Cracking Evil Santa's Box - Reverse Engineering Tutorial with Ghidra

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
hello i am witsun 2 from ragnar security and today we will be cracking evil santa's box which is a ctf challenge i wrote for umd ctf let's start working on the ctf challenge so i'm in the directory where i have the binary evil santa's box what should i first do with this so generally so i'm going to do what i normally do i'm going to run uh four strings file just to make sure that we know what we're working with so we have an l64 bit executable statically linked meaning printf um scanf are going to be um in this binary as well any code for it not just the reference to it and then no section headers meaning that we're going to probably have no symbols so now that we have that now let's run strings on it and see if we could just find the flag um ourselves and as you can see because it's statically linked there's a lot of strings that we wouldn't normally see so rather than searching through all this i'm going to just grab for the flag so we're going to do this and then we're going grep and the flag format is essentially in this format however i'll just look for umd ctf to see if anything's there and looks like there isn't so let's start executing this and seeing if we can get anything dynamic okay so we're looking for a code and if they're wrong we're getting five coal for the next five years okay that's some information so we know we don't want to look for this i'm going to run this again but with l trace and estuaries that didn't give me anything so let's run it with s trace uh-huh we got a new message santa really doesn't like this you're getting cold for the next five years and we never even got um our box what happens if we run this in gdb just out of curiosity so info functions no for symbols so we got nothing to work with let's just run it just to see if we get how we can reproduce this message so looks like any time we put some sort of debugging tool in here we're going to get this message um but it seems like we can't just run it dynamically and figure out what's going on we are going to have to open this engine so i have kidro open here and i created a new project i call it youtube and we're going to import the binary now for this one we're going to do there's two formats executable in linking format is the easiest to analyze and you're going to work with this most of the time but we will later today work with the raw binary i'll explain this later um and then let's import this you can use other tools like idaho or binary ninja but i happen to love guidra and this is my default gold go to let's open this and let's start analyzing this so now we have evil santa's box open on guitar so the first thing we gotta do is we gotta find out where human written code is so essentially finding main so right now we're in the elf head we can find the entry point to the code through here this is the elf entry so if you haven't taken a look already in one of my earlier videos i have i went through um what an elf header is um some of the basics of it and what is a pe header which is the windows format i'll link that below so let's go to entry and as you can see here we have this function call and this do while loop um so in this function call we're going to have this label stat um stack references things like that this first one here is always going to be made unless it's there's some sort of obfuscation in that so we're going to go here we can verify that this is main because when we scroll down we can see that evil santa's mysterious box is here so now we're at a function that we could work with so just to go through a little bit of the program this is just initialization of code here it's a function call uh a function pointer which is the return value must be zero um we have this is uh probably puts so i will rename this to puts this is likely printf so i will rename this to printf and this is probably in a cisco format um here we got scanf and then here we have some uh from the buffer that we put our code our text in we go and put that into another variable we call another function on that modified variable and we have some modification to the code and some comparisons sorry i mean modification to the input so let's first figure out where this um anti-debugging technique is likely going to be so let's go back to this if statement here let's see what is going to what it does so here this is where it begins and this needs to be 0 in order to call any of this and it ends beyond here and which means that's likely to call to the anti-debugging technique we can verify this through the assembly so if we go in here um we're let's start off at so this is the prologue and then we're going to set so we're going 0 eax just because eax is also the return value we're going to call that function pointer then we're going to make sure that it's zero if it's zero we're going to jump right beyond here which will be our print which will be our evil santa's box printing out to the standard output if we fall through we're going to realign the stack we're going make this function okay we'll make this function call here this seems like this is that canary so we're going to go back and ignore that and then this is going to be our epilogue so we're really so essentially we're executing this code um and returning out okay so let's go let's confirm that this is that what we have here is our anti-debugging let's go so as we can see here it's pointing to this function and we can verify that based on if we go to this data we can see here that this is actually an address that is storing in the data and if we go to that address we go to the same place so we have this weird thing this is definitely the anti-debugging technique here because we see santa really doesn't like this but let's go a little bit further and figure out what this function is so let's google anti-debugging techniques anti debugging techniques on linux and a good resource that i found is here oh not here it is here so this is a great entry article to debugging so what we see here is we have let's move this over so p trace is one option so p trace traces this is a tracing itself and detecting whether um the parent calling to execute evil santa's box is actually going to be is actually a debugger um if so let's so what we're going to do is we're going to run this function if this returns negative one we're going to print out don't trace me and as you can see here we have something very similar we have this function it's basically all zeros this first zero is p trace it traces me and we can confirm that in the manuals but i'm not going to go through that right now and if it's neg if a negative one is um the value of l bar one we're going to put print out this if anything bigger we're going to return zero so