[ReverseMe] Bit Banging

challenge
reverseengineering
linux

#1

Hello folks! I hope you’re doing great! This is my first time I ever create a reversing engineering challenge so I’m hoping there won’t be any issue such as unintended solutions/bugs.


###Difficulty

A big part of Reverse Engineering has to do with observation. That being said, depending on how sharp you are it can be really easy but it can also be tedious.


###Objective

Find the key(s).


###Rules
No patching.


###Hints

~ The name of the challenge is a hint by itself.

~ You’ll need dynamic analysis.

~ Once you figure out the 2nd digit, you’re almost there.

~ Read the above hints.


###Binary

Use the following command to recover the binary:

cat binary | base64 -d | gunzip > bin && chmod +x bin
H4sICC/5TFkAA2JpdADtWW9sHEcVn73z+U/snC+pUxzbIhsaCzfUl3OwjdOqzZ3/xOvIsY1jNyrF
WZ99a98198fc7gXbIiHgOurJJDUCpCBRCYGAoIIaQKoCH+oLgYR8QY7URkggYRCpnCalKU2DBamP
mdk3e7tzeyR84VPmdPf2/ea9N2/evJmbmf1yV+8+hyAgVhzoGUQ5l5/yfsAXawwRjLWhMvy7DdWh
YiJqkvMjv4WugWlGS0HOib9F+Nvm0Pk2h99C60COUcFEXchc/BZ6qwxZKEKioUd89bh11OMetVA/
+BF2WPUcoNcAeg0gz+gyOLbM9a8IvkNgbwj6xWgnyHWa5EkZuK6FyHMGDGVK/RbaDHLNnN5nsV4x
evDiAToI7RWKy23oF6NsHHZFI2OtzbuiocZoJJ6abpxua21sbfaqCe9u6pMHZLv7hqk8i6MIPlch
PQdI/ddnT0y8tv69pzMXZ4UrqP/0v/p66wXQz2Xmg/drsw1eVwDfUgB/rADeglhmWEt5AXmE4zRO
wtKKlOmIhqZSmoqmkpG4NoFULRlV4kiWiYysasGkJseCEYJMxhJxQGTU3dvT3iHv9u72ktYd8NFj
KtBPbjxTNZEyUsPyaq1ylFI2T1mp9uh4CbLGWDThDhPeYMKdJtxnwotMeJsJN+elNHerVFpwHSsX
kTSf0VyrRyj4m9KLen22JYmrsvUa/q3c5sdPhA+TqhsrWVzqXyA8cfnGMuXHCE9cvZGh/OcIT1y8
cY7yg4Qnrt34LuUdmJ9YZP40vduTvnpYSv9Vmvvb7YGhnssZP55p0uULyyWEXL6L18HVH2G9OxOV
23BQzx/CHRuWGgcwkebW3FL6+tHa87RnuDubRpZIRXYFC79I7Y9cJL2Y8DL+jQGq/5W/UwMX1p3Y
gJS+LV1Y3SsJl6Sr69oWw1o5s1a5DdvR2z/x9Lc3iHiYNw1jxdU4dmzkkuskhoQPaEtLops4thel
XDe/gfUMY+8ThezyyI1ZrEOe8UiI6WO3pHRqZe7YLYf2mLTQtSItICl9aWkIx4Bqrn5nPZtdItFe
/Tl+oiJzmVIqdnk1QaC5tSKtaknBGqv9hvA8frrcdY+YuPlETsuz0HVPOiMJy5Wvo8o3MqcGlimQ
rpofxR2d67onzB275zz+e6a6h1YvFNHq+cz0JjM/t1Z2vGpJJQ1f+4g1XIEbNuxcWHB9qUzEgq7K
+Su4dsH1Bcz+8w/pXy+4JklFRti+PLdSNJ+pfPFbtH6YihdrRxdc+3VN7ciCa6+h1ZLTcuCg9i+4
PknFSjXfgqvOENucEyvFYlVLLxMvfcRLGtUJ8vQKweoMzwfJ06sEKzWwZwzszj2G7TSwFQN7FGN6
fgQOBZ4NpLOB4cBQ76l6b7GIk+1UI6EHe9J3e9Jv9T5+nc7BCx85VxPYgDT/riY2/ZHlZ2/6nd70
3U5sIVv1J2nuoiDtuZl6h0zQ50cCnw+MBA4H5IuLuXz+4CLMaZjCAl41htXgpPKkWK+Kzx9RZkY2
