CSCG 2015 reversing binary

reverseengineering

(Gert) #1

Hi guys,

I’ve been here for a long time, but now it’s my first post. I hope that you can help with it. If it’s in the wrong category, let me know.

I have this challenge from CSCG 2015 where I need to find the password for the following binary. Could any of you please help me understand that? I tried different inputs, looked at the contained ASCII strings and decomposed the binary file. Assembly is not my strength, so it was barren. The string
;@}1"(.7-kf7Hy<[l5ZitD’c_Ae{h+)

caught my attention, but I don’t know if it’s useful.

EDIT: I tried to include base64, but here is a link…

EDIT2: Without lines:
Binary in base64

Many thanks


(fxbg) #2

Could you post a link to the challenge? The only thing I could find is a malware analysis link associated with the base64 you provided: https://www.hybrid-analysis.com/sample/93c543c1f76b16d445a7fcb0df6b07add1d31135f72ba2915d87b19d5c5f8fcc?environmentId=100


#3

Ok, so I’ve solved it but I’m not too sure how much information you actually want so I guess I will just split it into two spoiler tags :smiley:

  1. What does the binary want from me?

A quick look into the binary tells you that it reads in 33 characters (32 actual characters and the last one as a terminator) from standard input within the main function and continues with some sort of mini virtual machine to process it.
The mini virtual machine reads in “instructions” that have an operation code that determines what the operation does and up to two parameters that determine how the operation is done (add 1, 2 or 3, etc.).

main:
push binary.1382120                 ;"The VunMachine needs a password, begin with V:"
call dword ptr ds:[<&printf>]
call dword ptr ds:[<&_iob_func>]
push eax
push 21
push binary.138339C                 ;a buffer for the input
call dword ptr ds:[<&fgets>]
add esp,10
call binary.1381110                 ;function handling the main VM loop
xor eax,eax
ret

The mini virtual machine then executes “instructions” following a hard-coded scheme and exits if a compare “instruction” returns false.

  2. What does the VM do?

The following “instructions” are executed within the mini VM:

Set first memory value to 31
start of loop:
Read input string character at the position of the first memory value to the second memory position
Compare if first memory value is 0: exit if they are equal and say the flag was right
Decrease content at first memory position by 1
Read input string character at the position of the first memory value to the third memory position
Xor the second memory value with the third memory value and save the result to the second memory position
Compare the second memory value to the character within the compare string (the string you found) at the position of the first memory value: exit if they are not equal
The code then jumps back to the loop start

Building the flag/password out of that and the hint that it has to start with V is really easy now. I guess I will leave the rest to you as you don’t need any assembly from now on.

Was fun to look into it, I hope this helps somehow.
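
The loop described in post #3, as an added example that is not part of the original thread: it replays the check in Python and inverts the XOR chain for a constructed 32-character password. The function names, `SAMPLE` and the table derived from it are assumptions for illustration; the challenge's own compare string is not used.

```python
# Added illustration: the names and the sample password are constructed,
# not taken from the challenge binary.
LENGTH = 32  # characters checked; fgets' 33rd byte is the terminator
SAMPLE = b"V_constructed_sample_password_32"  # constructed, 32 bytes


def build_table(password: bytes) -> bytes:
    """Compare string the VM would need for this password (31 bytes)."""
    return bytes(a ^ b for a, b in zip(password, password[1:]))


def vm_check(candidate: bytes, table: bytes) -> bool:
    """Replay the loop from post #3, walking the index from 31 down to 0."""
    if len(candidate) != LENGTH or len(table) != LENGTH - 1:
        return False
    i = LENGTH - 1                # set first memory value to 31
    while True:
        second = candidate[i]     # input[i] -> second memory position
        if i == 0:                # index reached 0: all compares passed
            return True
        i -= 1                    # decrease first memory value
        second ^= candidate[i]    # xor with input[i] (third position)
        if second != table[i]:    # mismatch against compare string
            return False


def recover(table: bytes, first: int) -> bytes:
    """Invert the chain: input[i + 1] = table[i] ^ input[i]."""
    out = [first]
    for t in table:
        out.append(out[-1] ^ t)
    return bytes(out)


def printable_candidates(table: bytes) -> list:
    """Every first byte yields a chain that passes; keep the printable ones."""
    chains = (recover(table, first) for first in range(0x20, 0x7F))
    return [c for c in chains if all(0x20 <= b < 0x7F for b in c)]


if __name__ == "__main__":
    table = build_table(SAMPLE)
    print(vm_check(SAMPLE, table), recover(table, ord("V")))
    print(len(printable_candidates(table)), "printable inputs pass the loop")
```

Because the loop as described only compares XORs of neighbouring characters, it fixes the password only up to the choice of the first character, which is what the "begin with V" hint in the prompt supplies.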


(Gert) #4

Sorry, I have no link to the challenge since it’s local…


(Gert) #5

That was fast and impressive, Leeky. Many thanks! I found the password after reading your description. I will have to investigate disassembly more to understand better. But with your description I may understand the instructions!