Just a file check with no description. Who gives a description of reverse challenges anyways?
that being said let’s dive into writeup.
This was a fairly easy challenge.
Solving
First, we just did strings but found nothing and will see why that’s the case with this challenge later.
Running for the first time
ok that being done let’s move to the next part.
IDA Static Analysis
Just searching for the strings checking machine... we got our main function.
here we can see lots of strings being stored in the stack. okay, let’s trace more…
So now we see some new data being loaded to the stack and then passing at arguments to some function…
The XOR function
So the above function is just a xor function which XORs the passed data with a preset key, in our case
87h which can be seen here :
yes, I have renamed the variables to make it easy to understand…
then the function returns back to main… so let’s follow…
XOR minefield
The whole main function is then followed by the same scheme,
- Load data
- XOR with preset key
and all the functions are also simple like above.
so let’s keep this in mind and move on…
_getenv
this name is enough to understand what this is trying to do…
So now you see what it does?
Lemme explain…
- Take DATA
- XOR with key
- GET SYSTEM ENVIRONMENT VARIABLE with same decoded name
- then XOR one more value
- Check this value with the obtained value from envvar
- Do this for 2 different env. vars and if they match then show the flag.
the flag is loaded as a chunk of data at the start, and yes it’s also XORed with 92h as key.
Get the flag.
so there are now three ways to get the flag.
- Decode the env. var and values and then run the binary
- Decode flag directly from the stack
- JUST DO BINARY PATCHING AND CHANGE LAST 2
if statementto change the program flow
Decode everythin’ XORmayhem
Here is a small python script to do what program is doing
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
env1a=[0xd3,0xd4,0xc8,0xcf]
env1a.reverse()
env1b=[0xc2,0xca,0xc6,0xc9]
env1b.reverse()
env1=env1a+env1b
env2=[0xc3,0xd4,0xc2,0xc4]
env2.reverse()
envvar1valueA=[0xfe,0xf5,0xf7,0xdb]
envvar1valueA.reverse()
envvar1valueB=[0xf3,0xf8,0xff]
envvar1valueB.reverse()
envvar1value=envvar1valueA+envvar1valueB
envvar2valueA=[0xf7,0xfc,0xfc,0xeb]
envvar2valueA.reverse()
envvar2valueB=[0xfc,0xf7,0xfe,0xf0]
envvar2valueB.reverse()
envvar2value=envvar2valueA+envvar2valueB
flagA=[0xd6,0xdc,0xc4,0xc3]
flagB=[0xa5,0xf6,0xa2,0xc4]
flagC=[0xa0,0xa7,0xa0,0xdf]
flagD=[0xa2,0xcb,0xa1,0xca]
flagE=[0xf4,0xc4,0xf8,0xf1]
flagF=[0xe8,0xdb,0xda,0xdc]
flagG=[0xa3,0xc7,0xa1,0xca]
flagH=[0xa3,0xc8,0xa0,0xdf]
flagI=[0xaf,0xa2,0xda,0xf0]
flagA.reverse()
flagB.reverse()
flagC.reverse()
flagD.reverse()
flagE.reverse()
flagF.reverse()
flagG.reverse()
flagH.reverse()
flagI.reverse()
flag=flagA+flagB+flagC+flagD+flagE+flagF+flagG+flagH+flagI
print("envVar1 = ",end=' ')
for i in env1:
print(chr(int(i)^int('87',base=16)),end="")
print()
print("envVar1 Value = ",end=' ')
for i in envvar1value:
print(chr(int(i)^int('96',base=16)),end="")
print()
print("envVar2 = ",end=' ')
for i in env2:
print(chr(int(i)^int('91',base=16)),end="")
print()
print("envVar2 Value = ",end=' ')
for i in envvar2value:
print(chr(int(i)^int('99',base=16)),end="")
print()
print("flag = ",end=' ')
for i in flag:
print(chr(int(i)^int('92',base=16)),end="")
print()
The above script will give you all the environment variables and the flag too as it is also XORed lol…
and then just export these values in the env. vars to get the flag.
My FAV binary patching ! (solve in 5 min)
Just see this …
74 -> 75 i.e. JZ -> JNZ just do this in two places and the program will give you all its secrets without any pain…
Binary patching can be intimidating for some… check these articles out for some idea and how to do it at a basic level as you should be good to go for this one. :)
Use VIM as HEX editor like a boss
Taking over the software by Instruction Rewriting.
Conclusion
So we have the flag in base64 format, by any of the above methods.
we just need to decode it and it’s pretty easy with is neat pipe trick:
echo "QVNDV0d7M252X3Y0cjVfNHIzX3U1M2Z1bH0=" | base64 -d -
This will give the flag
ASCWG{3nv_v4r5_4r3_u53ful}