Dragon CTF 2021 Rev - `Run of the Mill` write-up



Our Team Water Paddler got 7 th position in `DragonCTF 2021`.

Run of the Mill

Given a executable, seems to be constructed directly from the assembly (Only entry0 function).
Takes an input (flag), make operations on that input bytes and finally compare those input bytes with the stored 64 bytes, if equal -> prints "Well Done"

Goal is to recover the flag based on operations (encryption), and final bytes.
But manual analysis on those operations is very difficult (nearly 7.5k+ instructions for those operations)

Analyzing the problem

One of my teammate mentioned that, even though instructions are many, opcodes used are very less
`['ror', 'xor', 'mov', 'add', 'sub', 'movq', 'pxor', 'rol']`

Then got the idea of scripting : Writing a script for decrypting the encrypted flag bytes, automatically based on operations on Assembly
-> Dumped those assembly instructions (of encryption) into a text file, from IDA
-> Dumped the memory (0x000412000 - 0x00041209F) of runofmill into a python script

Part-1 : Script for simulating asm instructions
In order to reverse that encryption automatically, need a script to first (parse , execute) those instructions.

Main Challanges faced in this part :
  • Instruction parsing, Operand Parsing.
  • Memory (RAM) management for executing instructions (store, load ops), due to little endian concept.
  • Instruction Execution, based on opcode and operands

    • Part-2 : Script for Reversing the encryption
    By doing those operations (used for encryption) on the encrypted bytes in the reverse order, we can recover the flag.

    Main Challanges faced in this part :
  • Seprating the instructions into the blocks, to execute those blocks (operations) in reverse order.
  • Instruction Execution, based on opcode and operands

    • By Observing the assembly instructions i have noticed three patterns in the assembly instructions, which are used for encryption.
    Type - 1 :
ror|xor|add|sub     (byte/word/dword/qword) memory-address, direct-value

Type - 2 :
mov     register, direct-value
add     register, memory-address

Type - 3 : 
mov     register, direct-value
mov     qword_412090, register
movq    mm0, qword_412090
pxor    mm0, (qword) memory-address
movq    (qword) memory-address, mm0
    Python
    Type - 2 is dummy instructions , just for obfuscation, we need only Type-1, Type-3 instrucions.
    Implemented block separation, reverse logic for opcodes, placed the final encrypted bytes at input bytes address.

