Tuesday, 24 April 2012

Uniten Hack@10 2012 binary write-up (ex02)

Continued from here

Now lets analyze the second binary.

It looks and behaves identically with the first one, we could simply try to backtrack to the check function through searching for static texts "Correct" and "Wrong".

This time, we try to search for all jumps to the "Wrong" section. Do this with Right Click at 013D111D > Find References to > Selected command

The results shows that only one jump is referred to this function. This could mean that there are only one check for this binary. But, we cant still be too sure as checks does not necessarily have to jump straight to the "Wrong" section. Lets go and see our jump over there with Right Click > Follow in Disassembler

A compare of EAX is what the binary checks for. But 467BB09B is a static number, so there must be some calculation done beforehand. Lets see what calculation is there.

That looked pretty short, we could just try to reverse this function to get EAX = 467BB09B. Lets see where our input goes. Place a breakpoint at 013D10D7, and run the check by pressing the check button at our binary. After the application stops at our breakpoint, look for the EAX value to see what if it holds.

So the application stops at our breakpoint. We've spotted our input string at our stack. But strangely enough, EAX is 0 at this point. Lets put a breakpoint higher to see how the binary process our input. Right click at 013D10C6 > Breakpoint > Toggle. Let the application finish running by pressing F9 once.

 After clicking the check button for the second time, we should land at our new breakpoint. The grey lines at the right column indicates that the binary will be going through some sort of function call. Looks like there are 3 arguments for this function call. Lets see if we can find our input string in any of them. Press F7 to step into instruction and Ollydbg will show the values of the argument as it passes through the respective operands.

While Arg3 and Arg2 shows nothing really interesting, Arg1 is the pointer to our input string. This means that our input string will be processed before going to the check function. Lets just skip the CALL function at 013D10D2 for now. Skip it by pressing step-over (F8) instead of step-into.

Unsurprisingly, our EAX is still zero for the input string "testing". Lets try with another input "123abc" and run the application to our breakpoint.

This is our new string, getting ready for the process function. We'll just step over the CALL function and see if EAX holds anything other than 0.

Aha! Finally, our input string has affected EAX. "123ABC" is available in hexadecimal, so the process function must have literally converted our input string to hexadecimal value. So now that we know we can set EAX to a hexadecimal value, we can surely obtain the flag by reversing the check function to find out what value produces the "Correct" statement.
A good knowledge in assembly is required to reverse the check function. For this example, I would translate the assembly instructions into C instructions, so that we can reverse it in C and see what EAX should be.

These are the assembly instructions that we need to reverse:
ADD EAX,45370DF7
ADD ESP,0C ; We can safely remove this operand, it has nothing to do with EAX

Notice the ROL EAX, 5 operand. This operation is a bitwise rotation operation, and is not available at most higher level languages, even in C. But theres a workaround to it, a simple two shift and or operation could do the trick.

int rol(unsigned int x, int n)
        return ((x >> (32-n)) | (x << n)); //32 for 32 bits

Now lets prototype a C program that does the same as the binary.

int rol(unsigned int x, int n)
        return ((x >> (32-n)) | (x << n)); //32 for 32 bits

int main()
        int a = 0;
        a = a + 0x45370DF7; //ADD EAX,45370DF7
        a = a ^ 0xAAFBBCBE; //XOR EAX,AAFBBCBE
        a = a + 0x0D1507BA; //ADD EAX,0D1507BA
        a = rol(a, 5);      //ROL EAX,5 
        a = a ^ 0xBA14C823; //XOR EAX,BA14C823
        printf("%X", a);
        return 0;

To test our code, we should try input a = 0 first, so we can check whether the result is equals as per our binary's check procedure.

Remove all previous breakpoints. Set a new one at our CMP function just before the conditional jump.
Set the binary to check for "testing" or any other invalid hexadecimal strings so that EAX = 0, which is equals to a = 0 in our C code.

Now we have obtained the value of EAX as what it should be if the starting value of EAX is 0. Lets see if our application gets the same result.

Yes! 2623E85C is exactly what we're looking for. So now that we have successfully ported the assembly codes to C codes, we could reverse our C code to obtain the flag.
ROL function is a bit rotate-left function, so we must first define ROR function in C that does the exact opposite of ROL.

int ror(unsigned int a, int n)
        return (a >> n) | (a << (32-n));

It's done, so lets reverse everything else :
int main()
        int a = 0x467BB09B; // obtained from CMP EAX,467BB09B
        a = a ^ 0xBA14C823; // a = a ^ 0xBA14C823;
        a = ror(a, 5);      // a = rol(a, 5);
        a = a - 0x0D1507BA; // a = a + 0x0D1507BA;
        a = a ^ 0xAAFBBCBE; // a = a ^ 0xAAFBBCBE;
        a = a - 0x45370DF7; // a = a + 0x45370DF7;
        printf("%X\n", a); 
        return 0;

Well, we've scored another! :)

Uniten Hack@10 2012 binary write-up (ex01)

As these binaries are neither packed nor had implemented anti-debugging, so I lazily used the back-tracking method to obtain the flags. For most easy binaries, it should not be a problem.

