CSAW 2012 – Reversing 400

Reversing 400 was a 64-bit Linux ELF that you needed to crack/reverse. Let’s have a look.

blasty@fastbox:~/csaw2012$ file csaw2012reversing 
csaw2012reversing: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x012c3cf67d5aa15a9985ea064958921dc600c367, not stripped
blasty@fastbox:~/csaw2012$ ./csaw2012reversing 
Encrypted Key:  ??????????????

Let’s have a look at what happens here.

blasty@fastbox:~/csaw2012$ gdb ./csaw2012reversing
(gdb) disas main
   0x00000000004006b4 <+134>:   callq  0x4004a0 <printf@plt>
   0x00000000004006b9 <+139>:   mov    $0xffffffff,%edi
   0x00000000004006be <+144>:   callq  0x4005b4 <done>
   0x00000000004006c3 <+149>:   lea    -0x20(%rbp),%rax
   0x00000000004006c7 <+153>:   mov    %rax,%rdi
   0x00000000004006ca <+156>:   callq  0x4005f3 <decrypt>
   0x00000000004006cf <+161>:   mov    $0x400810,%eax
   0x00000000004006d4 <+166>:   lea    -0x20(%rbp),%rdx
   0x00000000004006d8 <+170>:   mov    %rdx,%rsi

What is this mystery routine called ‘done’, why is it invoked with %edi = 0xffffffff (-1) right after the printf, and why does it sit right before the call to ‘decrypt’?

(gdb) disas done
Dump of assembler code for function done:
   0x00000000004005b4 <+0>:     push   %rbp
   0x00000000004005b5 <+1>:     mov    %rsp,%rbp
   0x00000000004005b8 <+4>:     sub    $0x10,%rsp
   0x00000000004005bc <+8>:     mov    %edi,-0x4(%rbp)
   0x00000000004005bf <+11>:    mov    -0x4(%rbp),%eax
   0x00000000004005c2 <+14>:    mov    %eax,%edi
   0x00000000004005c4 <+16>:    callq  0x4004c0 <exit@plt>

Ah, that doesn’t look good(TM). ‘done’ is nothing but a wrapper around exit(): it passes its argument (here -1) straight through, so the program terminates before ‘decrypt’ is ever reached. We *don’t* want to exit()! 🙂

(gdb) break *0x00000000004006be
Breakpoint 1 at 0x4006be: file csaw2012reversing.c, line 33.
(gdb) r
Starting program: /home/blasty/csaw2012/csaw2012reversing 
Encrypted Key:  ??????????????

Breakpoint 1, 0x00000000004006be in main (argc=1, argv=0x7fffffffe608, env=0x7fffffffe618) at csaw2012reversing.c:33
33      csaw2012reversing.c: No such file or directory.
(gdb) set $rip=0x00000000004006c3
(gdb) c
Decrypted Key:  csawissohard__:(
[Inferior 1 (process 14463) exited normally]

Phew! So simple! (again) Breaking on the call and pointing $rip at the instruction right after it (0x4006c3) skips ‘done’ entirely, and main just carries on into ‘decrypt’ with the same stack buffer it was about to use anyway.
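The gdb trick only helps while the debugger is attached. The same bypass can be made permanent by overwriting the five-byte `callq done` at 0x4006be with NOPs, which is what the script below does. This is example code added to the writeup, not part of the original post or the challenge; the addresses are the ones from the disassembly above, and the ELF used by its self-test is a constructed stand-in (the real csaw2012reversing binary is not included here). The script maps the virtual address to a file offset through the PT_LOAD program headers and refuses to patch unless the bytes there really are an `e8 rel32` call resolving to ‘done’, so a wrong address or a different build fails loudly instead of silently corrupting the file.

```python
# Making the bypass permanent: NOP out the `callq done` so the binary runs
# straight into decrypt() without gdb.  Example code added to this writeup,
# not part of the original post.  Addresses come from the disassembly above;
# the ELF built by build_sample_elf() is a constructed stand-in for
# csaw2012reversing, which is not included here.
import struct
import sys

CALL_ADDR = 0x4006BE   # `callq 0x4005b4 <done>` in main (from the disassembly)
DONE_ADDR = 0x4005B4   # done(), a thin wrapper around exit()
CALL_LEN = 5           # e8 rel32


def vaddr_to_offset(elf: bytes, vaddr: int) -> int:
    """Map a virtual address to a file offset via the ELF64 PT_LOAD segments."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:          # EI_CLASS 2 == ELFCLASS64
        raise ValueError("not an ELF64 file")
    e_phoff = struct.unpack_from("<Q", elf, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, _memsz, _align = \
            struct.unpack_from("<IIQQQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == 1 and p_vaddr <= vaddr < p_vaddr + p_filesz:   # PT_LOAD
            return p_offset + (vaddr - p_vaddr)
    raise ValueError(f"{vaddr:#x} is not backed by any PT_LOAD segment")


def nop_call(elf: bytes, call_addr: int, expected_target: int) -> bytes:
    """Return a copy of `elf` with the 5-byte near call at call_addr replaced by NOPs.

    Refuses to patch unless the bytes really are `e8 rel32` resolving to
    expected_target, so a wrong address or a different build raises instead of
    silently corrupting the binary.
    """
    off = vaddr_to_offset(elf, call_addr)
    if elf[off] != 0xE8:
        raise ValueError(f"{call_addr:#x}: opcode {elf[off]:#04x} is not a call rel32")
    rel32 = struct.unpack_from("<i", elf, off + 1)[0]
    target = call_addr + CALL_LEN + rel32          # rel32 is relative to the next insn
    if target != expected_target:
        raise ValueError(f"{call_addr:#x}: call targets {target:#x}, expected {expected_target:#x}")
    patched = bytearray(elf)
    patched[off:off + CALL_LEN] = b"\x90" * CALL_LEN
    return bytes(patched)


def build_sample_elf() -> bytes:
    """Constructed ELF64 image (not the real challenge binary): one PT_LOAD at
    0x400000 covering the whole file, with the three instructions from the
    disassembly around the call placed at their real addresses."""
    buf = bytearray(0x800)
    buf[0:7] = b"\x7fELF\x02\x01\x01"              # magic, ELFCLASS64, LSB, EV_CURRENT
    # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize
    # e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    struct.pack_into("<HHIQQQIHHHHHH", buf, 0x10,
                     2, 0x3E, 1, 0x4006B4, 0x40, 0, 0, 64, 56, 1, 64, 0, 0)
    struct.pack_into("<IIQQQQQQ", buf, 0x40,          # PT_LOAD, flags R+X
                     1, 5, 0, 0x400000, 0x400000, len(buf), len(buf), 0x1000)
    #   4006b9: bf ff ff ff ff    mov   $0xffffffff,%edi
    #   4006be: e8 f1 fe ff ff    callq 4005b4 <done>   (rel32 = 0x4005b4 - 0x4006c3)
    #   4006c3: 48 8d 45 e0       lea   -0x20(%rbp),%rax
    buf[0x6B9:0x6C7] = bytes.fromhex("bfffffffff" "e8f1feffff" "488d45e0")
    return bytes(buf)


if __name__ == "__main__":
    # usage: python3 patch_done.py csaw2012reversing csaw2012reversing.patched
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(nop_call(data, CALL_ADDR, DONE_ADDR))
    print(f"patched call at {CALL_ADDR:#x} -> {dst}")
```

After patching, the `mov $0xffffffff,%edi` at 0x4006b9 is left in place; it just loads a register nobody reads anymore, which is why five NOPs are enough and no re-encoding of the surrounding instructions is needed. The patched copy should print the decrypted key when run directly, exactly as the gdb session above did.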

Flag: csawissohard__:(