    Finally

    The script : I have created for recovering flag, by putting all together.
    import re
    class RAM_Memory:
    bytes_arr = []
    dtypes = {'byte' : 1, 'word' : 2, 'dword' : 4, 'qword' : 8}
    def __init__(self, int64_arr) -> None:
    for num in int64_arr:
    for i in range(8):
    self.bytes_arr.append(num & 0xff)
    num = num >> 8
    def get(self, addr, dtype = 'byte'):
    if dtype not in self.dtypes:
    raise Exception("Invalid data type", dtype)
    count = self.dtypes[dtype]
    return self.read_data(addr, count)
    def set(self, addr, value, dtype = 'byte'):
    if dtype not in self.dtypes:
    raise Exception("Invalid data type", dtype)
    count = self.dtypes[dtype]
    value = value % (2**(count*8))
    return self.write_data(addr, value, count)
    def read_data(self, addr, count):
    num = 0
    for i in range(count):
    num = num | ( self.bytes_arr[addr + i] << 8*i)
    return num
    def write_data(self, addr, data, count):
    for i in range(count):
    self.bytes_arr[addr + i] = (data & 0xff)
    data = data >> 8
    class Instruction:
    def __init__(self, ins) -> None:
    temp = ins.split(' ')
    self.addr = temp.pop(0)
    # ['ror', 'xor', 'mov', 'add', 'sub', 'movq', 'pxor', 'rol']
    self.operation = temp.pop(0)
    op1, op2 = ' '.join(temp).strip().split(' ; ')[0].split(',')
    self.dst = Operand(op1)
    self.src = Operand(op2)
    if (self.dst.type == '' or self.src.type == ''):
    raise Exception("Invalid Intrsution : ", ins)
    def execute(self):
    if self.operation == 'add':
    res = self.dst.get() + self.src.get()
    self.dst.set(res)
    elif self.operation == 'sub':
    res = self.dst.get() - self.src.get()
    self.dst.set(res)
    elif self.operation == 'xor' or self.operation == 'pxor':
    res = self.dst.get() ^ self.src.get()
    self.dst.set(res)
    elif self.operation == 'mov' or self.operation == 'movq':
    res = self.src.get()
    self.dst.set(res)
    elif self.operation == 'ror':
    if self.dst.type != 'memory' or self.src.type != 'immediate':
    raise Exception("Invalid Operands : for ror operation ", self.dst.type, self.src.type)
    res = right_rotate(self.dst.get(), self.src.get(), self.dst.dtype )
    self.dst.set(res)
    elif self.operation == 'rol':
    if self.dst.type != 'memory' or self.src.type != 'immediate':
    raise Exception("Invalid Operands : for ror operation ", self.dst.type, self.src.type)
    res = left_rotate(self.dst.get(), self.src.get(), self.dst.dtype )
    self.dst.set(res)
    else:
    raise Exception("Invalid Opearation : ", self.operation)
    def reverse(self):
    if self.operation == 'add':
    res = self.dst.get() - self.src.get()
    self.dst.set(res)
    elif self.operation == 'sub':
    res = self.dst.get() + self.src.get()
    self.dst.set(res)
    elif self.operation == 'xor' or self.operation == 'pxor':
    res = self.dst.get() ^ self.src.get()
    self.dst.set(res)
    elif self.operation == 'mov' or self.operation == 'movq':
    res = self.src.get()
    self.dst.set(res)
    elif self.operation == 'ror':
    if self.dst.type != 'memory' or self.src.type != 'immediate':
    raise Exception("Invalid Operands : for ror operation ", self.dst.type, self.src.type)
    res = left_rotate(self.dst.get(), self.src.get(), self.dst.dtype )
    self.dst.set(res)
    elif self.operation == 'rol':
    if self.dst.type != 'memory' or self.src.type != 'immediate':
    raise Exception("Invalid Operands : for ror operation ", self.dst.type, self.src.type)
    res = right_rotate(self.dst.get(), self.src.get(), self.dst.dtype )
    self.dst.set(res)
    else:
    raise Exception("Invalid Opearation : ", self.operation)
    class Operand:
    type = ''
    def __init__(self, string) -> None:
    string = string.strip()
    temp = re.match(r'^([0-9A-Fa-f]+)h$', string)
    if temp:
    self.type = 'immediate'
    self.value = int(temp.groups()[0], 16)
    return None
    temp = re.match(r'^([0-9]+)$', string)
    if temp:
    self.type = 'immediate'
    self.value = int(temp.groups()[0])
    return None
    temp = re.match(r'^((dword|word|byte) ptr )?qword_4120([0-9a-fA-F]+)\+?([1-9])?$', string)
    if temp:
    temp = temp.groups()
    self.type = 'memory'
    self.addr = int(temp[2], 16) + int(temp[3] or '0')
    self.dtype = temp[1] or 'qword' # byte, word, dword, qword
    return None
    temp = string.lower()
    if temp in REGISTERS:
    self.type = 'register'
    self.reg = REGISTERS[temp]
    return None
    raise Exception("Invalid operand : (Add it) -> ", string)
    def get(self):
    if self.type == 'immediate':
    return self.value
    if self.type == 'register':
    return self.reg.get()
    if self.type == 'memory':
    return MEMORY.get(self.addr, self.dtype)
    def set(self, value):
    if self.type == 'register':
    return self.reg.set(value)
    if self.type == 'memory':
    return MEMORY.set(self.addr, value, self.dtype)
    if self.type == 'immediate':
    raise Exception("Invalid write : Not allowed on immediate val")
    def __str__(self) -> str:
    return "<Operand - ({})>".format(self.type)
    class Register:
    def __init__(self, name, value = 0) -> None:
    self.name = name
    self.value = value
    def get(self):
    return self.value
    def set(self, value):
    self.value = value & 0xffffffffffffffff
    def right_rotate(value, rotations, dtype):
    total_bits = MEMORY.dtypes[dtype]*8
    bits = []
    for i in range(total_bits):
    bits.insert(0, value & 1)
    value = value >> 1
    for i in range(rotations):
    bits.insert(0, bits.pop())
    res = 0
    for bit in bits:
    res = (res << 1) | bit
    return res
    def left_rotate(value, rotations, dtype):
    total_bits = MEMORY.dtypes[dtype]*8
    bits = []
    for i in range(total_bits):
    bits.insert(0, value & 1)
    value = value >> 1
    for i in range(rotations):
    bits.append(bits.pop(0))
    res = 0
    for bit in bits:
    res = (res << 1) | bit
    return res
    REGISTERS = {
    'rax' : Register('rax', 0),
    'rbx' : Register('rbx', 0),
    'rcx' : Register('rcx', 0),
    'rdx' : Register('rdx', 0),
    'rdi' : Register('rdi', 0),
    'rsi' : Register('rsi', 0),
    'rbp' : Register('rbp', 0),
    'r8' : Register('r8' , 0),
    'r9' : Register('r9' , 0),
    'r10' : Register('r10', 0),
    'r11' : Register('r11', 0),
    'r12' : Register('r12', 0),
    'r13' : Register('r13', 0),
    'r14' : Register('r14', 0),
    'r15' : Register('r15', 0),
    'mm0' : Register('mm0', 0),
    }
    '''
    Orginal Data while execution :
    0x000412000 - 0x00041203F (Input bytes)
    0x000412050 - 0x00041208F (Encrypted flag bytes)
    0x000412090 - 0x00041208F (Used as Temp variable)
    '''
    data_dump = [
    0x4141414141414141, # 0x000412000
    0x4141414141414141, # 0x000412008
    0x4141414141414141, # 0x000412010
    0x4141414141414141, # 0x000412018
    0x4141414141414141, # 0x000412020
    0x4141414141414141, # 0x000412028
    0x4141414141414141, # 0x000412030
    0x4141414141414141, # 0x000412038
    0, # 0x000412040
    0, # 0x000412048
    0x0F299168089A9CB5, # 0x000412050
    0x0DA5C93F471FB1EBD, # 0x000412058
    0x0E28D416C7710940D, # 0x000412060
    0x0DB14E1950AA5265E, # 0x000412068
    0x7107E77BE4090B25, # 0x000412070
    0x17B4B25CC1F2D34E, # 0x000412078
    0x92C4981E353DAA30, # 0x000412080
    0x0CCCEB011CC6933F4, # 0x000412088
    0 # 0x000412090
    ]
    '''
    Orginal Data while execution :
    0x000412000 - 0x00041203F (Encrypted target bytes)
    0x000412090 - 0x00041208F (Used as Temp variable)
    '''
    modified_mem = [
    0x0F299168089A9CB5, # 0x000412000
    0x0DA5C93F471FB1EBD, # 0x000412008
    0x0E28D416C7710940D, # 0x000412010
    0x0DB14E1950AA5265E, # 0x000412018
    0x7107E77BE4090B25, # 0x000412020
    0x17B4B25CC1F2D34E, # 0x000412028
    0x92C4981E353DAA30, # 0x000412030
    0x0CCCEB011CC6933F4, # 0x000412038
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, # 0x000412040 to 0x000412088
    0 # 0x000412090
    ]
    def dump_mem():
    print("====> Memory DUMP : 0x000412000 - 0x00041209F")
    for i in range(19):
    print(".data:004120{:02x} -> 0x{:016x}\n".format(i*8, MEMORY.get(i*8, 'qword')))
    assembly = open("block-asm.txt").read()
    # Used for Simulation of Given Assembly instructions
    # MEMORY = RAM_Memory(data_dump)
    # for stat in assembly.split('\n'):
    # if not stat: continue
    # ins = Instruction(stat)
    # ins.execute()
    # dump_mem()
    MEMORY = RAM_Memory(modified_mem)
    code_blocks = [] # For finding operations from assembly
    block = [] # Each block stores one operation
    for stat in assembly.split('\n'):
    if not stat: continue
    ins = Instruction(stat)
    block.append(stat)
    if ins.dst.type == 'memory' and ins.dst.addr < 0x40:
    code_blocks.append(block)
    block = []
    continue
    if ins.src.type == 'memory' and ins.src.addr < 0x40 and ins.dst.reg.name != 'mm0':
    block = []
    continue
    # Execuating (Reverse of Operations) in reverse order (bottom to top) on Encrypted flag bytes [Decrypting].
    while code_blocks:
    block = code_blocks.pop()
    for stat in block:
    ins = Instruction(stat)
    ins.reverse()
    flag_bytes = []
    for i in range(0x40):
    temp = MEMORY.get(i)
    if temp == 0: break
    flag_bytes.append(temp)
    print("[+] Flag : ", bytes(flag_bytes).decode())
    view raw 0-script.py hosted with ❤ by GitHub
    Assembly Instructions, I have dumped from IDA are (input for the script) : link

    By running the script :
    Flag : DrgnS{SoManyInstructionsYetSoWeak}



    Thanks for reading !...

    Comments

    Post a Comment

    Popular posts from this blog

    Square CTF 2019 Writeup's

    Image
       [*]-challenges    [+] (one   - 100 pts) Talk to me    [+] (two   - 700 pts) Aesni    [+] (three - 150 pts) Decode me    [+] (five  - 200 pts) Inwasmble    [+] (seven - 600 pts) Lockbox    [+] (nine  - 700 pts) Sudo make me a flag Our Team Invaders ended up at 19th position With points 3450 points Talk to me A service running at `talk-to-me-dd00922915bfc3f1.squarectf.com:5678` $ nc talk-to-me-dd00922915bfc3f1.squarectf.com 5678 Hello! aaaaaaaaaaaa Sorry, I can't understand you. Saying Hello! and asking for input(aaaaaaaaaaaa) Then returning a message After some trails, Two errors meant a lot (for 1 and ') $ nc talk-to-me-dd00922915bfc3f1.squarectf.com 5678 Hello! 1 undefined method `match' for 1:Integer /talk_to_me.rb:16:in `receive_data' /var/lib/gems/2.5.0/gems/eventmachine-1.2.7/lib/eventmachine.rb:195:in `run_machine' /v...
    Read more

    K3RN3L CTF 2021 Rev - `Recurso & Rasm ` writeups

    Image
    This is a write-up for Reverse engineering challenges in K3RN3LCTF 2021 based on VM Concept using Recurso Language [*]-challenges     [+] (Rev - 500 pts) Recurso ( First Blood )     [+] (Rev - 500 pts) Rasm (After CTF) Our Team zh3ro ended up at 9 th position in `K3RN3LCTF - 2021`. These Reverse engineering challs are interesting -> Both are based on one vm only (Recurso), different compiled scripts . (leFlag.recc , rasm.recc) Recurso Given a Recurso Execuatable which can compile, run recurso sccrips. And a leFlag.recc (a recurso compiled file) containing a flag checking logic, can be run by given Recurso executable. The Goal of the challenge is to get the flag checking logic in leFlag.recc and steal flag Decompile and Analyse -> Recurso First we have to get to know about how the Recurso is running this byte cod...
    Read more

    Confidence CTF 2020 `Cat web` challenge writeup

    Image
    [*]-challenges     [+] (157 pts) Cat web Our Team Invaders ended up at 59th position in `CONFidence 2020 CTF` conducted by `p4 team`. The `Cat web challenge` was pretty interesting without any guess and chaining all together to achieve flag etc, which made me to write this Writeup. Cat Web A service running at `http://catweb.zajebistyc.tf/` <html> <head> <title>My cats</title> <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script> <script> function getNewCats(kind) { $.getJSON('http://catweb.zajebistyc.tf/cats?kind='+kind, function(data) { if(data.status != 'ok') { return; } $('#cats_container').empty(); cats = data.content; cats.forEach(function(cat) { var newDiv = document.createElement('div'); newDiv.innerHTML = '<img style="max-width: 200px; max-height: 200px" src=...
    Read more