Wednesday, October 2, 2013

CSAW 2013 Qualifier - Reversing - CSAW Reversing 2013 2 - 200

This challenge was curious as it billed itself as being more difficult than the CSAW Reversing 2013 1, and was worth double the points. Perhaps it was more difficult if you were using a debugger, but I always prefer static analysis.

To begin with, this program didn't even run properly; I guess this was due to all their tricks in making this "harder".

Repeating what I did in the previous challenge, I worked up from the end and quickly found a suspicious XOR loop. This time, though, they stuffed the encoded data onto the heap.

Rather than repeat my previous write-up, I'll paste the memory dump and the decoded message. The last obvious trick I saw here is that they started the string with a null, so if someone had been working this through with a debugger, they may have been puzzled why there was a 0-length string being printed. Huzzah for disassembly!

e9 f5 cc bb alf
fd f7 d1 dc un{g
fa fc c8 d6 rebm
e9 ea c3 89 asi2
fc ed c3 d7 ttil
e1 fb cf d7 ibel
fa f8 c2 cf raht
b2 eb cf df :red
88 99 d7 cb   }p
88 99 aa bb <- key
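
The decoding shown in the dump, as an added example that is not part of the original post: it XORs each row with the key row, restores memory order, and shows why a C string routine sees an empty string. It assumes each row is a 32-bit word printed most-significant byte first, which is inferred from the reversed text in the right-hand column; the function names are hypothetical.

```python
# Rows copied from the dump above; each row is treated as one 32-bit word.
DUMP = """\
e9 f5 cc bb
fd f7 d1 dc
fa fc c8 d6
e9 ea c3 89
fc ed c3 d7
e1 fb cf d7
fa f8 c2 cf
b2 eb cf df
88 99 d7 cb
"""
KEY = bytes.fromhex("8899aabb")  # the row marked "<- key" in the dump


def parse_words(dump):
    """Turn the hex rows into a list of 4-byte words, rejecting odd rows."""
    words = []
    for line in dump.splitlines():
        if not line.strip():
            continue
        word = bytes.fromhex(line)  # fromhex skips the spaces between bytes
        if len(word) != len(KEY):
            raise ValueError("row is not one 32-bit word: %r" % line)
        words.append(word)
    return words


def decode(words, key=KEY):
    """XOR every word with the key, then reverse it (assumed word display order)."""
    out = bytearray()
    for word in words:
        plain = bytes(c ^ k for c, k in zip(word, key))
        out += plain[::-1]  # back to the order the bytes have in memory
    return bytes(out)


def c_string(buf):
    """What printf/strlen would see: everything before the first NUL."""
    return buf.split(b"\x00", 1)[0]


def hidden_message(buf):
    """Skip the leading NUL padding and read up to the next terminator."""
    return buf.lstrip(b"\x00").split(b"\x00", 1)[0].decode("ascii")


if __name__ == "__main__":
    raw = decode(parse_words(DUMP))
    print("decoded buffer :", raw)
    print("C string length:", len(c_string(raw)))
    print("message        :", hidden_message(raw))
```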

