Dragon CTF 2021 Rev - `Run of the Mill` write-up



Our Team Water Paddler got 7 th position in `DragonCTF 2021`.

Run of the Mill

Given a executable, seems to be constructed directly from the assembly (Only entry0 function).
Takes an input (flag), make operations on that input bytes and finally compare those input bytes with the stored 64 bytes, if equal -> prints "Well Done"

Goal is to recover the flag based on operations (encryption), and final bytes.
But manual analysis on those operations is very difficult (nearly 7.5k+ instructions for those operations)

Analyzing the problem

One of my teammate mentioned that, even though instructions are many, opcodes used are very less
`['ror', 'xor', 'mov', 'add', 'sub', 'movq', 'pxor', 'rol']`

Then got the idea of scripting : Writing a script for decrypting the encrypted flag bytes, automatically based on operations on Assembly
-> Dumped those assembly instructions (of encryption) into a text file, from IDA
-> Dumped the memory (0x000412000 - 0x00041209F) of runofmill into a python script

Part-1 : Script for simulating asm instructions
In order to reverse that encryption automatically, need a script to first (parse , execute) those instructions.

Main Challanges faced in this part :
  • Instruction parsing, Operand Parsing.
  • Memory (RAM) management for executing instructions (store, load ops), due to little endian concept.
  • Instruction Execution, based on opcode and operands

    • Part-2 : Script for Reversing the encryption
    By doing those operations (used for encryption) on the encrypted bytes in the reverse order, we can recover the flag.

    Main Challanges faced in this part :
  • Seprating the instructions into the blocks, to execute those blocks (operations) in reverse order.
  • Instruction Execution, based on opcode and operands

    • By Observing the assembly instructions i have noticed three patterns in the assembly instructions, which are used for encryption.
    Type - 1 :
ror|xor|add|sub     (byte/word/dword/qword) memory-address, direct-value

Type - 2 :
mov     register, direct-value
add     register, memory-address

Type - 3 : 
mov     register, direct-value
mov     qword_412090, register
movq    mm0, qword_412090
pxor    mm0, (qword) memory-address
movq    (qword) memory-address, mm0
    Type - 2 is dummy instructions , just for obfuscation, we need only Type-1, Type-3 instrucions.
    Implemented block separation, reverse logic for opcodes, placed the final encrypted bytes at input bytes address.

    Finally

    The script : I have created for recovering flag, by putting all together. Assembly Instructions, I have dumped from IDA are (input for the script) : link

    By running the script :
    Flag : DrgnS{SoManyInstructionsYetSoWeak}



    Thanks for reading !...

    Comments

    Post a Comment

    Popular posts from this blog

    Square CTF 2019 Writeup's

    Image
       [*]-challenges    [+] (one   - 100 pts) Talk to me    [+] (two   - 700 pts) Aesni    [+] (three - 150 pts) Decode me    [+] (five  - 200 pts) Inwasmble    [+] (seven - 600 pts) Lockbox    [+] (nine  - 700 pts) Sudo make me a flag Our Team Invaders ended up at 19th position With points 3450 points Talk to me A service running at `talk-to-me-dd00922915bfc3f1.squarectf.com:5678` $ nc talk-to-me-dd00922915bfc3f1.squarectf.com 5678 Hello! aaaaaaaaaaaa Sorry, I can't understand you. Saying Hello! and asking for input(aaaaaaaaaaaa) Then returning a message After some trails, Two errors meant a lot (for 1 and ') $ nc talk-to-me-dd00922915bfc3f1.squarectf.com 5678 Hello! 1 undefined method `match' for 1:Integer /talk_to_me.rb:16:in `receive_data' /var/lib/gems/2.5.0/gems/eventmachine-1.2.7/lib/eventmachine.rb:195:in `run_machine' /var/lib/gems/2.5.0/gems/eventmachine-1.2.7/lib/eventmachine.rb:195:in `run' /talk_to_me.rb:31:in ` '
    Read more

    K3RN3L CTF 2021 Rev - `Recurso & Rasm ` writeups

    Image
    This is a write-up for Reverse engineering challenges in K3RN3LCTF 2021 based on VM Concept using Recurso Language [*]-challenges     [+] (Rev - 500 pts) Recurso ( First Blood )     [+] (Rev - 500 pts) Rasm (After CTF) Our Team zh3ro ended up at 9 th position in `K3RN3LCTF - 2021`. These Reverse engineering challs are interesting -> Both are based on one vm only (Recurso), different compiled scripts . (leFlag.recc , rasm.recc) Recurso Given a Recurso Execuatable which can compile, run recurso sccrips. And a leFlag.recc (a recurso compiled file) containing a flag checking logic, can be run by given Recurso executable. The Goal of the challenge is to get the flag checking logic in leFlag.recc and steal flag Decompile and Analyse -> Recurso First we have to get to know about how the Recurso is running this byte code in order to get the logic of le
    Read more

    InCTF 2019 writeup's

    [+] (Rev - 100 pts) cliche_crackme [+] (Web - 856 pts) s3cur3-r3v Our Team Invaders end up at 9th position With points 4375 points cliche_crackme (Rev) By dissambling the exectuable; It is just encrypting our input Checking with data string It is doing simply data = b'\xd7\xcc\xdd\xcf\xe4\xbd\xd1\x9d\xdd\xdc\xc8\xd1\xce\x9a\x9a\xc8\xd5\x99\xdd\xc8\x99\xcf\xc8\xe0\x99\xdb\xd4\xc8\xe0\x9d\xdc\xc8\xd2\xdd\xa8\xe6\xd1\xe2\xd4\xe9\xc2\xd6\xa2\xe2\xe1\xcd\xd6\xd3\x9f\x9f\xcd\xda\x9e\xe2\xcd\x9e\xd4\xcd\xe5\x9e\xe0\xd9\xcd\xe5\xa2\xe1\xcd\xd7\xe2\xad\xeb\xd7\xc9\xde\xb7\xcb\x97\xd7\xd6\xc2\xcb\xc8\x94\x94\xc2\xcf\x93\xd7\xc2\x93\xc9\xc2\xda\x93\xd5\xce\xc2\xda\x97\xd6\xc2\xcc\xd7\xa2\xe0\xda\xef\xc8\xdc\xa8\xe8\xe7\xd3\xdc\xd9\xa5\xa5\xd3\xe0\xa4\xe8\xd3\xa4\xda\xd3\xeb\xa4\xe6\xdf\xd3\xeb\xa8\xe7\xd3\xdd\xe8\xb3\xf1\xe1\xba\xce\x9a\xda\xd9\xc5\xce\xcb\x97\x97\xc5\xd2\x96\xda\xc5\x96\xcc\xc5\xdd\x96\xd8\xd1\xc5\xdd\x9a\xd9\xc5\xcf\xda\xa5
    Read more