During the Nuit do Hack Quals CTF, I didn’t manage to successfully solve the “Matroichka 4” challenge (a minor consolation is that only 10 people did by the time I went to sleep). That said, I learned a little about tooling during this challenge, which I’ll record here incase people find it useful:

Matroichka 4 is an obfuscated MBR:

The first step of debugging this binary is to load it into IDA/bochs. I followed the steps here to do this: I needed to fiddle a bit with the loader batch file (I manually used mbr.py to update the bochs disk image with the matroichka4 MBR image, and started IDA manually with bochsrc.idb).

Opening bochsrc.ida starts IDA in it’s usual format, but it’s clear that this binary is obfuscated, making repeated calls to functions like this:

There’s six of these functions that I’ve seen being used so far: they return to the caller with an offset of +1, +2 and +4 (you can test this by sticking this in a “shell” program and seeing what happens). Static analysis only takes us so far, and dynamic analysis is the way forward. To debug this:

• Debugger->Start Process (or F9)
• In the bottom pane of IDA (where the Python prompt usually lives), you’ll get a Bochs prompt (Python will change to “BOCHS”).
• The Bochs prompt functions like GDB, a quick reference to a few key functions are below:
  • break 0x1234 sets a breakpoint
  • bpd 1 delets breakpoint 1
  • r eax displays registers
  • x /4bx 0x1234 dispalys 4 bytes in hexadecimal format at 0x1234 (first character is the type of item, middle character changes length of item displayed, x is for hexadecimal).

Two things to note as well:

• Bochs/IDA is a little unstable. Closing bochs sometimes causes IDA to hang.
• Make sure you set a “start” breakpoint – I can’t find a way to force Bochs to cede control back to IDA, so I used the “power reset” function with a breakpoint at the first byte of code to deal with this.

Blindly stumbling around the MBR for a bit, I ended up revealing a few useful tidbits of code:

• Printing the welcome message (“What’s the password?” is at 0x1094
• 0x1117 is the key entry routine

This is about as far as I got in the time allocated before I went to sleep – I’ll look further into this during the week.

Props to the handful of brave individuals who solved this during the CTF time – I’m looking forward to learning more about this 🙂

(On a side note: there’s the Teaser CONFidence CTF 2016 coming up and sCTF 2016 Q1 for a bit of relaxing fun next week. Operation suck less proceeds at a most glorious pace).