Tuesday, October 1, 2013

CSAW 2013 Qualifier - Reversing - CSAW Reversing 2013 1 - 100

For this challenge, we were given a file csaw2013reversing1.exe. As the extension suggests, it was a PE executable. When launched, we saw a window like this, which displayed a garbled message.


I treated the reverse engineering challenges like malware and analyzed them beginning with the end and working my way backward to the front, following calls only one or two levels deep. My reasoning for this is pretty simple. Typically when a program launches, it performs a good deal of prep work: setting variables, checking files, opening sockets, bypassing AV, checking for debuggers, and so on. Near the end is where you'll undoubtedly find the meat of what the program is doing.

Sure enough, near the end of this program I found a function that contained an xor loop. Typically I see this in obfuscated code, where instructions must be decoded by xoring them with a value, and then the malware jumps into the decoded instructions.

The xor loop was referencing a string at 0x408b20, which in 32-bit words looks like this:

AB BC 82 99
A5 B5 9A 84
BF B4 DF 8C
B8 B8 9C 8F
AD B8 97 8B
E5 E7 97 8C
CC DD EE 82
CC DD EE FF

Note that the key used by the xor loop appears at the end of the encoded message. This is how the xor loop knows when to stop, because the key xor'd with itself results in 0. So, a handy tip for anyone who finds themselves with possibly xor'd text and doesn't have the key (say, for programs where the key is given on the command line): try the last 1 to 4 characters (8 for 64-bit programs) as the key.

This was the first time I had used IDA Pro, so I didn't have experience writing IDA scripts (and I'm unsure whether the free version of IDA Pro supports scripting) to do my decoding for me. Since the message was small, I just plugged the numbers in manually using Windows Calc and got:

67 61 6C 66 galf
69 68 74 7B iht{
73 69 31 73 si1s
74 65 72 70 terp
61 65 79 74 aeyt
29 3A 79 73 ):ys
00 00 00 7D }
00 00 00 00

or when rearranged into network order (big endian)...

flag{this1isprettyeasy:)}
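The decoding done above by hand in Windows Calc, as an added Python example (this is not the author's code and not an IDA script; the post says none was written). The word values are the eight dwords listed above, the stop-on-zero rule mirrors the loop's terminator, and recover_from_memory is an assumed helper that implements the "try the last few bytes as the key" tip against a raw memory dump rather than against dwords:

```python
import struct

# The eight 32-bit words the xor loop reads at 0x408b20, as listed in the
# writeup (written here as dword values, the way IDA displayed them).
ENCODED_WORDS = [
    0xABBC8299, 0xA5B59A84, 0xBFB4DF8C, 0xB8B89C8F,
    0xADB8978B, 0xE5E7978C, 0xCCDDEE82, 0xCCDDEEFF,
]


def decode_xor_terminated(words):
    """Mimic the loop: xor each word with the key until the result is 0.

    Returns (key, decoded_words). The key is the final word; key ^ key == 0,
    which is exactly the terminator the loop checks for.
    """
    key = words[-1]
    decoded = []
    for w in words:
        v = w ^ key
        if v == 0:          # reached the key itself: end of message
            break
        decoded.append(v)
    return key, decoded


def words_to_string(decoded_words):
    """Lay each decoded dword out little-endian, i.e. in memory order.

    0x67616C66 -> bytes 66 6C 61 67 -> "flag"; trailing NULs are padding.
    """
    raw = b"".join(struct.pack("<I", w) for w in decoded_words)
    return raw.rstrip(b"\x00").decode("ascii")


def memory_image(words):
    """The bytes as they actually sit in memory (little-endian dwords)."""
    return b"".join(struct.pack("<I", w) for w in words)


def recover_from_memory(blob, key_len=4):
    """Assumed helper for the tip in the writeup: with no key in hand, take
    the last key_len bytes of the dump as the key, xor the whole blob with
    it, and keep everything up to the first NUL.

    key_len=4 for a 32-bit program, 8 for a 64-bit one (or try 1..4 when
    the key width is unknown).
    """
    key = blob[-key_len:]
    plain = bytes(b ^ key[i % key_len] for i, b in enumerate(blob))
    return plain.split(b"\x00", 1)[0]


def main():
    key, decoded = decode_xor_terminated(ENCODED_WORDS)
    print(f"key  = {key:#010x}")
    for w in decoded:
        print(f"{w:#010x}  {struct.pack('<I', w)!r}")
    print("flag =", words_to_string(decoded))
    # Same answer from the raw dump, without knowing where the loop's key is.
    print("from dump:", recover_from_memory(memory_image(ENCODED_WORDS)))


if __name__ == "__main__":
    main()
```

Running it reproduces the table in the writeup (67 61 6C 66 / "galf", and so on, with the little-endian pack giving the readable order) and the flag from both paths.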

In the future it would be smart for me to learn scripting for IDA Pro.
