Reverse Engineering — Deep CTF 2020

Nested Rev

import angr
import monkeyhex
import sys
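# angr solver for Cr4ckm3: explore from main() until the "good" block is
# reached and dump whatever stdin had to contain to get there.
base = 0x400000                        # load base angr assigns to this PIE binary
main = base + 0x0000000000001155       # offset of main(), taken from the disassembler
project = angr.Project('binary/Cr4ckm3')
# Start execution at main() rather than at the ELF entry point.
initial_state = project.factory.entry_state(addr=main)
simulation = project.factory.simgr(initial_state)
# Offset of the block the writeup names the "good" (flag accepted) path.
load_good_address = base + 0x0000000000001295
simulation.explore(find=load_good_address)
if simulation.found:
    solution_state = simulation.found[0]
    # The concretised stdin of the found path is the flag; decode it so it
    # prints as text instead of a bytes literal (undecodable bytes are marked).
    print(solution_state.posix.dumps(sys.stdin.fileno()).decode(errors='replace'))
else:
    # RuntimeError is a subclass of Exception, so existing handlers still match.
    raise RuntimeError('Could not find the solution')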

SkipMe

0xKEY

main function
Set a breakpoint after generateMyFlag and run the program;
then examine the value of secret as a string to obtain the flag.

Down

before patched
after patched

Wacha Wachin

// Worked example of the arithmetic idioms used by check_flag below:
// a shift-and-subtract pair is a multiply by a constant (here 63).
ADD     R2, R2, R1    // R2 = R2 + R1
MOV R3, R2,LSL#6 // R3 = R2 << 6  (R2 * 64, mod 2^32)
SUB R3, R3, R2 // R3 = (R2 << 6) - R2 = R2 * 63
EOR R3, R3, R2 // R3 = R3 ^ R2
AND R3, R3, #0xFF // R3 = R3 & 0xFF  (keep only the low byte)
ORR R3, R0, R3 // R3 = R0 | R3
check_flag:
// Flag checker. Per the author's annotation R0 = pointer to the flag buffer.
// Register/stack roles, from the loads and stores below:
//   R11            = frame pointer
//   [R11,#var_18]  = flag pointer
//   [R11,#var_C]   = pointer to "AQLbN"
//   [R11,#var_10]  = pointer to "-="
//   [R11,#var_8]   = loop counter i
// Only the success path is listed: the fail/win sections, the loop back-edge
// and the function epilogue are not shown in this excerpt.
STMFD SP!, {R11,LR} // save frame pointer and return address
ADD R11, SP, #4 // R11 = frame pointer
SUB SP, SP, #0x18 // reserve 0x18 bytes of locals
STR R0, [R11,#var_18] // R11,#var_18 is the flag (pointer passed in R0)
LDR R3, =aAqlbn; "AQLbN"
STR R3, [R11,#var_C] // Store pointer to "AQLbN" in R11,#var_C
LDR R3, =asc_1D250; "-="
STR R3, [R11,#var_10] // Store pointer to "-=" in R11,#var_10
// --- check 1: 758*flag[0] + flag[9] == 0x1225C ---
LDR R3, [R11,#var_18]
LDRB R3, [R3] // Load first byte from flag / flag[0]
MOV R1, R3 // R1 = flag[0]
MOV R2, R1 // R2 = flag[0]
MOV R2, R2,LSL#1 // R2 = 2*flag[0]
ADD R2, R2, R1 // R2 = 3*flag[0]
MOV R3, R2,LSL#6 // R3 = 192*flag[0]
SUB R3, R3, R2 // R3 = 189*flag[0]
MOV R3, R3,LSL#1 // R3 = 378*flag[0]
ADD R3, R3, R1 // R3 = 379*flag[0]
MOV R3, R3,LSL#1 // R3 = 758*flag[0]
MOV R2, R3 // R2 = 758*flag[0]
LDR R3, [R11,#var_18]
ADD R3, R3, #9
LDRB R3, [R3] // R3 = flag[9]
ADD R3, R2, R3 // R3 = 758*flag[0] + flag[9]
LDR R2, =0x1225C
CMP R3, R2 // compare R3 with 0x1225C
BNE loc_83F0 // not equal: branch to loc_83F0 (fail section); equal: fall through to the second check
// --- check 2: ((flag[8] ^ flag[1]) & 0xFF) << 1 == 0xE, i.e. flag[1] ^ flag[8] == 7 ---
LDR     R3, [R11,#var_18]
ADD R3, R3, #1
LDRB R2, [R3] // R2 = flag[1]
LDR R3, [R11,#var_18]
ADD R3, R3, #8
LDRB R3, [R3] // R3 = flag[8]
EOR R3, R3, R2 // R3 = flag[8] ^ flag[1]
AND R3, R3, #0xFF // keep the low byte
MOV R3, R3,LSL#1 // R3 = (flag[8] ^ flag[1]) << 1
CMP R3, #0xE // compare R3 with 0xE
BNE loc_83EC // not equal: branch to loc_83EC (fail section); equal: fall through to the third check
// --- check 3: ((hi32(flag[8] * 0x4EC4EC4F) >> 2) & 0xFF) + flag[0] == 'f' ---
LDR     R3, [R11,#var_18]
ADD R3, R3, #8
LDRB R3, [R3] // R3 = flag[8]
LDR R2, =0x4EC4EC4F // NOTE(review): looks like a reciprocal-multiply constant (~2^34/13); together with the LSR#2 below this would compute flag[8] / 13 — confirm
UMULL R1, R3, R2, R3 // R1:R3 = R2 * R3 (64-bit product); the most significant 32 bits land in R3
MOV R3, R3,LSR#2 // R3 = hi32 >> 2
AND R3, R3, #0xFF // keep the low byte
MOV R2, R3
LDR R3, [R11,#var_18]
LDRB R3, [R3] // R3 = flag[0]
ADD R3, R2, R3 // R3 = R2 + flag[0]
CMP R3, #0x66 ; 'f' // compare R3 with 'f' (0x66)
BNE loc_83E8 // not equal: branch to loc_83E8 (fail section); equal: fall through to the fourth check
// --- check 4: flag[1] | (43*flag[9]) == 0x833 ---
LDR     R3, [R11,#var_18]
ADD R3, R3, #1
LDRB R3, [R3] // R3 = flag[1]
MOV R0, R3 // R0 = flag[1]
LDR R3, [R11,#var_18]
ADD R3, R3, #9
LDRB R3, [R3] // R3 = flag[9]
MOV R1, R3 // R1 = flag[9]
MOV R3, R1 // R3 = flag[9]
MOV R3, R3,LSL#1 // R3 = 2*flag[9]
ADD R3, R3, R1 // R3 = 3*flag[9]
MOV R2, R3,LSL#3 // R2 = 24*flag[9]
SUB R2, R2, R3 // R2 = 21*flag[9]
MOV R2, R2,LSL#1 // R2 = 42*flag[9]
ADD R3, R2, R1 // R3 = 43*flag[9]
ORR R3, R0, R3 // R3 = flag[1] | 43*flag[9]
LDR R2, =0x833
CMP R3, R2 // compare R3 with 0x833
BNE loc_83E4 // not equal: branch to loc_83E4 (fail section); equal: fall through to the fifth check
// --- check 5: flag[7] == 'i' ---
LDR     R3, [R11,#var_18]
ADD R3, R3, #7
LDRB R3, [R3] // R3 = flag[7]
CMP R3, #0x69 ; 'i' // compare R3 with 'i' (0x69)
BNE loc_83E0 // not equal: branch to loc_83E0 (fail section); equal: fall through to the loop
// --- loop: for i in 0..4: (flag[i+2] ^ "-="[i & 1]) & 0xFF must equal "AQLbN"[i] ---
MOV     R3, #0                   // initial value of the loop counter, i = 0
STR R3, [R11,#var_8] // save i = 0 to R11,#var_8
B loc_83D0 // jump to the loop condition
LDR R3, [R11,#var_8] // loop condition: load i from R11,#var_8 into R3
CMP R3, #4 // compare i with 4
BLE loc_8368 // i <= 4: branch to loc_8368 (loop body, shown next); otherwise fall through to the win section (not shown)
LDR R3, [R11,#var_8]
ADD R3, R3, #2 // R3 = i + 2
MOV R2, R3 // R2 = i + 2
LDR R3, [R11,#var_18]
ADD R3, R3, R2
LDRB R2, [R3] // R2 = flag[i + 2]; the index runs 2,3,4,5,6
LDR R3, [R11,#var_8]
CMP R3, #0 // flags from this compare feed RSBLT below (AND without S does not update them)
AND R3, R3, #1 // parity of i: odd -> 1, even -> 0
RSBLT R3, R3, #0 // if i < 0, R3 = 0 - R3; never taken here since i runs 0..4
MOV R1, R3 // R1 = i & 1
LDR R3, [R11,#var_10]
ADD R3, R3, R1
LDRB R3, [R3] // R3 = "-="[R1]; R1 is 0,1,0,1,0
EOR R3, R3, R2 // R3 = "-="[i & 1] ^ flag[i + 2]
AND R2, R3, #0xFF // R2 = low byte of the XOR
LDR R3, [R11,#var_8]
LDR R1, [R11,#var_C]
ADD R3, R1, R3
LDRB R3, [R3] // R3 = "AQLbN"[i]; i is 0,1,2,3,4
CMP R2, R3 // compare the XOR result with "AQLbN"[i]
BEQ loc_83C4 // equal: branch to loc_83C4 (the counter increment below); not equal: fall through into the fail section, which is not shown here
LDR R3, [R11,#var_8]
ADD R3, R3, #1
STR R3, [R11,#var_8] // var_8 = var_8 + 1, i.e. i++ (the back-edge to loc_83D0 is not shown)

Thank you for reading my write up !