oEPJRHxSxGvdpBbejobCiohxMRxURS0hjiliUIynYmNKcjvqwILJoKaKsWB8OwpEYwlVE7WwklS2
o76EJqoJUQmqM7hawwhpr9b5FPkvJGvb8r+z2ROY+nG3BjBtxVE5i6kHZ/zvMD2BqQcWuyqY/8Ls
IBKmPUJtRUnpolDiITj5r1jFtnaa1i17eYR2gLyE5emK5/bsc1fvryz/YukJtLfmqZ2f3vEJBDJk
TT6JfXuT+BBwe046OjaytZHUhYjvOH8VArS7PS872t3Vp51dbvFUUbu74Wsuye07WSy52+ZKDrj9
SXdbwO0LuBva3SKWw/Lt7lLq50/wN4ztmNfvh+VheVgelvuVZTj3nQPKisDRCqBTRbrcRuA74Zyy
FXh2jqgFnp2P2HGyGurruPoP17MJQs84dHts7zrq1Hm2bp6H+g3ADwAtZ/aBbkHWYuxhYZ/K1spp
oGy9LwH6MaBr0D7DV4BnfrP2yjgeL8e0PxmQzwLP4nkb+HNQ//8q7BzLlx/CuL4O9BLQa0DfBsqX
7o6OJ8WG4bFUXEuJLd5mr6+xNUW5puNNrV5fs7f5cR0Xd/uaWn2tvj339dGJo8TuBay4wzhPW3En
0mzxIiOfrLjLyCMrXmzkmxUvsR0nJ86CjC1eZuSJFd9g5JMVLzfmlRWvQIu2+EZ02xZ3G/c4VrzS
mKdW3IMGbPFNxv2DFd+M1mzxR4x5b8WrjPluxbcg0RZ/1DY/nXg2snOtFa825rMV34r8tngNGrDF
a/MwMk+L0PtZHq+gdfn+k/XPgePv4+JfC/gUh3sB59fdTmo/5ydbLw7S5/x4zoKdZc7OSSqfPy4/
KNCvQv19ldZtRqtlVvu/RPZxQAXs/Jb+PpLn/zVqJ3/c/wzyvP//oL/5+ekSiJ38fKgVyD2NG/lB
nq37nxLs73Veo3h+/nQL9vc9zwnEmxo0CvLsf0QWyB3N1rx8q6d28ufjRAH7swXw0wXwn0K7vP+/
KtDfK8R/x1YkcfLXaL9y6wO767kO8STXJaQogF9FpN0aNM3Z+QXIs3WJnbE+FHR5Pj6CQ5e/C/Jv
wgQodtj7X+Owj8MTDr1fvP22Anbeo37arMPjSU3VUhMT3nEky/s7BuXenoNDsoxC+Iw6GVE1JSlr
MXk8mogrKpYIJeTJaGIsGJVDWiKpysHUNBpPxKaiiqaEvJ9paWuxF5InIvGIHEwmgzOyEteSM2gi
GYwpcigVi81gFRMnY0nNIjoW0ah7+wYDB7rkrr5O7J/uLHu2qISQ3PlcX+BAT4e1ht4/Yqi7b1ju
ksCa1DmI5O7e/vZAr9y/b9/BriF5KNDe2yWze8xxNUWdR3LP0AE5F5ahAx0kKEPBsahCr0H9fvPF
Jm0SyUooqAXhZtQqoF+aWrG8q1O+mlgz+mG5VMV1akIOB+Mh7I7c048rQpG4nFKVkLknJByYH1NV
MKNf0O4/Kg9CvzqiQVXFY02ud/nmcZ9ZyEkwbEOBvOpMTAuOYaoldRpmT7jHSnIKeeMJTfEG2nsa
teAkcJPxlHcsFYmGGiMhRLlwUA0jb2gmju3pVEvqNUeVpBpJxC2MjOuSSjRIBOFpKqqRJnGHyaN3
MoEfNGUa/9Lx9CYTdHC8ShjSLxxK5jhdVU8dXYM9vzCepP4EY5FxRMzqLenGcGSRF8+IGE5dm3n4
vxby/0qWCLau594r6XwdJ8+/XyD3/ua779x7G50XOfkijm/i9Nk+VANgx330yf/9XXwWYPpsv3qG
85+dh0qRtfQh/ezD9Nm+9jwAZwEn5ycB5Z9bnkX62Yjps/3vKByY2PmKFT5+h5F+tmH6bJ98DvTd
nP8OjpLXAesmfbafzoC+WMB/Vsj+p8hkj+27V0Cf9ZOPH8NfBP124Nn+fA302fnQBTq8/mmUe9dI
Cvv/mIKBNr1GpYUf/zSnz/b7iyA4ysl7OPpNTp+dC26DPh8vnn+F0zfODxCwdqdV3mNl0fc5fbav
6YSGyjh5vv8/Rtb5y/YbA6Afu4/+zzj93PtTnW/m5Hn9JU6fnW/WQP8OJ8/Hj7xmIDnOwpR7n2ov
z/Nv4W+lSZ/tj6sfUP8v4D/TZ/tx8QH130b62DH93PtunWfvudn4Mn2WB2e49tk5ba3yv7fP6Huc
vrF/hwb899Ff4/TZvtfvsfrJ67OyDhjTZ/vFAVBs4OR5e05Bb9/H4Uyfzz/+Xm2TqW1z+SpcqFVw
Cy6//ppz11xegvbPwsB9HH93Ift7K7v2fXABNsgZ59/P/wdIDBaGUCIAAA==

