# Reverse Engineering — BSides Delhi CTF 2020

Here i will share writeup for Reverse Engineering challenges ( Advanced Encryption, A Log of Work, and Bit level h4xx04r ).

# Advanced Encryption

Given an ELF 64 bit binary and then i try to open it using IDA.

From the code above we know that our input will be in xor with byte_4060 value , because the type of byte_4060 is an byte array so the maximum value we can input is 0xff . The idea is i try to automatically input from 0 to 0xff to the binary , if the binary run successfully ( exit code 0 ) our input is probably correct.

Running script above will give us more than 1 correct value ( exit code 0 ) so the next step i do is try to debug it on gdb to make sure which is the real correct value. Finally after trial and error we found the correct value which is 171.

rdi is our argument , so BYTE PTR [rdi] == arg[0] BYTE PTR ,[rdi+1]==arg[1] , etc . So the final step is convert the code above to python to get the flag.

Flag : BSDCTF{sup3r_sh0rt_fl4g}

# A Log of Work

Given two files ( basicchall.exe and basicchall.dll ) , after doing analysis we know that basicchall.exe is dotnet application which is used to run the basicchall.dll .

The next step i do is try to open basicchall.dll using dnSpy and here is the result

From here we know that our input must match with **right **value . Here is the algorithm of code above

`- Getting input`

- Convert it to hex

- Encode it using base64

- Encode it using rot13

- Final step is doing some calculation ( shift left,add, and multiplication )

After doing some research i know that the **right** value can be reversed , here is the calculation

Here we assume that our enc length is 3

val=2**21

bigInteger=0

(bigInteger*val)+enc[i])*val+enc[i+1])*val+enc[i+2]==right

(bigInteger*val)+enc[i])*val+enc[i+1])*val+enc[i+2]-enc[i+2]==right-enc[i+2]

(bigInteger*val)+enc[i])*val+enc[i+1])*val==right-enc[i+2]

Because of we know value of val here we can do gcd (bigInteger*val)+enc[i])*val+enc[i+1])*val with val , if the result is val so our guess input is correct

After getting the encoded value the next step we do is rot13 decode it then base64 decode it then hex decode it and finally got the flag. Here is the script i used to get the flag.

Flag : BSDCTF{1m_50_50rry}

# Bit level h4xx04r

Given an ELF 64 bit binary which is using rust programming language. Here i try to open it using IDA.

After doing research on it ( static and dynamic analysis ) finally i understand what this binary do.

First there is value which is look like base64 encoded value in initial code

And there is rand function too which the value will be used next.

v10.pieces.length will save the result of each character in aQvzesv9fddvmnm variable and by 0xf .

After that v10.pieces.length value will be rotated with random value which is initiated at the beginning of program.

&v10.args.data_ptr->value will save value of each character aQvzesv9fddvmnm shift right by 4.

The last step is multiply each value of &v10.args.data_ptr->value with 16 and sum it with each v10.pieces.length value.

So the idea is getting all possible rotations and then sum it with 16*&v10.args.data_ptr->value .

But it doesn’t produce flag, i tried to bruteforce it then base64 decode and fail , but finally i have another idea that is base64 decode the value first then bruteforce all possibility and gotcha got the flag! Here is my script to get the flag

Flag : BSDCTF{5h1fty_5tuff}