Friday, 27 September 2013
Thursday, 26 September 2013
Crackmes [Reverse] - TRVCrackme v1.0 (MIPS) [Very easy level]
In this task we are given a binary compiled for the MIPS architecture. Therefore, to execute it you have to find a workstation with a MIPS CPU or emulate its behaviour. Of course you can produce a keygen without even executing it, because the logic is quite straightforward. By the time I managed to execute it I had already understood what it does.
Monday, 23 September 2013
CSAW CTF Quals 2013 - Reverse 500 - Impossible
Task:
Impossible - 500 Points
Solved by 82 teams.
WTF, his hp is over 9000! Beat the game to get your key.
impossible.nds
In this task we are provided with an image of a Nintendo DS cartridge with a game. The task clearly says we have to win, probably by cheating. First I installed an IDA loader for .nds files (you can find it on the net), but this didn't help me a lot: there was a lot of ARM code and no clue how to get to the flag.
Sunday, 22 September 2013
CSAW CTF Quals 2013 - Reverse 400 - keygenme
Task:
keygenme - 400 Points
Solved by 100 teams.
nc 128.238.66.219 14549
keygenme32.elf
We are given an x86 ELF executable. It takes 3 arguments (username, token1, token2) and prints whether they are good (*<:-)) or not ( :-( ). In this task we need to write a keygen that communicates with the judges' server, which sends a username to the keygen, and then sends back a valid token pair for each username.
Labels: CSAW CTF 2013, CTF, keygen, ptrace, Reverse, Reverse Engineering, solution, write-up, x86
Tuesday, 17 September 2013
Crackmes [Reverse] - kaliba CrackMe [very easy level]
In this task we are provided with a binary that asks for a serial code.
After you provide some arbitrary serial number, the application rejects it. You would have to be quite lucky to guess it.
Saturday, 14 September 2013
Crackmes [Reverse] - second keygenme [Very Easy level]
In this task we are provided with a Windows binary. We have to understand how it works and provide a valid registration name/serial number pair, or write a keygen. This program simply asks for those two strings (name/serial) and, if the serial code is wrong, it terminates.
Sunday, 8 September 2013
Exploit exercises - Protostar - Net 3
The last network level is a bit more challenging; there are a couple of traps here. The idea of the program is this: it reads a 16-bit length of the upcoming input, then reads that many bytes. The first byte of the input must have the value 23 to proceed to the login function. The buffer with the input data is passed as an argument to the login function.
Labels: endianness, exploit-exercises, gdb, network, protostar, solution, strace, write-up
Exploit exercises - Protostar - Net 2
The third network level requires summing 4 integers provided by the server and sending back the result. Nothing special, just use of the pack and unpack methods.
Exploit exercises - Protostar - Net 1
The next level requires converting a binary integer to its string representation. All we have to do is read 4 bytes, convert the bytes to an int and then convert it into a string. Ruby's String class has an unpack method to do the required transformation.
Exploit exercises - Protostar - Net 0
In this task we have to work with byte ordering and ways to send/receive bytes. I won't explain endianness here, because there are a lot of good internet sources that cover it (e.g. wiki).
The task binary sends a number and waits for us to provide the little-endian version of it. Our task is to get the number from the incoming message, convert it into binary form and send it back. To get the number you will probably want to use a regular expression that cuts out the contiguous digit string between the quotation marks. Then a fast solution in Ruby is to use the pack method of the Array class, which converts the integer into its binary form. Then we just send it and receive the congratulation message.
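Shown below, as an added example that is not the blog's own code, are the three pack/unpack conversions the Net 0, Net 1 and Net 2 write-ups describe. The exact prompt wording, the quote characters and the raw 4-byte little-endian message layout are assumptions; the server socket handling is left out.

```ruby
# Added example (not the blog's code): the conversions behind Protostar
# Net 0, Net 1 and Net 2, using Ruby's pack/unpack. "V" is the pack
# directive for a 32-bit unsigned little-endian integer.

# Net 0: pull the quoted decimal out of the prompt and return it as
# 4 little-endian bytes. Assumed prompt shape: ...'12345'... (single or
# double quotes); the regex ignores everything else in the message.
def net0_reply(prompt)
  digits = prompt[/["'](\d+)["']/, 1]
  raise ArgumentError, "no quoted number in prompt" unless digits
  [Integer(digits)].pack("V")
end

# Net 1: the server sends a raw 4-byte little-endian integer (assumed
# format); reply with its decimal string representation.
def net1_reply(raw4)
  raise ArgumentError, "expected 4 bytes" unless raw4.bytesize == 4
  raw4.unpack("V")[0].to_s
end

# Net 2: four raw little-endian 32-bit integers arrive back to back
# (assumed format); reply with their sum packed the same way. The sum is
# reduced modulo 2**32 so it still fits the 4-byte field.
def net2_reply(raw16)
  raise ArgumentError, "expected 16 bytes" unless raw16.bytesize == 16
  total = raw16.unpack("V4").sum % (2**32)
  [total].pack("V")
end
```

The modulo in net2_reply is the edge case to keep in mind: four 32-bit values can overflow, and sending a 5-byte or 8-byte answer to a server that reads exactly 4 bytes fails silently.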
Friday, 6 September 2013
Exploit exercises - Protostar - Heap 3
In the heap 3 task, 3 portions of memory are allocated on the heap. Then 3 command-line arguments are copied into them without bounds checking, and later the allocated memory is freed. We are supposed to exploit the Doug Lea (dlmalloc) way of allocating and deallocating memory. There is a nice online page with a description of how to exploit it.
Exploitation is based on the fact that, while memory is being freed, if there is a free block next to the one being freed, the free function merges the two blocks and writes some metadata at addresses it calculates from their headers. That means we can make free overwrite a value at a user-provided address after corrupting the metadata of the allocated blocks. We have to make free think that the previous block is free and change the metadata to influence the address calculation. In the task, the blocks are allocated in the way pictured on the image:
Labels: buffer overflow, exploit, exploit-exercises, got, heap, plt, protostar, shellcode, solution, write-up
Wednesday, 4 September 2013
Exploit exercises - Protostar - Heap 2
In this task we are able to control the sequence of malloc and free operations. Also, the binary seems to differ from the source, because the binary allocates too little memory for the auth struct: if you type auth 1, only 4 bytes are allocated for the whole 36-byte auth structure. So if we are able to create another structure that has a nonzero byte at offset 32 we will get the flag. Let's allocate the service struct, which has no size limit and therefore can overwrite auth at offset 32 from the auth pointer.
Exploit exercises - Protostar - Heap 1
In this task there are a few more calls to the malloc function. As we can see, the first strcpy is able to overwrite all the other allocated data except the first allocation. The data is allocated in the way shown on the picture.
The next strcpy takes its destination address from the allocated memory and writes the second argument there. So we can overwrite an arbitrary place in memory.
Since the main function calls puts after the second strcpy has finished, and the winner function doesn't use puts, we can overwrite the GOT entry for puts to redirect execution flow to winner.
Tuesday, 3 September 2013
Sunday, 1 September 2013
ASIS CTF 2013 - Forensics 100 - pcap
Task:
Find the flag. file
You can download the missing parts of pcap forensic challenge from here:
053dc897d3e154dd5ed27c46b738850d
21eae902cf5b82c7b207e963a130856d