Reverse Engineering — DarkCON CTF 2021
darkCON CTF is a CTF event organized by dark army. Yesterday I only worked on the reverse engineering and cryptography category because the other categories were done by my team and here is all reverse engineering write up.
Read
Given a pyc file then i just try to decompile it using uncompyle6.
The script looks obfuscated but it is still readable. There is one interesting function and here is the code
def lababa(lebula):
alalalalalalal = [
73, 13, 19, 88, 88, 2, 77, 26, 95, 85, 11, 23, 114, 2, 93, 54, 71, 67, 90, 8, 77, 26, 0, 3, 93, 68]
result = ''
for belu in range(len(alalalalalalal)):
if lebula[belu] != chr(alalalalalalal[belu] ^ ord(babababa[belu])):
return 'bbblalaabalaabbblala'
b2a = ''
a2b = [122, 86, 75, 75, 92, 90, 77, 24, 24, 24, 25, 106, 76, 91, 84, 80, 77, 25, 77, 81, 92, 25, 92, 87, 77, 80, 75, 92, 25, 74, 77, 75, 80, 87, 94, 25, 88, 74, 25, 95, 85, 88, 94]
for bbb in a2b:
b2a += chr(bbb ^ 57)
else:
return b2aIt seems like checking function and then return something whether the check function is true or false. So i try to reconstruct the code to showing the return value and checking value
Flag : darkCON{0bfu5c4710ns_v5_4n1m4710ns}
Too Much
Given ELF 64-bit executable and then i try to decompile it using IDA
It has many function but all functions are identical. The difference is the variables and constant value. So we can get all value and generate the code then get the flag.
Get value using gdb scripting
Generate the comparison algorithm and get the value using z3
Flag : darkCON{4r3_y0u_r34lly_th1nk1n9_th4t_y0u_c4n_try_th15_m4nu4lly???_Ok_I_th1nk_y0u_b3tt3r_us3_s0m3_aut0m4t3d_t00ls_l1k3_4n9r_0r_Z3_t0_m4k3_y0ur_l1f3_much_e4s13r.C0ngr4ts_f0r_s0lv1in9_th3_e4sy_ch4ll3ng3}
ezpz
Given apk file and then i try to decompile the apk.
Looking at MainActivity class we know that there is flag checking in YEET[0].equals(MainActivity.this.button.getText().toString()). So the idea is make the application showing flag instead of “Damn…500 times? are u kidding me” with patching the counter and change the string to be shown.
Original ( MainActivity$1.smali )
const/16 v3, 0x1f4Patched ( MainActivity$1.smali )
const/16 v3, 0x0Original ( MainActivity$1.smali )
.line 50
:cond_1iget-object v1, p0, Lcom/application/ezpz/MainActivity$1;->this$0:Lcom/application/ezpz/MainActivity;invoke-virtual {v1}, Lcom/application/ezpz/MainActivity;->getApplicationContext()Landroid/content/Context;move-result-object v1const-string v3, "Damn...500 times? are u kidding me"invoke-static {v1, v3, v2}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;move-result-object v1invoke-virtual {v1}, Landroid/widget/Toast;->show()Vgoto :goto_0Patched ( MainActivity$1.smali )
.line 50:cond_1iget-object v1, p0, Lcom/application/ezpz/MainActivity$1;->this$0:Lcom/application/ezpz/MainActivity;invoke-virtual {v1}, Lcom/application/ezpz/MainActivity;->getApplicationContext()Landroid/content/Context;move-result-object v1iget-object v3, p0, Lcom/application/ezpz/MainActivity$1;->val$YEET:[Ljava/lang/String;aget-object v3, v3, v2invoke-static {v1, v3, v2}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;move-result-object v1invoke-virtual {v1}, Landroid/widget/Toast;->show()Vgoto :goto_0
And then we will get the flag when click “CLICK ME” button
CyberDark0x01: ShitComp
Given ELF 64-bit and then i try to decompile it using IDA
At first the program will compress our file ( as shown image above )
And then encrypted the compressed data. So the idea is decrypt the data by brute force the algorithm then uncompress the data by reversing the algorithm.
And then by running original ELF we will get the flag
CyberDark_0x02: Installer
Now we need to work with the original ELF. So i try to decompile it using IDA
We can see there is function that the return value is compared by constant value and determine whether the result is correct key or wrong key.
At first the program check the input ( it must uppercase ) and store the input to variable ( except the “-” ).
After that it call function that generate values and our input will be the index of that value.
And the last is checking our input with comparison algorithm that using manipulation of index of array and array. So the idea is reversing the algorithm to generate the key then submit it to server. But i only got 8 correct key ( the other keys are incorrect because there is one character that are not uppercase ) . So for the 2 other keys i brute force one character and then got the correct uppercase character on that position and submit all keys.
( we can use tmp variable to store the index same as the original code in binary for simplicity )
(Not) Easy
Given PE file and then i try to open it using IDA
Looking at encryption function it seems like modified xxtea encryption so the idea is reconstruct decrypt function by reversing the encryption algorithm.
Flag : darkCON{4_L177l3_crYp70_4_d4y_m4K3S_R3v3rS3s_g0_4W4Y}
fire in the androiddd
Given apk file and then i try to decompile it.
Looking at MainActivity that we need internet connection to run this application and there are a method called from data_receiver class.
From getData method we know that class member ( data ) will store encrypted flag from firebase storage. data_receiver.data will be used in magic function which is called by doInBackground function from nested class ( loader class in MyReceiver class )
Magic method is called from native library so we need to decompile that library to know what is magic method do
From the code above we know that our input xored with looper(i) and compared with v4 which is encrypted_flag . Here is what looper function do
So the idea is getting the encrypted_flag using frida then run looper function and xor it with encrypted_flag and get the flag. Here is frida script that i used
After that implemented the looper function
Flag : darkCON{th3_w31rd_c0mb1nat10n_of_fr1da_4nd_c4t4l4n_ov3rf10w}
Overall the challenges are quite interesting and thank you for reading this writeup!
