htb-santa-ctf/reversing/giftwrapping/README.md

giftwrapping

Flag

HTB{upx_41nt_50_h4rd!!}

How to solve

• The binary is packed using the upx packer
• It first needs to be unpacked in order to reverse engineer its contents
• Fortunately upx is open source and rather well documented
  • unpack using: upx -d gitfwrap
• Fire up radare2/cutter and disassemble the binary

• The program logic is a bit confusing due to the unpacker doing weird stuff
• After the call to scanf the programm enters a loop where some data from rbp+rax-0x110 gets loaded into eax
• Then the data gets xored bytewise with 0xffffff3
• Once this is done for all bytes the program moves to a check section
• There a function call to fcn.00401080 is made.
• Don't bother, this is no password check, it's just an implementation of memcompare memcmp from the c++ lib
• If the data matches the welcome message is shown
• So the flag needs to be somewhere in the data that gets xored.

• Once I was able to install the ghidra decompilation plugin for radare2 the process gets clearer.

• Ghidra does a great job decompiling the xor mechanism

• Don't be confused about the loop condition i < 0x100

  • Yes, the code should loop over 0xff bytes.
  • But since there is a < it's all okay ;)

• Time to grab the data using gdb and convert it to a string

1. don't forget to set you disassembly flavor to intel
2. load the program gdb ./giftwrap
3. set a breakpoint at the desired movzx instruction break *0x004019bb
4. run until break r
5. get the start address which is being loaded using print $rbp + $rax - 0x110 which is 0x004cc0f0
6. print the bytes at this address or simply navigate to it using the hexdump tool

• Now copy all this data and convert it to ascii using some python

b'\xbb\xa7\xb1\x88\x86\x83\x8b\xac\xc7\xc2\x9d\x87\xac\xc6\xc3\xac\x9b\xc7\x81\x97\xd2\xd2\x8e'
out = []
for i in range(len(buf)):
  out.append(chr(buf[i] ^ 0xf3))

  print(''.join(out))