./Reverse Engineering

This write up is for RE challenge on UrchinSec CTF 2024. I manage to solve 3 over 4 challenge for RE.

The challenge give a file called "bond". For RE challenge i'm using Windows Flare VM to reverse the file.

Initial step

Identify file type. In windows flare vm, there is a tool called Detect it Easy (DIE). This tools can help to detect file type.

Figure 1.0 above shows information for file "bond." The language used for that file is C/C++, and it uses the clang tool to compile the file. Another important information is that this file is from MacOS. So, to decompile it, you need to use suitable tools that support the MacOS file type.

Decompile the binanry

Ghidra supports decompiling macOS file types when compiling files. However, there is an online compiler called "decompiler explorer."

Link: https://dogbolt.org/

Based on Figure 2.0, this is what will happend if using decompiler explore. it gives many types of readable C code from various decompiler tools.

uint64_t _xor_string(char* arg1, char* arg2, char arg3)
{
    uint64_t result = _strlen(arg1);
    
    for (int64_t i = 0; i < result; i += 1)
        arg2[i] = (arg1[i] ^ arg3);
    
    arg2[result] = 0;
    return result;
}

int64_t _main()
{
    int64_t x8 = *___stack_chk_guard;
    int32_t var_22c = 0;
    _printf("Enter A Key To Bond : ");
    void var_128;
    void* __s = &var_128;
    _fgets(&var_128, 0x100, *___stdinp);
    *(__s + _strcspn(__s, &data_100003f6f)) = 0;
    char var_239 = 0x4b;
    void __s1;
    _xor_string(__s, &__s1, 0x4b);
    
    if (_strcmp(&__s1, "gu\{yn\zont\v3j0f0j\n3g") != 0)
        _printf("NO NO! BEGONE!!!!\n");
    else
        _printf("Looks like a match to me!\n");
    
    if (*___stack_chk_guard == x8)
        return 0;
    
    ___stack_chk_fail();
    /* no return */
}

void ___stack_chk_fail() __noreturn
{
    /* tailcall */
    return ___stack_chk_fail();
}

char* _fgets(char* arg1, int32_t arg2, FILE* arg3)
{
    /* tailcall */
    return _fgets(arg1, arg2, arg3);
}

int32_t _printf(char const* arg1)
{
    /* tailcall */
    return _printf(arg1);
}

int32_t _strcmp(char const* __s1, char const* __s2)
{
    /* tailcall */
    return _strcmp(__s1, __s2);
}

uint64_t _strcspn(char const* __s, char const* __charset)
{
    /* tailcall */
    return _strcspn(__s, __charset);
}

uint64_t _strlen(char const* __s)
{
    /* tailcall */
    return _strlen(__s);
}

Analyzing the code.

if analyze the code, the interesting part is main() and there is "xor_string" function. Based on the code snippet above, it is initializing the string and decrypt it with some key. These parameter are pass to the xor_string function. to decrypt the encrypted string, we can try to brute force the xor key.

gu\{yn\zont\v3j0f0j\n3g

Decrypt the string

For decrypt the string, we can use cyberchef and xor brute force as a recipe.

Based on Figure 3.0, this is what it look, when brute force the xor key using cyberchef. Look on "key 03" that string look more readable then the other string. It looks like we need to decyper it again.

dv_xzm_ylmw_u0i3e3i_m0d

Since, we have no clue about the encryption use to decyper that string, we can find cipher identifier.

Link: https://www.dcode.fr/cipher-identifier

Based on figure 4.0, this is what it looks like when using cipher identifier. It will give a few suggestion to decyper it.

After trying a few suggestions suggested by the tools, the encrypted string was using "Atbash Cipher" to encrypt the strings. After decrypt it, we get the flag.

urchinsec{we_can_bond_f0r3v3r_n0w}

Given a file name called "vibe".

initial step.

Use DIE to gather information about the file.

Based on Figure 3.0, this is the only information that we have on vibe file. "binary"

This information doesnt give us so much insight about the file. After trying a few tools and researching another tool. Found an online tools to identify the file.

Link: https://www.aconvert.com/analyze.html

Based on Figure 2.2, the file description is VBscript encoded. After a few research to find tools to decode the encoded vb file, there is a python script that can decode the vb script.

Link: https://github.com/JohnHammond/vbe-decoder

Based on Figure 2.3 above, the flag obtain right away after decode the vb script using the python script. And the funny things is the challenge author for this challenge is the one who develop the vbe decoder script. Nice one !!! Learn a new thing during do this challenge.

urchinsec{v1bing_w1th_VBS_d8e3ca}

For the drift challenge, it gives a .pcap file to analyse the network. Figure 3.0 shows that, there is http packet and there is GET method that get drift file.

