[EKOPARTY PRE-CTF 2015] [Rev100 – MOV] Write UpDescription
Description: Find the flag through the obscure code
Attachment: reversing100
Resolution
We first try to start it, and it responds
Processing…
Error
We then open it in gdb, and see what’s going on
1 2 3 4 | gdb-peda$ r[...]Stopped reason: SIGILL0x0804c2f9 in ?? () |
Hmm. Let’s put a breakpoint 2 instructions before (that’s where we got lucky, We should have placed it on 0x804c2f9, but we made a copy/paste mistake selecting the wrong line)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 | gdb-peda$ b *0x804c2f3Breakpoint 1 at 0x804c2f3gdb-peda$ r __ __ ____ | | ______ ___________ ________/ |_ ___.__._/ __ \| |/ / _ \\____ \__ \\_ __ \ __< | |\ ___/| < <_> ) |_> > __ \| | \/| | \___ | \___ >__|_ \____/| __(____ /__| |__| / ____| \/ \/ |__| \/ \/ Processing...Error[----------------------------------registers-----------------------------------]EAX: 0x83f6678 --> 0x0 EBX: 0x8000 ECX: 0x1 EDX: 0x0 ESI: 0xffffd0ec --> 0xffffd2e2 ("LC_PAPER=fr_FR.UTF-8")EDI: 0x804827c (mov DWORD PTR ds:0x83f6660,esp)EBP: 0x0 ESP: 0x85f6660 --> 0x804d3d0 ("Error\n\n")EIP: 0x804c2f3 (mov esp,DWORD PTR ds:0x83f6650)EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)[-------------------------------------code-------------------------------------] 0x804c2e1: mov eax,ds:0x83f6678 0x804c2e6: mov eax,DWORD PTR [eax*4+0x83f6670] 0x804c2ed: mov DWORD PTR [eax],0x0=> 0x804c2f3: mov esp,DWORD PTR ds:0x83f6650 0x804c2f9: mov cs,eax 0x804c2fb: add BYTE PTR [ecx],al 0x804c2fd: add BYTE PTR [eax],al 0x804c2ff: add BYTE PTR [ecx],al[------------------------------------stack-------------------------------------]0000| 0x85f6660 --> 0x804d3d0 ("Error\n\n")0004| 0x85f6664 ("All_You_Need_Is_m0v")0008| 0x85f6668 ("You_Need_Is_m0v")0012| 0x85f666c ("Need_Is_m0v")0016| 0x85f6670 ("_Is_m0v")0020| 0x85f6674 --> 0x76306d ('m0v')0024| 0x85f6678 --> 0x0 0028| 0x85f667c --> 0x0 [------------------------------------------------------------------------------]Legend: code, data, rodata, valueBreakpoint 1, 0x0804c2f3 in ?? ()gdb-peda$ |
Woh, what a nice stack. We got lucky because next instruction changes ESP, therefor we wouldn’t be able to see this.
Because it really looks like a flag, we try to use the following flag
EKO{All_You_Need_Is_m0v}
And … It worked ! Yeah, bit lucky, I guess.
Since we had other challs to flag, we didn’t take much time to try to understand this deeper. We’ll leave it to you folks !
Hello Team, Thank you for all time for Interesting Write Up.
Could i ask question? In this task, how to open MOV file with gdb?
i tried “(gdb) r MOV” and how to find breakpoint register? i have no experience with reverse engineering but i’m really want to learn about it.
Hey there !
Questions are welcome ! To answer yours, there are different possibilities to run a binary with gdb, but the easiest way is when you open gdb in your command line interface, you give it a parameter : your binary name. Once you are in gdb prompt, you can run your binary :
$gdbMOV(gdb) rRegarding your second question about “breakpoint register”, I’m not sure I fully understand what you meant. Could you be a bit more specific, or could you quote the part in this write up that isn’t clear for you ?
If you have any other questions, please do not hesitate
See ya !
Thank you very much Hackndo, i did following. and stuck in last line. how to continue from this condition? what is wrong?
unzip reversing100.zipfileMOVchmod+x MOV./MOVgdbMOV(gdb) r(gdb) b *0x0804c2f9(gdb) rThe program being debugged has been started already.Start it from the beginning? (y or n) yStarting program:/root/Desktop/MOV__ ______ | | ______ ___________ ________/ |_ ___.__._/ __ \| |/ / _ \\____ \__ \\_ __ \ __< | |\ ___/| < <_> ) |_> > __ \| | \/| | \___ |\___ >__|_ \____/| __(____/__| |__| / ____|\/ \/ |__| \/ \/Processing...ErrorBreakpoint 1, 0x0804c2f9in?? ()Hey, we have different outputs because I’m using peda (https://github.com/longld/peda).
This is how it’s done without it :
$gdb-q MOVReading symbols from MOV...(no debugging symbols found)...done.(gdb) rStarting program:/home/hackndo/MOV[...]Processing...ErrorProgram received signal SIGILL, Illegal instruction.0x0804c2f9in?? ()Ok, it stops at 0x0804c2f9. As I said in my write up, I placed a breakpoint right *before* this instruction, at 0x804c2f3 :
(gdb) b *0x804c2f3Breakpoint 1 at 0x804c2f3(gdb) rThe program being debugged has been started already.Start it from the beginning? (y or n) yStarting program:/home/hackndo/MOV[...]Processing...ErrorBreakpoint 1, 0x0804c2f3in?? ()Ok, let’s take a look at the stack
(gdb) x/16xw$esp0x85f6660: 0x0804d3d0 0x5f6c6c41 0x5f756f59 0x6465654e0x85f6670: 0x5f73495f 0x0076306d 0x00000000 0x000000000x85f6680: 0x00000000 0x00000000 0x00000000 0x000000000x85f6690: 0x085f66a0 0x88048563 0x00000001 0xffffd0b4First value looks like an address, next values look like ascii char. Let’s see this :
(gdb) x/s0x0804d3d00x804d3d0:"Error\n\n"(gdb) x/s$esp+0x40x85f6664:"All_You_Need_Is_m0v"(gdb)And here is the flag. But I’m going to say this again : This was a lucky guess, because we didn’t solve this as expected. We only got lucky. You should take a look at other reverse write up to see how it’s really done.
Thank you very much
You’re most welcome !