add giftwrap writeup
BIN
forensics/hohoho/ho_ho_ho.pcap
Normal file
Binary file not shown.
53
reversing/giftwrapping/README.md
Normal file
@@ -0,0 +1,53 @@
# giftwrapping
## Flag
HTB{upx_41nt_50_h4rd!!}
## How to solve
- The binary is packed using the upx packer
- It first needs to be unpacked in order to reverse engineer its contents
- Fortunately `upx` is open source and rather well documented
- unpack using: `upx -d gitfwrap`
- Fire up radare2/cutter and disassemble the binary

- The program logic is a bit confusing due to the unpacker doing weird stuff
- After the call to `scanf` the programm enters a loop where some data from `rbp+rax-0x110` gets loaded into `eax`
- Then the data gets xored bytewise with `0xffffff3`
- Once this is done for all bytes the program moves to a check section
- There a function call to `fcn.00401080` is made.
- Don't bother, this is no password check, it's just an implementation of memcompare `memcmp` from the c++ lib
- If the data matches the welcome message is shown
- So the flag needs to be somewhere in the data that gets xored.

- Once I was able to install the ghidra decompilation plugin for radare2 the process gets clearer.
- Ghidra does a great job decompiling the xor mechanism
- Don't be confused about the loop condition `i < 0x100`
- Yes, the code should loop over `0xff bytes`.
- But since there is a `<` it's all okay ;)
- Time to grab the data using `gdb` and convert it to a string
1. don't forget to set you disassembly flavor to intel
2. load the program `gdb ./giftwrap`
3. set a breakpoint at the desired movzx instruction `break *0x004019bb`
4. run until break `r`
5. get the start address which is being loaded using `print $rbp + $rax - 0x110` which is `0x004cc0f0`
6. print the bytes at this address or simply navigate to it using the hexdump tool

- Now copy all this data and convert it to ascii using some python
```buf =
b'\xbb\xa7\xb1\x88\x86\x83\x8b\xac\xc7\xc2\x9d\x87\xac\xc6\xc3\xac\x9b\xc7\x81\x97\xd2\xd2\x8e'
out = []
for i in range(len(buf)):
out.append(chr(buf[i] ^ 0xf3))
print(''.join(out))
```
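Review bot: the unpack step names the binary `gitfwrap` (`upx -d gitfwrap`) while the gdb step loads `./giftwrap`; the two names should match so the command can be copied as written. In the same hunk, the xor key is given in prose as `0xffffff3` (seven hex digits) but the script xors each byte with `0xf3`, which is what actually recovers `HTB{upx_41nt_50_h4rd!!}` from the quoted buffer; stating the key as `0xf3` and noting that only the low byte of the immediate matters for a byte-wise xor would remove the discrepancy. The closing code block opens with the fence on the same line as `buf =`, so it will not render as code; move the fence to its own line, ideally tagged `python`, and keep `buf = b'...'` on the next line. Smaller points: "programm" and "set you disassembly flavor" are typos, and the loop note is misleading since `i < 0x100` runs 256 iterations (i = 0 through 0xff), not "0xff bytes".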
File diff suppressed because one or more lines are too long
BIN
reversing/giftwrapping/images/ghidra.png
Normal file
Binary file not shown.
After: Size 93 KiB
BIN
reversing/giftwrapping/images/hexdump.png
Normal file
Binary file not shown.
After: Size 78 KiB
BIN
reversing/giftwrapping/images/passwordcheck.png
Normal file
Binary file not shown.
After: Size 110 KiB