[EKOPARTY PRE-CTF 2015] [Rev100 – MOV] Write Up

Description


Description: Find the flag through the obscure code

Attachment: reversing100

Resolution

We first try to run it, and it responds with

Processing…
Error

We then open it in gdb to see what’s going on

gdb-peda$ r
[...]
Stopped reason: SIGILL
0x0804c2f9 in ?? ()

Hmm. Let’s put a breakpoint 2 instructions before (that’s where we got lucky: we should have placed it at 0x804c2f9, but we made a copy/paste mistake and selected the wrong line)

gdb-peda$ b *0x804c2f3
Breakpoint 1 at 0x804c2f3
gdb-peda$ r
        __                              __          
  ____ |  | ______ ___________ ________/  |_ ___.__.
_/ __ \|  |/ /  _ \\____ \__  \\_  __ \   __<   |  |
\  ___/|    <  <_> )  |_> > __ \|  | \/|  |  \___  |
 \___  >__|_ \____/|   __(____  /__|   |__|  / ____|
     \/     \/     |__|       \/             \/     

Processing...
Error

[----------------------------------registers-----------------------------------]
EAX: 0x83f6678 --> 0x0 
EBX: 0x8000 
ECX: 0x1 
EDX: 0x0 
ESI: 0xffffd0ec --> 0xffffd2e2 ("LC_PAPER=fr_FR.UTF-8")
EDI: 0x804827c (mov    DWORD PTR ds:0x83f6660,esp)
EBP: 0x0 
ESP: 0x85f6660 --> 0x804d3d0 ("Error\n\n")
EIP: 0x804c2f3 (mov    esp,DWORD PTR ds:0x83f6650)
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x804c2e1:	mov    eax,ds:0x83f6678
   0x804c2e6:	mov    eax,DWORD PTR [eax*4+0x83f6670]
   0x804c2ed:	mov    DWORD PTR [eax],0x0
=> 0x804c2f3:	mov    esp,DWORD PTR ds:0x83f6650
   0x804c2f9:	mov    cs,eax
   0x804c2fb:	add    BYTE PTR [ecx],al
   0x804c2fd:	add    BYTE PTR [eax],al
   0x804c2ff:	add    BYTE PTR [ecx],al
[------------------------------------stack-------------------------------------]
0000| 0x85f6660 --> 0x804d3d0 ("Error\n\n")
0004| 0x85f6664 ("All_You_Need_Is_m0v")
0008| 0x85f6668 ("You_Need_Is_m0v")
0012| 0x85f666c ("Need_Is_m0v")
0016| 0x85f6670 ("_Is_m0v")
0020| 0x85f6674 --> 0x76306d ('m0v')
0024| 0x85f6678 --> 0x0 
0028| 0x85f667c --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x0804c2f3 in ?? ()
gdb-peda$


Whoa, what a nice stack. We got lucky, because the next instruction changes ESP; afterwards we wouldn’t have been able to see this.

Because it really looks like a flag, we try submitting the following flag

EKO{All_You_Need_Is_m0v}

And… it worked! Yeah, a bit lucky, I guess.

Since we had other challs to flag, we didn’t take much time to try to understand this deeper. We’ll leave it to you folks!

6 thoughts on “[EKOPARTY PRE-CTF 2015] [Rev100 – MOV] Write Up”

  1. Hello Team, thank you for all the time you put into interesting write-ups.
    Could I ask a question? In this task, how do I open the MOV file with gdb?
    I tried “(gdb) r MOV”. And how do I find the breakpoint register? I have no experience with reverse engineering but I really want to learn about it.

    1. Hey there!
      Questions are welcome! To answer yours, there are different possibilities to run a binary with gdb, but the easiest way is, when you open gdb in your command line interface, to give it a parameter: your binary name. Once you are at the gdb prompt, you can run your binary:

      $ gdb MOV
      (gdb) r

      Regarding your second question about the “breakpoint register”, I’m not sure I fully understand what you meant. Could you be a bit more specific, or could you quote the part of this write-up that isn’t clear to you?

      If you have any other questions, please do not hesitate 🙂

      See ya!

  2. Thank you very much Hackndo, I did the following and got stuck at the last line. How do I continue from this condition? What is wrong?

    unzip reversing100.zip
    file MOV
    chmod +x MOV
    ./MOV
    gdb MOV
    (gdb) r
    (gdb) b *0x0804c2f9
    (gdb) r
    The program being debugged has been started already.
    Start it from the beginning? (y or n) y
    Starting program: /root/Desktop/MOV 
            __                              __          
      ____ |  | ______ ___________ ________/  |_ ___.__.
    _/ __ \|  |/ /  _ \\____ \__  \\_  __ \   __<   |  |
    \  ___/|    <  <_> )  |_> > __ \|  | \/|  |  \___  |
     \___  >__|_ \____/|   __(____  /__|   |__|  / ____|
         \/     \/     |__|       \/             \/     
    
    Processing...
    Error
    
    
    Breakpoint 1, 0x0804c2f9 in ?? ()
    
    1. Hey, we have different outputs because I’m using peda (https://github.com/longld/peda).

      This is how it’s done without it:

      $ gdb -q MOV
      Reading symbols from MOV...(no debugging symbols found)...done.
      (gdb) r
      Starting program: /home/hackndo/MOV 
        
      [...]
      
      Processing...
      Error
      
      
      Program received signal SIGILL, Illegal instruction.
      0x0804c2f9 in ?? ()

      OK, it stops at 0x0804c2f9. As I said in my write-up, I placed a breakpoint right *before* this instruction, at 0x804c2f3:

      (gdb) b *0x804c2f3
      Breakpoint 1 at 0x804c2f3
      (gdb) r
      The program being debugged has been started already.
      Start it from the beginning? (y or n) y
      Starting program: /home/hackndo/MOV 
      
      [...]
      
      Processing...
      Error
      
      
      Breakpoint 1, 0x0804c2f3 in ?? ()

      OK, let’s take a look at the stack:

      (gdb) x/16xw $esp
      0x85f6660:  0x0804d3d0  0x5f6c6c41  0x5f756f59  0x6465654e
      0x85f6670:  0x5f73495f  0x0076306d  0x00000000  0x00000000
      0x85f6680:  0x00000000  0x00000000  0x00000000  0x00000000
      0x85f6690:  0x085f66a0  0x88048563  0x00000001  0xffffd0b4

      The first value looks like an address, the next values look like ASCII chars. Let’s see:

      (gdb) x/s 0x0804d3d0
      0x804d3d0:  "Error\n\n"
      (gdb) x/s $esp+0x4
      0x85f6664:  "All_You_Need_Is_m0v"
      (gdb)

      And here is the flag. But I’m going to say this again: this was a lucky guess, because we didn’t solve this as expected. We only got lucky. You should take a look at other reverse write-ups to see how it’s really done. 🙂
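The manual decoding in the reply above (little-endian words at $esp reinterpreted as ASCII, with the first word recognised as an address into the binary) can be automated over the same `x/16xw $esp` dump. This is an added example, not code from the original post or its author; the dump is embedded as constructed sample input, and the 0x08048000-0x08050000 range used to flag pointers is an assumption based on the 0x0804xxxx addresses seen in the dump.

```python
import re
import struct

# Constructed sample input: the `x/16xw $esp` dump quoted in the reply above.
GDB_DUMP = """\
0x85f6660:  0x0804d3d0  0x5f6c6c41  0x5f756f59  0x6465654e
0x85f6670:  0x5f73495f  0x0076306d  0x00000000  0x00000000
0x85f6680:  0x00000000  0x00000000  0x00000000  0x00000000
0x85f6690:  0x085f66a0  0x88048563  0x00000001  0xffffd0b4
"""

LINE_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+):\s+((?:0x[0-9a-fA-F]{8}\s*)+)$")

def parse_xw_dump(text):
    """Turn gdb `x/Nxw` output into (base_address, raw_bytes).
    x86 is little-endian, so the word 0x5f6c6c41 is the bytes 41 6c 6c 5f."""
    base, expected, buf = None, None, bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip prompts and other non-dump lines
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != expected:
            raise ValueError(f"non-contiguous dump at {addr:#x}")
        words = [int(w, 16) for w in m.group(2).split()]
        buf += struct.pack("<%dI" % len(words), *words)
        expected = addr + 4 * len(words)
    return base, bytes(buf)

def find_strings(base, data, min_len=4):
    """Return (address, text) for each run of >= min_len printable ASCII
    bytes, terminated by a NUL or a non-printable byte (like `strings -t x`)."""
    found, start = [], None
    for i, b in enumerate(data + b"\x00"):  # sentinel closes a trailing run
        if 0x20 <= b < 0x7F:
            start = i if start is None else start
        else:
            if start is not None and i - start >= min_len:
                found.append((base + start, data[start:i].decode("ascii")))
            start = None
    return found

def find_pointers(base, data, lo=0x08048000, hi=0x08050000):
    """Flag words in [lo, hi) as likely pointers into the binary's image
    (assumed range, chosen to match the 0x0804xxxx addresses in the dump)."""
    words = struct.unpack("<%dI" % (len(data) // 4), data[: len(data) // 4 * 4])
    return [(base + 4 * i, w) for i, w in enumerate(words) if lo <= w < hi]
```

Running `find_strings(*parse_xw_dump(GDB_DUMP))` recovers the string at 0x85f6664, and `find_pointers` singles out the first word as the only address-like value, which matches what the two `x/s` commands in the reply show.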
