picoCTF2019 Reverse Engineering Asm

Hello, here’s my take on the picoCTF2019 reverse engineering asm challenges. If you don’t know assembly, please watch a few tutorials on it: asm1 – Points: 200 CMP: Compares the first source operand with the second source operand and sets the status flags in the EFLAGS register according to the results. The comparison is performed by subtracting the second operand from the first operand and then setting the status flags in the same manner as the SUB instruction. When an immediate value is used as an operand, it is sign-extended to the length of the first operand. ...

February 23, 2020 · 3 min · Denis Nuțiu

picoCTF 2019 Reverse Engineering Vault Doors

I’m always late to the party but here’s my solutions to the PicoCTF2019 Vault Doors challenges from the reverse engineering section. I did it this mainly to improve my skills and hopefully to learn some new things. vault-door-training – Points: 50 Your mission is to enter Dr. Evil’s laboratory and retrieve the blueprints for his Doomsday Project. The laboratory is protected by a series of locked vault doors. Each door is controlled by a computer and requires a password to open. Unfortunately, our undercover agents have not been able to obtain the secret passwords for the vault doors, but one of our junior agents obtained the source code for each vault’s computer! You will need to read the source code for each level to figure out what the password is for that vault door. As a warmup, we have created a replica vault in our training facility. The source code for the training vault is here: VaultDoorTraining.java ...

February 1, 2020 · 4 min · Denis Nuțiu

Bypassing ptrace calls with LD_PRELOAD on Linux

Hello, Here’s a quick article on how to bypass calls to ptrace when debugging a Linux executable. By calling ptrace with the PTRACE_TRACEME option, a process can detect if it’s being debugged and execute different instructions. This an effective anti-debugging technique. For example, take the following C program: 1 2 3 4 5 6 7 8 int main() { if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) { printf("I'm being debugged!n"); } else { printf("Normal flown"); } return 0; } If we execute the program from above we get Normal flow on our screen but if we debug it with gdb we get Err: I'm being debugged! ...

January 2, 2020 · 2 min · Denis Nuțiu

Root-Me: GB &#8211; Basic GameBoy crackme walkthrough

Hello, In this article I will describe how I solved the GB – Basic GameBoy crackme challenge from Root-Me. Before reading this article you should attempt to solve the challenge on your own. Start by reading/skimming through the GameBoy CPU manual then download an emulator such as mGba and play with the ROM. To disassemble the ROM I’ve used Ghidra and mgbdis. After reading through the GameBoy CPU manual, I’ve opened the file in Ghidra and found these interesting strings: ...

October 27, 2019 · 3 min · Denis Nuțiu

Ghidra Scripting: Annotating Linux system calls

I had some fun this weekend messing around with Ghidra. Having such a powerful tool for free is truly a game changer. To start scripting in Ghidra, I downloaded the latest Eclipse for Java Developers Version: 2019-09 R (4.13.0), Ghidra and Open JDK, I believe any JDK version 11+ will work. After downloading the JDK, extract the zip, put it somewhere and modify your PATH and JAVA_HOME environment variables to point to it: ...

October 13, 2019 · 9 min · Denis Nuțiu

Root Me &#8211; Xor Madness &#8211; Walkthrough

Hello, In this article I will describe how I solved the PE x86 – Xor Madness challenge from Root-Me This challenge will ask you for a password and the password is also used to validate the flag. What makes this challenge interesting is that it only uses xor, sub, call and ret. Here’s how I approached the challenge: Since the binary had a few function and some strings were in plain text, I tried to figure out the big picture and labeled all the function accordingly: win, lose, check and so on. I’ve figured out that there are 6 stages, each stage tries to process a part of the password. The start function is also a stage and other stages are similar. Next, I’ve spend a few hours debugging this challenge and documenting everything it does in order to see what it wants. To solve this challenge you need to know how the XOR operation works, please check that you know this before moving forward. ...

October 6, 2019 · 5 min · Denis Nuțiu

Practical Binary Analysis – CTF Walkthrough – Level 3, 4

Hello, In this article I’ll present you my solution on the Chapter 5 CTF from the book Practical Binary Analysis. For this binary, the hint is to fix four broken things. Running file gives us the following response: 1 2 binary@binary-VirtualBox:~/ctf$ file ./lvl3 ./lvl3: ERROR: ELF 64-bit LSB executable, Motorola Coldfire, version 1 (Novell Modesto) error reading (Invalid argument) And the readelf command gives us: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 binary@binary-VirtualBox:~/ctf$ readelf -h ./lvl3 ELF Header: Magic: 7f 45 4c 46 02 01 01 0b 00 00 00 00 00 00 00 00 Class: ELF64 Data: 2's complement, little endian Version: 1 (current) OS/ABI: Novell - Modesto ABI Version: 0 Type: EXEC (Executable file) Machine: Motorola Coldfire Version: 0x1 Entry point address: 0x4005d0 Start of program headers: 4022250974 (bytes into file) Start of section headers: 4480 (bytes into file) Flags: 0x0 Size of this header: 64 (bytes) Size of program headers: 56 (bytes) Number of program headers: 9 Size of section headers: 64 (bytes) Number of section headers: 29 Section header string table index: 28 readelf: Error: Reading 0x1f8 bytes extends past end of file for program headers At this moment, it was clear that the ELF header is broken, in order to fix it I opened up Wikipedia and the elf specification. ...

September 19, 2019 · 3 min · Denis Nuțiu

Introduction to Angr

I always wanted to play around with a binary analysis framework but most of the time I was turned off by how difficult it was to install and use it. Just recently I’ve thought to give angr a try and now I want to share my experience with you! I will present you a two scripts that solve two challenges, if you wish to dig deeper and learn Angr then you should visit it’s official documentation. ...

August 21, 2019 · 5 min · Denis Nuțiu

Root-Me Reversing: crackme_wtf hints

It’s been some time since I’ve done some Reverse Engineering and today I’ve completed a simple challenge on . The filename of the challenge is crackme_wtf and here are some hints to get you started: Determine type of FILEs. Don’t be afraid to patch and use a debugger. Try to eliminate the randomness. Maybe some functions that have to do with time, random numbers or the current process’s id. If the last hint doesn’t yield any results… Is the required password really needed to get to the flag? Thanks for reading and good luck! ...

August 4, 2019 · 1 min · Denis Nuțiu

Root-Me: ExploitMe &#8211; Basic Buffer Overflow

Hello, In this article I present you the solution to nice and short cracking challenge from Root-Me. After opening it up in Ghidra, I saw that the challenge is easy to solve, all you need is to find the password, which is in plain text. Basically just copy paste and you get the flag, but wait, there’s a twist! I should have learned my lesson from the other challenge from Root-Me, which also had a twist. ...

March 31, 2019 · 3 min · Denis Nuțiu