One Article Review

Source: SkullSecurity
Identifier: 8300183
Publication date: 2021-03-17 15:59:18 (viewed: 2023-01-11 16:56:04)
Title: BSidesSF CTF 2021 Author writeup: secure-asset-manager, a reversing challenge similar to Battle.net bot dev
Text:

Hi Everybody! This is going to be a challenge-author writeup for the Secure Asset Manager challenge from BSides San Francisco 2021. It's designed to be a sort of “server management software”. I chose that theme to play off the SolarWinds thing, though the theme wasn't closely linked to the challenge.

The challenge was to analyze and reverse engineer a piece of client-side software that “checks in” with a server. For the check-in, the client is required to “validate” itself. The server sends a random “challenge” - which is actually a block of randomized x86 code - and that code is used to checksum active memory to prevent tampering. If anybody reading this worked on bots for the original Starcraft (and other Battle.net games), this might seem familiar! It's based on Battle.net's CheckRevision code.

Server

The players don't normally get to see it, but this is my server code. I'd like to draw your attention to assembly-generator.rb in particular, which is what creates the challenge. It just does a whole bunch of random, really bad checksumming with a few instructions and also randomized NOPs:

    0.upto(rand(1..5)) do
      0.upto(rand(2..5)) do
        # Do something to the value a few times
        s.push([
          "xor eax, #{ random_int }",
          "add eax, #{ random_int }",
          "sub eax, #{ random_int }",
          "ror eax, #{ rand(1..30) }",
          "rol eax, #{ rand(1..30) }",
        ].sample)
      end

      # Mix in the previous value (or seed)
      s.push("xor ecx, eax")
      s.push('')
      s.push(nop())
    end

The server dumps all those random instructions into a file, assembles it with nasm, and sends over the resulting code. To generate a checksum on the server side, I actually used what I'd consider a solution: dumping client memory.

First solution: dump memory

To validate the client, the server wraps gdb (the GNU Debugger) and sends commands to dump process memory.
Here's the code:

    def dump_binary(binary, target)
      L.info("Dumping memory from #{ binary } using gdb...")

      begin
        Timeout.timeout(3) do
          Open3.popen2("gdb -q #{ binary }") do |i, o, t|
            # Don't confirm things
            i.puts("set no-confirm")

            # Breakpoint @ malloc - we just need to stop anywhere
            i.puts("break malloc")

            # Run the executable
            i.puts("run")

            # Remove the breakpoint - this is VE
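The random-instruction checksum described in the Server section, as an added Ruby model that is not the challenge's own code: it generates an instruction list with the same shape as assembly-generator.rb, renders it as the nasm text the server would send, and interprets the same list over a memory image so the server can compute the expected value itself. It assumes the emitted x86 loads eax with each little-endian 32-bit word of the checksummed region, runs the generated ops, and folds eax into ecx (initialised to a seed) at every "xor ecx, eax"; the page does not show that loop, so those semantics are an assumption.

```ruby
# Added example (not the challenge's own code). Assumed semantics: per
# little-endian 32-bit word, eax = word, the generated ops run, and each
# "xor ecx, eax" folds eax into ecx (seeded); the final ecx is the checksum.
MASK = 0xFFFFFFFF
OPS = [:xor, :add, :sub, :ror, :rol].freeze
def ror32(v, n); ((v >> n) | (v << (32 - n))) & MASK; end
def rol32(v, n); ((v << n) | (v >> (32 - n))) & MASK; end

# Same shape as assembly-generator.rb: 1..5 blocks of 2..5 random eax ops,
# each followed by a mix into ecx. A seeded Random makes it reproducible.
def generate_challenge(rng = Random.new)
  ops = []
  rng.rand(1..5).times do
    rng.rand(2..5).times do
      op = OPS.sample(random: rng)
      ops << [op, (op == :ror || op == :rol) ? rng.rand(1..30) : rng.rand(0..MASK)]
    end
    ops << [:mix, nil] # "xor ecx, eax"
  end
  ops
end

# The nasm source the server would assemble and send to the client.
def to_nasm(ops)
  ops.map { |op, k| op == :mix ? "xor ecx, eax" : "#{op} eax, #{k}" }.join("\n")
end

# Server-side reference value: interpret the same ops over the memory words.
def run_challenge(ops, words, seed = 0)
  ecx = seed & MASK
  words.each do |word|
    eax = word & MASK
    ops.each do |op, k|
      case op
      when :xor then eax ^= k
      when :add then eax = (eax + k) & MASK
      when :sub then eax = (eax - k) & MASK
      when :ror then eax = ror32(eax, k)
      when :rol then eax = rol32(eax, k)
      when :mix then ecx ^= eax
      end
    end
  end
  ecx
end

# Checksum a raw memory dump (e.g. what gdb returns) as little-endian uint32s.
def checksum_memory(ops, bytes, seed = 0)
  run_challenge(ops, bytes.b.unpack("V*"), seed)
end
```

Because the server keeps the instruction list, the value it expects can be computed from a trusted copy of the client's memory and compared against what the client reports; a tampered region changes eax on the affected words and therefore the mixed ecx.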