[Reverse] Simple code deoptimization

In this post I would like to write about code deoptimization strategies and where it may be needed.

First of all there is quite a little use of deoptimization and that is why I haven't found anything about it in the Internet. Usually developer should write the fastest running code that is possible. Therefore if he/she writes very inefficient code that will cause program to delay on simple functions and that developer will be fired or noone will accept such performance.

CSCAMP CTF Quals 2013 - Reverse 150 write-up

In this task we are given a x86-64 binary that prints a string.

CSCAMP CTF Quals 2013 - Reverse 100 write-up

Unfortunately tasks currently are unavailable, so I cannot copy task and its name.

We are given a .NET application (You can verify this using file utility.) which checks password. You can try to guess it, but this won't help you anyhow.

Crackmes [Reverse write-up] - Trojaner's Patch/InjectMe write-up (DLL injection)

Task from crackmes:

Patch or Inject it with a DLL, so that it will show the goodboy message :)
Happy Hacking!

Hacklu CTF 2013 - Reverse 150 - RoboAuth

Task:

Oh boy, those crazy robots can't catch a break! Now they're even stealing our liquid gold from one of our beer tents! And on top of that they lock it behind some authentication system. Quick! Access it before they consume all of our precious beverage!

Download: https://ctf.fluxfingers.net/static/downloads/roboauth/RoboAuth.exe

Flag: password1_password2

Sharif CTF Quals 2013 - Exploiting 200 - sweet

Task:

nc ctf.sharif.edu 15478

Download

This service accepts our input and echoes it using variant of printf function. As you might have already understood there will be a format string vulnerability.

Sharif CTF Quals 2013 - Exploiting 100 - mellow

Task:

nc ctf.sharif.edu 61451

Download

We have a simple service that accepts our input and if it doesn't allow us to get a flag it shutdowns the connection.

Sharif CTF Quals 2013 - Reverse 300 - HelpMe

Task:

Download

We are provided with a Java archive (jar) that can be used to encrypt a file using an AES block cipher.

Sharif CTF Quals 2013 - Reverse 200 - Reverse200

Task:

Download

We are provided with an x86 ELF executable that crashes while trying to decrypt a key.

Sharif CTF Quals 2013 - Reverse 100 - Vault

Task:

Download

In this task we have to open a huge lock. We are provided with .NET binary and the task is the same as usual: get a flag!

Sharif CTF Quals 2013 - Steganography 200 - muse

Task:

Another hidden message!

Download

 We are provided with the mp3 "Knights of Cydonia" song by Muse. This container should have something hidden, therefore it is task on audio steganography topic, let's capture the flag.

How to execute ELF file compiled for MIPS architecture on x86_64 Windows?

In order to execute MIPS binary we will need to emulate architecture that it was compiled for. A good solution to accomplish this is using the QEMU emulator.

Crackmes [Reverse] - TRVCrackme v1.0 (MIPS) [Very easy level]

In this task we are given a binary compiled for MIPS architecture. Therefore to execute it you have to find workstation that have MIPS architecture or emulate its behavior. Of course you can produce keygen without even executing it, because the logic is quite straighforward. By the time I managed to execute it I have already understood what it does.

CSAW CTF Quals 2013 - Reverse 500 - Impossible

Task:

Impossible - 500 Points

Solved by 82 teams.

WTF, his hp is over 9000! Beat the game to get your key.
impossible.nds

In this task we are provided with an image of the Nintendo DS cartridge with a game. The task clearly says we have to win probably cheating. Firstly I installed IDA loader for .nds files (You can find it in the net) but this haven't helped me a lot: there were a lot of ARM code and no clues how to get to the flag.

CSAW CTF Quals 2013 - Reverse 400 - keygenme

Task:

keygenme - 400 Points

Solved by 100 teams.

nc 128.238.66.219 14549
keygenme32.elf

We are given a x86 ELF executable. It takes 3 arguments(username, token1, token2) and prints whether they are good(*<:-)) or not. ( :-( ). In this task we need to write a keygen that will communicate with judges server, which sends username to keygen, and then send them valid token pair for each username.

Crackmes [Reverse] - kaliba CrackMe [very easy level]

In this task we are provided with a binary that asks for a serial code.

After you provide some arbitrary serial number, application rejects it. You may be quite lucky to guess it.

Crackmes [Reverse] - second keygenme [Very Easy level]

In this task we are provided with a windows binary. We have to understand how it works and provide a valid registration name/serial number pair or write a keygen. This program simply asks for those two strings(name/serial) and if the serial code is wrong, it terminates.

Exploit exercises - Protostar - Net 3

Last network level is a bit more challenging. There are a couple of traps here. The idea of the program is like that: it reads length(16-bit) of the future input, then reads that amount of bytes. First byte of the input should have the value of 23 to proceed to login function. Buffer with input data is used as an argument to the login function.

Exploit exercises - Protostar - Net 2

Third network level requires to sum 4 integers and send result. They are provided by the server. Nothing special just use of pack and unpack methods.

Exploit exercises - Protostar - Net 1

Next level requires to convert binary integer to its string representation. All we have to do is read 4 bytes, convert bytes to int then convert it into string. Ruby have unpack method of String class to do required transformation.

