Posts for: #Reverse-Engineering

SHC 2024 - Office program

This was the easiest pwn challenge of the CTF. It didn’t require any overflow or anything.

Here’s the most interesting part of the program:

puts("\nSelect an action:");
puts("0 - Exit (like leaving the offic…");
puts("1 - Print favourite excel column");
puts("2 - Call Rebecca from front desk");
puts("3 - Get secret sauce (only for f…");
printf("Enter your choice: ");
int32_t input; // Lost a lot of time trying to figure out if this was overflowable
__isoc99_scanf("%d", &input);
important_work_or_attend_a_meeting();
if (input == 3)
{
    break;
}
if (input < 0)
{
    puts("\nInput out of range. You confus…");
    input = -(input);
}
input = (input + 5);
if (input < 0)
{
    puts("\nInput out of range. You confus…");
    print_flag();
}

The goal is to reach the print_flag function. To do so, we have to send the program a value that will be turned into its negative; then 5 is added to it, and the result has to be less than zero for the function to be called. At first I thought that sending any negative number less than 5 would do the trick, but it did not, simply because scanf expects a %d, i.e. an integer.
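As an added example (not the challenge's code), this models the check above in Python with explicit 32-bit two's complement wrapping: it shows why a plain negative choice never reaches print_flag, which int32 values do wrap at the negation and at the +5, and a range-checked version of the same logic that rejects them. The return labels, the function names and the assumption that the input is already a valid int32 are mine.

```python
# Added example (not the challenge's code): the menu check from the office
# program above, modelled with explicit 32-bit two's complement wrapping.
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def to_int32(x):
    """Wrap an arbitrary Python int to a signed 32-bit value, as a C int does."""
    return ((x + 2**31) % 2**32) - 2**31


def office_check(choice):
    """Mirror of the decompiled branch: returns 'exit', 'flag' or 'nothing'.

    `choice` is assumed to be what scanf("%d") stored, i.e. already an int32.
    """
    x = to_int32(choice)
    if x == 3:
        return 'exit'
    if x < 0:
        x = to_int32(-x)   # -INT32_MIN has no int32 representation: wraps to INT32_MIN
    x = to_int32(x + 5)    # +5 can also carry a large positive value past INT32_MAX
    return 'flag' if x < 0 else 'nothing'


def flag_inputs():
    """All int32 inputs that reach print_flag, found by probing around the two
    wrap points (every other input lands in [5, INT32_MAX] after the +5, so a
    sweep over all 2**32 values is unnecessary)."""
    candidates = list(range(INT32_MIN, INT32_MIN + 7)) + list(range(INT32_MAX - 6, INT32_MAX + 1))
    return [c for c in candidates if office_check(c) == 'flag']


def hardened_check(choice):
    """Same menu logic with range checks instead of wrapping arithmetic."""
    if choice == 3:
        return 'exit'
    if choice < 0:
        if choice == INT32_MIN:
            return 'rejected'  # negation would overflow
        choice = -choice
    if choice > INT32_MAX - 5:
        return 'rejected'      # addition would overflow
    return 'nothing'           # choice + 5 is now provably non-negative


if __name__ == '__main__':
    for v in (-10, INT32_MIN, INT32_MAX):
        print(v, office_check(v), hardened_check(v))
```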


SHC 2024 Printer Destroyer Format

I received a todo list from IT which I really need to complete.
Clippy is telling lies and says it is not safe to open this PDF :(
Stupid Clippy

This was one of my favourite challenges of this year’s SHC. We got an apparently simple PDF file, in which we can expect some sort of macro if we believe what we’re told in the intro.

The tool pdfextract from the origami repository is incredibly helpful, as it extracts everything we might be interested in for a CTF challenge: images, streams, scripts and attachments, and creates a directory in which it puts everything.


Hackappatoi 23 - The first horseman

For this reverse engineering challenge, we’re given a pyc file. I had never encountered this filetype before, but after some research, it appears to be a compiled Python file. We can decompile it with https://www.toolnb.com/tools-lang-en/pyc.html. Here’s what the decompiled code looks like:

# uncompyle6 version 3.5.0
# Python bytecode 3.8 (3413)
# Decompiled from: Python 3.7.2 (default, Dec 29 2018, 06:19:36) 
# [GCC 7.3.0]
# Embedded file name: ../thefirsthorseman.py
# Size of source mod 2**32: 2794 bytes
from time import sleep
import codecs
print("You've inserted the key you found on the mysterious Laptop and you've been teleported to a place you don't know.")
print('All you can see is an enormous door keeping a castle safe. You approach it and with a bit of fear proceed to open it.')
print('In the middle of the hall you see a funny man, it seems the court jester, but still he scares you.')
print("'SHISH, SHISH' is the only thing he says, and now you realize he is the first horseman, ready to stop you from reaching further in your mission.")
print('The man walks towards you and tries to hit you multiple times! Avoid his punches!\n')

def shish():
    exit("The funny man manages to hit you. You fall on the ground.\nYou don't remember anything. All you know now is a word...\nSHISH\n")


f = ['r3st', '4s_a', 'b3_c', 'm4tt', 'l3t_']
l = ['4ll0', '30_1', '7t3_', 'jkin', 'p1ck']
a = ['5_th', '3_4n', '1t_1', '00p5', '1n_1']
g = ['p1_7', '3_w0', 't0g3', '00_k', 'n0th']
s = ['ear5', 'k!1!', '1n6!', '33p5', 'rd_!']
counter = 0
indexes = []


def print_flag():
    flag = ''
    flag += f[indexes[0]]
    flag += l[indexes[1]]
    flag += a[indexes[2]]
    flag += g[indexes[3]]
    flag += s[indexes[4]]
    flag = 'upgs{' + flag + '}'
    flag = codecs.encode(flag, 'rot13')
    print(flag)


try:
    for t in range(1, 6):
        print(f"{t}...")
        counter = t
        sleep(1)

    shish()
except KeyboardInterrupt:
    if counter == 4:
        print('\nYou dodged it\n')
        indexes.append(counter - 1)
    else:
        shish()

try:
    for t in range(1, 6):
        print(f"{t}...")
        counter = t
        sleep(1)

    shish()
except KeyboardInterrupt:
    if counter == 2:
        print('\nYou dodged it\n')
        indexes.append(counter - 1)
    else:
        shish()

try:
    for t in range(1, 6):
        print(f"{t}...")
        counter = t
        sleep(1)

    shish()
except KeyboardInterrupt:
    if counter == 1:
        print('\nYou dodged it\n')
        indexes.append(counter - 1)
    else:
        shish()

try:
    for t in range(1, 6):
        print(f"{t}...")
        counter = t
        sleep(1)

    shish()
except KeyboardInterrupt:
    if counter == 2:
        print('\nYou dodged it\n')
        indexes.append(counter - 1)
    else:
        shish()
else:
    try:
        for t in range(1, 6):
            print(f"{t}...")
            counter = t
            sleep(1)

        shish()
    except KeyboardInterrupt:
        if counter == 5:
            print('\nYou dodged it\n')
            indexes.append(counter - 1)
        else:
            shish()
    else:
        print('The man is tired, he just hands you a slip of paper, to open the next door.\nThis is what you read')
        print_flag()
        print("The man then says his last words...\n 'https://youtu.be/XH0CSzdHwg0?si=DOwRhOnorrc-WWIx'")

Read off the indexes that print_flag needs from the counter checks in each except branch, apply the ROT13 cipher, and you can easily recover the value taken from each array: there we are!
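As an added example (not the challenge's or this writeup's code), this recovers the flag statically instead of timing Ctrl-C against the sleep(1) loops: it parses a trimmed, constructed copy of the decompiled source with the ast module, reads the five counter values the except branches require in source order, and rebuilds what print_flag would output. The function name and the trimmed source are assumptions.

```python
# Added example (not the challenge's code): recover the flag statically from the
# decompiled source above, so no timing of Ctrl-C against the sleep(1) loops is needed.
import ast
import codecs

# Constructed, trimmed copy of the decompiled source: only the five word lists and
# the five `counter == N` checks, in their original order, matter to the solver.
DECOMPILED_SRC = """
f = ['r3st', '4s_a', 'b3_c', 'm4tt', 'l3t_']
l = ['4ll0', '30_1', '7t3_', 'jkin', 'p1ck']
a = ['5_th', '3_4n', '1t_1', '00p5', '1n_1']
g = ['p1_7', '3_w0', 't0g3', '00_k', 'n0th']
s = ['ear5', 'k!1!', '1n6!', '33p5', 'rd_!']
if counter == 4: pass
if counter == 2: pass
if counter == 1: pass
if counter == 2: pass
if counter == 5: pass
"""


def recover_flag(src):
    """Collect the word lists and the counter checks from the source and rebuild
    print_flag's output without running the program."""
    tree = ast.parse(src)
    lists, checks = {}, []
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.List):
            lists[node.targets[0].id] = [ast.literal_eval(e) for e in node.value.elts]
        elif (isinstance(node, ast.Compare) and isinstance(node.left, ast.Name)
              and node.left.id == 'counter'):
            checks.append((node.lineno, node.comparators[0].value))
    # ast.walk is breadth-first, so sort by line number to get source order
    counters = [c for _, c in sorted(checks)]
    indexes = [c - 1 for c in counters]   # each branch does indexes.append(counter - 1)
    # print_flag concatenates f, l, a, g, s in that order (the names spell "flags")
    body = ''.join(lists[name][i] for name, i in zip('flags', indexes))
    plain = 'upgs{' + body + '}'
    return {'indexes': indexes, 'plain': plain, 'printed': codecs.encode(plain, 'rot13')}


if __name__ == '__main__':
    print(recover_flag(DECOMPILED_SRC))
```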


ROP: ret2win (x86)

For the x86 version of the challenge, we can see that the program contains the following functions:

gef➤  info functions
All defined functions:

Non-debugging symbols:
0x08048374  _init
0x080483b0  read@plt
0x080483c0  printf@plt
0x080483d0  puts@plt
0x080483e0  system@plt
0x080483f0  __libc_start_main@plt
0x08048400  setvbuf@plt
0x08048410  memset@plt
0x08048420  __gmon_start__@plt
0x08048430  _start
0x08048470  _dl_relocate_static_pie
0x08048480  __x86.get_pc_thunk.bx
0x08048490  deregister_tm_clones
0x080484d0  register_tm_clones
0x08048510  __do_global_dtors_aux
0x08048540  frame_dummy
0x08048546  main
0x080485ad  pwnme
0x0804862c  ret2win
0x08048660  __libc_csu_init
0x080486c0  __libc_csu_fini
0x080486c4  _fini

We get a bunch of not-so-interesting functions, as well as the main, pwnme and ret2win functions. They are used for the following:
