Tuesday, 28 January 2014

Nullcon HackIm 2014 Reverse-1

This was a easier one though i had to dig a bit.

Question : Find the flag hidden not so deep inside.

link : http://ctf.nullcon.net/data/2014/lev/re/win32_input.zip

Ah now lets get back to work. :-)

First thing load in olly to patch it and load in IDA to understand program flow.This is my way of solving reverse engineering challenges for windows.

In IDA if u look at strings window u find this ")T(+,*'))$&T(Y)*#(+&#+)$%'T+&#(T" repeated 4 times and 1 accompaning the string FLAG.By running the exe u can find that it prints out "FLAG:)T(+,*'))$&T(Y)*#(+&#+)$%'T+&#(T",so It goes to the 4th ")T(+,*'))$&T(Y)*#(+&#+)$%'T+&#(T".Well now we will check what is making it print it and you can see that in olly similarly these calls before it prints the string FLAG:")T(+,*'))$&T(Y)*#(+&#+)$%'T+&#(T"
Click to enlarge..I have written comments..so check it out..
NOP the Call..


Move to 401000 and check what happens there..add a breakpoint after the loop to check that u r close to the flag :-D

you see the string ..wait check down its not yet over u see the calculations happening..IDA has a feature to view source code . before i realized abt the call i had found the pseudo code and had coded down myself and had found half the flag. "_AND_MOOOOO" ok lets check it..use step into and go on u see the contents adding to stack..WAIT oh crap its the string i mentioned before :-D lol..Yes it is and thats the key.Enjoyed solving this coz i actually found the flag reverse order for a reverse engineering question :-D
FLAG : 6a589746613a5f670583086124a8305a_AND_MOOOOO

No comments:

Post a Comment

enter valid comments.Suggestions are most welcome and would be interested in correcting my mistakes.