picoCTF[Reverse Me — 300] & a little explanation about linux executable

b33f_k4r4g3#kazuya
7 min readNov 6, 2019

--

hello guys so today i am just wanted to make some write about CTF, so today i want to create write about how to solve reverse Me with 300 point so in this reverse category all you need to do is knowing what the program actually do for processing some string or some logic, in this problem you will be given 2 files there is .txt file that you need to reverse the string(make a decryptor for the cipher text) so in this reverse me problem, you will be given .txt and the binary, first let’s see about .txt when you open it it will show:

the string that you need to encrypt

so to get the flag all you need to do is analyse the problem how can they change this string how will this program process it and how can they make something like that, how can they manage the output like that, and don’t forget the second file is the program to make this string basically is an ELF (or to make it simple linux executable), let’s start the reversing things first you can check what is this file using file command in linux.

file

in this command file we can find the true information about the file, from this command we can know if this file is an elf with 64 bit version, x86–64 version 1 (SYSV), not stripped, what is this today i just want to explain some about linux binary so we can see in this picture let me explain for you partially:

Header File

so in here we can see if the header file is ELF but if you are ever hear something about magic number ELF have it too you can use one tools in linux it’s called readelf

you can use it just by typing readelf -h filename, but in here you need to focus for the header 7F 45 4C 46 02 01 01 00 00 00

this is the header of the ELF file each one of them have their definition, 45=E, 4c=L, 46=f and prefixed with 7F, after that 02 it’s mean the class if 02 then it’s 64-bit but if it’s 01 it will be 32-bit, next is the first 01 it will explain something about the byte order is it LSB(Least Significant Byte) or MSB(Most Significant Byte) if 02 then it’s MSB, after this it’s 01 again but it’s just explain about the version of this ELF currently we are using the version 1 so nothing interesting to remember from this section

after that let us see about what is ABI ? ABI Version ? this section will explain about SYSV

ABI(Application Binary Interface)

each operating system have their own common list of similiar function, in addition they need to specify ones or at least minor differences between them, and in this section they are all are described and translated into something and already set in ABI(Application Binary Interface), in this way operating system and application both now what to expect and function are correctly forwarded, these 2 fields are described version of the ABI and the SYSV, what is SYSV, is called UNIX System V is one of commercial version of UNIX operating system, so in this section we will know if the output will be shown as System V.

next is type:

there is a lot of type that will explain about what will that file work there is 4 in the common list of file:

  • CORE (value 4)
  • DYN (Shared object file), for libraries (value 3)
  • EXEC (Executable file), for binaries (value 2)
  • REL (Relocatable file), before linked into an executable file (value 1)

well after this i want to explain about program section but in a row of general knowledge you need to know first in a program there is 3 common section :

  1. Program Headers
  2. Section Headers
  3. data

next is i want to tell you about how to solve the picoCTF challenge first you need to analyse the program, i am using IDAPro v7.0 to reverse it and disass it.

IDAPro output

first that all you need to know that IDAPro can make an pseudocode that will be looks like C but i will not recomend this because if you are read assembely you will know the algortihm more fast then you are seeing the syntax in pseudocode

picture 1
picture 2
picture 3
picture 4

huh it’s sucks and make your head dizzy right but if you aren’t like to read them from raw assembly you can prefer to read them in pseudo code but it will affect you when you are want to do the patching technique to make sure you can do that you must now what kind of instruction in assembly that you want to patch to the program.

first let us take sharp look in the conditon of the string, you will find it at what this program do first this program is reading some file from picture one and this instruction

push rbp
mov rbp, rsp
sub rsp, 50h
lea rsi, modes ; “r”
lea rdi, filename ; “flag.txt”
call _fopen
mov [rbp+stream], rax
lea rsi, aA ; “a”
lea rdi, aRevThis ; “rev_this”
call _fopen
mov [rbp+var_20], rax
cmp [rbp+stream], 0
jnz short loc_11CE

with reading this instruction you will know if this program is reading the file from flag.txt and then they will append something to rev_this file and after that they will compare the stream, while stream it self it’s the function that open flag.txt they will said if you are doesn’t have them then they will refered to picture 2, it will “No flag found, please make sure this is run on the server” and if they are found the rev_this this program will just make an output “please run this on the server”.

next thing is we know this program is using the .txt file as a temper to write something that they process in this program but second thing is you need to know about how the algorithm is developed in here, if it’s something like that you can see the picture 4 process they have

loc_124C:
mov eax, [rbp+var_C]
cdqe
movzx eax, [rbp+rax+ptr]
mov [rbp+var_1], al
mov eax, [rbp+var_C]
and eax, 1
test eax, eax
jnz short loc_126F

in here they need to do create a looping to process the string after that they will compare the the eax with 1 they will test if the eax will be 0 or not zero if they are not zero then they will jump to short loc_126f.

loc_126F:
movzx eax, [rbp+var_1]
sub eax, 2
mov [rbp+var_1], al

they will jump into here if the condition are meet. in this part we can find if they will have somekind of string they will sub it with 2, you can also translate into eax[i] = eax[i]-2. if they doesn’t meet the conditon to jump they will go to the next line after the special jump instruction this is really tricky but this is the natural of assembly.

movzx eax, [rbp+var_1]
add eax, 5
mov [rbp+var_1], al
jmp short loc_1279

if they are going to this line then the process will be diffrent from that condition of jump it will add the string with 5, the assumption is

if(eax & 1){

somechar -= 2

}else{

somechar += 5

}

if you are already get what i mean then the next step is we are just need to create an program to process the string that we need to solve.

here is my program

i am using python here and make some contracdiction logic from the real logic so we can get the string

after you are run the script then the output will be looks like this picture

so the answer of this challenge is picoCTF{r3v3rs32ccdd282}

so that’s it for today, thanks for taking your time to read this article, please let me know if there are a wrong explanantion in here and well sorry because i am not good in english.

resource:
https://linux-audit.com/elf-binaries-on-linux-understanding-and-analysis/

https://reverseengineering.stackexchange.com/questions/3815/reversing-elf-64-bit-lsb-executable-x86-64-gdb

--

--

b33f_k4r4g3#kazuya

hey ho, i am from indonesia, reverse engineering newb, CTF Player, Penetration tester and well in the end i am just a simple otaku ~ehe