NcN 2015 CTF - theAnswer Writeup

1. Overview

Is an elf32 static and stripped binary, but the good news is that it was compiled with gcc and it will not have shitty runtimes and libs to fingerprint, just the libc ... and libprhrhead
This binary is writed by Ricardo J Rodrigez

When it's executed, it seems that is computing the flag:

But this process never ends .... let's see what strace say:

There is a thread deadlock, maybe the start point can be looking in IDA the xrefs of 0x403a85
Maybe we can think about an encrypted flag that is not decrypting because of the lock.

This can be solved in two ways:

• static: understanding the cryptosystem and programming our own decryptor
• dynamic: fixing the the binary and running it (hard: antidebug, futex, rands ...)

At first sight I thought that dynamic approach were quicker, but it turned more complex than the static approach.


2. Static approach

Crawling the xrefs to the futex, it is possible to locate the main:

With libc/libpthread function fingerprinting or a bit of manual work, we have the symbols, here is the main, where 255 threads are created and joined, when the threads end, the xor key is calculated and it calls the print_flag:

The code of the thread is passed to the libc_pthread_create, IDA recognize this area as data but can be selected as code and function.

This is the thread code decompiled, where we can observe two infinite loops for ptrace detection and preload (although is static) this antidebug/antihook are easy to detect at this point.

we have to observe the important thing, is the key random?? well, with the same seed the random sequence will be the same, then the key is "hidden" in the predictability of the random.

If the threads are not executed on the creation order, the key will be wrong because is xored with the th_id which is the identify of current thread.

The print_key function, do the xor between the key and the flag_cyphertext byte by byte.

And here we have the seed and the first bytes of the cypher-text:

With radare we can convert this to a c variable quickly:

And here is the flag cyphertext:

And with some radare magics, we have the c initialized array:

radare, is full featured :)

With a bit of rand() calibration here is the solution ...

The code:
https://github.com/NocONName/CTF_NcN2k15/blob/master/theAnswer/solution.c

3. The Dynamic Approach

First we have to patch the anti-debugs, on beginning of the thread there is two evident anti-debugs (well anti preload hook and anti ptrace debugging) the infinite loop also makes the anti-debug more evident:

There are also a third anti-debug, a bit more silent, if detects a debugger trough the first available descriptor, and here comes the fucking part, don't crash the execution, the execution continues but the seed is modified a bit, then the decryption key will not be ok.

Ok, the seed is incremented by one, this could be a normal program feature, but this is only triggered if the fileno(open("/","r")) > 3 this is a well known anti-debug, that also can be seen from a traced execution.

Ok, just one byte patch,  seed+=1  to  seed+=0,   (add eax, 1   to add eax, 0)

before:

after:

To patch the two infinite loops, just nop the two bytes of each jmp $-0

Ok, but repairing this binary is harder than building a decryptor, we need to fix more things:

•  The sleep(randInt(1,3)) of the beginning of the thread to execute the threads in the correct order
•  Modify the pthread_cond_wait to avoid the futex()
• We also need to calibrate de rand() to get the key (just patch the sleep and add other rand() before the pthread_create loop

Adding the extra rand() can be done with a patch because from gdb is not possible to make a call rand() in this binary.

With this modifications, the binary will print the key by itself. 

