Reverse Engineering w/GDB and Ghidra! | picoCTF 2022 #08 "Keygenme"

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

what's up everyone back with more Pico CTF 2022 Capture the Flag challenges today we are looking at the key Jin me reverse engineering challenge the description is pretty short it simply says can you get the flag reverse engineer this binary and then it gives us a link to download right click copy link and then I like to make a new working directory with the name of the challenge so make it there he join me CD into that directory and then download the file with wget LS Tech la Egen mean let's make it executable so we can actually run it enter your license key please stop that key is in valid okay can we cheese it with a l Trace to look at the library calls it's making maybe there's a string compare no what about estrace okay a giant wall of text this is just setting up the virtual address space but down here at the bottom we see the right call enter your license key and then read because you're waiting for our input um nothing I was just checking to see if there's a string compare or anything similar that would just print out the flag let's look at the strings of this binary pipe that into less because the output is going to be pretty massive okay lib64 that's the C standard Library or rather lipsy.so.6 that's the C standard Library this is properly related we see it called a Sprint F call it puts standard in is red format it get string string length okay this is interesting we see the start of a flag Pico CTF and then an H bring yo ER own so if we start piecing This Together Pico CTF bring your own something and then the rest of the flag is cut off we don't see closing curly brace or anything we see more you know strings that was earlier enter your license key that keeps valid that he's invalid but nothing else here okay LS let's open this up in gitra Ampersand to run that in the background so it gives me back my command prompt Deidre takes a little bit to load up so jump cut all right get your finally loaded um gidra as a Project based reverse engineering disassembly and decompilation Tool but you need a project you can see I have no active project so go here file new project non-shared next all right that's the directory I want just call this Keygen me finish okay now I have this project folder and here's my tool chest if I hover over it it shows that this is the code browser I have a debugger and version tracking so I played around with the guidra debugger a little bit early on and I just could not get it to work and I did not really try that hard so we are going to use the code browser click on that you get a cool dragon pop-up nice so the code browser is loaded but you see there's no program so go to file import file and then we want our keygen.me binary it Imports it it correctly identifies that this is an elf file well one thing I forgot back here in the command prompt we can run file and then key gen me and she's stripped now that's important stripped means that it no longer has the debugging information so if I try to run this in GDB right here it pops up trying to read symbols from Keygen me dot dot dot no debugging symbols found okay what's the big deal there's no debugging symbols but can't we still debug the program technically yes but if I try to disassemble the main function I get an error no simple table loaded okay what if I just say disassemble nothing no frame selected use the file command all right file me so it re-reads the file and no debugging symbols found so this is right now just too hard to debug GDP doesn't understand it it gets confused there's no debugging info there's no symbols it does not know what main is I can type disass disassemble and then tab twice and it auto completes so these are the functions I can see right these are the things that has access to but there's no main there's no main function anywhere so for right now this is not very helpful let's go back to our guidra tab elf okay cool cool hit okay we get this neat little animation of a dragon eating some ones and zeros TJ and me has not been analyzed would you have to analyze it now yes please so that's gonna that's gonna analyze the ASCII strings the calling convention that it uses and so on and so forth you can uncheck these as you want but I'm just going to leave it as the default click analyze here's some more info about our binary hit OK and you can see down here in the bottom right that it's still analyzing it's taking a little bit all right guidra is done analyzing the program and there's no main function but we have entry so I can click on that double click and it brings me here so this is the disassembly this middle panel this is all the assembly instructions that we could not see in GDB and here over on the right let me expand this this is the D compiler window right so this tries its best to recreate the source code in this case C lip C start main let me just click on this first function see where that takes us okay so I like ghidra um it's free it's open source and it has a built-in decompiler however it doesn't always pick the best variable names so we see four variables declared here a character a long some type of buffer you another long and then this looks familiar right printf oops didn't mean to double click that line 11 printf enter your license key format it get string so it reads in our input and it stores it here so I don't like local underscore 38 that's not very clear what that means so I can right click and either click here rename variable or just press l so let me rename that instead of Local 38 let's name it something more familiar buff and you see that it renames it here and here as well line 13 C ver 1 equals the output of this and if that is equal to zero the key is invalid otherwise print the keys valid so this is probably the return value hit L to change it I'm just going to call it red vowel and I'm gonna go through and clean up the rest of these variables so they make a little bit more sense cool so I've renamed all the variables and the function at the top I've just called this Main it declares four variables and then the return value if it equals zero that's invalid otherwise it prints valid so what is this function what is fun zero zero one zero one two o nine that takes in our buffer that's our user input is an argument double click on it let me expand this okay let me name this something better like um check key so we see a crap ton of variables being defined all right what is this data oh cool um it goes away quickly but you can see there care and then the open and closing Brack bracket there's a quote that looks like our flag but it's backwards right reading it backwards you can see p i c o c t f and the opening brace you can see that over here as well in the disassembly output so the next one BR 1n g y zero okay so this is our flag in rehearse I'm guessing because this is a little Indian um anyone in the comments who knows better please correct me why is our flag being printed in reverse cool let me open like a notepad or something so I can jot this down and I'll be right back all right guys so I went through one by one highlighted these entries and wrote In what we have so far of our flag so we see this is leaked speak Pico CTF bring your own key and then I have eight question marks here because uh Pico CTF at the end like the beginning part of the key will be the same and then it adds eight random characters at the end to make your flag your key like unique and this prevents you from being able to just copy paste and share flags from write-ups or copy paste