CTF Sharif Writeup for ReverseMe 250pts

by mohamed ali MRABET

Today we are going to be talking about how to solve the reverse_me of Sharif CTF .Well , to begin with, I would like to give special thanks to whoever contributed to the CTF for their time devoted in creating such great tasks .\n\nSo, let's start with most common step which a reverse engineer is accustomed to begging with :\n\nLet's scan it with peid :\n\n\n\nAs one can see , the binary is packed with Aspack 2.12 .\n\n#Unpacking the target : \nBefore proceeding , we load the executable into olly , and the first instruction we are going to see is 'pushad' , just step over it (f8) , then follow ESP in dump and make a hardware breakpoint on the first 4 bytes :\n\nThen run it (F9) and you will see the following :\n\n\n\nWell , simply put , the packer obviously uses the PUSH followed by the RETN instruction to land at the OEP which is at adress 004016BB .\nOnce you are there , you will notice some obfuscated code that was deliberatley obfuscated by the packer in order to fool the cracker , that's where the plugin 'Analyze This!' comes handy .\nIt's purpose is to convert raw data into assembly instructions , so right click and and click on 'Analyze This!' : \n\n\nNow ,we have comprehensible machine instructions ,let's use "Dump debugged process" plugin which it's sole intention is to dump active debuggee process , so the very first thing you are going to need is to copy the value in 'modify' section into the clipboard and then click 'Dump' and save it as 'ReverseMe2' \n\n\n\nInevitably ,since the binary is packed, then it comes as no surprise that the IAT table is destroyed ,so in order to circumvent this ,we have to rebuild the IAT with 'IMPrec tool' .\n\nso , run ' IMPrec" and then select the process of "ReverseMe" from the running process list and past the value that we have copied previously into the 'OEP' of IMPrec and click on 'IAT AutoSearch' and then on'Get Imports ', finally click on 'Fix dump' and select the executable "ReversMe2.exe" and it will be saved as "ReversMe2_.exe"\n\n\nThe important thing is that during these steps you have to be very careful ,otherwise the entire thing does not work . \n#Finding the Flag \n\nAfter unpacking the binary ,now we are ready to reverse engineer it ,so load the "ReverseMe2_.exe"into olly and select "search for ->all intermodular calls" then right click on "getdigitemtextA" API and click on "set breakpoint on every call to getdigitemtextA" and run the program (F9) : \n\n\nhere , just put an email address and serial number and click on "OK",and you will hit the breakpoint on the first "getdigItextitem" api just step over them .\n\nLEA EAX,DWORD PTR SS:[EBP-340] ; loads eax with memory address of the email \nPUSH r_.0040FD0C ;push the memory address of '@' charchter \nPUSH EAX ;push memory address of the email \nCALL r_.004013A0 ; this routine checks to see whether email string contains '@'or not ,\nADD ESP,8 ; removes the addresses of email and '@' from the stack \nTEST EAX,EAX ; checks the return value of the previous routine \nJE SHORT r_.00401144 ; jumps if eax contains 0 \nLEA EAX,DWORD PTR SS:[EBP-340] ; loads eax with memory address of the email \nPUSH r_.0040FD34 ; push the memory address of '.' charchter \nPUSH EAX ; push memory address of the email \nCALL r_.004013A0 ; this routine checks to see whether '@blabla.tn 'string contains '.'or not \nADD ESP,8 ;removes the addresses of '@blabla.tn 'string and '.' from the stack \nTEST EAX,EAX ; checks the return value of the previous routine \nJE SHORT r_.00401144 ;jumps if eax contains 0 \nLEA EAX,DWORD PTR SS:[EBP-340];loads eax with memory address of the email \nPUSH r_.0040FD34 ;push the memory address of '.' charchter\nPUSH EAX ;push memory address of the email \nCALL r_.004013A0 ; the same routine previously called \nADD ESP,8 ;removes the addresses of '@blabla.tn 'string and '.' from the stack\nCMP BYTE PTR