Exploit exercises - Protostar - Net 0

In this task we have to work with byte ordering and ways to send/receive them. I wouldn't tell about endianness because there are a lot of good internet sources that cover it. (e.g. wiki ).

Task binary sends a number and waits when we will provide little endian version of it. Our task is to get number from incoming message, convert it into binary form and then send it backwards. To get numbet you will probably want to use regular expression which will cut out contiguous digit string between quotation marks. Then there is a fast solution in Ruby to use pack method of the Array class which allows to convert integer from string to binary. Then we will just send it and receive congratulation message.

Exploit exercises - Protostar - Heap 3

In the heap 3 task 3 portions of memory are allocated on the heap. Then 3 command-line arguments are copied without bounds checking and later the allocated memory is freed. We are supposed to exploit Doug Lea way of allocation and deallocation of memory. There is a nice online page with a description of the way how to exploit it.

Exploitation is based on the fact that while memory is being freed, if there is a free block next to the one that is being freed, free function merges two blocks and write some metadata at the calculated addresses. That means that we can make free function overwrite value at the user provided address after corrupting metadata of the allocated blocks. We should make free think that previous block is free and change metadata to influence address calculation. In the task blocks are allocated in a way that is pictured on the image:

Exploit exercises - Protostar - Heap 2

In this task we are able to control the sequence of malloc and free operations. Also the binary seems to be different from the source because binary allocates not enough memory for the auth struct. If you write auth 1, only 4 bytes are allocated for a whole 36 bytes auth structure. So if we are able to create another structure that has nonzero byte at 32-byte offset we will get a flag. Let's allocate service struct that has unlimited size and therefore can overwrite auth at offset 32 from auth pointer.

Exploit exercises - Protostar - Heap 1

In this task there is a bit more calls to malloc function. As we can see first strcpy is able to overwrite all other allocated data except first allocation. Data allocated in a way that is shown on the picture.

Next strcpy gets address from the allocated memory and write there second argument. So we can overwrite an arbitrary place in memory.
Since main function uses puts function to print something after second strcpy was finished and the fact that winner function doesn't use puts function, we can overwrite address in GOT for puts to move execution flow to the winner.

ASIS CTF 2013 - Reverse 200 - Masterpiece

Task:

file

ASIS CTF 2013 - Forensics 100 - pcap

Task:

Find the flag. file

You can download the missing parts of pcap forensic challenge from here:
053dc897d3e154dd5ed27c46b738850d
21eae902cf5b82c7b207e963a130856d

ASIS CTF 2013 - Forensics 75 - rm-rf

Task:

We have received a usb flash backup. Which file the flag is in?
file

ASIS CTF 2013 - Forensics 25 - spcap

Task:

spcap = simple pcap
Find the flag. flag

ASIS CTF 2013 - Reverse 150 - License Key

Task:

Find the flag. file

ASIS CTF 2013 - Reverse 100 - RPS

Task:

Play Rock-Paper-Scissors game with dice! file

ASIS CTF 2013 - Reverse 75 - Serial Number

Task:

Enter the correct serial number file.

ASIS CTF 2013 - Reverse 50 - Simple Binary

In "Simple binary" task teams were provided a MS-DOS binary that asked for 6 numbers.

ASIS CTF 2013 - Stego 50 - Fragmentation

In the first stegano task there was given a picture of a class board. As the task title says the flag is probably split into couple of fragments.

Task

Exploit exercises - Protostar - Heap 0

Heap 0 level teaches us that variables that are placed in a heap are referenced by different addresses in memory far from stack. Two sequential allocations have a high probability to be one after the other in memory. We can exploit this by overflowing buffer.

Format String vulnerability exploiting - General algorithm

I would like to sum up the format section tasks with some general algorithm that is probably will be good to solve easy tasks for this kind of vulnerability. You can try to apply this algorithm if you are sure that application has a format string vulnerability.

Exploit exercises - Protostar - Format 4

Last level of the format section was more interesting. It supposed you to change code execution sequence. Immediately after printf is called there is a call to exit() function. But in order to reuse code in memory there is a PLT(procedure linkage table) that redirects execution to the place according the address of the specified function in GOT (Global Offset Table). Since .plt section in or binary is read-only and jump is made after address dereference we have to change a value that this address references to our value. This article contains very detailed description of PLT, GOT, PIC(Position Independent Code).

Exploit exercises - Protostar - Format 3

Format 3 was quite easy after the way I've tried to solve Format 0 :) . Third task in format section required to write four bytes into specific location in memory.

Exploit exercises - Protostar - Format 2

Format 2 was quite easy, even easier than format 1 for me. All you need is to write appropriate byte to the target address.

Exploit exercises - Protostar - Format 1

Format1 task differs from format0 task in a way where target variable is located. In this case target is located in .bss segment.

Exploit exercises - Protostar - Format 0

This task was quite educating for me. It contained very simple buffer overflow vulnerability that should be done via format string in less than 10 bytes of input.

Exploit exercises - Protostar - Stack 5

After a lot of effort spend on trying to exploit this simple program (http://www.exploit-exercises.com/protostar/stack5) I've finally executed root shell.

Here are some difficulties that I have encountered: