Reverse Engineering

packer

This Challenge Elf is reduced the size of a binary.
Reverse it with 'upx -d'

$ upx -d out

Check assembly.
I often use Cutter when I want to check assembly.

Then set the breakpoint at before call comp function : 0x4010d0
Run with gdb and check the value of RSI Register.

It's a flag in hex.

FactCheck

This Challenge Elf looks operate strings.
It's tiresome to analyze flow of that so set the breakpoint after operate strings.

Debug it with Cutter.

I got the flag in the stack.

Classic CrackMe 0x100

It's simple auth program.
Decompile it by Ghidra and check main function.

It's makes my input encrypted.
First check the correct encrypted value.
Check the assembly and set breakpoint before memcpy.

Then run and check RSI register.

Now I have all the value I need to break the encryption.
It's not demanding computation, so I solve it by brute force.

#include<stdio.h>
#include<string.h>
#include<stdlib.h>
int main(void){
    char pass[] = "kgxmwpbpuqtorzapjhfmebmccvwycyvewpxiheifvnuqsrgexl";
    size_t Passlen = strlen(pass);
    int Length = (int)Passlen;
    int local_18 = 85;
    int local_1c = 51;
    int local_20 = 15;
    char local_21 = 'a';
    for (int j = 0; j < Length; j = j + 1) {
        for(int f = 20;f < 127;f++){
            int tmp = f;
            for (int i = 0; i < 3; i = i + 1) {
                int local_28 = (j % 255 >> 1 & local_18) + (j % 255 & local_18);
                int local_2c = ((int)local_28 >> 2 & local_1c) + (local_1c & local_28);
                int iVar1 = ((int)local_2c >> 4 & local_20) + (tmp - (int)local_21) + (local_20 & local_2c);
                tmp = local_21 + (char)iVar1 + (char)(iVar1 / 0x1a) * -0x1a;   
                
                
            }
            if (tmp == pass[j]){
                    pass[j] = f;
                    break;
            }
        }
    }

    printf("%s\n",pass);
    return 0;
}

$ gcc exploit.c 
$ ./a.out 
kdugtj(grknflq$dgb`d+%d#)mnm&mj"tjr`b(`&pelejf'"rc
$ ./crackme100 
Enter the secret password: kdugtj(grknflq$dgb`d+%d#)mnm&mj"tjr`b(`&pelejf'"rc
SUCCESS! Here is your flag: picoCTF{sample_flag}

WinAntiDebug 0x100

This challenge needs bypassing Windows Anti Debug.
The challenge file detect if debugger is present or not by calling kernel32.dll::IsDebuggerPresent.

To bypass the debugger presenting, just change return address that exists after detect debugger.

Debug with x32dbg

WinAntiDebug 0x200

This challenge is similar to WinAntiDebug 0x100.

Change the condition of the result of kernel32.dll::IsDebuggerPresent

Debug with x32dbg (required administer)

Last modified: 20 January 2025