share flags from um across teams right because this is a competition it's just a way to force you to kind of go through and at least attempt to solve the challenge so we have the main structure of our key and we got that again we haven't really reverse engineered anything we just came into this function and we noticed these values these strings being added to these different variables so just like before let me hit l to rename some of this instead of Local 98 I'm just going to call this flag piece one and so on and so forth for the rest of these all right guys um back um just as a reminder you do not need to rename variables at all I think it just makes it a little cleaner and easier to follow this logic so in line 38 we see a string length a flat piece one is called so let's call this length the md5 hash is computed and it's stored in like this buffer let's call it buff one same thing for flat piece five the very end let's call that buff two something equals zero and we see three four loops let me quickly just call this I call this J because you can't reuse variable names and this looks like an index all right local 78 not sure what that is some type of buffer so I would assume this is doing some type of like obfuscation and down here we see one two three four five six seven eight nine uh nine variables being stored in some stack variable some stack offset and the last one is our flag piece five so if there's nine of these and then we don't count the Flappy's five there's really eight so this is the eight unique um letters the eight unique strings that are added at the end to make our flag you know hole right now I have it just question mark As placeholders so we want to figure out what this is right local 43 62 and so on all right if the flag equals or if the length of the flag right param one that's a parameter up here um that's our key I'll say user input key right that's what we enter at the command line when it asks us enter the license key so if that is equal to ox24 which we see here is 36. so our flag needs to be 36 characters in length it does some for Loop and it checks every index of our flag against what's stored at this like stack variable and if at any point they do not equal each other it returns zero and we saw earlier if it returns zero you need to go back one more if it returns zero then it prints that Keys invalid so we want it to return one right and how does it return one if the flags are equal so we need to debug this and there's a few ways you can do it let me bring my GDB back up so I can't disassemble main right there's no debugging symbols loaded um you could do it in radar A2 that works fine but using the Dari 2 is very confusing for me so instead of setting a break point on Main because I can't find it I'm gonna set a break point on a function that can find such as this call to Sprint death or a printf breakpoint one set at this address we don't know what the Base address will be we just know the ending address before I do that let me back up we want to provide this is our argument right maybe I don't have to back up maybe I can just copy this run okay breakpoint one at printf enter your license key and I let me cue out of this so Vim um I don't know fake key fake flag let's paste in that now we're on GDB break it printf run and as input put in my fake flag so it reads in my fake flag and then it prints enter your license key so now if I hit disassemble I'm inside the printf function right if you're curious what this address is what you know why 7fff9b you can do info process map and these are the different addresses of um Lipsy right the C standard Library Lipsy libdll lip red so that's where it's getting that you know Base address for printf from enter we see our stack address is down here clear that screen so disassemble so this is the assembly code for the printf function cool but that's not really what we care about here I want to exit this so type finish now type layout assembly and just like that does any of this look familiar we see the call to printf that assets input our string and we see an F gets call down here if my mouse will work right and then we see put string and put string what does this look like he looks just like our code browser right if I go back to the main function you see a call to printf call to get string and you stop doing that so we're in this function we're in the main function and then here's our call to that um like key check right so I'm gonna set a break point there at a star which is important hit C to continue and now we're here Type S to step into that function call cannot find bounds is it s i there we go s i step instruction so here's the strings from earlier right this was a Pico CTF backwards I wonder if I can print that out examine a string all that doesn't work if anyone knows GDB better than I do is there a way we can print this out and have it as a string because before it was like the backwards Pico CTF thing so I'm using my mouse wheel and I'm scrolling down scrolling down and we see this we see these variables these values being pushed onto the stack this is the same as what was over here in our check key function is what I named it so these are the eight unique characters at the end they're all being pushed here so I want to set a break point and let this code execute so all this is pushed on the stack and then all I have to do is print the stack address so let me set a break point where's a good call where's a good uh stopping point I'm gonna do it here at this compare call the check that we've entered a 36 length string enter C to continue you see the little B is now a capital B so we're at this line and I want to print this stack address right so we know this very last one was the closing brace let's just print this out let's see what happens examine a string and GDB you need to put a dollar sign to specify a register [Music] K that's a bunch of crap let's try this one above it there that's the closing brace I'm not sure what this is maybe um some type of Terminator I don't know but this is the closing brace so this is the next unique character and so on and so forth but the stack is a first in last out so the first thing that gets pushed on like these just keep getting added on top of each other like a stack of plates stack of books so the first are you know the first books on the bottom the last one is on top so everything is in reverse programming and debugging can be very confusing at the beginning because a lot of things are just straight up backwards so if I print this first one this top one see what happens it prints everything else right and then like some garbage that I guess was on the stack beforehand and we see our flag Pico CTF bring your own key and then this is my unique string probably my unique characters right so I can replace this with that or I can just grab it here copy it and then submit it so that's how I solve this challenge guys um there is a way to do it with a different debugger I'm just a big fan of GDB again in order to get this graphical menu layout ASM layout assembly so that's how I did it guys I'm a reverse engineering Noob so if anything in this video make you cringe it makes you want to ball your eyes out because of how bad I'm doing let me know in the comments below let me know if you found a better way to do this as always take it easy and see you guys in the next video [Music]

Info

Channel: Jason Turley

Views: 15,021

Rating: undefined out of 5

Keywords: reverse engineering, ghidra, gdb, picoctf

Id: 5gff9XhAei0

Channel Id: undefined

Length: 22min 37sec (1357 seconds)

Published: Sat Sep 24 2022