CSAW CTF: Reversing 400

After downloading the executable, I use file to get some information:

thinkfast ~/learning/csaw-2012 $ file csaw2012reversing
csaw2012reversing: ELF 64-bit LSB executable, x86-64, ...

Uh oh. My system is 32 bit and I don’t have any cross compilers installed. Luckily, I have an Amazon AWS account. I spin up a generic Ubuntu 64 bit micro instance, transfer the file, and begin investigating.

A quick run of the program prints the target key, but it’s encrypted. No command line arguments are accepted, therefore this problem requires a patch.

ubuntu@ip-10-202-43-148:~/csaw$ ./csaw2012reversing
Encrypted Key: Å×

I fire up gdb and start snooping around in the binary. To my luck, the ELF still has debugging symbols, so all of the function calls have obvious names:

(gdb) disas main
Dump of assembler code for function main:
0x000000000040062e <+0>: push rbp
0x000000000040062f <+1>: mov rbp,rsp
0x0000000000400632 <+4>: sub rsp,0x40
...snip...
0x0000000000400694 <+102>: lea rax,[rbp-0x20]
0x0000000000400698 <+106>: mov rdi,rax
0x000000000040069b <+109>: call 0x4005c9 <encrypt>
...snip...
0x00000000004006be <+144>: call 0x4005b4 <done>
...snip...
0x00000000004006c3 <+149>: lea rax,[rbp-0x20]
0x00000000004006c7 <+153>: mov rdi,rax
0x00000000004006ca <+156>: call 0x4005f3 <decrypt>
...snip...
0x0000000000400707 <+217>: ret

The only three non library calls are encrypt, decrypt, and done. There are no branching instructions switching between calling encrypt and decrypt, so everything after is dead code (as done doesn't return.)

So instead of patching the binary, which would be tough with gdb, I decide to modify its state at runtime. I set a breakpoint on the call to encrypt and run the program. It hits and I change RIP (not EIP, this is 64 bit) to the call of decrypt.

(gdb) b *0x40069b
Breakpoint 1 at 0x40069b: file csaw2012reversing.c, line 31.
(gdb) run
Starting program: /home/ubuntu/csaw/csaw2012reversing
Breakpoint 1, 0x000000000040069b in main (argc=1, argv=0x7fffffffe718, env=0x7fffffffe728) at csaw2012reversing.c:31
31 in csaw2012reversing.c
(gdb) set $rip = 0x4006ca
(gdb) cont
Continuing.
Decrypted Key: csawissohard__:(

This problem had the same solution to Reversing 100, except it was an ELF binary instead of an EXE. What a quick 400 points!