essentially this is what we have what is implemented and i highly recommend in googling and if you haven't taken look at this book yet influential linux anti-debugging this book is so there's a book i won't go i won't go searching for it since that's not super important right now but implementing linux anti-debug anti-reversing techniques it should be is a very good book and i learned a lot of anti-reversing and anti-debugging through this book i'll put a link to it in the description once i find it so now we figure that out now we have an option to um we have a way of actually uh ignoring this completely so in ghidra we have this uh we have this patch instruction what this does is we can modify the bytes um inside the code we can't do it in this general listing here just for general um health and linking format um implementation that guidra has because this will give us a seg fault when we export the binary so we're going to have to open this file again or import it i should say so we're going import evil santa's box and you see how it says executable in linking format we're going to raw binary instead we're going to select the language and since we know that this is a 64-bit binary we're going to do x86 64 gcc and we're going to say raw okay one thing to know with the raw the offset almost always starts at zero so be aware of that then let's go back into here let's get the in here we have the offset of 400 000 hex so let's take this copy that go to here and let's disassemble this while this is loading in so we're going to have to wait a second okay we have it loaded in so now let's go and patch this binary so the shortcut to patching the instruction is ctrl shift g and we'll get this message and what we're going to do is we're going to fill this with knobs so 90. and we're going to keep doing this okay now what we're going to do is we're going to file and we're going to export program as a binary and we're going to do this and then let's go into here and as you can see we have evil santa's box raw dot bit so let's go into here let's make this executable and let's just run it just to sanity jack and it's running properly let's run it in gdb and we no longer have the anti-debugging technique so let me make this bigger and we have so now we can actually run any sort of debugging tool we want so let me close let me get out of here and let's start with another part to this where we're going to have to find what's the actual program what the actual value of what we need to enter is so let's go back to this so here we can remember how i so here we have this lvar 8 that is essentially going to be the length we can confirm that this is the length because there's multiple instances of it and we can also see that it's going to be the um it's going to be what we index by in certain cases um we don't totally can say we know for 100 for a fact but it's a very good indication so there are two pro approaches i like to use here you could theoretically go through this um and do it by hand because what you can do is in this function here we're going to go let's just go to it and see what it's all about and this is mod as you can see here it takes an input and modifies the output in this way we can decode this by hand um it's bit shifting anding um and then making some sort of comparison or i don't that's not really fun so there so what we could do is we could either run a symbolic executor on it like anger or we can use an instruction counting tool um depending on the situation one of the two works better in certain instances generally with more instructions instruction counting can work better but in other instances um in a lot of instances actually symbolic execution works um better we're going to hold off on the symbolic execution side and let's we're going to solve this using instruction count so i have a nifty tool here we're going to open up two new windows we're going to zoom in and we're going so we're going to so this is we have a tool called instruction stop and to give credit so instruction stop instruction stop is a tool made by one of the competitors at umd ctf chris the cool hunt he this is a very simple instruction counting tool built on qemu and uses celery as the back end and he has instructions on how you can use it so but i'm going to demonstrate here i will demonstrate here as well so let's start off but so we're going to actually take his documentation um run sub alright in the directory and then we're going to go to instruction stomp and let's do here's the usage so we know that the inputs from standard n we know the input line and we know the file so let's do this in stomp standard in i [Music] so 0x28 is 40 in decimal and we're going to go youtube slash evil and we're going to let this run so as you can see what it's going to do is going to solve one instruction at a time and as the back end is trying to figure out how to solve it so i'm going to let this run for a little bit and we will get back we'll get back to you so now this has finished um this has finished doing his instruction counting now we're going we got this output here so from here this looks like base 64. um so let's actually verify that this is actually the right result and we're not just crazy so let's just run evil santa's box paste it in and we received a present so obviously this is not a flag so we're going to open up cyber chef and since i could pretty much tell this is base64 we're going to put from base64 into here and as you can see we get the flag thank you for watching the video if you like more content from us please click subscribe and also follow us on twitter and reddit so that way you can get the latest information we'll have new videos every other sunday so stay tuned
Info
Channel: Ragnar Security
Views: 435
Rating: 5 out of 5
Keywords:
Id: _9MvIsuA8Xo
Channel Id: undefined
Length: 21min 11sec (1271 seconds)
Published: Fri Jan 15 2021
Related Videos
Reversing CrackMe with Ghidra (Part 1)
stryker2k2
23K
Inside the mind of a master procrastinator | Tim Urban
TED
44M
Reverse Engineering - Cracking WinRAR 5.9 (Latest release)
Suleman Malik
6.1K
Patching BInaries with Ghidra
Sooner Bourne
14K
Reversing and Cracking first simple Program - bin 0x05
LiveOverflow
350K
How Hidden Technology Transformed Bowling
Veritasium
5.3M
Writing a Simple Buffer Overflow Exploit
LiveOverflow
103K
Reverse Engineering Basics
Layer 8
305K
How To Defeat Anti-VM and Anti-Debug Packers With IDA Pro
OALabs
58K
Ghidra keyGme Reverse Engineer and Keygen
Sooner Bourne
27K
How Radiohead Wrote the Perfect Bond Theme
Listening In
777K
Pi-Hosted : Installing and Configuring Homer Dashboard Part 2
Novaspirit Tech
10K
Ghidra Code Analysis with Anuj Soni
SANS Digital Forensics and Incident Response
10K
But how does bitcoin actually work?
3Blue1Brown
10M
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.