Ebctf 2013 b200_writeup
EB CTF 2013 Binary 200
EB CTF 2013 Writeup
By Darkfloyd, VXRL (Valkyrie-X Security Research Group)
Updated: August 2013

Binary 200

When we execute the binary and debug it, stepping over and into the call eax at 0x40124B, we start to see a key (Sup3RSeCr3tStuFf) in its memory:

Figure 1: A key in memory?!

However, this is not the key EBCTF wants; instead, the binary prints another hint about where the comment is hidden:

[*] Yes, that is correct! However that was not the goal of this challenge. Did you know that compiled code does not contain any comments?

Referring to the documents about reversing PERL2EXE (http://forum.tuts4you.com/topic/31340-decompile-perl2exe/ and http://fileoffset.com/re/tutorials/perl2exe.htm), it is said that files other than the DLL can also be exported to the temporary directory. Simply running the binary in debug mode shows that the key is probably stored in _main.pl:

C:\Documents and Settings\Administrator\Desktop>ebCTF_BIN200.exe -p2x_debug
P2X: Debug mode enabled - V090508
P2X: Expanded module filename = C:\Documents and Settings\Administrator\Desktop\ebCTF_BIN200.exe
GetTempDir: returning C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/p2xtmp-1160
ISEXT_Init: filename = p2x_stub.lib
ISEXT_Init: filename = p2x_header.pm
ISEXT_Init: filename = p2x_pre_exec_message
ISEXT_Init: filename = p2x_trial_message
ISEXT_Init: filename = p2x_exec_command
ISEXT_Init: filename = p2x_info.pm
ISEXT_Init: filename = _main.pl
ISEXT_Init: filename = P2XDLL/p2x5123.dll
P2X: ISEXT_Init done
P2X: OpenScript: C:\Documents and Settings\Administrator\Desktop\ebCTF_BIN200.exe FOUND IN PERL2EXE_STORAGE
[*] ebCTF BIN 200
No comment...
[*] What is the secret?

From the binary, we figured out that the loop exports the DLL file only. To export all the other files as well, we need to patch every JNZ (jump if not zero) in the loop into an unconditional jump (JMP), and set a breakpoint after the loop. We identified the loop as below:

Figures 2a-d: Main loop to export the files; it loops and jumps back to 280AC4F9

Meanwhile, here are the breakpoints I set up:

Figure 3: Breakpoints

Afterwards, we patch the JNZ into JMP at the following memory addresses:

Figures 4a-b: Patched the JNZ into JMP (unconditional jump)

Finally, we simply step over and run it until the breakpoint placed after the loop completes is hit at:

280AC654 68 F4610C28 PUSH p2x5123.280C61F4 ; ASCII "P2X: ISEXT_Init done"

Looking at the folder, we find that the _main.pl file has been exported, and we get the key from its source code. The key is EBCTF{EDBDB03C7998FA751BE21D1364A58600}.

Figures 5a-b: _main.pl and keys. Mission complete :)
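The JNZ-to-JMP patching described above, as an added example that is not part of the original writeup: a small Python script that rewrites x86 JNZ instructions at given file offsets into unconditional JMPs on a copy of the bytes, refuses to touch anything that is not a JNZ, and decodes each jump before and after so the branch target can be confirmed unchanged. The offsets and sample buffer are constructed for illustration; the real addresses only appear in the writeup's screenshots.

```python
"""Patch x86 JNZ instructions at known file offsets into unconditional JMPs.

Added illustration of the patch step in the writeup above, not the author's
own tooling. The offsets and the sample buffer below are constructed; the real
addresses (280AC4F9 and so on) only appear in the writeup's screenshots.
"""
from typing import List, Tuple

# x86 encodings. Short form: JNZ rel8 = 75 xx, JMP rel8 = EB xx (same length).
# Near form: JNZ rel32 = 0F 85 d d d d, JMP rel32 = E9 d d d d. The near JMP is
# a byte shorter, so a NOP (90) is put in front of it: the patched jump then
# ends at the same address as the original and the rel32 displacement is valid.
SHORT_JNZ, SHORT_JMP, NEAR_JMP, NOP = 0x75, 0xEB, 0xE9, 0x90
NEAR_JNZ = b"\x0f\x85"


def is_jnz(data: bytes, off: int) -> bool:
    """True if a short or near JNZ starts at off."""
    return data[off] == SHORT_JNZ or bytes(data[off:off + 2]) == NEAR_JNZ


def jnz_to_jmp(data: bytes, offsets: List[int]) -> bytearray:
    """Return a patched copy of data; refuse to overwrite anything but a JNZ."""
    out = bytearray(data)
    for off in offsets:
        if out[off] == SHORT_JNZ:
            out[off] = SHORT_JMP
        elif out[off:off + 2] == NEAR_JNZ:
            out[off], out[off + 1] = NOP, NEAR_JMP
        else:
            raise ValueError(f"no JNZ at {off:#x}: {out[off:off + 2].hex()}")
    return out


def decode_jump(data: bytes, off: int) -> Tuple[str, int]:
    """Return (mnemonic, absolute target offset) for the jump starting at off."""
    b = bytes(data)
    if b[off:off + 2] == NEAR_JNZ:                     # 0F 85 rel32
        kind, end, rel = "jnz", off + 6, b[off + 2:off + 6]
    elif b[off] == NOP and b[off + 1] == NEAR_JMP:     # 90 E9 rel32 (our patch)
        kind, end, rel = "jmp", off + 6, b[off + 2:off + 6]
    elif b[off] == NEAR_JMP:                           # E9 rel32
        kind, end, rel = "jmp", off + 5, b[off + 1:off + 5]
    elif b[off] in (SHORT_JNZ, SHORT_JMP):             # 75/EB rel8
        kind = "jnz" if b[off] == SHORT_JNZ else "jmp"
        end, rel = off + 2, b[off + 1:off + 2]
    else:
        raise ValueError(f"no jump at {off:#x}")
    return kind, end + int.from_bytes(rel, "little", signed=True)


# Constructed sample loop: NOP; short JNZ back to 0; near JNZ back to 1; RET.
SAMPLE = bytes.fromhex("90" "75fd" "0f85f8ffffff" "c3")
LOOP_JNZ_OFFSETS = [1, 3]

if __name__ == "__main__":
    patched = jnz_to_jmp(SAMPLE, LOOP_JNZ_OFFSETS)
    for off in LOOP_JNZ_OFFSETS:
        print(f"{off:#04x}: {decode_jump(SAMPLE, off)} -> {decode_jump(patched, off)}")
```

To use it on a real binary, read the file into bytes, pass the file offsets of the loop's JNZs (not their virtual addresses), and write the returned copy to a new file so the original stays intact.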