In the wireshark go to File > Export Object > HTTP. Then click save. Let's analyze drift file.

Figure 3.2 shows information about the drift file. The file is in C/C++ language and is compiled on the Linux Operating System.

void _init()
{
    if (__gmon_start__ != 0)
        __gmon_start__();
}

int64_t sub_1020()
{
    int64_t var_8 = data_3ff0;
    /* jump -> data_3ff8 */
}

int32_t printf(char const* format, ...)
{
    /* tailcall */
    return printf();
}

int64_t sub_1036()
{
    int64_t var_8 = 0;
    /* tailcall */
    return sub_1020();
}

uint64_t strcspn(char const* arg1, char const* arg2)
{
    /* tailcall */
    return strcspn(arg1, arg2);
}

int64_t sub_1046()
{
    int64_t var_8 = 1;
    /* tailcall */
    return sub_1020();
}

uint64_t strlen(char const* arg1)
{
    /* tailcall */
    return strlen(arg1);
}

int64_t sub_1056()
{
    int64_t var_8 = 2;
    /* tailcall */
    return sub_1020();
}

int32_t memcmp(void const* arg1, void const* arg2, uint64_t arg3)
{
    /* tailcall */
    return memcmp(arg1, arg2, arg3);
}

int64_t sub_1066()
{
    int64_t var_8 = 3;
    /* tailcall */
    return sub_1020();
}

int64_t MD5()
{
    /* tailcall */
    return MD5();
}

int64_t sub_1076()
{
    int64_t var_8 = 4;
    /* tailcall */
    return sub_1020();
}

char* fgets(char* buf, int32_t n, FILE* fp)
{
    /* tailcall */
    return fgets(buf, n, fp);
}

int64_t sub_1086()
{
    int64_t var_8 = 5;
    /* tailcall */
    return sub_1020();
}

char* strcat(char* arg1, char const* arg2)
{
    /* tailcall */
    return strcat(arg1, arg2);
}

int64_t sub_1096()
{
    int64_t var_8 = 6;
    /* tailcall */
    return sub_1020();
}

void __cxa_finalize(void* d)
{
    /* tailcall */
    return __cxa_finalize(d);
}

void _start(int64_t arg1, int64_t arg2, void (* arg3)()) __noreturn
{
    int64_t stack_end_1;
    int64_t stack_end = stack_end_1;
    __libc_start_main(main, __return_addr, &ubp_av, nullptr, nullptr, arg3, &stack_end);
    /* no return */
}

void deregister_tm_clones()
{
    return;
}

void register_tm_clones()
{
    return;
}

void __do_global_dtors_aux()
{
    if (completed.0 != 0)
        return;
    
    if (__cxa_finalize != 0)
        __cxa_finalize(__dso_handle);
    
    deregister_tm_clones();
    completed.0 = 1;
}

void frame_dummy()
{
    /* tailcall */
    return register_tm_clones();
}

int64_t hash_password(char* arg1, int64_t arg2)
{
    return MD5(arg1, strlen(arg1), arg2);
}

uint64_t compare_hashes(int64_t arg1, int64_t arg2)
{
    int32_t rax_1;
    rax_1 = memcmp(arg1, arg2, 0x10) == 0;
    return rax_1;
}

int32_t main(int32_t argc, char** argv, char** envp)
{
    printf("Enter username: ");
    void buf_1;
    fgets(&buf_1, 0x32, __bss_start);
    *(&buf_1 + strcspn(&buf_1, &data_2031)) = 0;
    printf("Enter password: ");
    void buf;
    fgets(&buf, 0x32, __bss_start);
    *(&buf + strcspn(&buf, &data_2031)) = 0;
    void var_98;
    hash_password(&buf, &var_98);
    int64_t var_a3;
    __builtin_strcpy(&var_a3, "urchinsec{");
    strcat(&var_a3, &buf_1);
    *(&var_a3 + strlen(&var_a3)) = 0x5f;
    strcat(&var_a3, &buf);
    
    if (compare_hashes(&var_98, &predefined_hash) == 0)
        printf("Access denied for user: %s\n", &buf_1);
    else
        printf("Welcome, Please Use This To Acce…", &var_a3);
    
    return 0;
}

int64_t _fini() __pure
{
    return;
}