Late Writeup – AngryReverser (hackcon)

Earlier this year, I participated in the “hackcon” CTF. At the time, I did not solve the “AngryReverser” challenge, and I was pretty pissed with myself for not doing so – this appeared to be a straightforward solve.

Today, I attempted to solve this challenge with angr (primarily so I could learn angr), and I was successful. I will present the writeup below:

AngryReverser

This challenge was presented as a binary, “yolomolo”. You can download this (as well as the solution and flag) here: angryreverser

Initial analysis of the binary, reveals what appears to be a debug check:

yolomolo

And the “GoHomeOrGoCrazy” function, which is tremendous:

yolo_fuck

Further analysis breaks shows this function comes in three parts. Part 1, which ranges from approximately 0x40065C to 0x4029FD, consists of a static stack initialization function. There are no effective branches, and a lot of hard-coded data is moved onto the stack:

yolo_part1

The second part of the function, ranging from this point to the end of the function, is a series of linear equations. If you fail one of the “equation blocks”, you end up in a no-no zone with a ptrace debug check, which appears designed to fail:

yolo_equation_block

At this point, it is clear that this challenge should be solved via symbolic execution – angr is our tool of choice. Unfortunately, a naive angr script (stdin/stdout based) doesn’t work, giving us an error that nothing is on stdout (YMMV: sorry, forgot to grab a screencap).

Instead, to make this work, we can modify our angr script, and use two “failure” conditions:

  • Printing “NOPE” at 0x405AB4
  • Using “ptrace”

To enable this, we also quickly patch our binary to remove the first ptrace call (at 0x405AAA), as there is no path to avoid this. You can find the revised Python script here.

yolomolo_solve

I’d like to thank the hackcon team for putting together this event: unfortunately, I was not able to enjoy all the challenges because I suck at computers, but I hope next year I will be more prepared to tackle these challenges.

About Norman

Sometimes, I write code. Occasionally, it even works.
This entry was posted in Bards, Computers, Jesting and tagged , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s