZ rev.012412A1
01241200   . 0FBE85 CDFDFFF>MOVSX EAX,BYTE PTR SS:
01241207   . 03C1         ADD EAX,ECX
01241209   . 3D 9B000000    CMP EAX,9B
0124120E   . 0F85 8D000000JNZ rev.012412A1
01241214   . 80BD C3FDFFFF >CMP BYTE PTR SS:,64
0124121B   . 0F85 80000000JNZ rev.012412A1
01241221   . 0FBE85 CCFDFFF>MOVSX EAX,BYTE PTR SS:
01241228   . 83C0 64      ADD EAX,64
0124122B   . 3D 9B000000    CMP EAX,9B
01241230   . 75 6F          JNZ SHORT rev.012412A1
01241232   . 80BD C4FDFFFF >CMP BYTE PTR SS:,6D
01241239   . 75 66          JNZ SHORT rev.012412A1
0124123B   . 0FBE85 CBFDFFF>MOVSX EAX,BYTE PTR SS:
01241242   . 05 81000000    ADD EAX,81
01241247   . 3D C8000000    CMP EAX,0C8
0124124C   . 75 53          JNZ SHORT rev.012412A1
0124124E   . 0FBE8D C5FDFFF>MOVSX ECX,BYTE PTR SS:
01241255   . 8D41 D3      LEA EAX,DWORD PTR DS:
01241258   . 83F8 44      CMP EAX,44
0124125B   . 75 44          JNZ SHORT rev.012412A1
0124125D   . 0FBE85 CAFDFFF>MOVSX EAX,BYTE PTR SS:
01241264   . 03C1         ADD EAX,ECX
01241266   . 3D AA000000    CMP EAX,0AA
0124126B   . 75 34          JNZ SHORT rev.012412A1
0124126D   . 80BD C6FDFFFF >CMP BYTE PTR SS:,34
01241274   . 75 2B          JNZ SHORT rev.012412A1
01241276   . 0FBE85 C9FDFFF>MOVSX EAX,BYTE PTR SS:
0124127D   . 83C0 34      ADD EAX,34
01241280   . 3D 9B000000    CMP EAX,9B
01241285   . 75 1A          JNZ SHORT rev.012412A1
01241287   . 80BD C7FDFFFF >CMP BYTE PTR SS:,63
0124128E   . 75 11          JNZ SHORT rev.012412A1
01241290   . 0FBE85 C8FDFFF>MOVSX EAX,BYTE PTR SS:
01241297   . 83C0 63      ADD EAX,63
0124129A   . 3D 9B000000    CMP EAX,9B
0124129F   . 74 1A          JE SHORT rev.012412BB

```

So let's take a quick look at it.

First of all, we find out that the key will be 0x10 bytes long, so 16 bytes.

``` nasm
01241199   . 2BCA         SUB ECX,EDX
0124119B   . 83F9 10      CMP ECX,10
0124119E   . 0F85 FD000000JNZ rev.012412A1
```

Accessing our key input was done using `EBP-240` so we know that the key
will be from `EBP-240` to `EBP-231`. From here, it's only arithmetic. It's
pretty straight forward.

``` nasm
012411A4   . 80BD C0FDFFFF >CMP BYTE PTR SS:,42
```
Ok, so the first char is 0x42 : 'B'

``` nasm
012411B1   . 0FBE85 CFFDFFF>MOVSX EAX,BYTE PTR SS:
012411B8   . 83C0 42      ADD EAX,42
012411BB   . 3D 9B000000    CMP EAX,9B
012411C0   . 0F85 DB000000JNZ rev.012412A1
```
Here, we know that our letter + 0x42 = 0x9b, so 0x9b - 0x42 is our char : 'Y'
This char is the last char of the key as it must be at the 16th position
(`EBP-231`)

Math are pretty much that simple for the remainder of the code. The most
"tricky" part is when one value is computed based on another key value like this :

``` nasm
012411ED   . 0FBE8D C2FDFFF>MOVSX ECX,BYTE PTR SS:
012411F4   . 8D41 01      LEA EAX,DWORD PTR DS:
012411F7   . 83F8 3A      CMP EAX,3A
012411FA   . 0F85 A1000000JNZ rev.012412A1
01241200   . 0FBE85 CDFDFFF>MOVSX EAX,BYTE PTR SS:
01241207   . 03C1         ADD EAX,ECX
01241209   . 3D 9B000000    CMP EAX,9B
0124120E   . 0F85 8D000000JNZ rev.012412A1
```

So, on line `012411ED`, the 3rd char (`EBP-23E`) is moved into ECX register.
What we're looking at right now, is at address `01241200` and the followings.
The 14th char (`EBP-233`) must be: our char + ECX = 0x9b.
So we have to take our 3rd char computed just before and substract it from 0x9b
and we get our char. That's pretty much the trickiest arithmetic we have to do.

I did all the math by hand and wrote that python script to print the key from the hex values :

``` py
#!/usr/bin/env python3

key =

for c in key:
    print(chr(c), end='')

```

The key is : BZ9dmq4c8g9G7bAY

## Other write-ups and resources

* <http://maroueneboubakri.ctf.tn/securinets-ctf-2015-quals-re250-task-writeup/>
页: [1]
查看完整版本: 跃跃欲试wp