We are Recruiting!

Yes! We are actively recruiting individuals from the MD/DC/VA area for online, on-site, and wireless CTFs.

To join our team solve this simple puzzle/captcha to find our New Member Orientation which contains a link to our discord server.

aHR0cHM6Ly9nb28uZ2wvNjJFVmpD


Tuesday, October 1, 2013

CSAW 2013 Qualifier - Reversing - CSAW Reversing 2013 1 - 100

For this challenge we were given a file, csaw2013reversing1.exe. As the extension suggests, it is a PE executable. When launched, it showed a window containing a garbled message.


I treated the reverse engineering challenges like malware and analyzed them beginning with the end and working my way backward to the front, following calls only one or two levels deep. My reasoning for this is pretty simple. Typically when a program launches, it performs a good deal of prep work: setting variables, checking files, opening sockets, bypassing AV, checking for debuggers, and so on. Near the end is where you'll usually find the meat of what the program is doing.

Sure enough, near the end of this program I found a function that contained an XOR loop. Typically I see this in obfuscated code, where instructions must be decoded by XORing them with a value, after which the malware jumps into the decoded instructions.

The XOR loop referenced a buffer at 0x408b20 which, displayed as 32-bit words (rather than in the byte order it has in memory), looks like this:

AB BC 82 99
A5 B5 9A 84
BF B4 DF 8C
B8 B8 9C 8F
AD B8 97 8B
E5 E7 97 8C
CC DD EE 82
CC DD EE FF

Note that the key used by the XOR loop is stored as the last word of the encoded message. This is how the loop knows when to stop: a value XORed with itself is 0, so the loop terminates when the decoded word comes out as zero. A handy tip for anyone who finds themselves with what looks like XORed text but no key (say, for programs where the key is normally supplied on the command line): try the last 1 to 4 bytes (8 for 64-bit programs) as the key.

This was the first time I had used IDA Pro, so I didn't have experience writing IDA scripts (and was unsure whether the free version of IDA Pro supports scripting) to do my decoding for me. Since the message was small, I just plugged the numbers in manually using Windows Calc, and got:

67 61 6C 66 galf
69 68 74 7B iht{
73 69 31 73 si1s
74 65 72 70 terp
61 65 79 74 aeyt
29 3A 79 73 ):ys
00 00 00 7D }
00 00 00 00

or, after reversing each 32-bit word back into the little-endian byte order it has in memory (which is how the string is actually laid out):

flag{this1isprettyeasy:)}

In the future it would be smart for me to learn scripting for IDA Pro.
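As an added example (not part of the original write-up), here is the same decoding done in plain Python instead of Windows Calc. The dword list is constructed from the dump above; the decoder mirrors the binary's loop (XOR each word with the trailing key word, stop at the first all-zero result), and guess_tail_key implements the "try the last 1 to 4 (8) bytes as the key" tip for the case where the key is not known in advance. The encoder is included only to show the self-terminating layout and its failure mode.

```python
import struct

# Constructed from the dword dump in the write-up: each entry is one 32-bit
# value as displayed, and the key (0xCCDDEEFF) is the final entry.
ENCODED_DWORDS = [
    0xABBC8299, 0xA5B59A84, 0xBFB4DF8C, 0xB8B89C8F,
    0xADB8978B, 0xE5E7978C, 0xCCDDEE82, 0xCCDDEEFF,
]


def dwords_to_bytes(dwords):
    """Lay the 32-bit values out the way an x86 binary stores them
    (little-endian), which is the byte order in which the flag reads."""
    return b"".join(struct.pack("<I", d) for d in dwords)


def xor_decode_self_terminating(buf, key_len):
    """Replicate the binary's loop: the key is the last key_len bytes of buf,
    each key_len-byte block is XORed with it, and decoding stops at the first
    block that XORs to all zeros (the key XORed with itself).

    Returns the decoded bytes, or None if no terminator block is found
    (i.e. key_len is not the block size the loop actually uses)."""
    if key_len <= 0 or key_len > len(buf) or len(buf) % key_len:
        return None
    key = buf[-key_len:]
    out = bytearray()
    for i in range(0, len(buf), key_len):
        block = bytes(a ^ b for a, b in zip(buf[i:i + key_len], key))
        if block == bytes(key_len):  # zero block: we reached the trailing key
            return bytes(out)
        out += block
    return None


def is_mostly_text(data):
    """Accept printable ASCII plus NUL padding (the last word of the flag
    decodes to '}' followed by three NULs)."""
    return all(c == 0 or 0x20 <= c < 0x7F for c in data)


def guess_tail_key(buf, candidate_lens=(1, 2, 4, 8)):
    """The write-up's tip for XORed data with an unknown key: try the last
    1, 2, 4 or 8 bytes as the key and keep the first guess that both hits a
    terminator and yields text. Returns (key_len, plaintext) or (None, None)."""
    for n in candidate_lens:
        dec = xor_decode_self_terminating(buf, n)
        if dec is not None and is_mostly_text(dec):
            return n, dec.rstrip(b"\x00")
    return None, None


def xor_encode_self_terminating(plaintext, key):
    """Inverse operation, to show the layout: NUL-pad to whole blocks, XOR,
    then append the key so the decoder has its terminator.
    Caveat: an all-zero plaintext block encodes to the key bytes, so the
    decoder would stop there early; the scheme assumes no such block."""
    n = len(key)
    padded = plaintext + b"\x00" * (-len(plaintext) % n)
    out = bytearray()
    for i in range(0, len(padded), n):
        out += bytes(a ^ b for a, b in zip(padded[i:i + n], key))
    return bytes(out) + key


if __name__ == "__main__":
    key_len, flag = guess_tail_key(dwords_to_bytes(ENCODED_DWORDS))
    print(key_len, flag.decode())
```

With the 1- and 2-byte key guesses the decoder still finds a zero block (0xCC occurs inside the data), but the output contains control characters, so the printable check rejects them and the 4-byte guess is the first to survive; that is why the key-length search needs a plausibility filter and not just the terminator.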

About Crimson Agents

Formed in 2013, Crimson Agents is a DC-based recreational security team that competes in various computer security wargames and hacker jeopardy contests. Our team is made up of various professionals seeking to practice and enhance our skills in penetration testing, vulnerability development, computer network defense, forensics, and reverse engineering. In addition to exploitation-based CTFs, we also compete in wireless CTFs, with several members who focus solely on this domain. Our sister team Threat Inc focuses on defensive exercises such as malware analysis, forensics, honeypots, and network captures. We reuse what we learn from our "Blue Team" research to make our "Red Team" operations more effective, and vice versa.