Writeup – Morph (34C3)

This week, I participated in the 34C3 CTF. Unfortunately, I was only able to solve a single challenge in the time available (and not a high-value one) – as always, I will present the writeup here.

Morph

This challenge was presented as a Linux binary, which you can download here.

On first opening the binary in IDA, the beginning of the main function immediately gives away the heart of the challenge:

It is obvious that there is self-modifying code, currently located at “src”. Travelling further down into the disassembly, we see the beginning of the payload:

Further down still, we can see the “next stage” decryption code:

There’s no immediate clue to what our decryption key is – but given that we know where the “original” self-modifying code is, we can patch the decryption stub to include a breakpoint just before its retn, let the code decrypt itself in memory (wherever it ends up), dump the decrypted region, and load it back into IDA. A little gdb later, and we have some limited success:

At this point, the astute reader will notice that the “parts” of the payload actually follow a very static pattern, with the first instructions being “push esi” for both the first and second part. Therefore, the easiest solution would be to brute force the decryption keys for the remainder of the challenge.

A bit of Python later, and the flag is ours. You’ll also need the “1.bin” file extracted from the challenge itself.
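As an added illustration of the known-plaintext brute force described above (this is not the original writeup’s script), the snippet below recovers one key per stage by trying every candidate and keeping the ones under which the stage starts with `push esi`. It assumes, for the sake of the example, that each stage is XOR-encrypted with its own single-byte key; the three sample stages, their keys and the flag text are constructed placeholders, not data from the challenge.

```python
# Added example: recover per-stage keys of a multi-stage self-decrypting
# payload by known-plaintext brute force. Assumed (constructed) model: each
# stage is XOR-encrypted with its own one-byte key and begins with `push esi`.

PUSH_ESI = b"\x56"  # x86 encoding of `push esi`


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a one-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def candidate_keys(stage: bytes, known_prefix: bytes = PUSH_ESI) -> list[int]:
    """Every one-byte key under which the stage decrypts to the known prefix."""
    head = stage[: len(known_prefix)]
    return [k for k in range(256) if xor_bytes(head, k) == known_prefix]


def decrypt_stages(stages: list[bytes], known_prefix: bytes = PUSH_ESI) -> list[tuple[int, bytes]]:
    """Return (key, plaintext) per stage; fail loudly if the prefix does not pin down one key."""
    out = []
    for i, stage in enumerate(stages):
        keys = candidate_keys(stage, known_prefix)
        if len(keys) != 1:
            raise ValueError(f"stage {i}: {len(keys)} candidate keys, need a longer known prefix")
        out.append((keys[0], xor_bytes(stage, keys[0])))
    return out


# Constructed sample: three stages, each `push esi` + a few bytes + a marker,
# encrypted with keys 0x1f, 0xa4 and 0x77. The flag text is a placeholder.
SAMPLE_KEYS = [0x1F, 0xA4, 0x77]
SAMPLE_PLAIN = [
    PUSH_ESI + b"\x89\xe5\x31\xc0stage0",
    PUSH_ESI + b"\x83\xec\x10stage1",
    PUSH_ESI + b"\x5e\xc3FLAG{placeholder}",
]
SAMPLE_STAGES = [xor_bytes(p, k) for p, k in zip(SAMPLE_PLAIN, SAMPLE_KEYS)]


def recover_sample() -> list[tuple[int, bytes]]:
    """Run the brute force over the constructed sample stages."""
    return decrypt_stages(SAMPLE_STAGES)


if __name__ == "__main__":
    for i, (key, plain) in enumerate(recover_sample()):
        print(f"stage {i}: key=0x{key:02x} plaintext={plain!r}")
```

A longer known prefix (for instance the first two instructions rather than just `push esi`) tightens the filter when a single byte leaves more than one candidate.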

I would like to thank the 34C3 CTF organisers for putting together this event – well done. See you all in SANS Holiday Hack, followed by the Insomnihack Teaser CTF early next year 🙂

About Norman

Sometimes, I write code. Occasionally, it even works.
This entry was posted in Bards, Computers, Jesting.