Categories
Capture The Flag

Reverse Engineering Challenges – Cohesion Writeups

These are the writeups for Reverse Engineering Challenges of the Cohesion CTF by IEEE NCU.

1. Basic Rev

Reverse Engineering Challenges - Cohesion Writeups 1

Downloading the file gives us an ELF binary.

Reverse Engineering Challenges - Cohesion Writeups 2

Let’s make this executable and run this file.

Reverse Engineering Challenges - Cohesion Writeups 3

It doesn’t seem like this will help. Let’s try running the strings command on it by typing >strings basic-rev

Reverse Engineering Challenges - Cohesion Writeups 4

Voila, here’s the flag: IEENCU.CTF{R3V3R53_15_N0T_H4RD_0000}

2. Basic Rev 2

Reverse Engineering Challenges - Cohesion Writeups 5

Again we get an ELF binary, let’s make it executable and try to run it.

Reverse Engineering Challenges - Cohesion Writeups 6

We need to provide a flag as an argument and it’ll test that if it’s correct.

Let’s fire up Radare2 and view the assembly code to get the logic.

>r2 basic-rev2

Reverse Engineering Challenges - Cohesion Writeups 7

We see that there is a main function, let’s disassemble it and see the source by typing in >pdf @main

Reverse Engineering Challenges - Cohesion Writeups 8

It looks like it checks that each character is equal to certain values for the whole input string. Let’s go through the disassembled code and try to reverse the correct flag.

After some effort, we get that the flag is IEEENCU.CTF{B451C-R3V3R53-3NG-4-FUN}. Let’s try to enter this as the flag in the file and check if it’s correct or not.

Reverse Engineering Challenges - Cohesion Writeups 9

And congratulation, this is the correct flag.

3. Andy

Reverse Engineering Challenges - Cohesion Writeups 10

Once again we get a random file, let’s run file command on it to see what it is.

Reverse Engineering Challenges - Cohesion Writeups 11

It’s a zip archive, let’s extract it and see what’s in it.

Reverse Engineering Challenges - Cohesion Writeups 12
Reverse Engineering Challenges - Cohesion Writeups 13

The extracted files looks like it’s from an android apk. Let’s use jadx to decompile this file.

Reverse Engineering Challenges - Cohesion Writeups 14

Opening the extracted files and viewing the resources/AndroidManifest.xml file gives us the following.

Reverse Engineering Challenges - Cohesion Writeups 15

This looks like a base64 encoded string, let’s decode it.

Reverse Engineering Challenges - Cohesion Writeups 16

And here’s the flag: IEEENCU.CTF{W0W_4NDR01D_H45_4PK!!}

4. Pyro

Reverse Engineering Challenges - Cohesion Writeups 17

Here, we’ve got an ELF executable. Let’s make it executable and run it.

Reverse Engineering Challenges - Cohesion Writeups 18

And let’s run radare2 on it as well.

Reverse Engineering Challenges - Cohesion Writeups 19

The functions doesn’t seem recognizable, probably because it’s stripped. On further investigation, we get to know that this file is made with python.

So on searching, we get to know that we can reverse it by using pyinstxtractor by extremecoders-re. Using this we can reverse the file by the commands

>objcopy –dump-section pydata=pyro.dump pyro

>python pyinstxtractor.py pyro.dump

Reverse Engineering Challenges - Cohesion Writeups 20

In the extracted folder, there is a file py-ro.pyc. Let’s try running strings command on it.

Reverse Engineering Challenges - Cohesion Writeups 21

And here’s the flag: IEEENCU.CTF{TH3_FUN_0F_R3VERS1NG-PYTH0N}

5. Grep the Flag

Reverse Engineering Challenges - Cohesion Writeups 22

Again, an ELF file. Repeat the steps to make it executable now.

Reverse Engineering Challenges - Cohesion Writeups 23

It seems like the grep command on Linux. Let’s try >grep help

Reverse Engineering Challenges - Cohesion Writeups 24

It surely is the grep command. Now let’s try the string command and grep the flag format on it.

Reverse Engineering Challenges - Cohesion Writeups 25

We can see there is an option to test if the flag is correct or not. Let’s open this up in radare2.

Reverse Engineering Challenges - Cohesion Writeups 26

We can see it has a lot of functions. Anyways, let’s try decompiling @main

Reverse Engineering Challenges - Cohesion Writeups 27

Upon going through the function, we can see that a function sym.val_f is called and then according to the output, string “Correct Flag!” is printed.

Reverse Engineering Challenges - Cohesion Writeups 28

Let’s now analyse this function sym.val_f. This looks a bit complicated but don’t worry, you’ll understand it with practice.

Here it seems like each character in the flag is XORed with something.

Reverse Engineering Challenges - Cohesion Writeups 29

And then 2 is added to each character.

Reverse Engineering Challenges - Cohesion Writeups 30

Which is then base64 encoded.

Reverse Engineering Challenges - Cohesion Writeups 31

And finally compared against a string to check if it’s correct or not in parts.

Reverse Engineering Challenges - Cohesion Writeups 32

Upon analyzing, we find that the base64 string is: e3V1eXwnY0e3V1eXwnY0ZjMEfndoaCsDbnWBBXY/BA9hSjZURmE2SH8= and the string it was XORed was: 06624f4da489e774a32292a235373b38.

Now we have all the things we need. We have to first base64decode the string, followed by subtracting 2 from each of the character. And at last XOR it with the other string.

We can do this with the following program:

Reverse Engineering Challenges - Cohesion Writeups 33

Compiling and running it will give us the following output:

Reverse Engineering Challenges - Cohesion Writeups 34

Here’s the flag: IEEENCU.CTF{GR3PP1NG_TH3_FL4G_15_H4RD_4F}

6. Not So Basic

Reverse Engineering Challenges - Cohesion Writeups 35

Repeat the first steps for this ELF executable again and run it.

Reverse Engineering Challenges - Cohesion Writeups 36

It is again checking the flag against the input. Open up Radare2 and analyze it.

Reverse Engineering Challenges - Cohesion Writeups 37

Decompiling the @main gives us following.

Reverse Engineering Challenges - Cohesion Writeups 38

Over here, it looks like some calculations are done on the tax register, and then the value stored in it is treated as a function and called.

Reverse Engineering Challenges - Cohesion Writeups 39

And this all is in a loop. Analyzing it a bit further, it seems as if all these functions are being called by their addresses instead of their names.

Reverse Engineering Challenges - Cohesion Writeups 40

Let’s try to see one such function call.

Reverse Engineering Challenges - Cohesion Writeups 41

Here, it is comparing values of flag and if it’s correct, it continues or else it exits.

And each of the function call compares the value of one character.

Reverse Engineering Challenges - Cohesion Writeups 42

And at the end, we have this sym.final function.

Reverse Engineering Challenges - Cohesion Writeups 43

Going through the addresses and checking each of the function for characters of the flag gives us the flag: IEEENCU.CTF{FUNCT10N5-4R3NT-FUN-4ND-345Y}

Get the latest tech news and updatesethical hacking tutorials and cybersecurity tips and tricks. Check out MeuSec for more.

Sometimes we include links to online retail stores and/or online campaigns. If you click on one and make a purchase we may receive a small commission.

Comments:

Leave a Reply

Your email address will not be published. Required fields are marked *