jjencode - Javascript Obfuscation


Today I tried a challenge where I needed to decode jjencode text. I knew it was JavaScript obfuscation, but I could not find the right decoder at first because I was searching with the wrong keyword. Lol!

Once I found the decoder, I decoded the text and got the flag. An example is the challenge soooomixeddd, where I needed to decode jjencode.

So how do you make JavaScript unreadable? This web page can help you do so; there are many websites and tools that provide this service. Keep in mind that jjencode is a reversible encoding, not encryption: the obfuscated script still has to rebuild and execute the original source, so it only slows a reader down. To decode it, you can use tools such as python-jjdecoder or Decoder-JJEncode.

For example :

Javascript code :

window.alert("Hello Programmer!");

jjencode :

$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+"\\"+$.__$+$.$$_+$.$$$+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$_$+$.$$_+$.$$_$+$._$+"\\"+$.__$+$.$$_+$.$$$+"."+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"(\\\"\\"+$.__$+$.__$+$.___+$.$$$_+(![]+"")[$._$_]+(![]+"")[$._$_]+$._$+"\\"+$.$__+$.___+"\\"+$.__$+$._$_+$.___+"\\"+$.__$+$.$$_+$._$_+$._$+"\\"+$.__$+$.$__+$.$$$+"\\"+$.__$+$.$$_+$._$_+$.$_$_+"\\"+$.__$+$.$_$+$.$_$+"\\"+$.__$+$.$_$+$.$_$+$.$$$_+"\\"+$.__$+$.$$_+$._$_+"!\\\");"+"\"")())();

jjdecode :

window.alert("Hello Programmer!");

Simple and clean. 
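
As an added example (not code from the original post, and not the python-jjdecoder or Decoder-JJEncode projects), here is a small Python decoder that statically undoes jjencode's fixed prologue so the original script can be read without executing any JavaScript. It assumes the default `$` variable name and uses the encoded string above as its input.

```python
import re

# Property values that jjencode's fixed prologue assigns to `$`: digits from ++$,
# letters from coercions such as (![]+"")[1] == "a", and "o", "t", "u" reassigned
# while it spells out "constructor" and "return".
JJ_PROPS = {
    "___": "0", "__$": "1", "_$_": "2", "_$$": "3", "$__": "4", "$_$": "5",
    "$$_": "6", "$$$": "7", "$___": "8", "$__$": "9",
    "$$$$": "f", "$_$_": "a", "$_$$": "b", "$$_$": "d", "$$$_": "e", "$$__": "c",
    "_$": "o", "__": "t", "_": "u", "$$": "return", "$_": "constructor",
}
# Strings that the coercion pattern (X+"")[n] indexes into.
COERCED = {"![]": "false", '!""': "true", "{}": "[object Object]", "$[$]": "undefined"}
COERCE_RE = re.compile(r'^\((!\[\]|!""|\{\}|\$\[\$\])\+""\)\[\$\.([$_]+)\]$')
# jjencode wraps the payload as Function(Function("return\"" + payload + "\"")())()
PAYLOAD_START = '$.$($.$($.$$+"\\""+'
PAYLOAD_END = '+"\\"")())();'

def split_top_level(expr):
    """Split a JS concatenation on '+' signs not nested in (), [] or a string literal."""
    tokens, buf, depth, in_str, i = [], [], 0, False, 0
    while i < len(expr):
        ch = expr[i]
        if in_str:
            buf.append(ch)
            if ch == "\\":                  # keep an escaped char with its backslash
                buf.append(expr[i + 1]); i += 1
            elif ch == '"':
                in_str = False
        elif ch == "+" and depth == 0:
            tokens.append("".join(buf)); buf = []
        else:
            in_str = ch == '"'
            depth += (ch in "([") - (ch in ")]")
            buf.append(ch)
        i += 1
    tokens.append("".join(buf))
    return tokens

def eval_token(tok):
    """Evaluate one concatenation operand to the string jjencode meant by it."""
    if tok.startswith('"'):                 # literal: drop the backslash of \" and \\
        return re.sub(r"\\(.)", r"\1", tok[1:-1])
    if tok.startswith("$."):
        return JJ_PROPS[tok[2:]]
    m = COERCE_RE.match(tok)
    if m:
        return COERCED[m.group(1)][int(JJ_PROPS[m.group(2)])]
    raise ValueError("unrecognised jjencode token: " + tok)

def unescape_js_string(s):
    # The inner Function("return\"...\"") turns \NNN octal escapes into characters
    # and \" / \\ into " / \; do the same here without running any JavaScript.
    return re.sub(r"\\(?:([0-7]{1,3})|(.))",
                  lambda m: chr(int(m.group(1), 8)) if m.group(1) else m.group(2), s)

def jjdecode(src):
    """Statically recover the JavaScript that a jjencode string would execute."""
    start = src.index(PAYLOAD_START) + len(PAYLOAD_START)
    end = src.index(PAYLOAD_END, start)
    inner = "".join(eval_token(t) for t in split_top_level(src[start:end]))
    return unescape_js_string(inner)

# The encoded string shown above, i.e. jjencode's output for window.alert("Hello Programmer!");
SAMPLE = r'$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+"\\"+$.__$+$.$$_+$.$$$+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$_$+$.$$_+$.$$_$+$._$+"\\"+$.__$+$.$$_+$.$$$+"."+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"(\\\"\\"+$.__$+$.__$+$.___+$.$$$_+(![]+"")[$._$_]+(![]+"")[$._$_]+$._$+"\\"+$.$__+$.___+"\\"+$.__$+$._$_+$.___+"\\"+$.__$+$.$$_+$._$_+$._$+"\\"+$.__$+$.$__+$.$$$+"\\"+$.__$+$.$$_+$._$_+$.$_$_+"\\"+$.__$+$.$_$+$.$_$+"\\"+$.__$+$.$_$+$.$_$+$.$$$_+"\\"+$.__$+$.$$_+$._$_+"!\\\");"+"\"")())();'

if __name__ == "__main__":
    print(jjdecode(SAMPLE))
```
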
UiTM CTF 2015 - soooomixeddd


You are given a text file containing this script. Obviously it is JavaScript.

<script language=javascript>document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E'));dF('%264Diunm%264F%261B%264Difbe%264F%261B%264Dtdsjqu%2631uzqf%264E%2633ufyu0kbwbtdsjqu%2633%264F%261Bgvodujpo%2631tipx%60bmfsu%2639%263%3A%261B%268C%261Bbmfsu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tdsjqu%264F%261B%264D0ifbe%264F%261B%264Dcpez%264F%261B%261B%264Djoqvu%2631uzqf%264E%2633cvuupo%2633%2631podmjdl%264E%2633tipx%60bmfsu%2639%263%3A%2633%2631wbmvf%264E%2633Hppe%2631Mvdl%2632%2632%2632%2631%266F%60%266Fz%2633%26310%264F%261B%261B%264D0cpez%264F%261B%264D0iunm%264F1')</script>
Then change the file extension from .txt to .html and open the file in a web browser. You will see a button "Good Luck..."; press it and a string pops up. Copy and paste it anywhere to see the whole string.


From here you need to tell Base32 from Base64. Base32 uses only uppercase letters and digits, while Base64 mixes uppercase and lowercase letters, digits and a couple of other characters. Both may end with =, == or nothing. So this is Base32; when we decode it, we get PHP code.

So just edit it to display the string that will be deobfuscated, open the file in your browser and you will get this string.


After that I tried to decode it with Base64 and got another weird string.

After some research on that weird string, I found a website that mentioned obfuscation. I did not know which language's obfuscation this was. So I tried PHP, no luck. Tried JavaScript. Yes!
Here is the output :
5930753472332430213333377a44754433436f6e4772415432546831734953666c3467thisisnottheanswerbutyouareNEAR 
So here just decode the hexadecimal and you get the flag.
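
Rather than renaming the file to .html and letting the browser run it, the first two layers can be peeled statically. The following Python is an added example (not from the original write-up) that re-implements the page's `dF()` routine; the layer-1 argument is taken from the script above, and since the middle of the `dF()` argument is cut in the copy above, only its visible head (with the trailing shift digit 1 that the full argument ends with) is decoded here.

```python
import re

def js_unescape(s):
    """Python equivalent of JavaScript unescape(): decode %XX and %uXXXX sequences."""
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def decode_dF(s):
    """Static re-implementation of the page's dF(s): the last character is a digit
    used as a shift, the rest is unescaped, every char code is reduced by that
    shift, and the result is unescaped once more before document.write()."""
    shift = int(s[-1])
    s1 = js_unescape(s[:-1])
    t = "".join(chr(ord(c) - shift) for c in s1)
    return js_unescape(t)

# Layer 1 as it appears on the page: the argument of document.write(unescape(...)).
OUTER = "%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E"
# Head of the dF() argument as visible on the page (its middle is cut in the copy
# above), plus the trailing shift digit "1" that the full argument ends with.
DF_HEAD = "%264Diunm%264F%261B%264Difbe%264F%261B%264Dtdsjqu%2631uzqf%264E%2633ufyu0kbwbtdsjqu%2633%264F%261Bgvodujpo%2631tipx%60bmfsu%2639%263%3A%261B%268C%261Bbmfsu" + "1"

def peel():
    """Return (layer-1 source that defines dF, decoded head of the layer-2 HTML)."""
    return js_unescape(OUTER), decode_dF(DF_HEAD)

if __name__ == "__main__":
    layer1, layer2 = peel()
    print(layer1)
    print(layer2)
```
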

Uniten Hack@10 Binary ex03

For this challenge I will explain what I did to solve it, even though it is quite easy if you really understand how the program works.

So of course the first step is to check whether it is packed or unpacked with PEiD.


So it shows nothing found? Does that mean nothing to worry about? Haha. The second step is to run strings on the program to check for any weird or interesting strings. Nothing interesting for me except this.


Then we open the program in OllyDbg and try to run it with dummy input.


Sure enough, it was wrong. Then I tried to search for referenced strings, but got no clue, since the output strings "Wrong" and "Correct!!" did not show up. So I searched in the Memory Map (Alt+M), then double-clicked .text.


After searching and searching, I found the "Correct" and "Wrong" strings!


So I set a breakpoint at the JBE instruction at 0x0119292C. Then I ran the program again with dummy input to check whether it stops at our breakpoint or not.

No! It still displays the "Wrong" status, which means it did not stop at our breakpoint. When we click on the "Wrong" section, we can see in the Hint Pane that the jump to the "Wrong" section comes from two addresses, 0x01192915 and 0x0119292C.



0x0119292C is the breakpoint we just set. The other one is not, so we need to set a breakpoint at 0x01192915 too, which is a JNZ instruction. After that, just give dummy input to see whether it stops at our new breakpoint.

Yeah, it stops at 0x01192915! From the instruction there, it compares register AX with BX; if they are equal it continues to the next instruction, if not it goes to the "Wrong" section.

So we just change the zero flag so that we can continue. Then we reach our second breakpoint, where it compares the EAX register with the constant value 0F (15 in decimal), followed by JBE (jump if below or equal), so I assume it compares the length of the string. If the string length is below or equal to 15 it goes to the "Wrong" section, else it continues to the "Correct" section. From there we just need to reverse the steps to get the string.

Going back to our first breakpoint, we know it compares the AX and BX registers, so we need to know how AX and BX get their values. From the CPU window, there are 2 functions that are called before the comparison happens.


So we set a breakpoint at both functions and then analyse what happens when each function is called with our dummy input.

Then we reach the first function and press F7 to step into the called function.

So here is the function 1 procedure.


So we just step through the function procedure and then return. From my understanding, the algorithm just encodes the input string into 4 bytes. Below is the C code that I translated.


Then we go to the second function and try to understand the algorithm. Based on my understanding, the EAX register will change to 7EEF, and 60 bytes are reserved on the stack. We can see that they put values on the stack out of order. After all the values are on the stack, they execute an XOR instruction around 0x28 (40) times.



Then return, and compare the AX register with the BX register. So that is how the program works:

1) Encode the string into 4 bytes and return it. EAX holds the 4-byte value, which is then moved into the EBX register.

2) Then the second function places some values on the stack, does some XORs and returns.

3) Compare AX and BX.

I assume our string is maybe 40 characters. Why? Because it is weird to reserve bytes on the stack and XOR 40 times otherwise.

And also at step 3, the AX value is always 7EEF, while the BX value depends on our input. So if we can make a string that generates the value 7EEF after encoding, it would be nice!

So I tried to reverse the encoding function, but no luck! Haha. I spent around 2 days trying to reverse the algorithm. I also put a breakpoint at the first instruction of both functions.

First function


Second function


Then my luck came: when I restarted the program and ran to each breakpoint, I found an interesting string in the first function's procedure before the program started!



"This message is encrypted with blowfish"
I just copied the string and entered it into our program.


Yeah! Finally got the answer.

So I assume all of this is the Blowfish cipher algorithm, which is why it was hard to reverse. Haha.

But my technique was not so efficient, since I was just lucky to see the string before the program started.. But it was a fun challenge!


Self-Study material - example 1 (Basic explanation)


Since I just wrote a note about assembly on TBD, I am simply copying and pasting it here. Haha. For future reference.

This is based on the notes given by @ZackStark at http://forum.tbd.my/topic/13451/self-study-material-sempena-bengkel-rce-2016. I only want to discuss the basics you need to know to understand the examples given there. So my explanation is in English, and some of the information is just copied from other websites, but I actually rewrote it for my own understanding.




The above is the template for x86 assembly language. I will explain it line by line.

1. .386    =    This is an assembler directive; it tells the assembler to use the 80386 instruction set. There are other instruction sets such as .486 and .586, but the safest is to stick to .386.

2. .MODEL Flat, STDCALL    =    .MODEL is an assembler directive that specifies the memory model of your program. Under Win32 there is only one model, the FLAT model. STDCALL tells MASM about the parameter passing convention. A parameter passing convention specifies the order in which parameters are passed, left-to-right or right-to-left, and also who balances the stack frame after the function call.

The C calling convention passes parameters from right to left, that is, the rightmost parameter is pushed first. The caller is responsible for balancing the stack frame after the call. For example, to call a function named foo(int first, int second, int third) with the C calling convention, the asm code will look like this :

  

3. .DATA
   .DATA?
   .CONST
   .CODE

All of the above are what we call sections. You don't have segments in Win32, remember? But you can divide your entire address space into logical sections. The start of one section denotes the end of the previous section. There are two groups of section, data and code.

   -Data sections are divided into 3 types :


  
   -Code has only one section :

   

  where <label> is an arbitrary label used to specify the extent of your code. Both labels must be identical. All your code must reside between <label> and end <label>.


All of the above explanation I got from http://www.programminghorizon.com/win32assembly/tut1.html. So thanks to them.


Back to example 1, here is the assembly code given :


So we go through it line by line,

1. they use the 80386 instruction set,
2. they use the Flat model as the memory model and STDCALL as the parameter passing convention,
3. include kernel32.inc and include user32.inc: include is a new directive. It opens all the files stated and processes them,
4. .data is where you initialize your program's data. msg_text and msg_caption are our variables, db is define byte, and "Hello world",0 is your string. Why 0? The string is a [null-terminated string](https://en.wikipedia.org/wiki/Null-terminated_string), where the characters are stored as an array that ends with a terminating character, which is 0.

For the db (define byte) explanation :

db (define byte)  = stores one byte
dw (define word)  = stores two bytes
dd (define dword) = stores four bytes

So why does this program use db? Because every character used fits in one byte, which is the range 0-255.

For further explanation you can read http://www.tutorialspoint.com/assembly_programming/assembly_variables.htm.

5. .code, where the <label> is 'main'.
    I have commented some of the code. Okay, first, the four push instructions you see in that code are the parameters that MessageBoxA will receive. Don't understand?

    Okay, here is the C example :



    Why does MessageBox receive 4 parameters?
    refer : https://msdn.microsoft.com/en-us/library/windows/desktop/ms645505%28v=vs.85%29.aspx
    So MessageBoxA receives 4 parameters; after they are pushed onto the stack, the code calls MessageBoxA to process all the parameters, and then it returns a value. About call and ret, maybe you can Google their function, since I also don't understand them very well. Haha.


So that is all for my explanation. I made this as my own notes, so while I am at it I am sharing it with the TBD community. :)

UTPHAX'15 - (ROUND 2) Challenge 3 - Web 1.0

Description :  http://kemboja.utphax.my/YmVjNTMwNGNmYTg0ZGIzZjFlZWY3OGI3/index.html
Point : 100

When opened, there is just nothing on the web page. So view the source to look for any information.

Haa! We got something in the JavaScript. There are some hex strings. When we decode them we get userAgent, substr, length, getElementById, etc.

So we try to understand what they are doing.

Basically, it just takes the value of the userAgent, for example like this :
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
And then compares that value with the plaintext value, which is :
The supreme art of war is to subdue the enemy without fighting.
So now if we change the userAgent value to that string, we can get past the if statement here.


Then change the userAgent (User Agent Switcher for Firefox), refresh the page, and don't forget to edit the HTML page, because there is a CSS rule that makes it display nothing :




Just remove "display:none" or remove id="board" from the div tag. Then you will see an MD5 hash string.


I don't know whether the MD5 hash is the flag, because I did not solve this challenge at the time. Haha.



UTPHAX'15 - (ROUND 2) Challenge 1 - Check The Packets!

Description : Hacker targeting an Apple computer. Give me the Apple's MAC. My email only accepting capital letters. Download the analysis file at http://kekwa.utphax.my/N2ZlNWQ4MDQwMmUxMjQ1OGQwMjRiODRl/senang1.pcap
Point : 100

So this is a network forensics challenge where we need to analyze the pcap file and get the MAC address of the Apple computer.

First, open the pcap file in Wireshark, then type this in the Wireshark display filter :

eth.addr
After that, just search for the word "Apple"; at packet no. 4 we get the Apple MAC address! (The "Apple" label is Wireshark's vendor (OUI) resolution of the first three bytes of the address, so the search works even though that word never appears in the packet bytes.)


Thats our flag!

Flag : 00:16:CB:92:6E:DC

Wargames 2011 - Crypto 200

For this challenge I actually referred to this post.

So this is how I solved this challenge, but I do not know whether the answer I got was correct or not.

First we get an image; just upload it to Google and search for the same picture with the keyword "cipher". I got one image with the same characters, and the cipher's name is the Masonic cipher.

Then, searching for Masonic cipher, Google shows the pigpen cipher, which is another name for the Masonic cipher, so just search for pigpen cipher.

And we get a decoder for the pigpen cipher here. The encoding method is Image: Pigpen ##XX.


After translating all the characters, we get a new ciphered string. Based on p0pc0rn's write-up in this post, it was a substitution cipher. I tried substituting using the letter frequency method, but the translation was quite weird, so I stopped. Then I Googled for a suitable decrypter and found this site. Just paste the ciphertext we got and click the "Solve" button.

And we get the plaintext here.


From the picture we just corrected some words that we could guess. Then, reading the whole text, the interesting part is :

which group was ryan cleary accused or to be associated with? md5 the answer and submit the sum. that is yourflg.

So I just Googled Ryan Cleary and got LulzSec. And it says "md5 the answer and submit the sum." The hint in the description says the flag must be uppercase, so I don't know whether "LulzSec" needs to be uppercase or the MD5. So that's your flag.

[Other Method] UiTM CTF 2015 - Crypto200

You can read this post first. In that post I used CrypTool 2 to solve this challenge. Now I just want to show another way to solve it (actually the same method, but done with a script).

So I found the pygenere script, which is useful when you want to decrypt a Vigenère cipher.

Download the script and put it in the same directory as the code below, saved as vigenere_dec.py.


So just run vigenere_dec.py.


You can see that "UITMCTF" is the key for the encrypted string. After the "UITMCTF" string comes the decrypted string.



[Reverse Engineering] UTPHAX'15 - (FINAL) Challenge 6 - Privacy is no good

Description : Did I buy fake software?!
Point : 300


Why am I making this write-up again? Because I just want to apply my new way of solving this problem, which is of course the better way: reverse engineering. Haha.


So the challenge is to activate the notepad. We open the notepad and try to activate the software with dummy input. Of course we get "Try harder", since we don't know the real key.

Input

Output



So I open the notepad in OllyDbg to study how the program works.


1) Search for referenced strings. Why do I do this? Because I want to look for weird or interesting strings that can help us understand the program better.


We can see strings that catch our attention, especially "The flag is" followed by a word like 1xxmak1xx.... So we know that is maybe our flag.






2) We double-click the "Try harder" string to follow it in the disassembler and get more information about the algorithm. 0x0040373E is where the string "Try harder" is. So we just need to reverse the algorithm to find out how it jumps to this address. At 0x00403733, look in the Hint Pane: it says "Jump from 00402C0F". Yeah, it's a good hint; we know where to go now. Set a breakpoint here so that it is easy for us to check later.




3) We go to the address 0x00402C0F by pressing Ctrl+G or Right click -> Go to -> Expression, then enter our address, 00402C0F. And here we jump to the address. I will set a breakpoint at this address as well.




The instruction at this address is JNZ BukuNota.00403733, so look at the instruction above it, TEST EAX,EAX. TEST EAX,EAX clears the Zero Flag to 0 if EAX is not equal to 0, otherwise the Zero Flag is set. JNZ means jump if not zero, so if the Zero Flag is 0 it jumps to our "Try harder" section at 00403733, otherwise it continues with the instruction below. Of course we want it to continue to the instruction below, right?

4) So we enter our dummy input again, and when it arrives at our breakpoint at 0x00402C0F, we just change the Zero Flag to 1.




I hope you understand the arrows in the picture. Haha. The right arrow is where I double-click the Zero Flag value to change it to 1, which we call setting it. Then we just click Run again, or press F9.

But we still go to the "Try harder" section? Remember we set a breakpoint at the "Try harder" address, 0x00403733? So there must be another condition that leads to the "Try harder" address. We have to find it by clicking at 0x00403733 and seeing where the jump comes from in the Hint Pane.




5) The Hint Pane says "Jump from 00402E4D", so we go to that address to see what happens there.




See that? There are the strings "The" and " Flag"! Okay, relax. We need to bypass the JE instruction first, which leads to our "Try harder" section if the Zero Flag is 1. We just need to change the Zero Flag to bypass the JE instruction!




6) We enter dummy data and change the Zero Flag at the JNZ instruction (0x00402C0F) to 1 and at the JZ instruction (0x00402E4D) to 0, two times each. I don't know why there is a loop. Haha.

So here we got our flag!




I know my method is very simple, just changing the Zero Flag, but it gets the job done, right? And of course it is better than the method I showed in the previous post. After this maybe I will study the algorithm to get the real activation key.

Uniten Hack@10 Binary ex04

Download binaries : binary.zip

Okay, first check the file with PEiD to see whether it is packed or not, and other related information.



It is just a normal, unpacked 32-bit application. So we just need to fire up our debugger to analyse it.

I used the 32-bit version of x64dbg to reverse engineer this program. Run the program in the debugger with dummy input to get the output.



So we get the "Wrong" output. We check those output strings in the string references.



Here we get 2 interesting strings, "Correct!!" and "Wrong!". So I right-click the "Correct!!" string and follow it in the disassembler to go to the address that displays it.



Then check how this program works. Before it goes to the output, whether correct or wrong, we can see some algorithm checking the input.



After going through the algorithm, it is just a simple one made of XOR, shift right and rotate right. Lastly, it compares the result with 0xF298DC9E. So we know that our input, after going through the algorithm, must be exactly 0xF298DC9E to get the correct output. You can see that at address 0x00251112.

So I just wrote my own program in C that acts the same as the program.


Run the program with the value a = 0. Variable 'a' here is the same as the EAX register in the program. We also run the real program in our debugger with the input 0, but before that I set a breakpoint at the comparison at address 0x00251112.

 


You can see that my program's output is the same as the debugged program's! The output is 0xE098D6DA. We know the algorithm, so we just need to reverse it now.

The problem when I wanted to reverse it came when I reached
    a = (c ^ a) + c + a;

Because I don't know where to get the value for variable 'c'. My idea to solve this problem is just to brute-force it! (If you know a better way to reverse it, just comment below.) Haha.

Here is my code in C.



Okay, in this code I just loop up to ULONG_MAX, which on Win32 (where unsigned long is 32 bits) equals 4294967295 or 2^32 - 1. Why 32 bits? Because we want to brute-force the value in the EAX register, and as we know the EAX register holds 32 bits of data, which equals 4 bytes.

After going through all the code, lastly it compares variable 'a' with 0xF298DC9E; if they are equal, it displays our answer!




So we got our answer, 77859328. We try it with the real program.


Got "Correct!!". Yeahh. So that's our flag.

It was really fun to solve this challenge since I am a newbie in this area, and I know my explanation is not as good as other write-ups, since my understanding of assembly language, reverse engineering and other technical parts is so lowwwwww...

References :

1) http://feetsonmyshoes.blogspot.my/2012/04/uniten-hack10-2012-write-up-ex02.html
2) http://justanotherctfnewbie.blogspot.my/2015/11/utphax15-group-stage-round-1-binary.html