After downloading the executable, I use file to get some information:
thinkfast ~/learning/csaw-2012 $ file csaw2012reversing
csaw2012reversing: ELF 64-bit LSB executable, x86-64, ...
Uh oh. My system is 32-bit and I don't have any cross compilers installed. Luckily, I have an Amazon AWS account. I spin up a generic Ubuntu 64-bit micro instance, transfer the file, and begin investigating.
A quick run of the program prints the target key, but it's encrypted. No command line arguments are accepted, so this problem requires a patch.
ubuntu@ip-10-202-43-148:~/csaw$ ./csaw2012reversing
Encrypted Key: Å×
I fire up gdb and start snooping around in the binary. Luckily, the ELF still has debugging symbols, so all of the function calls have obvious names:
(gdb) disas main
Dump of assembler code for function main:
   0x000000000040062e <+0>:     push   rbp
   0x000000000040062f <+1>:     mov    rbp,rsp
   0x0000000000400632 <+4>:     sub    rsp,0x40
   ...snip...
   0x0000000000400694 <+102>:   lea    rax,[rbp-0x20]
   0x0000000000400698 <+106>:   mov    rdi,rax
   0x000000000040069b <+109>:   call   0x4005c9 <encrypt>
   ...snip...
   0x00000000004006be <+144>:   call   0x4005b4 <done>
   ...snip...
   0x00000000004006c3 <+149>:   lea    rax,[rbp-0x20]
   0x00000000004006c7 <+153>:   mov    rdi,rax
   0x00000000004006ca <+156>:   call   0x4005f3 <decrypt>
   ...snip...
   0x0000000000400707 <+217>:   ret
The only three non-library calls are encrypt, decrypt, and done. There are no branching instructions switching between calling encrypt and decrypt, so everything after
So instead of patching the binary, which would be tough with gdb, I decide to modify its state at runtime. I set a breakpoint on the call to encrypt and run the program. It hits and I change RIP (not EIP; this is 64-bit) to the call of decrypt.
(gdb) b *0x40069b
Breakpoint 1 at 0x40069b: file csaw2012reversing.c, line 31.
(gdb) run
Starting program: /home/ubuntu/csaw/csaw2012reversing

Breakpoint 1, 0x000000000040069b in main (argc=1, argv=0x7fffffffe718, env=0x7fffffffe728) at csaw2012reversing.c:31
31      in csaw2012reversing.c
(gdb) set $rip = 0x4006ca
(gdb) cont
Continuing.
Decrypted Key: csawissohard__:(
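The same RIP redirect as a non-interactive gdb command file, added here as an example and not part of the original writeup; it assumes the addresses from the disassembly of main above (0x40069b for the call to encrypt, 0x4006ca for the call to decrypt) and the unmodified binary in the current directory:

```gdb
# Added example: automate the runtime redirect shown in the session above.
# Assumes the addresses from the disassembly of main; adjust them if the binary differs.
# Run with:  gdb -batch -x redirect.gdb ./csaw2012reversing

# Stop on the call to encrypt.
break *0x40069b
commands
  silent
  # Sanity check: confirm where we stopped and that the target address holds the decrypt call.
  printf "stopped at 0x%lx\n", $rip
  x/i 0x4006ca
  # Resume at the call to decrypt, skipping encrypt and the call to done in between.
  set $rip = 0x4006ca
  continue
end

run
```

Running it in batch mode prints the decrypted key and exits, so the redirect is reproducible without retyping the commands.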
This problem had the same solution as Reversing 100, except it was an ELF binary instead of an EXE. What a quick 400 points!