Write Up Reverse Engineering — LINE CTF 2023 — Fishing and Jumpit

WriteUp, 1 year ago (2023), admin

Introduction


Table of Contents

· Introduction
· Table of Contents
· Fishing
· Jumpit
· Epilogue

Fishing


# Patch out the "EB FF" anti-disassembly trick: EB FF is a short jmp with
# offset -1, which jumps into its own second byte and confuses linear
# disassembly. Each occurrence (plus the following byte) is overwritten with NOPs.
data = open("fishing.exe", "rb").read()
databyte = bytearray(data)
for i in range(len(data)):
    if data[i:i+2] == bytes.fromhex("ebff"):
        print(databyte[i:i+3])
        for j in range(3):
            databyte[i+j] = 0x90
        print(databyte[i:i+3])

open("fishing-patch.exe", "wb").write(bytes(databyte))


from os import system
from multiprocessing.dummy import Pool as ThreadPool
import string

# read base frida script
hook = open('hook2.js').read()

def execute_process(args):
    # unpack (candidate byte, flag position, current payload)
    ch, j, pload = args

    pload_copy = pload[:]
    pload_copy[j] = chr(ch)

    # byte values of the payload plus a null terminator; str() of the list is a
    # valid JS array literal that replaces REPLACER in the frida script
    ploadconv = [ord(c) for c in pload_copy] + [0]
    conv = str(ploadconv)

    # replace placeholder with the brute-force input
    hook2 = hook.replace("REPLACER", conv)
    with open('tmp/hook_{}_{}p.js'.format(ch, j), 'w') as hook2fp:
        hook2fp.write(hook2)

    # fake stdin input; the real buffer is overwritten from the frida hook
    with open('tmp/test_{}_{}.txt'.format(ch, j), 'w') as hook2fp:
        hook2fp.write("test")

    # execute frida script
    cmd = "frida -f .\\fishing.exe -l .\\tmp\\hook_{}_{}p.js --no-pause < tmp\\test_{}_{}.txt > tmp\\a_{}_{}".format(ch, j, ch, j, ch, j)
    print('loop')
    print(cmd)
    data = system(cmd)
    print(data)

    # parse frida output: take the hexdump of the second argument of cmp (the
    # encrypted input), pick the row that holds byte j and cut out the hex
    # column. hexdump separates address, hex bytes and ASCII with two spaces.
    with open('tmp\\a_{}_{}'.format(ch, j), 'r') as a:
        data = a.read()
    kotak = data.split("So: fishing.exe Method: cmp: 0x3ff0")[1].split("0123456789ABCDEF")[2].split("\n")[1 + (j // 16)].split("  ")[1]
    print(j, 1 + (j % 16), kotak)
    kotak = bytes.fromhex(kotak.strip().replace(" ", ""))
    flag = bytes.fromhex("d0be9f5abdf034b5d06ffbe299baaed736d52dc22245b0039d636653c728cc2a2b14bb099be360463a")
    print(hex(flag[j]), hex(kotak[j % 16]))

    # if encrypted input byte == encrypted flag byte, this character is correct
    if flag[j] == kotak[j % 16]:
        return pload_copy, chr(ch)
    return None, None

# init brute-force input; a known prefix can be put in flag to resume a run
pload = ["A" for i in range(41)]
flag = ""
for i in range(len(flag)):
    pload[i] = flag[i]

# brute-force character set
flagchr = string.ascii_letters + "{_}" + string.digits

# loop over flag positions
for j in range(len(flag), 41):
    pool = ThreadPool(8)

    results = pool.map(execute_process, [(ord(chx), j, pload) for chx in flagchr])
    pool.close()
    pool.join()

    for payload_result, chr_result in results:
        # if the brute force found the character, append it to the flag
        if payload_result and chr_result:
            pload = payload_result
            flag += chr_result
            print(flag)
            print(pload)
            print(chr_result)
            break

// init frida script
(function () {
    // @ts-ignore
    function print_arg(addr) {
        try {
            var module = Process.findRangeByAddress(addr);
            if (module != null) return "\n" + hexdump(addr) + "\n";
            return ptr(addr) + "\n";
        } catch (e) {
            return addr + "\n";
        }
    }
    // @ts-ignore
    function hook_native_addr(funcPtr, paramsNum, method, mod = 0) {
        var module = Process.findModuleByAddress(funcPtr);
        try {
            Interceptor.attach(funcPtr, {
                onEnter: function (args) {
                    this.logs = "";
                    this.params = [];

                    // @ts-ignore
                    this.logs = this.logs.concat("So: " + module.name + " Method: " + method + ": " + ptr(funcPtr).sub(module.base) + "\n");
                    for (let i = 0; i < paramsNum; i++) {
                        this.params.push(args[i]);
                        this.logs = this.logs.concat("this.args" + i + " onEnter: " + print_arg(args[i]));
                    }
                }, onLeave: function (retval) {
                    for (let i = 0; i < paramsNum; i++) {
                        this.logs = this.logs.concat("this.args" + i + " onLeave: " + print_arg(this.params[i]));
                    }
                    this.logs = this.logs.concat("retval onLeave: " + print_arg(retval) + "\n");
                    console.log(this.logs);

                    // if mod == 1, scanf was called: overwrite the input buffer with the brute-force input
                    if (mod == 1) {
                        var point = this.params[4].readPointer();
                        console.log(point);
                        const newData = REPLACER;
                        point.writeByteArray(newData);
                        console.log(point.readByteArray(32));
                    }
                }
            });
        } catch (e) {
            console.log(e);
        }
    }

    // this hook is used to modify memory after the data is read; I did not find any graceful way to feed input to frida 🙁
    hook_native_addr(Module.findBaseAddress("fishing.exe").add(0x3f48), 0x5, "fscan after", 1);

    // this hook is used to debug the program
    hook_native_addr(Module.findBaseAddress("fishing.exe").add(0x2310), 0x5, "encrypt");

    // our encrypted flag and encrypted input are compared at this address
    hook_native_addr(Module.findBaseAddress("fishing.exe").add(0x3ff0), 3, "cmp");
})();
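As an added example (not code from the write-up), the per-position search that the frida driver above performs, simulated offline against a constructed byte-wise cipher, together with the check a reverser should run first: the search only works when each ciphertext byte depends on exactly one plaintext byte, which is why a whole-input digest (digest_oracle) is the design that resists it. toy_encrypt, digest_oracle, KEY and the sample secret are constructed for this example.

```python
import hashlib
import string
ALPHABET = string.ascii_letters + "{_}" + string.digits

# Constructed stand-in for the binary's encrypt routine: byte-wise and position
# dependent, so ciphertext byte i depends only on plaintext byte i. Not real crypto.
KEY = b"LINE"

def toy_encrypt(buf: bytes) -> bytes:
    return bytes(((b ^ KEY[i % len(KEY)]) + i) & 0xff for i, b in enumerate(buf))

def digest_oracle(buf: bytes) -> bytes:
    # Whole-input hash: every output byte depends on every input byte, so a
    # per-position comparison gives no signal. This is what defeats the search.
    return hashlib.sha256(buf).digest()[:len(buf)]

def is_position_independent(oracle, length: int) -> bool:
    """Precondition check: changing input byte j must only move output byte j."""
    base = bytes(length)
    ref = oracle(base)
    for j in range(length):
        probe = bytearray(base)
        probe[j] = 0x41
        out = oracle(bytes(probe))
        if {i for i in range(length) if out[i] != ref[i]} != {j}:
            return False
    return True

def recover(enc_target: bytes, oracle, alphabet: str = ALPHABET) -> str:
    """Rebuild the plaintext one position at a time, the way execute_process
    above does: encrypt a candidate buffer and compare only byte j with the
    encrypted flag (flag[j] == kotak[j % 16] in the script)."""
    if not is_position_independent(oracle, len(enc_target)):
        raise ValueError("oracle is not byte-separable; per-position search will not work")
    pload = bytearray(b"A" * len(enc_target))  # filler, like the 41 'A's in the script
    flag = ""
    for j in range(len(enc_target)):
        for ch in alphabet:
            pload[j] = ord(ch)
            if oracle(bytes(pload))[j] == enc_target[j]:
                flag += ch
                break
        else:
            raise ValueError("no alphabet character matches position %d" % j)
    return flag

if __name__ == "__main__":
    secret = b"LINECTF{constructed_sample}"  # constructed, not the challenge flag
    print(recover(toy_encrypt(secret), toy_encrypt))  # recovers secret
```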


Jumpit


import base64
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad

# AES ECB mode without IV

key = 'Cia!fo2MPXZQvaVA39iuiokE6cvZUkqx'  # 32 bytes, so this is AES-256

def encrypt(raw):
    raw = pad(raw.encode(), 16)
    cipher = AES.new(key.encode('utf-8'), AES.MODE_ECB)
    return base64.b64encode(cipher.encrypt(raw))

def decrypt(enc):
    enc = base64.b64decode(enc)
    cipher = AES.new(key.encode('utf-8'), AES.MODE_ECB)
    plain = cipher.decrypt(enc)
    print(plain)
    # padding is left in place to show the raw blocks; unpad(plain, 16) strips it
    return plain

decrypted = decrypt("cWGTmeDlFsYEFI9E5mH/eCnQ1SNlWJlXj+klPLbWS/c/1vI7UPrO4dp41u2tTGM2")
print('data: ', decrypted)


Epilogue

I learned a lot while doing this CTF. Automating debugging and brute-forcing on Windows is always challenging because the environment is not as robust as GDB scripts running on Linux. Unity reverse engineering is also something rare that I’ve encountered in CTFs.

Originally published by Maulvi Alfansuri: Write Up Reverse Engineering — LINE CTF 2023 — Fishing and Jumpit

Copyright notice: posted by admin on April 1, 2023 at 8:21 PM.