Breaking Code

March 1, 2017

R2con 2016 reverseme challenge

Filed under: Conferences, Just for fun, Reversing — Mario Vilas @ 5:18 pm
R2con poster, by the talented artists of Hackerstrip

Back in September 2016 I attended R2con, the first public and international congress about Radare. Needless to say, it was pretty awesome 😀 and I recommend everyone interested in reverse engineering to go there next year. During the conference, Riscure proposed a simple reversing challenge using Radare to play with. You can find the challenge here. This is my (very short and dumb) writeup of it.

The challenge consisted of reversing an ELF binary and figuring out a password. When running the binary, you had to enter the password to get a message saying that you won the challenge. No modifying was allowed, just reversing. Now, this in itself was super easy since it was meant as an introduction, but I didn’t know how to use r2 well enough so it took me a while to solve it. 😀

The first problem I ran into was that it used a different version of libcrypto than my distro so I had to set up a VM. I suppose I could have installed another libcrypto and have them coexist, or used a chroot jail or whatever, but just firing up a VM seemed like the easiest choice to me – especially since I’m already used to Vagrant for this kind of thing.

After that, it was time to fire up Radare:

$ chmod +x RHme2_prequalification_challenge # (did not have the +x bit in Github)
$ ./r2 ./RHme2_prequalification_challenge

Then analyzed everything with the “aaaa” command and launched the UI with “=H” (because I’m lazy). Using the UI I quickly listed the strings, found the relevant ones, then looked for references to them. Turns out everything was right there in main() so this step wasn’t really needed! 😀

So, going back to the console, using visual mode we can see the code right away:

Gotta love ASCII art graph view

There was some code before the AES decryption that may be some kind of obfuscation, but I didn’t bother with it statically because it was easier to just put a breakpoint at the memory compare after decryption to see what the hardcoded password was.

Turns out to run Radare as a debugger you need to specify -d before opening the file. I got stuck there for a while because I’m such a n00b. #shame 😀

So, after running “r2 -d”, setting the breakpoint with “db 0x0040081d” then executing the program with “dc”, I got prompted for a password. Just typed anything and continued, after that the breakpoint was hit.

From the code I knew the argument with the decoded password should be in the rbx register, so using the “dbr” command to show the registers, then the “s” command to change the pointer (another odd concept for those of us coming from gdb!) and finally using the “x” command I could see the memory contents:

Gotcha!

Running the program again and trying out that password confirmed it was correct. TA-DA!

Well, now that I’ve made you waste your time reading this, here’s a much better writeup for it. Enjoy! 😉 #trolling
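The breakpoint-and-dump session described above, collected into a single radare2 script. This is an added example, not part of the original post; it assumes the script is saved as dump_password.r2 and reuses the breakpoint address and the rbx register named in the writeup.

```r2
# Added example (not from the original post). Run with:
#   r2 -d -i dump_password.r2 ./RHme2_prequalification_challenge
# Breakpoint address and register are the ones used in the writeup above.

# break on the memory compare that runs right after the AES decryption
db 0x0040081d

# continue; the program now asks for a password, any input will do
dc

# rbx should hold the pointer to the decrypted (hardcoded) password
dr rbx

# seek to the address held in rbx and dump the buffer there
s rbx
px 32

# same buffer, printed as a zero-terminated string
ps @ rbx
```

After `dc` the process blocks on the password prompt in the same terminal; type anything and press Enter so the breakpoint is reached and the remaining commands run.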

December 2, 2012

Navaja Negra (Black Razor) Conference

Filed under: Conferences — Mario Vilas @ 6:39 pm

Just came back today from the Navaja Negra (Black Razor) Conference in Albacete, Spain. Had a great time there, saw lots of old and new faces (they literally filled the room!) and after the talks had a taste of the Albacete nightlife, and a fantastic dinner where I left my mobile phone on the table unattended, and my fellow speakers kindly reminded me in a polite and civilized manner of the importance of locking one’s phone.

This time my friend Aladdin Gurbanov (@SeTx[X]) and I gave a presentation called “Take a walk on the wild side”, an introduction to the world of e-crime on the Internet. I’ll update this post when the slides and the video are online. They’ll be in Spanish only, sorry! Think of it as a chance to practice what you learned in Spanish class. 😉

Update: Unfortunately not all videos are available! A fragment of our talk is available at Ustream. There’s also a summary of the conference (in Spanish) at the MADESYP Academy blog.

Yup, that's my new knife! }:D

The organization had a really original gift for the speakers this year: a traditional Albacetean Teja black razor.

April 20, 2012

Hackito Ergo Sum 2012

Filed under: Conferences — Mario Vilas @ 11:27 pm

Hi everyone. Last week I attended Hackito Ergo Sum 2012, and I wanted to share with you some of the things that I found most interesting during the talks. This won’t be a detailed review of each talk, but rather an account of a few details on the talks that I personally found more interesting, in no particular order. If you’re looking for a detailed review of each talk check out this blog.

Oh, by the way. I totally made up the names of the talks. I think it’s more fun that way. 🙂

The event took place at the headquarters of the French Communist Party, and I have to say the conference room was quite impressive. It was an underground dome all covered with white metallic plates and lamps behind, giving a peculiar visual effect.

An additional advantage of this place is that some security agencies can’t send their spooks there. Hurray to the ridiculously outdated cold war laws! 🙄

One thing I didn’t like though, was that the slides were projected in a sort of tilted curved screen, making it a bit difficult to read the slides unless you were sitting in the middle. I don’t think I was the only one with this problem because I saw a lot of heads tilted sideways… 😉
