One Article Review

Source SkullSecurity
Identifier 8300185
Publication date 2021-03-15 16:40:00 (viewed: 2023-01-11 16:56:04)
Title BSidesSF CTF 2021 Author writeup: Reverseme and Reverseme2 – simpler reverse engineering challenges
Text

This is going to be a writeup for the Reverseme challenges (reverseme and reverseme2) from BSides San Francisco 2021. Both parts are reasonably simple reverse engineering challenges. I provide the compiled binaries to the player (you can find those in the respective distfiles/ folders), and you have to figure out what to do with them. Both challenges use the same basic code as the runme challenges, where you send shellcode that is executed. Only in this case, the shellcode must be modified or "encoded" in some way first!

Reverseme

Since this can be solved with basic tools, I'm just going to use objdump to disassemble the Reverseme binary. You could much more effectively use IDA or Ghidra, but to use those I might have to take screenshots, deal with file uploads, etc. :)

Here's the output from objdump, focused on the important part (which I found by searching for main):

    $ objdump -D -M intel ./reverseme/distfiles/reverseme
    [...]
    ; Read the code from stdin (should be identical to Runme)
    1220:  e8 3b fe ff ff    call   1060
    1225:  48 89 45 e8       mov    QWORD PTR [rbp-0x18],rax
    ; Perform error checking
    1229:  48 83 7d e8 00    cmp    QWORD PTR [rbp-0x18],0x0
    ; Jump if no error (read() returned a non-negative length)
    122e:  79 16             jns    1246
    ;
    ; A for loop starts here, that loops over the full buffer. This is a small
    ; optimization - it jumps to the bottom where the for loop's exit condition
    ; is checked
    124d:  eb 28             jmp    1277
    ; This loop is a super unoptimized way of doing:
    ;   xor buffer[i], 0x41
    ;   inc i
    124f:  8b 45 fc          mov    eax,DWORD PTR [rbp-0x4]
    1252:  48 63 d0          movsxd rdx,eax
    1255:  48 8b 45 f0       mov    rax,QWORD PTR [rbp-0x10]
    1259:  48 01 d0          add    rax,rdx
    125c:  0f b6 08          movzx  ecx,BYTE PTR [rax]
    125f:  8b 45 fc          mov    eax,DWORD PTR [rbp-0x4]
    1262:  48 63 d0          movsxd rdx,eax
    1265:  48 8b 45 f0       mov    rax,QWORD PTR [rbp-0x10]
    1269:  48 01 d0          add    rax,rdx
    126c:  83 f1 41          xor    ecx,0x41
    126f:  89 ca             mov    edx,ecx
    1271:  88 10             mov    BYTE PTR [rax],dl
    1273:  83 45 fc 01       add    DWORD PTR [rbp-0x4],0x1
    ; Eax = the next loop iterator
    1277:  8b 45 fc          mov    eax,DWORD PTR [rbp-0x4]
    127a:  48 98             cdqe
    ; Are we at the end of the loop? (signed compare: len > i)
    127c:  48 39 45 e8       cmp    QWORD PTR [rbp-0x18],rax
    ; Jump to the top until the loop is done
    1280:  7f cd             jg     124f
    ; Get the buffer and call into it (same as Runme)
    1282:  48 8b 45 f0       mov    rax,QWORD PTR [rbp-0x10]
    1286:  ff d0             call   rax
    [...]

So every byte you send is XORed with 0x41 before it is executed; to get your shellcode to run, you XOR it with 0x41 first. When I was learning to reverse engineer, I got a ton of mileage out of compiling C code and looking at the resulting assembly to see what happens to loops and variables and stuff. So it might be illustrative to look at the source (which players wouldn't have had during the game):

    len = read(0, buffer, LENGTH);
    if(len < 0) {
      printf("Error reading!\n");
      exit(1);
    }
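To make the loop above concrete, here is an added example that is not the challenge's own source and not the author's solution: it reconstructs the XOR-0x41 decoder from the disassembly (including the signed length check and the signed `len > i` loop condition) and pairs it with the encoder a player runs over their shellcode before sending it. Only the key (`xor ecx,0x41`), the read()-based input and the signed-length behaviour come from the binary; the function names, the 4096-byte input limit and the sample payload are this example's assumptions.

```c
/* Added example, not the challenge's own source: the XOR-0x41 decoder
 * recovered from the reverseme disassembly and the matching encoder a
 * player needs before sending shellcode. Key and loop semantics come from
 * the binary; names and the 4096-byte limit are assumptions of this example. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define XOR_KEY  0x41
#define MAX_CODE 4096          /* assumed input limit for this example */

/* Per-byte transform. XOR with a constant is an involution, so the same
 * function encodes on the player's side and decodes inside the binary. */
static unsigned char xor41_byte(unsigned char b) {
    return (unsigned char)(b ^ XOR_KEY);
}

/* Decoder behaving like the loop at 124f-1280: len is the signed return
 * value of read() ([rbp-0x18]), i is a 32-bit int ([rbp-0x4]) sign-extended
 * by cdqe, and the loop runs while len > i (the jg at 1280). A negative len
 * takes the error path (jns at 122e), modelled here as returning -1; a len
 * of 0 is "no error" and touches nothing. Returns bytes transformed. */
static long reverseme_decode(unsigned char *buffer, ssize_t len) {
    if (len < 0)
        return -1;
    int i;
    for (i = 0; (ssize_t)i < len; i++)
        buffer[i] = xor41_byte(buffer[i]);
    return i;
}

/* Player-side encoder: produces the bytes that, once the binary has XORed
 * them with 0x41, become the original shellcode. */
static size_t reverseme_encode(const unsigned char *shellcode,
                               unsigned char *out, size_t len) {
    for (size_t i = 0; i < len; i++)
        out[i] = xor41_byte(shellcode[i]);
    return len;
}

/* Round trip on a constructed payload: "xor eax,eax ; ret" (31 c0 c3) plus
 * one 0x41 byte, which encodes to 0x00. That NUL is harmless here because
 * the binary pulls input with read(), not a string function. Returns 1 on
 * success, 0 on any mismatch. */
static int reverseme_selftest(void) {
    const unsigned char payload[] = { 0x31, 0xc0, 0xc3, 0x41 };
    unsigned char encoded[sizeof payload], decoded[sizeof payload];

    reverseme_encode(payload, encoded, sizeof payload);
    if (encoded[0] != 0x70 || encoded[1] != 0x81 ||
        encoded[2] != 0x82 || encoded[3] != 0x00)
        return 0;
    memcpy(decoded, encoded, sizeof payload);
    if (reverseme_decode(decoded, (ssize_t)sizeof payload) != (long)sizeof payload)
        return 0;
    return memcmp(decoded, payload, sizeof payload) == 0;
}

/* Usage: ./reverseme_encode < shellcode.bin | ./reverseme
 * Reads raw shellcode on stdin and writes the encoded form on stdout. */
int main(void) {
    unsigned char in[MAX_CODE], out[MAX_CODE];
    ssize_t n = read(0, in, sizeof in);
    if (n < 0) {
        perror("read");
        return 1;
    }
    reverseme_encode(in, out, (size_t)n);
    if (fwrite(out, 1, (size_t)n, stdout) != (size_t)n)
        return 1;
    return 0;
}
```

The decoder keeps the binary's exact types on purpose: the 32-bit `i` against a signed `ssize_t` length is what the `cdqe` plus `cmp`/`jg` pair in the disassembly implements, and a negative length never reaches the loop, which is why the only interesting edge case for the player is a shellcode byte of 0x41 turning into a NUL on the wire.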
Rating ★★★★


The article does not seem to have been picked up after its publication.


The article does not seem to be a repost of an earlier one.