You can get the binaries right here.
Tools required : OllydbgPEiD.
Prior knowledge required : Assembly language (x86), basic debugging, windows.
Note : Addresses in this tutorial could differ from yours. If so, use your addresses instead of mine.

Lets start:

It is a good practice in reverse engineering, that we scan PEs for the signature, packer and compiler information.
This is what PEiD found for all 6 binaries :

Nothing really interesting here, except for ex05.exe which is a C# program. By chance, we could decompile it easily if it had not been protected.

So lets start with the first binary. Fire up your debugger, and open ex01.exe.

By default, Ollydbg should automatically break at the program's Entry Point, if you had not fiddle with the debugging options. Just run the application with F9.

Well, the dialog had shown up. As we can see, Answer is where we put the password or flag, and status would show either we got it right or wrong. Lets try with the word "testing".

Not surprisingly, we've got it wrong. Notice the "Wrong!!" text, I would assume this is stored as static text in the binary. Static texts are searchable with ollydbg as it automatically analyzes pointers to consecutive  printable ASCII characters sequences.

Open up memory map with ALT-M.
Then right click at the ".text" section of ex01, and click on "View in CPU Disassembler":

Then, right click at anywhere on CPU window, choose Search for > All referenced strings

There you can see, Ollydbg has found several static strings made up of ASCII values. "Correct!!" and "Wrong!!" are the strings that we're looking for. Right click on "Correct!!", and Follow in Disassembler.

We now landed on the part of the program where it produces "Correct" and "Wrong". Our objective here is to analyze the "check" procedure of the binary, and intercept its logic so that we can obtain the flag.

Notice the "CMP EDX,14" and "JNE SHORT 0132112E" opcodes.
0132112E is the address where the program changes its status to "Wrong!!". This must be some sort of a check. A wild guess, this could be checking the input length. If our input is not 20-characters-long (14 for hexadecimal), it would jump straight to "Wrong". So our EDX must be exactly 14 at the compare operand.

Scroll up, we can see that there are some looping going around (Ollydbg indicates it with the black lines going from jump operand upwards).

Curiously, we can see that the bigger loop also have a conditional jump procedure which jumps to "Wrong!!". This must another check. So what does it check for? We can determine it by the compare operand above.

The compare operand checks 
[EDX+132300C] with AL. So either one of these parameters could be the pointer to our flag. 
So lets place a breakpoint at 013210E0 to find out. Right click at 013210E0 > Breakpoint > Toggle:

After placing a breakpoint, the address 013210E0 should be highlighted in red. This indicates that if the program executes at the address, Ollydbg would interfere and stop the program's execution, and start debugging. It would wait for user input to step-in and execute instructions. Press the Check button over our binary so that it runs through the check procedure. The process would halt as debugger has caught its thread.

We start at 013210E0.

The opcode at 013210E0 is "MOV AL,BYTE PTR SS:[EDX+ESP+0C]"
This indicates that AL will obtain data from the pointer [EDX+ESP+0C] which is in our stack. This could be our flag. Lets see what is in there. Right click, Follow in Dump > Memory address.

Aha! We have found our input string. So if AL is our input string, the latter must be our flag. Lets see what does the next instruction do with AL.

An XOR! This is definitely important. The next compare operand should point to our flag. Press F7 to step into the instructions. Stop at the compare operand.

So now we have arrived at the compare instruction, we could directly access to the data in [EDX+132300C]. Right click, Follow in Dump > Memory address.

This is the dump at [EDX+132300C]. Select 20 (remember the length check) first bytes, and copy it with Right Click > Edit > Binary copy

So now that we have our encrypted flag, we should decrypt it with the same encryption which is XOR 65. A simple python script could achive this:

string = [  0x32, 0x00, 0x09, 0x06, 0x0A, 0x08, 0x00, 0x45, 
   0x11, 0x0A, 0x45, 0x2D, 0x04, 0x06, 0x0E, 0x25, 
   0x54, 0x55, 0x44, 0x44 ,0x65  ]

result = ""
for i in string:
 result += chr(i^0x65)
print result

Congratulations, you have just captured the first flag:

Reverse binary & Assembly

Caveats: This tutorial runs for intel's x86 architecture. Also, windows.