Have fun!


Challenge Collection: Reverse Engineering and CrackMe
#2

You want a key?
How about 6 of them

5317
5327
5397
5417
5427
5497


#3

I thought of adding it as a hint if someone didn’t find out about that within 24 hours.

Congrats!


(0x00Jinx) #4

The keys I got:

5317
5327
5397
5417
5427
5497

Thanks for this challenge! This was the first one I solved without help, hints or waiting for a write-up!
Can’t wait to see more!


(Silur) #5

the keys I got:

5317
5327
5397
5417
5427
5497


#6

Was fun! :open_mouth:


5317
5327
5397
5417
5427
5497


(Siz Zin) #8

[details=Summary]5317
5327
5397
5417
5427
5497
[/details]


#9

Congrats to all of you folks! :ok_hand:


#10

Solved it now as well. Wasn’t the smartest approach that I took but dynamic analysis solved it easily in the end. :smiley:

Below the summary of the made observations after looking at the binary:

  • key has to be provided on call
  • input has to have a length of 4
  • input bytes are getting stored in an array
  • input has to consists of just numbers
  • 1st input byte has to be 5
  • 2nd input byte has to be 3 or 4
  • 3rd input byte has to be 1,2 or 9
  • 4th input byte has to be 7

So any combination of the above mentioned input bytes is a valid key.


#11

The static analysis was showcasing a bit arithmetic trick. The dynamic analysis approach was the lazy way.

Congrats either way @ricksanchez!


#12

I tried static analysis first…
It went well until the part where the magic happened with the
neg something add something and something and something cmp something jmp something
I had to write stuff down and/or look in GDB what actually happens.

So in the end I couldn’t fully solve it just with with the static analysis approach


#13

I understand. The whole “magic” you mentioned had to do with turning on the right-most 0 bit and turning off the rest. You can notice that in GDB having in mind what I just said.


#14

I did see that happening, and I understood what’s happening there after using GDB.
Then finding the rest of the input “manually by hand” wasn’t an issue anymore


#15

This is history, all the same it helped me sharpen my RE skills


#16