A reverse engineering challenge that includes some self-modifying code. Difficulty level is medium.
| Info | Value |
|---|---|
| Difficulty | Medium |
| Flag | ccsc{v3ry_e4sy_ch4ll} |
You can update the decryption key by changing the `FLAG_CIPHERTEXT_KEY` macro in `includes.h`. Make sure that the value is at most 32 bits wide.
Compile using `cmake`.
Note: Ignore the `challenge.h not found` error in your IDE; to generate it, run the make process once (it is automatically generated by `flag_print.c`).
Note: FYI, don't use this one; it's time consuming and not really the correct approach.

Brute-force the executable with values ranging from 0x0 - 0xFFFFFFFF:

```python
import os, subprocess

cmd = os.path.join(os.path.realpath('.'), "challenge")
# Try every 32-bit key; the binary is fed the key as hex on stdin and
# prints the flag (prefix "ccsc") when the key is right.
for key in range(0x00, 0x100000000):
    result = subprocess.run(cmd, input="{:x}".format(key), capture_output=True, text=True)
    if "ccsc" in result.stdout:
        print(f"Key = {hex(key)}")
        break
```
TODO
In short:

- Identify the basic block (BB) that prints the failure message:

```
.text:0000000000000771 lea rdi, s ; "Invalid key"
```

- Trace back to where the decision is made:

```
.text:000000000000072B call sub_8A0
.text:0000000000000730 cmp cs:dword_201020, 0E5894855h
.text:000000000000073A jnz short loc_771
```

- The called function looks like an XOR encryption loop:

```
.text:00000000000008E0 loc_8E0: ; CODE XREF: sub_8A0+49↓j
.text:00000000000008E0 xor [rbx], ebp
.text:00000000000008E2 add rbx, 4
.text:00000000000008E6 cmp rax, rbx
.text:00000000000008E9 jnz short loc_8E0
```

- Take the value `0E5894855h` and the encoded/encrypted ciphertext being compared at step #2 (`dword_201020`) and find a value K where `*(unsigned long *)dword_201020 ^ K = 0E5894855h`. Now all you have to do is a single XOR operation to get the key: `K = 0E5894855h ^ *(unsigned long *)dword_201020`.
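The last two steps of the write-up as an added C example (not part of the challenge's own sources): it emulates the XOR loop at loc_8E0 and the cmp at 0x730, then derives K from the sentinel exactly as described above. The encrypted region and the demo key are constructed for this example; the challenge's real key lives in `includes.h`.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Sentinel compared against dword_201020 after sub_8A0. As bytes in memory it is
 * 55 48 89 E5 = "push rbp; mov rbp, rsp", a normal function prologue, so the
 * check passes only if the decrypted bytes look like the start of a function. */
#define EXPECTED_PROLOGUE 0xE5894855u

/* Emulates the loop at loc_8E0: xor [rbx], ebp ; add rbx, 4 ; cmp rax, rbx ; jnz.
 * ebp holds the 32-bit key, rbx walks the buffer in 4-byte steps up to rax. */
void xor_dwords(uint32_t *buf, size_t nwords, uint32_t key) {
    for (size_t i = 0; i < nwords; i++)
        buf[i] ^= key;
}

/* Step 4 of the write-up: K = 0E5894855h ^ first encrypted dword. */
uint32_t recover_key(uint32_t first_ct_dword) {
    return EXPECTED_PROLOGUE ^ first_ct_dword;
}

/* Mirrors the cmp/jnz at 0x730: does this key decrypt the first dword to the sentinel? */
int key_is_valid(uint32_t first_ct_dword, uint32_t key) {
    return (first_ct_dword ^ key) == EXPECTED_PROLOGUE;
}

#define NWORDS 4
/* Constructed stand-in for the encrypted region: a prologue followed by filler.
 * DEMO_KEY is made up for this example; it is not the challenge's real key. */
static const uint32_t PLAIN[NWORDS] = {EXPECTED_PROLOGUE, 0x11223344u, 0x55667788u, 0x99AABBCCu};
static const uint32_t DEMO_KEY = 0xDEADBEEFu;
/* Encrypt the constructed region, recover the key from the ciphertext alone, verify. */
int demo(uint32_t *recovered) {
    uint32_t buf[NWORDS];
    memcpy(buf, PLAIN, sizeof buf);
    xor_dwords(buf, NWORDS, DEMO_KEY);        /* what the build does with FLAG_CIPHERTEXT_KEY */
    *recovered = recover_key(buf[0]);         /* the solver only sees buf, never DEMO_KEY */
    if (!key_is_valid(buf[0], *recovered))
        return 0;
    xor_dwords(buf, NWORDS, *recovered);      /* sub_8A0 run with the recovered key */
    return memcmp(buf, PLAIN, sizeof buf) == 0;
}

int main(void) {
    uint32_t k = 0;
    printf("%s, K = 0x%08x\n", demo(&k) ? "recovered" : "failed", k);
    return 0;
}
```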