DEFCON CTF 2009 Binary 100
find a key
http://shallweplayaga.me/binary/f414376cc2322d4ad4c5cd364e89fd34
First, check what kind of file it is.
$ file f414376cc2322d4ad4c5cd364e89fd34
f414376cc2322d4ad4c5cd364e89fd34: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
Run it on Linux.
$ ./f414376cc2322d4ad4c5cd364e89fd34
What is the password? TEST
I smack you down. Step off bitch.
Look inside the binary with hexdump.
$ hexdump -C f414376cc2322d4ad4c5cd364e89fd34 | more
00000000  7f 45 4c 46 01 01 01 03  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 03 00 01 00 00 00  e8 83 c0 00 34 00 00 00  |............4...|
00000020  00 00 00 00 00 00 00 00  34 00 20 00 02 00 28 00  |........4. ...(.|
00000030  00 00 00 00 01 00 00 00  00 00 00 00 00 10 c0 00  |................|
00000040  00 10 c0 00 d0 7b 00 00  d0 7b 00 00 05 00 00 00  |.....{...{......|
00000050  00 10 00 00 01 00 00 00  1c 0e 00 00 1c 0e 05 08  |................|
00000060  1c 0e 05 08 00 00 00 00  00 00 00 00 06 00 00 00  |................|
00000070  00 10 00 00 01 99 69 2e  55 50 58 21 e6 07 0d 0c  |......i.UPX!....|
00000080  00 00 00 00 a6 03 01 00  a6 03 01 00 14 01 00 00  |................|
The "UPX!" magic at offset 0x74 shows that the binary is packed with UPX.
$ ./upx -d ../f414376cc2322d4ad4c5cd364e89fd34
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2009
UPX 3.04        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 27th 2009

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: ../f414376cc2322d4ad4c5cd364e89fd34: Exception: checksum error

Unpacked 1 file: 0 ok, 1 error.
The stored checksum does not match the data, so upx -d refuses to unpack the file. The program itself still runs, so the unpacked code has to be recovered from memory instead.
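As an added example (not part of the original writeup), the following Python script parses the ELF32 header, the two program headers and the UPX l_info/p_info records from the 0x90 bytes shown in the hexdump above. The bytes are transcribed from the hexdump and embedded as constructed input; the structure names l_info and p_info and their field layout follow UPX's own stub header definitions, and the interpretation of l_format 12 as the Linux ELF i386 format is an assumption. It shows the signals a static triage pass can check before running anything: no section headers, the "UPX!" magic sitting directly after the program header table, and an entry point (0xc083e8) inside a high-address R-X segment rather than in the 0x0804xxxx range where the gdb and IDA addresses below place the real program.

```python
import struct

# The first 0x90 bytes of the challenge binary, transcribed from the hexdump
# in the writeup (constructed input for this example; nothing else is read).
HEADER = bytes.fromhex(
    "7f454c4601010103" "0000000000000000"        # e_ident: ELF, 32-bit, LSB, OS/ABI 3
    "0200030001000000" "e883c00034000000"        # EXEC, i386, e_entry 0x00c083e8, e_phoff 0x34
    "0000000000000000" "3400200002002800"        # e_shoff 0, e_phnum 2, e_shentsize 0x28
    "0000000001000000" "000000000010c000"        # e_shnum 0; phdr0: PT_LOAD, off 0, vaddr 0xc01000
    "0010c000d07b0000" "d07b000005000000"        # filesz/memsz 0x7bd0, flags R-X
    "0010000001000000" "1c0e00001c0e0508"        # align; phdr1: PT_LOAD, off 0xe1c, vaddr 0x8050e1c
    "1c0e050800000000" "0000000006000000"        # filesz/memsz 0, flags RW-
    "00100000" "0199692e" "55505821" "e6070d0c"  # align; l_info: l_checksum, "UPX!", l_lsize, version, format
    "00000000" "a6030100" "a6030100" "14010000"  # p_info: p_progid, p_filesize, p_blocksize; b_info.sz_unc
)

ELF32_EHDR = struct.Struct("<16sHHIIIIIHHHHHH")  # 52 bytes
ELF32_PHDR = struct.Struct("<IIIIIIII")          # 32 bytes
UPX_L_INFO = struct.Struct("<I4sHBB")            # l_checksum, l_magic, l_lsize, l_version, l_format
UPX_P_INFO = struct.Struct("<III")               # p_progid, p_filesize, p_blocksize
PT_LOAD = 1
UPX_FORMAT_NAMES = {12: "linux/elf386"}          # assumption: UPX_F_LINUX_ELF_i386 == 12


def parse_elf32(data):
    """Return the ELF32 header fields that matter for packer triage."""
    (ident, e_type, e_machine, _ver, e_entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = ELF32_EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 1 or ident[5] != 1:
        raise ValueError("not a little-endian ELF32 file")
    return {"e_type": e_type, "e_machine": e_machine, "e_entry": e_entry,
            "e_phoff": e_phoff, "e_phentsize": e_phentsize, "e_phnum": e_phnum,
            "e_shnum": e_shnum}


def parse_phdrs(data, ehdr):
    """Decode the program header table into dicts with a readable flag string."""
    phdrs = []
    for i in range(ehdr["e_phnum"]):
        off = ehdr["e_phoff"] + i * ehdr["e_phentsize"]
        p_type, p_offset, p_vaddr, _paddr, p_filesz, p_memsz, p_flags, _align = \
            ELF32_PHDR.unpack_from(data, off)
        perms = "".join(c if p_flags & b else "-" for c, b in (("R", 4), ("W", 2), ("X", 1)))
        phdrs.append({"p_type": p_type, "p_offset": p_offset, "p_vaddr": p_vaddr,
                      "p_filesz": p_filesz, "p_memsz": p_memsz, "perms": perms})
    return phdrs


def segment_containing(phdrs, vaddr):
    """Index of the PT_LOAD segment whose memory range covers vaddr, or None."""
    for i, ph in enumerate(phdrs):
        if ph["p_type"] == PT_LOAD and ph["p_vaddr"] <= vaddr < ph["p_vaddr"] + ph["p_memsz"]:
            return i
    return None


def parse_upx_info(data, ehdr):
    """UPX for ELF stores l_info, then p_info, directly after the phdr table."""
    off = ehdr["e_phoff"] + ehdr["e_phnum"] * ehdr["e_phentsize"]
    if off + UPX_L_INFO.size + UPX_P_INFO.size > len(data):
        return None
    l_checksum, l_magic, l_lsize, l_version, l_format = UPX_L_INFO.unpack_from(data, off)
    if l_magic != b"UPX!":
        return None
    p_progid, p_filesize, p_blocksize = UPX_P_INFO.unpack_from(data, off + UPX_L_INFO.size)
    return {"offset": off, "l_checksum": l_checksum, "l_lsize": l_lsize,
            "l_version": l_version, "l_format": l_format,
            "format_name": UPX_FORMAT_NAMES.get(l_format, "unknown"),
            "p_progid": p_progid, "p_filesize": p_filesize, "p_blocksize": p_blocksize}


def triage(data):
    """Collect the static indicators of UPX packing for one ELF32 image."""
    ehdr = parse_elf32(data)
    phdrs = parse_phdrs(data, ehdr)
    upx = parse_upx_info(data, ehdr)
    entry_seg = segment_containing(phdrs, ehdr["e_entry"])
    findings = []
    if ehdr["e_shnum"] == 0:
        findings.append("no section headers")
    if upx is not None:
        findings.append("UPX l_info at 0x%x (stub version %d, format %d)"
                        % (upx["offset"], upx["l_version"], upx["l_format"]))
    if entry_seg is not None and phdrs[entry_seg]["p_vaddr"] >= 0x00400000 + 0x00800000:
        findings.append("entry 0x%x lies in high segment %d (%s), not in the usual text range"
                        % (ehdr["e_entry"], entry_seg, phdrs[entry_seg]["perms"]))
    return {"ehdr": ehdr, "phdrs": phdrs, "upx": upx, "entry_segment": entry_seg,
            "packed": upx is not None, "findings": findings}


if __name__ == "__main__":
    for line in triage(HEADER)["findings"]:
        print(line)
```

Running it on the transcribed header reports the missing section headers, the l_info record at 0x74 (stub version 13, format 12) and the entry point inside the 0xc01000 R-X segment. p_filesize (0x103a6) is the size UPX recorded for the original file, which is what the unpacked image would have been had upx -d succeeded.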
$ gdb f414376cc2322d4ad4c5cd364e89fd34
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
(gdb) r
Starting program: /home/ubuntu/tmp/f414376cc2322d4ad4c5cd364e89fd34
(no debugging symbols found)
What is the password? (Ctrl + C)
Program received signal SIGINT, Interrupt.
0xb7ffd410 in __kernel_vsyscall ()
(gdb) gcore
Saved corefile core.16229
(gdb) q
The program is running.  Exit anyway? (y or n) y
$ ls core.*
core.16229
A core dump of the running process is captured. By the time the program is waiting at the password prompt, the UPX stub has already unpacked the original code into memory, so the core contains what upx -d could not produce.
Analyze core.16229 in IDA Pro.
Using the string "What is the password?" as a lead, the important code is found.
load:080493EE mov     dword ptr [esp], "What is the password? "
load:080493F5 mov     ebx, eax
load:080493F7 call    sub_8049074
load:080493FC mov     eax, ds:off_804EEC8
load:08049401 mov     dword ptr [esp+4], 3FFh
load:08049409 mov     [esp], ebx
load:0804940C mov     [esp+8], eax
load:08049410 call    sub_8048F24
load:08049415 mov     ecx, 17h
load:0804941A mov     edi, eax
load:0804941C repe cmpsb
load:0804941E jz      short loc_8049448
load:08049420 mov     dword ptr [esp], "I smack you down. Step off bitch."
load:08049427 call    sub_8049154
Analyze it with gdb once more. The breakpoint on the compare is set only after the program has been started and interrupted at the prompt, because the code at 0x0804941C exists in memory only once the UPX stub has unpacked it.
$ gdb f414376cc2322d4ad4c5cd364e89fd34
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
(gdb) r
Starting program: /home/ubuntu/tmp/f414376cc2322d4ad4c5cd364e89fd34
(no debugging symbols found)
What is the password?
Program received signal SIGINT, Interrupt.
0xb7f1b410 in __kernel_vsyscall ()
(gdb) b *0x0804941C
Breakpoint 1 at 0x804941c
(gdb) c
Continuing.
AAAA
Breakpoint 1, 0x0804941c in ?? ()
(gdb) i r $esi $edi $ecx
esi            0x804c757        134530903
edi            0x8051008        134549512
ecx            0x17     23
(gdb) x/1s $esi
0x804c757:       "visilooksgoodinhotpants"
(gdb) x/1s $edi
0x8051008:       "AAAA\n"
(gdb)
The repe cmpsb instruction compares the input at edi against the string "visilooksgoodinhotpants" at esi; ecx is 0x17 = 23, the length of that string, so all 23 bytes must match for the jz to be taken.
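As an added example (not part of the original writeup), here is a Python model of the check at 0x0804941C built from the values visible above: esi points at the expected string, edi at the input buffer, and ecx holds 0x17. The read into the buffer is modeled as an fgets-style call with the (buf, 0x3FF, stream) arguments seen in the disassembly; that the callee is fgets and that the buffer starts zero-filled are assumptions. The model makes explicit what the instruction actually verifies: exactly 23 bytes, stopping neither at a NUL nor at the newline, so nothing typed after the 23rd byte influences the result.

```python
# Values taken from the disassembly and the gdb session in the writeup.
EXPECTED = b"visilooksgoodinhotpants"   # string at $esi (0x804c757) in the dumped core
COUNT = 0x17                            # mov ecx, 17h -> 23 bytes are compared
BUF_SIZE = 0x3FF                        # size argument passed to the read call


def repe_cmpsb(src, dst, count, zf=True):
    """Model of x86 'repe cmpsb' with DF = 0.

    Compares src[i] with dst[i] while ECX != 0 and ZF == 1, decrementing ECX
    on every step, and returns (ZF, ECX) afterwards. Two details matter for the
    check in this binary: NUL bytes get no special treatment, and with ECX == 0
    no iteration runs and ZF keeps its previous value."""
    i = 0
    while count:
        zf = src[i] == dst[i]
        i += 1
        count -= 1
        if not zf:
            break
    return zf, count


def read_line(user_input):
    """Model of an fgets-style read into a zero-filled 0x3FF-byte buffer
    (assumption: the callee takes (buf, 0x3FF, stream) like fgets and the buffer
    is zero before the read). At most BUF_SIZE - 1 bytes are stored, newline included."""
    data = bytes(user_input)[:BUF_SIZE - 1]
    return data + bytes(BUF_SIZE - len(data))


def password_accepted(user_input):
    """The branch at 0x0804941E: jz is taken only if all COUNT bytes matched."""
    zf, _ecx = repe_cmpsb(EXPECTED, read_line(user_input), COUNT)
    return zf


if __name__ == "__main__":
    for attempt in (b"AAAA\n", b"visilooksgoodinhotpants\n", b"visilooksgoodinhotpantsXYZ\n"):
        verdict = "accepted" if password_accepted(attempt) else "rejected"
        print("%-30r %s" % (attempt, verdict))
```

The first input fails on the very first byte, leaving ecx at 0x16, which is a quick sanity check when single-stepping the real instruction in gdb; the last one is accepted even though it is not the exact password, because the count, not the input length, decides how much is compared.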
$ ./f414376cc2322d4ad4c5cd364e89fd34
What is the password? visilooksgoodinhotpants
You're my daddy! See you at the hacker swinger's club next week.
The answer is "visilooksgoodinhotpants".