More articles

1. Hacker Tools Apk Download
2. Pentest Tools Apk
3. Hacker Security Tools
4. Hacking Tools For Windows Free Download
5. Hack Website Online Tool
6. Hak5 Tools
7. Nsa Hack Tools Download
8. Hacker Tools Software
9. Hacker Tool Kit
10. Hacker Security Tools
11. Underground Hacker Sites
12. Hacker Tools For Mac
13. Growth Hacker Tools
14. Hack Tools Mac
15. Hacker Tools Github
16. Hacking Tools
17. Hacking Tools 2019
18. Pentest Tools For Ubuntu
19. Hacking Tools Windows
20. Beginner Hacker Tools
21. Hacker Tools 2020
22. Hacking Tools For Windows
23. Tools For Hacker
24. Tools 4 Hack
25. Hack Tools Github
26. Hacking Tools 2020
27. Termux Hacking Tools 2019
28. Pentest Tools Bluekeep
29. Easy Hack Tools
30. Pentest Tools Port Scanner
31. Hacking Tools For Beginners
32. Hackers Toolbox
33. Hacker Tools For Pc
34. Free Pentest Tools For Windows
35. New Hack Tools
36. Pentest Tools Free
37. Pentest Tools List
38. Pentest Tools Apk
39. Termux Hacking Tools 2019
40. Pentest Tools Tcp Port Scanner
41. How To Install Pentest Tools In Ubuntu
42. Hacker Tools Free
43. Hacking Tools Name
44. Hacker Tools For Pc
45. Pentest Tools List
46. Pentest Tools For Ubuntu
47. Hacker Tools For Ios
48. Nsa Hack Tools
49. Hacking Tools 2019
50. Hacker Techniques Tools And Incident Handling
51. Hacker Tools
52. Hack Tools
53. Tools Used For Hacking
54. Hack Tools Download
55. Pentest Tools Framework
56. Hacker Tools Apk Download
57. Hack Tools Pc
58. Hacking Tools For Games
59. Hack App
60. Hacker Tools
61. Ethical Hacker Tools
62. Pentest Recon Tools
63. Hacking Tools Windows
64. Beginner Hacker Tools
65. What Is Hacking Tools
66. Hacking Tools For Windows 7
67. Usb Pentest Tools
68. Pentest Box Tools Download
69. Hacker Tools For Ios
70. Hacking Tools Kit
71. Hacking Tools For Mac
72. Pentest Automation Tools
73. Hacking Tools Windows 10
74. Hacker Tools Hardware
75. Hackers Toolbox
76. Termux Hacking Tools 2019
77. Pentest Tools Website Vulnerability
78. Hacking Tools Software
79. Hacking Tools Windows 10
80. Hacking Tools For Windows 7
81. Hacking Tools For Games
82. Hacker Tools Apk Download
83. Easy Hack Tools
84. World No 1 Hacker Software
85. Nsa Hack Tools
86. Hacking Tools For Pc
87. Github Hacking Tools
88. Hacking Tools Pc
89. What Are Hacking Tools
90. Tools For Hacker
91. Wifi Hacker Tools For Windows
92. Hacker Security Tools
93. Pentest Tools Bluekeep
94. Pentest Tools Nmap
95. Hacker Tools Github
96. Pentest Tools List
97. Hacker Tools Apk Download
98. Pentest Tools Subdomain
99. Pentest Automation Tools
100. New Hack Tools
101. Hacker Tools For Mac
102. Hacking Tools For Games
103. Pentest Tools For Ubuntu
104. Hacks And Tools
105. Nsa Hack Tools Download
106. Pentest Tools Online
107. Blackhat Hacker Tools
108. Best Hacking Tools 2019
109. Pentest Tools
110. Pentest Tools Review
111. Pentest Tools For Windows
112. Hacker Tools List
113. Hacking Tools Mac
114. Pentest Tools Android
115. Hacker Tools Free Download
116. Hacking App
117. Hack Website Online Tool
118. Hack Tools For Games
119. Hacker Tools For Pc
120. Hack Tools Github
121. Pentest Tools Website Vulnerability
122. Beginner Hacker Tools
123. Hack Tools
124. Pentest Tools
125. Pentest Tools List
126. Hack Tools Pc
127. Hack Tools
128. Hackers Toolbox
129. Growth Hacker Tools
130. Pentest Tools Linux
131. Hack Tools Github
132. Growth Hacker Tools
133. Hacker Tools For Windows
134. Hack And Tools
135. Beginner Hacker Tools
136. Hacker Tools For Mac
137. Pentest Tools Subdomain
138. Hacker Tools Software
139. Pentest Tools Apk
140. Hack Tools For Mac
141. Hack Tools For Pc
142. Underground Hacker Sites
143. Hak5 Tools
144. Hack Tool Apk No Root
145. Hacker Tools Online
146. Pentest Automation Tools
147. Pentest Tools Review
148. Hack Tools
149. Pentest Tools Bluekeep
150. Nsa Hacker Tools
151. Hacking Tools Usb
152. Hacking Tools Hardware