DS:[EAX+1],0;compares the first char after the '.' with 0 \nJE SHORT r_.00401144 ;jumps if nothing after the point charachter \n LEA EAX,DWORD PTR SS:[EBP-340] ; loads eax with memory address of the email \n PUSH r_.0040FD0C; push the memory address of '@' charchter \n PUSH EAX ;push memory address of the email\nCALL r_.004013A0 ; this routine checks to see whether email string contains '@'or not\nADD ESP,8\n CMP BYTE PTR DS:[EAX+1],2E ; compares the char after '@' with the '.'char\n JNZ SHORT r_.0040114E ; else jump to serial checking routine \n PUSH r_.0040FD10 ; ASCII \"Your E-mail address in not valid.\"\nJMP r_.004012A5 ; jump to nag \nMOVQ MM0,QWORD PTR DS:[40FD70] ; loads MM0 with adress of \"registration fail\"\n LEA ECX,DWORD PTR SS:[EBP-240] : loads ECX with the our serial \nMOV AL,BYTE PTR DS:[ECX] ; moves the byte which ecx is pointing to , to AL\n INC ECX ; r_.0040FD0D increments the address that ECX contains\nTEST AL,AL ; checks whether AL contains 0 or not \n JNZ SHORT r_.00401192 ; if not jump back and increment ECX \nSUB ECX,EDX ; subtract ecx from edx \nCMP ECX,10 ;checks the length of the serial \nJNZ r_.004012A1 jump to nag if the length is not 16\nCMP BYTE PTR SS:[EBP-240],42 ; compare the first char with 'B'\nJNZ r_.004012A1 : if not equal jump to nag \n MOVSX EAX,BYTE PTR SS:[EBP-231] ; moves the last char of the entered serial to EAX\n \nADD EAX,42 ; adds eax with 42 \nCMP EAX,9B ; and cmp it with 9b ,so the last char should be 9B - 42 = 59 which is 'Y'\nJNZ r_.004012A1 else jump to nag \n \nMOVSX ECX,BYTE PTR SS:[EBP-23F] ; it loads the second char\nLEA EAX,DWORD PTR DS:[ECX-3] ; loads eax with ord(second char) - 3\n CMP EAX,57 ;cmp it 57 ,that means the second char should be 57 + 3 = 5A which is 'Z'\nJNZ r_.004012A1 else jump to nag \nMOVSX EAX,BYTE PTR SS:[EBP-232] ; loads the 15h to eax char\nADD EAX,ECX ; adds eax with 5A\nCMP EAX,9B ; the 15 element should be 9b - 5A = 41 the char is 'A'\nJNZ r_.004012A1 else jump to nag \nMOVSX ECX,BYTE PTR SS:[EBP-23E] ; load the 3rd char\n LEA EAX,DWORD PTR DS:[ECX+1] ; ord(3rd char)+1\nCMP EAX,3A ; 3 rd char is 39 = '9'\nJNZ r_.004012A1 else jump \nMOVSX EAX,BYTE PTR SS:[EBP-233] load the 14th char\nADD EAX,ECX ;\n CMP EAX,9B ; the 14th char is 62h = 'b'\nJNZ r_.004012A1 else jump to nag \nCMP BYTE PTR SS:[EBP-23D],64 ; the 4th char is 'd'\nJNZ r_.004012A1 else jump \n MOVSX EAX,BYTE PTR SS:[EBP-234] ; loads the 13 char\n ADD EAX,64\n CMP EAX,9B ; the 13 th char is 37h = '7'\nJNZ SHORT r_.004012A1 else jump to nag \nCMP BYTE PTR SS:[EBP-23C],6D ; the 5th char is 'm'\nJNZ SHORT r_.004012A1 else jump to nag \nMOVSX EAX,BYTE PTR SS:[EBP-235] ; loads eax with 12th char\nADD EAX,81\nCMP EAX,0C8 ; 12th char is c8 - 81 = 47h ..'G'\nJNZ SHORT r_.004012A1 ; nag \n MOVSX ECX,BYTE PTR SS:[EBP-23B] ; loads the 6th char\nLEA EAX,DWORD PTR DS:[ECX-2D] ; \nCMP EAX,44 ; the 6th char should be 44 + 2d = 71 = 'q'\n JNZ SHORT r_.004012A1 else jump nag \nMOVSX EAX,BYTE PTR SS:[EBP-236] ; the 11th char\n ADD EAX,ECX ; r_.0040FD0D\nCMP EAX,0AA ;the 11char is AA - 71 = 39h = '9'\nJNZ SHORT r_.004012A1 ; nag \nCMP BYTE PTR SS:[EBP-23A],34 ; the 7th char is '4'\nJNZ SHORT r_.004012A1 ;nag\nMOVSX EAX,BYTE PTR SS:[EBP-237] ; loads the 10th char\nADD EAX,34\nCMP EAX,9B ; 10th char is 9b - 34 = 67h = 'g'\nJNZ SHORT r_.004012A1 ;nag\nCMP BYTE PTR SS:[EBP-239],63 ;the 8th char is 'c'\n JNZ SHORT r_.004012A1 ;nag\nMOVSX EAX,BYTE PTR SS:[EBP-238] ; the \n ADD EAX,63\nCMP EAX,9B ; the 9th char is 9b - 63 = 38h = '8'\n \n JE SHORT r_.004012BB ; get past the nag screen \n\nWell , after putting the chararcters in order ,the serial should be like this : == = 'BZ9dmq4c8g9G7bAY' ==\n\n\n That's it basically , the reverseme is very simple , the serial checking routine ain't that complicated , it is something that is learnt with time as you practice with machine instructions .\n\nSo I am expecting your valuable feedback and suggestions for betterment . \n