For those who are new on the subject, let me shed some light for you. Reverse engineering is the art of inspecting, intercepting, interrupting, or manipulating application's inner workings. Even with obfuscations and protections, nothing can really be hidden from the prying eyes of determined cracker whose intention is nothing but to tear application's innards apart. This is simply because of one rule. If the application needs to be working, it has to be truthful to the machine. It just could not achieve its task without revealing itself to the machine beforehand.  And then,  in between the application and hardware, there is the Operating System, drivers, and software. This is where crackers come in. Through applications such as Ollydbg and Immunity Debugger, you not only can gain control to program's flow and logic, you can also produce a patched software with your own programming included.

Assembly language
Assembly is the closest language to machine language (If you could crack a complicated binary with mere machine language, you sir, has win). High level languages are always translated into assembly language through an assembler, before the machine could comprehend the programming. Assembly language has human readable operation codes (opcodes) such as MOV, ADD, and JMP. Basic operations available are divided into 3 groups, eg: Logic, Arithmetic, and Jumps.

Assembly can be quite simple if you can understand its logic. In fact, it can be the most efficient programming language you'll ever know. For these upcoming tutorials, understanding basic assembly language is a MUST. Otherwise, you could have hard times understanding the details in reversing binaries.

So, here goes the first lesson:

Memory and registers
Unlike high-level languages which uses variables, assembly has two locations to store its numbers which are: Memory and Registers. And then there are flags. They are boolean variables that holds either true or false. Some instructions sets flags, and some instruction uses flags in its operation. Memory are pretty much direct forward, I will explain them later. Registers are something that you should pay attention to. In intel x86, available registers are as follows:

Each register has its own, constant name, which is:
EAX, EBX, ECX, EDX, ESI, EDI, ESP, and EBP. They are all 32-bits. AX, BX, CX, and DX are 16 bits. AH and AL are the corresponding 8 bits sections of AX, for which AH is the higher 8 bits and AL is the lower 8 bits. This goes for all AX, BX, CX, and DX registers with their own High and Low representatives.

Size is IMPORTANT when it comes to assembly. Assembly language does not have data types, it treats every data as raw bits and bytes, thus overflowing must be handled manually for most times. There are specific instructions to handle data between different sizes, which, I leave to yourself to explore.

Assembly indirectly interact with your RAM through Virtual Memory. If you're not familiar with the concept of memory addressing, do read this.

All assembly instructions have syntax just like other languages. The syntax in assembly operations are either 0, 1 or 2. This syntax could be destination, source, or quantity (count).

A language that is very close to assembly is C. C is almost the little brother of assembly. Understanding C would be very helpful as C is a considerably low-level language which programmers could explicitly use pointers, just like assembly.

Lets start with the first operation in assembly. MOV.

MOV EAX, 1000

The MOV instruction has a Destination and Source parameter. This MOV instruction has EAX as its destination and 1000 as its source. In this example, 1000 is a static number. NOTE: Most applications show assembly numbers in Hexadecimal, instead of decimal. Thus, 1000 in decimal is 4096. In C, the code would look like this:

int main()
     int a = 0x1000; // 0x1000 is hexadecimal

With MOV instruction, you could move data between registers to registers, registers to memory, and vice versa. Example for memory instruction:

;Assume that 0x00400000 is already allocated with R/W page access
MOV EAX, 00400000
MOV [EAX], 500

Note the brackets. Those are the indicator to write to memory at given address. They will tell the machine to treat EAX as a pointer to memory address. In this example, this code will input the address 0x00400000 into eax, and then modify 32-bit of data in 0x00400000 into 0x500.

In C:

int main()
        int *eax = (int*)0x00400000;
        *eax = 0x500;

Running this code will most probably crash your program. Why? 0x00400000 could be unallocated memory address in your program. Running it will simply produce memory access exception.

To read data from memory addresses, you could simply do this:

MOV EAX, [00400000]
This would read a 32-bit content at 0x00400000 and then transfer it to EAX.

In C:

int main()
       int *eax = (int*)0x00400000;
       printf("%d", eax);

Now for control flows in assembly.

CMP operand sets flags that are then used to make conditional jump instructions' decisions. This is equivalent to "if (...), then" in other languages. There is unconditional jump operand, which is the JMP. Conditional jumps are the ones that are important to decide a program's flow. Such jumps are like:

JE (Jump if equal)
JNE (Jump if not equal)
JL (Jump if lower)
JA (Jump if higher)
And so on.. this is a simple wiki of conditional jumps

MOV EAX, 1000
CMP EAX, 1000
JE 00800000
MOV EAX, 0 ; This code will never be executed
;Some codes here
This example will set and then compare EAX to 0x1000. EAX IS equal to 0x1000, so JE will accept the condition as TRUE (ZF = true) and execute the jump. Hence, EAX will never be set to 0, as the code will never be executed.

C equivalent:

int main()
      int eax = 0x1000;
      if (eax == 0x1000) 
            eax = 0; // This will never be executed

That is all that I have to teach you for now, things are better for you yourself to explore. Do read up more on assembly.