
CTF write-up

ALEX CTF RE5: packed movement [ 350 ]

marshimaro aSiagaming 2017. 7. 6. 22:00

[ Practising my bad English -_- lol ]


This is an interesting reversing challenge.

Let me describe why it is interesting.



The binary is a 32-bit ELF, dynamically linked.

It is also UPX-packed.

So I unpacked it first -> [ upx -d move ]




While analyzing the unpacked binary, I found something interesting.

It was built with movfuscator (an obfuscating compiler).


What is the movfuscator?


You can get more information here: https://github.com/xoreaxeaxeax/movfuscator


It compiles a program into mov instructions only -> nothing but mov.

A so-called single-instruction binary.


When you disassemble this binary, you see the graph view below.




This is the graph view of the _start() function.

As you can see, it installs two signal handlers (SIGSEGV, SIGILL).





The program runs through an abnormal control flow: with no jumps available, the signal handlers are what move execution around.

So how do we solve this?





Analyzing it dynamically with gdb is not much use because of that abnormal flow (the SIGSEGV/SIGILL handlers fire constantly).

The program reads a string from us, and we have to work out what string it expects.

So I analyzed it statically with IDA Pro and Binary Ninja.





First, I looked at the string list in IDA Pro.

"Wrong Flag1\n" is interesting.

Its cross-references are a good starting point.





As you can see, many places in .text reference it.

I picked the first one and analyzed it.





A few instructions above, you can see this:

mov R2, 'A' (0x41), which presumably compares the first character of my input with 'A'.

So I decided to use objdump.





Probably all of these immediates are ASCII values.

So I parsed them out of the objdump output with grep.




And wrote a simple Python script to put the characters together.
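As an added example (my code, not the author's script from the post), here is a small Python script that does the objdump-and-grep step in one place: it scans `objdump -d` output for mov instructions with an immediate source operand, keeps the immediates whose bytes are all printable ASCII, and joins them in address order. The sample objdump text is constructed to look like the comparison the write-up describes; it is not the challenge binary's real disassembly. The script goes slightly beyond the post by also decoding multi-byte immediates little-endian, because a packed string constant shows up in the disassembly that way. On a real movfuscated binary expect noise (small constants in the 0x20..0x7e range used as table indices also pass the filter), so the result is a candidate string to read by eye, as in the post.

```python
import re
import sys
from typing import Iterator, List, Optional, Tuple

# Constructed sample of `objdump -d` output (AT&T syntax, 32-bit) shaped like
# a movfuscated comparison: immediates that are ASCII codes of the expected
# characters, mixed with ordinary address/table immediates as noise.
# This is NOT real output from the challenge binary.
SAMPLE_OBJDUMP = """\
 080480a0 <.text>:
 80480a0:\ta1 00 c0 04 08       \tmov    0x804c000,%eax
 80480a5:\tc7 05 10 c0 04 08 41 00 00 00 \tmovl   $0x41,0x804c010
 80480af:\tc7 05 14 c0 04 08 01 00 00 00 \tmovl   $0x1,0x804c014
 80480b9:\tc7 05 10 c0 04 08 4c 00 00 00 \tmovl   $0x4c,0x804c010
 80480c3:\tb8 00 c0 04 08       \tmov    $0x804c000,%eax
 80480c8:\tc7 05 10 c0 04 08 45 00 00 00 \tmovl   $0x45,0x804c010
 80480d2:\tc7 05 10 c0 04 08 58 00 00 00 \tmovl   $0x58,0x804c010
 80480dc:\tc7 05 10 c0 04 08 43 54 46 7b \tmovl   $0x7b465443,0x804c010
"""

# One objdump line: "<addr>:<tab><bytes><tab>mov[lbw] $0x<imm>,<dest>".
# Captures the instruction address and the hex immediate. This is the
# programmatic version of a grep such as:
#   objdump -d move | grep -E 'mov[lbw]?\s+\$0x[0-9a-f]+,'
MOV_IMM = re.compile(r"^\s*([0-9a-f]+):.*?\bmov[lbw]?\s+\$0x([0-9a-f]+),", re.M)


def immediates(objdump_text: str) -> Iterator[Tuple[int, int]]:
    """Yield (address, immediate) for every mov with an immediate source."""
    for m in MOV_IMM.finditer(objdump_text):
        yield int(m.group(1), 16), int(m.group(2), 16)


def is_printable(b: int) -> bool:
    return 0x20 <= b <= 0x7E


def decode_immediate(value: int) -> Optional[str]:
    """Return the immediate as text if every byte of it is printable ASCII.

    A single byte gives one character; a wider immediate is decoded
    little-endian, which is how a packed string literal appears in a
    32-bit immediate. Anything with a non-printable byte (addresses,
    small counters, zero) is rejected.
    """
    if value == 0:
        return None
    raw = value.to_bytes((value.bit_length() + 7) // 8, "little")
    if all(is_printable(b) for b in raw):
        return raw.decode("ascii")
    return None


def ascii_immediates(objdump_text: str) -> List[Tuple[int, str]]:
    """All printable immediates in address order, with the address they came from."""
    found = []
    for addr, value in immediates(objdump_text):
        text = decode_immediate(value)
        if text is not None:
            found.append((addr, text))
    return found


def candidate_string(objdump_text: str) -> str:
    """Join the printable immediates into one candidate string to inspect by eye."""
    return "".join(text for _, text in ascii_immediates(objdump_text))


if __name__ == "__main__":
    # Usage: python3 mov_strings.py <objdump -d output file>; without an
    # argument the constructed sample is used.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OBJDUMP
    for addr, text in ascii_immediates(source):
        print(f"{addr:08x}: {text!r}")
    print(candidate_string(source))
```

Run it as `objdump -d move > move.txt && python3 mov_strings.py move.txt`. Because movfuscator reuses the same scratch locations for every comparison, the immediates come out in the order the program compares them, which is why simply joining them in address order reproduces the expected input.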


The flag is ALEXCTF{M0Vfusc4t0r_w0rk5_l1ke_m4g1c}



Sorry for the bad English haha
