NcN 2015 CTF - theAnswer Writeup

1. Overview

Is an elf32 static and stripped binary, but the good news is that it was compiled with gcc and it will not have shitty runtimes and libs to fingerprint, just the libc ... and libprhrhead
This binary is writed by Ricardo J Rodrigez

When it's executed, it seems that is computing the flag:

But this process never ends .... let's see what strace say:

There is a thread deadlock, maybe the start point can be looking in IDA the xrefs of 0x403a85
Maybe we can think about an encrypted flag that is not decrypting because of the lock.

This can be solved in two ways:

• static: understanding the cryptosystem and programming our own decryptor
• dynamic: fixing the the binary and running it (hard: antidebug, futex, rands ...)

At first sight I thought that dynamic approach were quicker, but it turned more complex than the static approach.


2. Static approach

Crawling the xrefs to the futex, it is possible to locate the main:

With libc/libpthread function fingerprinting or a bit of manual work, we have the symbols, here is the main, where 255 threads are created and joined, when the threads end, the xor key is calculated and it calls the print_flag:

The code of the thread is passed to the libc_pthread_create, IDA recognize this area as data but can be selected as code and function.

This is the thread code decompiled, where we can observe two infinite loops for ptrace detection and preload (although is static) this antidebug/antihook are easy to detect at this point.

we have to observe the important thing, is the key random?? well, with the same seed the random sequence will be the same, then the key is "hidden" in the predictability of the random.

If the threads are not executed on the creation order, the key will be wrong because is xored with the th_id which is the identify of current thread.

The print_key function, do the xor between the key and the flag_cyphertext byte by byte.

And here we have the seed and the first bytes of the cypher-text:

With radare we can convert this to a c variable quickly:

And here is the flag cyphertext:

And with some radare magics, we have the c initialized array:

radare, is full featured :)

With a bit of rand() calibration here is the solution ...

The code:
https://github.com/NocONName/CTF_NcN2k15/blob/master/theAnswer/solution.c

3. The Dynamic Approach

First we have to patch the anti-debugs, on beginning of the thread there is two evident anti-debugs (well anti preload hook and anti ptrace debugging) the infinite loop also makes the anti-debug more evident:

There are also a third anti-debug, a bit more silent, if detects a debugger trough the first available descriptor, and here comes the fucking part, don't crash the execution, the execution continues but the seed is modified a bit, then the decryption key will not be ok.

Ok, the seed is incremented by one, this could be a normal program feature, but this is only triggered if the fileno(open("/","r")) > 3 this is a well known anti-debug, that also can be seen from a traced execution.

Ok, just one byte patch,  seed+=1  to  seed+=0,   (add eax, 1   to add eax, 0)

before:

after:

To patch the two infinite loops, just nop the two bytes of each jmp $-0

Ok, but repairing this binary is harder than building a decryptor, we need to fix more things:

•  The sleep(randInt(1,3)) of the beginning of the thread to execute the threads in the correct order
•  Modify the pthread_cond_wait to avoid the futex()
• We also need to calibrate de rand() to get the key (just patch the sleep and add other rand() before the pthread_create loop

Adding the extra rand() can be done with a patch because from gdb is not possible to make a call rand() in this binary.

With this modifications, the binary will print the key by itself. 

