[EKOPARTY PRE-CTF 2015] [Rev50 – Decode it] Write up

Description

Decode it.

Description: A not so known decoding algorithm.

Hints: Do not trust symbols! they are lying. Check the algorithm.

Attachment: reversing50.zip

Resolution

At first glance it looked like an ordinary crackme, but its peculiarity was that it is compiled for a 32-bit ARM architecture:

ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0c1ab16b5f128e614308d2f8c1776d46080a6597, not stripped

Using the “strings” tool we saw some interesting imported library functions:

memcmp
malloc
[...]
MD5@@OPENSSL_1.0.0
[...]
Base64decode_len

memcmp? Well, well. It is used (among other things) to compare character strings; MD5 is there to hash, and Base64 to encode/decode.

We played with LD_PRELOAD to hook the memcmp call:

#define _GNU_SOURCE
#include <dlfcn.h>
#include <string.h>
#include <stdio.h>

typedef int (*omemcmp)(const void *s1, const void *s2, size_t n);

/* Interposed memcmp: print both buffers and the length, then forward to libc's memcmp. */
int memcmp(const void *s1, const void *s2, size_t n) {
    omemcmp omem = (omemcmp)dlsym(RTLD_NEXT, "memcmp");
    printf("s1:%s\ns2:%s\ns:%zu\n", (const char *)s1, (const char *)s2, n);
    return omem(s1, s2, n);
}

We launched it:

$ echo 'a' | LD_PRELOAD=./preload.so ./decoder
Please, enter your encoded password: s1:
s2:PASS_QIV1qyLR0hFEQU5KCbfm3Hok5V0VmpinCWseVd2X
s:4
Access denied

Here we saw that, by the time the comparison is reached, the string passed as argument should be equal to “PASS_QIV1qyLR0hFEQU5KCbfm3Hok5V0VmpinCWseVd2X”, but passing this string did not work.

After further analysis, it turned out that we had to send the same character string, but base64 encoded.

$ LD_PRELOAD=./preload.so ./decoder
Please, enter your encoded password: UEFTU19RSVYxcXlMUjBpRkVRVTVLQ2JnbTNIb2s1VjBWbXBobkNXc2VWZDJY
s1:PASS_QIV1qyLR0hFEQU5KCbfm3Hok5V0VmpinCWseVd2X
s2:PASS_QIV1qyLR0hFEQU5KCbfm3Hok5V0VmpinCWseVd2X
s:46
Great! the flag is EKO{4fa8c8eac431266a25f56a297a73c334}

The flag was: EKO{4fa8c8eac431266a25f56a297a73c334}
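As an added defender-side illustration (not part of the original write-up or of the challenge binary), the code below contrasts the pattern observed above, a libc memcmp over a plaintext secret with a length that follows the input, with a comparison that never hands the secret to an interposable libc function, always walks the full secret length and has no early exit. The SECRET value is the string from the write-up; the function names are our own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Secret standing in for the one the crackme compares against
 * (the PASS_... string seen through the memcmp hook in the write-up). */
static const char SECRET[] = "PASS_QIV1qyLR0hFEQU5KCbfm3Hok5V0VmpinCWseVd2X";

/* Leaky check, as the crackme does it: libc memcmp over a caller-chosen length.
 * Anything interposed on memcmp (LD_PRELOAD, a breakpoint) sees the plaintext
 * secret, and the comparison stops at the first differing byte. */
int check_leaky(const char *candidate, size_t len) {
    return len == sizeof(SECRET) - 1 && memcmp(candidate, SECRET, len) == 0;
}

/* Hardened check: no libc call on the secret path, a full pass over the
 * secret length regardless of input, differences accumulated with OR so
 * there is no early exit, and a length mismatch folded into the result
 * instead of returned early. */
int check_hardened(const char *candidate, size_t len) {
    const size_t slen = sizeof(SECRET) - 1;
    volatile uint8_t diff = (uint8_t)(len != slen);
    for (size_t i = 0; i < slen; i++) {
        /* Index modulo the candidate length so a short input still costs a full pass. */
        uint8_t c = len ? (uint8_t)candidate[i % len] : 0;
        diff |= (uint8_t)(c ^ (uint8_t)SECRET[i]);
    }
    return diff == 0;
}
```

The stronger fix is to keep the secret out of the binary altogether by storing and comparing a digest of the input rather than the plaintext; the full-length, no-early-exit compare then applies to the digests.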
