Monday, May 29, 2023

NcN 2015 CTF - theAnswer Writeup


1. Overview

It is a statically linked, stripped ELF32 binary. The good news is that it was compiled with gcc, so there are no exotic runtimes or libraries to fingerprint, just libc ... and libpthread.
This binary was written by Ricardo J Rodrigez.

When it is executed, it seems to be computing the flag:


But the process never ends .... let's see what strace says:


There is a thread deadlock (the futex() call never returns). A good starting point is to look in IDA at the xrefs to 0x403a85, the futex call.
Perhaps the flag is stored encrypted and is never decrypted because of the lock.

This can be solved in two ways:

  • static: understanding the cryptosystem and programming our own decryptor
  • dynamic: fixing the binary and running it (hard: antidebug, futex, rands ...)


At first sight I thought the dynamic approach would be quicker, but it turned out to be more complex than the static one.


2. Static approach

By following the xrefs to the futex call, it is possible to locate main:



With libc/libpthread function fingerprinting (or a bit of manual work) we recover the symbols. Here is main: 255 threads are created and joined, and once all of them have finished the xor key is complete and print_flag is called:



The thread routine is the function pointer passed to pthread_create. IDA recognizes that area as data, but it can be converted to code and defined as a function.

This is the decompiled thread code. We can see two infinite loops: one for ptrace detection and one for a preload-hook check (pointless in a static binary, since LD_PRELOAD never applies). At this point these anti-debug/anti-hook tricks are easy to spot.


The important question is: is the key random? Not really. With the same seed the rand() sequence is always the same, so the key is only "hidden" behind the predictability of the PRNG.

If the threads do not run in creation order, the key will be wrong, because each rand() value is xored with th_id, the identifier of the current thread, and the threads consume the rand() stream in the order they run.

The print_flag function xors the key with flag_cyphertext byte by byte.


And here we have the seed and the first bytes of the ciphertext:



With radare we can convert this to a C variable quickly:


And here is the flag ciphertext:


And with some radare magic, we have the initialized C array:


radare is full featured :)

With a bit of rand() calibration (working out how many rand() calls are consumed before and between the key bytes), here is the solution ...



The code:
https://github.com/NocONName/CTF_NcN2k15/blob/master/theAnswer/solution.c
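To make the key-schedule discussion above and the rand() calibration concrete, here is an added model of the scheme, written for this page and not taken from the binary or from solution.c. It assumes a hypothetical schedule modelled on the description: srand(seed), some number of leading rand() calls, then thread th_id (in creation order) contributing rand() ^ th_id as key byte th_id, and print_flag xoring the ciphertext with that key byte by byte. The seed, the ciphertext and the flag below are constructed for the example; the real values are in the images and in the linked solution.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <ctype.h>

#define NTHREADS 255   /* the binary creates and joins 255 threads */
#define MAX_SKIP 16    /* how many leading rand() calls calibrate() will try */

/* Hypothetical key schedule (assumption, modelled on the writeup, not copied
 * from the binary): srand(seed); `skip` rand() calls are consumed before the
 * thread loop (e.g. by the sleep(randInt(1,3)) at the start of the threads);
 * then thread th_id, running in creation order, stores rand() ^ th_id as key
 * byte th_id.  A thread running out of order would consume the stream in a
 * different position and corrupt the key. */
void derive_key(uint8_t key[NTHREADS], unsigned seed, int skip)
{
    srand(seed);
    for (int i = 0; i < skip; i++)
        (void)rand();
    for (int th_id = 0; th_id < NTHREADS; th_id++)
        key[th_id] = (uint8_t)(rand() ^ th_id);
}

/* print_flag as described: xor the ciphertext with the key byte by byte. */
void xor_with_key(uint8_t *out, const uint8_t *in, size_t n, const uint8_t key[NTHREADS])
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ key[i % NTHREADS];
}

/* Decrypt (or, since xor is symmetric, encrypt) with an explicit seed and skip count. */
void decrypt_flag(uint8_t *flag, const uint8_t *ct, size_t n, unsigned seed, int skip)
{
    uint8_t key[NTHREADS];
    derive_key(key, seed, skip);
    xor_with_key(flag, ct, n, key);
}

/* rand() calibration: the seed is known from the binary, but not exactly how
 * many rand() calls precede the key loop.  Try each candidate and keep the
 * first that yields an all-printable flag.  Returns the skip count or -1. */
int calibrate(uint8_t *flag, const uint8_t *ct, size_t n, unsigned seed)
{
    for (int skip = 0; skip < MAX_SKIP; skip++) {
        decrypt_flag(flag, ct, n, seed, skip);
        size_t printable = 0;
        for (size_t i = 0; i < n; i++)
            printable += isprint(flag[i]) != 0;
        if (printable == n)
            return skip;
    }
    return -1;
}

/* Round trip: encrypt `plain` with (seed, skip), then recover it via calibrate().
 * Returns the recovered skip count, or -1 if the plaintext did not come back. */
int roundtrip_skip(const char *plain, unsigned seed, int skip)
{
    size_t n = strlen(plain);
    uint8_t ct[NTHREADS], out[NTHREADS];
    if (n > NTHREADS) return -1;
    decrypt_flag(ct, (const uint8_t *)plain, n, seed, skip);
    int found = calibrate(out, ct, n, seed);
    return (found >= 0 && memcmp(out, plain, n) == 0) ? found : -1;
}

/* The silent anti-debug bumps the seed by one; decrypting with seed + 1 must
 * not give the plaintext back.  Returns 1 if the output differs. */
int wrong_seed_breaks(const char *plain, unsigned seed, int skip)
{
    size_t n = strlen(plain);
    uint8_t ct[NTHREADS], out[NTHREADS];
    if (n > NTHREADS) return -1;
    decrypt_flag(ct, (const uint8_t *)plain, n, seed, skip);
    decrypt_flag(out, ct, n, seed + 1, skip);
    return memcmp(out, plain, n) != 0;
}

int main(void)
{
    /* Constructed sample: a made-up flag, seed 0xC0FFEE and 3 leading rand() calls. */
    const char *plain = "flag{constructed_sample_not_the_real_one}";
    size_t n = strlen(plain);
    uint8_t ct[NTHREADS], out[NTHREADS + 1];
    decrypt_flag(ct, (const uint8_t *)plain, n, 0xC0FFEE, 3);
    int skip = calibrate(out, ct, n, 0xC0FFEE);
    out[n] = 0;
    printf("skip=%d flag=%s\n", skip, out);
    return skip == 3 ? 0 : 1;
}
```

The key byte is only the low 8 bits of rand(), so the model is platform dependent in the same way the real solver was: the decryptor has to be compiled against the same libc rand() the challenge binary linked statically, otherwise even a perfectly calibrated skip count produces the wrong key.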





3. The Dynamic Approach

First we have to patch the anti-debug checks. At the beginning of the thread there are two evident ones (an anti-preload-hook check and an anti-ptrace check); the infinite loop they lead to makes them even more obvious:



There is also a third anti-debug check, a bit more silent: it detects a debugger through the number of the first available file descriptor. And here comes the nasty part: it does not crash the execution. The program keeps running, but the seed is modified slightly, so the decryption key will not be right.





Ok, the seed is incremented by one. That could pass for a normal program feature, but it is only triggered if the descriptor obtained by opening "/" (fileno(open("/","r")) in the pseudocode) is greater than 3, i.e. if the first free descriptor is not 3 because a debugger, tracer or hook left extra descriptors open in the process. This is a well-known anti-debug trick, and it is also visible in a traced execution.

Ok, just a one-byte patch: seed += 1 becomes seed += 0 (add eax, 1 becomes add eax, 0, only the immediate changes).

before:


after:



To patch the two infinite loops, just NOP the two bytes (EB FE) of each jmp $ (a jump to itself).
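As an added example (not part of the original writeup), here is a small patcher in C that applies the three byte patches just described, with the check a practitioner wants before touching a binary: it refuses to write unless the bytes at the offset are exactly the ones expected, so a wrong offset fails loudly instead of corrupting the file. The offsets and the sample file are constructed for the example; the real offsets come from the disassembly and are not reproduced here. The `add eax, 1` encoding is assumed to be the `83 C0 01` (imm8) form, consistent with the one-byte patch in the text.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Overwrite `len` bytes at file offset `off` in `path`, but only after checking
 * that the bytes currently there are exactly `expect`.
 * Returns 0 on success, 1 if the expected bytes don't match, -1 on I/O error. */
int patch_bytes(const char *path, long off, const uint8_t *expect,
                const uint8_t *repl, size_t len)
{
    uint8_t cur[32];
    if (len > sizeof cur) return -1;
    FILE *f = fopen(path, "r+b");
    if (!f) return -1;
    int rc = -1;
    if (fseek(f, off, SEEK_SET) == 0 && fread(cur, 1, len, f) == len) {
        if (memcmp(cur, expect, len) != 0)
            rc = 1;                                   /* wrong offset or already patched */
        else if (fseek(f, off, SEEK_SET) == 0 && fwrite(repl, 1, len, f) == len)
            rc = 0;
    }
    fclose(f);
    return rc;
}

/* Read one byte at `off` (for verifying the patch); returns -1 on error/EOF. */
int read_byte(const char *path, long off)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    int c = (fseek(f, off, SEEK_SET) == 0) ? fgetc(f) : -1;
    fclose(f);
    return c;
}

/* The patches from the writeup as byte sequences:
 *   add eax, 1  (83 C0 01, imm8 form assumed) -> add eax, 0 (83 C0 00)   seed += 1 -> seed += 0
 *   jmp $       (EB FE)                       -> nop; nop   (90 90)      each infinite loop */
static const uint8_t ADD_EAX_1[] = {0x83, 0xC0, 0x01};
static const uint8_t ADD_EAX_0[] = {0x83, 0xC0, 0x00};
static const uint8_t JMP_SELF[]  = {0xEB, 0xFE};
static const uint8_t NOP_NOP[]   = {0x90, 0x90};

/* Constructed offsets for the sample file below; the real ones come from IDA/radare. */
#define OFF_SEED  0x10
#define OFF_LOOP1 0x20
#define OFF_LOOP2 0x30

/* Write a constructed stand-in for the binary: int3 filler with the three patch sites. */
int write_sample(const char *path)
{
    uint8_t buf[64];
    memset(buf, 0xCC, sizeof buf);
    memcpy(buf + OFF_SEED,  ADD_EAX_1, sizeof ADD_EAX_1);
    memcpy(buf + OFF_LOOP1, JMP_SELF,  sizeof JMP_SELF);
    memcpy(buf + OFF_LOOP2, JMP_SELF,  sizeof JMP_SELF);
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t w = fwrite(buf, 1, sizeof buf, f);
    fclose(f);
    return w == sizeof buf ? 0 : -1;
}

/* Apply all three patches; returns 0 only if every site matched and was patched. */
int patch_sample(const char *path)
{
    int rc = 0;
    rc |= patch_bytes(path, OFF_SEED,  ADD_EAX_1, ADD_EAX_0, sizeof ADD_EAX_1);
    rc |= patch_bytes(path, OFF_LOOP1, JMP_SELF,  NOP_NOP,   sizeof JMP_SELF);
    rc |= patch_bytes(path, OFF_LOOP2, JMP_SELF,  NOP_NOP,   sizeof JMP_SELF);
    return rc;
}

int main(void)
{
    const char *path = "theAnswer.sample";
    if (write_sample(path) != 0 || patch_sample(path) != 0) return 1;
    printf("seed imm=%02x loop1=%02x%02x loop2=%02x%02x\n",
           read_byte(path, OFF_SEED + 2),
           read_byte(path, OFF_LOOP1), read_byte(path, OFF_LOOP1 + 1),
           read_byte(path, OFF_LOOP2), read_byte(path, OFF_LOOP2 + 1));
    return 0;
}
```

Running patch_sample a second time returns nonzero because the expected bytes are no longer there; that is the intended behaviour, and the same check is what saves you when an offset was read from the wrong listing.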



Ok, but repairing this binary is harder than building a decryptor; we still need to fix more things:

  •  The sleep(randInt(1,3)) at the beginning of the thread, so that the threads execute in creation order
  •  The pthread_cond_wait, so that it does not block in futex()
  •  The rand() calibration needed to get the right key (patch the sleep and add another rand() call before the pthread_create loop)

Adding the extra rand() has to be done with a patch, because from gdb it is not possible to call rand() in this binary (it is stripped, so there is no symbol to call).

With these modifications, the binary prints the flag by itself.

