John Pierce

. SLAE, Security+

PANW CTF Labyrenth Unix Track Challenge 7

I worked on this one up until close to the time the competition closed.  I learned so much new stuff - new programming environment, new debuggers and tools, new languages that were compiled and such that my brain was mush.  I did get to a little bit of valuable info, and will revisit to complete, I hope.  Here's the only really relevant data I managed to obtain:

Took a look at strings and theres a bunch that goes on with sub_100001ee0 involving the base64 string, abracadabra and such.

100002b90 is an important procedure where the first test is done.  It takes two arguments

I did a test with the string 0123456789ABCDEF, figured out some logic and broke at 100002c7d and 100002d00 to catch the values in eax.  Here's what I got:

Looking at C-strings in Hopper:


which decodes as:




Running the code in Hopper, found a bit of interesting stuff:

procedure sub_100002b90:
arg0 (stored in r14 for this procedure) is my entered string, base64 encoded
>>> '4d4445794d7a51314e6a63344f5546435130524652673d3d'.decode('hex')
>>> 'MDEyMzQ1Njc4OUFCQ0RFRg=='.decode('base64')

arg1 (stored in r12 for this procedure) looks like it will be a mask
>>> '61763276657838706f63733469643261763976657838706f'.decode('hex')
'av2vex8pocs4id2av9vex8po'  av9vex8pocs4id2

Another round occurs, and here's the result. 

>>> '4c444a384479674361554568435241414a6a46304969634a4a434d7158303153'.decode('hex')
>>> 'LDJ8DygCaUEhCRAAJjF0IicJJCMqX01S'.decode('base64')
>>> '6162726263616462637261616272626361646162726161627261636164616272'.decode('hex')
'abrbcadbcraabrbcadabraabracadabr'  abrbcadbcra


So, it looks likely that there's going to be an XOR against abracadabra and the av2vex8pocs4id2 keys.   Trouble is, I kept trying to run code in the debugger instead of experimenting with the data I already had.  I worked way too hard trying to get to 

0000000100002ca9         call       sub_1000045c0 or

0000000100002cbb         call       sub_1000045c0

Brain fries here :(  Cried uncle, only 1 hour left.

What I should have done was realize that I was beating my head against a wall, stop doing that and try another method.  I knew I had a base64 string and two keys.  I knew I couldn't see a way of getting to those lines:  I figured out the conditions required and it didn't look possible, but I kept trying.  Yet I persisted on the failing path until I couldn't think any more.



I was so close!  I knew it was going to be a couple of xors, had the keys and the string to work on.  10 minutes with a clear head:


def xorstrings(sIn,sXor):
    # This expects two strings and xors each of the longer string (sIn) with a rotating key (sXor)
    sOut = ''
    for i in range(0,len(sIn)):
        sOut += (chr(ord(sIn[i])^ord(sXor[i%len(sXor)])))
    return sOut

a = 'LyY8TiwwJighJzRSNycvJyU3LzQ1GTc0JlA2ACcGBTcuUSc3JBkZLSoaS1EzUwotBwsDDTQbEiY3Mw0SNDcZVjcLKywjCTpKPApWTw=='.decode('base64')
k1 = 'abracadabra'
k2 = 'av9vex8pocs4id2'
b = xorstrings(a,k1)
c = xorstrings(b.decode('base64'),k2)
print c.decode('base64')


Most Recent Articles

First bit::

This is a writeup of the format string vulnerability in level 4 of the 64bitprimer VM from vulnhu

First bit::

Installation of the software to make a yubikey 4 work in FIDO U2F mode on Debian Jessie i386

First bit::

Lesson(s) learned

First bit::

This one stumped me. Overall, it was a great competition for me as I got to learn a whole lot of new things. I had never worked on a Mac, other than as a user, had never used Hopper, lldb or any of the other tools for reversing on a Mac, and haven't got any experience in the Objective C/Swift framework.

First bit::

4 rounds, lots of debugging