htb-santa-ctf/reversing/giftwrapping/README.md
2021-12-06 02:08:57 +01:00


# giftwrapping
## Flag
HTB{upx_41nt_50_h4rd!!}
## How to solve
- The binary is packed using the UPX packer
- It first needs to be unpacked in order to reverse engineer its contents
- Fortunately `upx` is open source and rather well documented
- Unpack using: `upx -d giftwrap`
- Fire up radare2/cutter and disassemble the binary
![programm logic](images/passwordcheck.png "Disassembly")
- The program logic is a bit confusing due to the unpacker doing weird stuff
- After the call to `scanf` the program enters a loop where some data from `rbp+rax-0x110` gets loaded into `eax`
- Then the data gets xored bytewise with `0xffffff3`
- Once this is done for all bytes the program moves to a check section
- There a function call to `fcn.00401080` is made.
- Don't bother, this is no password check, it's just an implementation of `memcmp` from the C++ library
- If the data matches the welcome message is shown
- So the flag needs to be somewhere in the data that gets xored.
![ghidra decompilation](images/ghidra.png "Ghidras decompilation")
- Once I was able to install the ghidra decompilation plugin for radare2 the process got clearer.
- Ghidra does a great job decompiling the xor mechanism
- Don't be confused about the loop condition `i < 0x100`
- Yes, the code should loop over `0xff` bytes.
- But since there is a `<` it's all okay ;)
- Time to grab the data using `gdb` and convert it to a string
1. Don't forget to set your disassembly flavor to intel
2. load the program `gdb ./giftwrap`
3. set a breakpoint at the desired movzx instruction `break *0x004019bb`
4. run until break `r`
5. get the start address which is being loaded using `print $rbp + $rax - 0x110` which is `0x004cc0f0`
6. print the bytes at this address or simply navigate to it using the hexdump tool
![hexdump](images/hexdump.png "hexdump of the memory section containing the flag")
- Now copy all this data and convert it to ascii using some python
```python
# Bytes dumped from 0x004cc0f0; XOR each one with 0xf3 to recover the flag
buf = b'\xbb\xa7\xb1\x88\x86\x83\x8b\xac\xc7\xc2\x9d\x87\xac\xc6\xc3\xac\x9b\xc7\x81\x97\xd2\xd2\x8e'
out = []
for i in range(len(buf)):
    out.append(chr(buf[i] ^ 0xf3))
print(''.join(out))
```
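As an added example (not part of the original writeup), the same decode can be done without reading the key out of the disassembly at all: since every HTB flag starts with `HTB{`, the single XOR key byte falls out of the first four dumped bytes. The block also mirrors the check loop described above (XOR the input bytewise, then a `memcmp`-style compare); the exact order of operations in the binary is an assumption here.

```python
# Added example, not the writeup's own code.
# Bytes dumped from 0x004cc0f0 in the writeup's gdb session (copied from the page).
DUMP = bytes.fromhex("bba7b18886838bacc7c29d87acc6c3ac9bc78197d2d28e")
FLAG_PREFIX = b"HTB{"


def recover_key(blob: bytes, prefix: bytes = FLAG_PREFIX) -> int:
    """Known-plaintext recovery of a single-byte XOR key.

    Every prefix position must yield the same key byte; if they disagree the
    blob is not a single-byte XOR of something starting with `prefix`.
    """
    keys = {b ^ p for b, p in zip(blob, prefix)}
    if len(keys) != 1:
        raise ValueError(f"inconsistent key bytes {sorted(keys)}: not a single-byte XOR")
    return keys.pop()


def decode(blob: bytes, key: int) -> str:
    """The writeup's loop as one expression: XOR every byte with the key."""
    return bytes(b ^ key for b in blob).decode("ascii")


def password_check(user_input: bytes, blob: bytes = DUMP, key: int = 0xF3) -> bool:
    """Re-implementation of the decompiled logic (assumed order: XOR, then memcmp).

    A length check stands in for the fixed-size memcmp against the stored blob.
    """
    if len(user_input) != len(blob):
        return False
    return bytes(b ^ key for b in user_input) == blob


if __name__ == "__main__":
    key = recover_key(DUMP)
    flag = decode(DUMP, key)
    print(f"key=0x{key:02x} flag={flag}")
    print("check passes:", password_check(flag.encode()))
```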