Related news

1. Hacking Tools Pc
2. Hacker Tools List
3. Hacker Techniques Tools And Incident Handling
4. New Hacker Tools
5. Android Hack Tools Github
6. Pentest Tools List
7. Pentest Tools Free
8. Best Hacking Tools 2020
9. Pentest Tools Website
10. Hack Tools
11. Hacker Tools Mac
12. Free Pentest Tools For Windows
13. Hacker Tools For Pc
14. Hacker Tools 2020
15. Hack Website Online Tool
16. Hacking Tools Windows 10
17. Hacker Tools Free
18. Game Hacking
19. Hack Tools
20. Tools 4 Hack
21. Hack Tools For Ubuntu
22. How To Install Pentest Tools In Ubuntu
23. Hacker Tools For Pc
24. Pentest Tools Find Subdomains
25. Hacker Tools 2019
26. Hack Tools Github
27. Hacker Security Tools
28. Kik Hack Tools
29. Pentest Tools Nmap
30. Tools Used For Hacking
31. Ethical Hacker Tools
32. Kik Hack Tools
33. Pentest Tools Find Subdomains
34. Pentest Tools Find Subdomains
35. Tools For Hacker
36. Hacker Tools Hardware
37. Pentest Recon Tools
38. Hacking Tools Download
39. Hacker Tool Kit
40. Pentest Tools Review
41. Hacker Tools
42. How To Make Hacking Tools
43. Hack Tools
44. Hacker
45. Hack Tools For Ubuntu
46. Black Hat Hacker Tools
47. Hack Tool Apk No Root
48. Hacker Tools Software
49. Hacking Tools For Beginners
50. Hacking Tools Hardware
51. Hacker Tools Apk
52. Hack Website Online Tool
53. Hack Tools
54. Bluetooth Hacking Tools Kali
55. Hacking Tools For Kali Linux
56. Ethical Hacker Tools
57. Pentest Tools
58. Pentest Reporting Tools
59. Hack Tools Github
60. Kik Hack Tools
61. Hackrf Tools
62. Hacking Tools And Software
63. Pentest Tools Linux
64. Pentest Tools Kali Linux
65. Growth Hacker Tools
66. Physical Pentest Tools
67. Hak5 Tools
68. Hacker Tools Windows
69. Hacking Tools Windows
70. Pentest Tools Download
71. Pentest Tools Subdomain
72. Nsa Hacker Tools
73. Hack Tools For Pc
74. Hacking Tools
75. Hacking App
76. Hacking Tools Hardware
77. Hack Apps
78. Nsa Hacker Tools
79. Hacking Tools Free Download
80. Hacker Tools Windows
81. Pentest Tools Framework
82. Hack Tool Apk
83. Hacking Tools Windows 10
84. Hacking Tools Pc
85. Hacker
86. Termux Hacking Tools 2019
87. Hack Tools For Windows
88. Pentest Box Tools Download
89. How To Install Pentest Tools In Ubuntu
90. Hacker Tools Online
91. Bluetooth Hacking Tools Kali
92. Hacking Tools For Mac
93. Hacker Tools Free
94. Hacker Tools For Windows
95. Hacker Hardware Tools
96. Hacker
97. New Hacker Tools
98. Easy Hack Tools
99. Best Pentesting Tools 2018
100. Pentest Tools Apk
101. Hacking App
102. Hack Tool Apk
103. Hacking Tools For Beginners
104. Computer Hacker
105. Hacking Tools For Mac
106. Hacker Tools 2020
107. Best Hacking Tools 2019
108. Hacker Techniques Tools And Incident Handling
109. Hack Tools For Mac
110. Pentest Tools
111. Hacker Search Tools
112. New Hacker Tools
113. Hacker
114. Hack Tools Download
115. Pentest Tools
116. Tools 4 Hack
117. Install Pentest Tools Ubuntu
118. Hak5 Tools
119. Hacker Tools Free Download
120. Pentest Tools Github
121. Pentest Tools Subdomain
122. Hack Tools For Mac
123. Pentest Tools Android
124. Hacking Tools Free Download
125. Hack Tools Mac
126. Hack Tools Download
127. Hacking App
128. Pentest Recon Tools
129. Hacking Tools Kit
130. Hacking Tools Windows
131. Nsa Hack Tools
132. Hack Tools For Windows
133. World No 1 Hacker Software
134. Hack Tools Pc
135. Hack Tools Online
136. Pentest Tools List
137. Hacker Tools 2019
138. Hack Tools
139. How To Make Hacking Tools
140. Pentest Tools Find Subdomains
141. How To Install Pentest Tools In Ubuntu
142. Hacker Search Tools
143. How To Hack
144. Physical Pentest Tools
145. Pentest Tools Bluekeep
146. Hacker Tools
147. Pentest Tools Nmap
148. Pentest Tools For Ubuntu
149. Pentest Tools Nmap
150. Bluetooth Hacking Tools Kali
151. Hacking Tools Kit
152. Pentest Tools Url Fuzzer
153. Pentest Tools For Mac
154. Hack Tool Apk No Root
155. Hack Tools Pc
156. Tools For Hacker
157. Hacking Tools
158. Hack Tools Download
159. Hack And Tools