Easy-ELF! Reversing.kr Walkthrough

 

Let’s begin with the main function.

So firstly, the string “Reversing.Kr Easy ELF\n\n” defined in the .data section is printed to stdout.

Further, we can see two function calls – sub_8048434 and sub_8048451. Finally, the return value of function sub_8048451 is checked. If the return value is false, string “Wrong\n” is printed to stdout.

Let’s now proceed to check function sub_8048434. This function reads an input of type string and stores it at address starting from 0x804A020 using “scanf”. As a test scenario let’s consider our input is “xxxxxxx”.

Moving ahead to function sub_8048451. Here we have a series of checks in place. If all the checks are passed, the function returns true or else false. So now let’s analyze each check individually.

In the first case, the 2nd byte of the input is checked to verify weather it is “1”. So now we know, the correct key should be something like “x1xxx..”

 

Then, in the second case, its checks if the 5th byte of the input is “X”. Moving ahead, The third byte of the input is loaded into eax using movzx instruction.

Looking up the description of movzx, it says “Copies the contents of the source operand (register or memory location) to the destination operand (register) and zero extends the value.” So the lower 8-bits of eax will contain the 3rd byte of the input and the remaining 24 bits will be filled with 0’s. In the next step, eax is XORed with “0110010” and the lower 8-bits of eax (al) is stored at  location 0x804A022. Further this value is compared to “1111100”. So here, a xor b = c. The values b and c are known to us we need to perform a reverse xor to get the value of "a".

01111100

00110010

---------

01001110 -> N

We could also conclude that the key is 5 byte long. The 6th byte will be “\n” which will be appended to the string by scanf function.

So know the correct key should be something like “x1NxX”

Performing similar reverse XOR operation, we can find that first byte is “L”. For the 4th byte, the input is XORed with 32-bits but since we are only going to  consider the lower 8 bits, we can ignore the later bits. Performing reverse XOR, gives us the 4th byte as “U”.

So now we have the entire key, which is “L1NUX”.

Thank you!!

Comments

Post a Comment

Popular posts from this blog

An Overview of SRUM Forensics

Image
Often there comes a scenario where a malware has run on the host system and there is suspicion of data exfiltration. One forensic technique that comes in handy in such situations is SRUM forensics. Introduction to System Resource Usage Monitor SRUM was first introduced in Windows 8 operating system for keeping a track of system resource usage. In particular, information such as process owner, CPU cycles used by the process, data bytes read/written, network data sent/received, Windows push notifications and energy usage is continuously recorded. SRUM is part of diagnostic policy service and it monitors desktop applications, programs, services, windows applications and network connections. The data that is visualized when one open’s the task manager is part of SRUM data feed. The SRUM data collection happens once in every hour and at shut down. SRUM uses the below extensions for monitoring and data collection. Source: Windows 8 SRUM Forensics - SANS DFIR Summit 2015(Slides) b
Read more

Persistant Ways of PlugX RAT

Image
    PlugX a Remote Access Trojan (RAT) was first identified in 2012. PlugX is known to be used against high profile government institutions and other organizations and has evolved since then. PlugX has also been seen as Korplug, SOGU and DestroyRAT. The primary functionality of this malware is to:      Provide persistence access for adversaries.    Perform surveillance of the infected machines.      Reach out to a command and control server.      Hijack legitimate executable and inject malicious code. Since the identification of PlugX in 2012, it has mutated in complexity and exploitation techniques. PlugX is commonly seen to be used in advanced targeted attacks, with capabilities to impersonate authentic processes and perform extensive recon on infected machines. The malware sample analyzed in this blog, has been downloaded from the internet. Basic Static Analysis The malware sample analyzed in this blog is a 32-bit Executable, having a compiler timestamp of Feb 10, 2010.
Read more

Sparta - 100 (EASY)

Image
After participating in Zh3r0 CTF last year(2020), I thought the CTF had some really cool challenges and so thought of looking at few of the challenges this year too. So, lets just jump straight  into the technical write-up. In this blog, I would be describing my methodology for sparta - 100, which was an easy challenge in web category. The challenge provided with source code along with a Dockerfile for hosting the web application locally. Looking at the source file, it was clear that express/node js was used at the back-end. Looking at the server code, one could see that there is a check to see if "guest" token is passed in cookie. If so, the value of guest token is passed to unserialize() of node-serialize module. That's it! we are talking about a node de-serialization vulnerability here. If the guest token is not part of the cookie, the application would take username, country and city values from the request body and will create a base64 encoded json object. This is
Read more