This week, I participated in the 34C3 CTF. Unfortunately, I was only able to solve a single challenge in the time available (and not a high-value one) – as always, I will present the writeup here.
This challenge was presented as a Linux binary, which you can download here.
On first opening the binary in IDA, the beginning of the main function immediately gives away the heart of the challenge:
It is obvious that there is self-modifying code, currently located at “src”. Travelling further down into the disassembly, we see the beginning of the payload:
Further down still, we can see the “next stage” decryption code:
There’s no immediate clue to what our decryption key is – but given that we know where the “original” self-modifying code is, we can modify the decryption stub to include a breakpoint before retn, allowing the code to decrypt itself in memory (wherever it is), copy out the decrypted memory, and stick it back into IDA. A little gdb later, and we have some limited success:
At this point, the astute reader will notice that the “parts” of the payload actually follow a very static pattern, with the first instructions being “push esi” for both the first and second part. Therefore, the easiest solution would be to brute force the decryption keys for the remainder of the challenge.
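The known-plaintext key search described above, as an added example rather than the author's own script: it assumes, purely for illustration, that each stage is XORed with its own single-byte key (the page does not show the stub's real scheme) and that every stage begins with "push esi" (opcode 0x56).

```python
# Added example (not the challenge's real stub): known-plaintext key search for
# a self-decrypting stage. ASSUMPTION: each stage is XORed with its own
# single-byte key, and every stage's first instruction is "push esi" (0x56).

KNOWN_PREFIX = b"\x56"  # opcode of "push esi" on 32-bit x86


def xor_bytes(blob: bytes, key: int) -> bytes:
    """Decrypt (or encrypt) a blob with a repeating single-byte XOR key."""
    return bytes(b ^ key for b in blob)


def find_keys(stage: bytes, known_prefix: bytes = KNOWN_PREFIX) -> list:
    """Return every single-byte key whose decryption starts with known_prefix."""
    n = len(known_prefix)
    return [k for k in range(256) if xor_bytes(stage[:n], k) == known_prefix]


def recover_stages(stages, known_prefix: bytes = KNOWN_PREFIX):
    """Brute-force each stage independently; return (key, plaintext) pairs.

    Raises ValueError when a stage has no key (the prefix assumption failed)
    or more than one candidate (the known plaintext is too short to decide).
    """
    recovered = []
    for i, stage in enumerate(stages):
        keys = find_keys(stage, known_prefix)
        if len(keys) != 1:
            raise ValueError(f"stage {i}: {len(keys)} candidate keys, expected 1")
        recovered.append((keys[0], xor_bytes(stage, keys[0])))
    return recovered


# Constructed sample: two plaintext stages that both begin with "push esi",
# encrypted here with made-up keys so the search has something to find.
PLAIN_STAGES = [
    b"\x56\x8b\x74\x24\x08\x5e\xc3",  # push esi; mov esi,[esp+8]; pop esi; ret
    b"\x56\x31\xf6\x5e\xc3",          # push esi; xor esi,esi; pop esi; ret
]
SAMPLE_KEYS = [0xA5, 0x3C]
SAMPLE_STAGES = [xor_bytes(p, k) for p, k in zip(PLAIN_STAGES, SAMPLE_KEYS)]

if __name__ == "__main__":
    for key, plain in recover_stages(SAMPLE_STAGES):
        print(f"key=0x{key:02x} plaintext={plain.hex()}")
```

With a one-byte known prefix and a one-byte XOR key every stage yields exactly one candidate; a longer prefix (or a stricter check on the decrypted bytes) is what keeps the search unambiguous if the real key space is larger.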
I would like to thank the 34C3 CTF organisers for putting together this event – well done. See you all in SANS Holiday Hack, followed by the Insomnihack Teaser CTF early next year 🙂