30 Sep 2012

CSAW 2012 – Reversing 100

Reversing 100 is a 32-bit Windows PE executable. When you run it, it displays a MessageBox containing “Encrypted Key: ”. Once you close the MessageBox the program exits.

Let’s investigate this a bit in a disassembler. main() is really small to begin with; scrolling a bit down we see:

.text:013510D0                 push    offset Source   ; "Encrypted Key:  "
.text:013510D5                 lea     ecx, [ebp+Text]
.text:013510D8                 push    ecx             ; Dest
.text:013510D9                 call    strcpy
.text:013510DE                 add     esp, 8
.text:013510E1                 lea     edx, [ebp+Source]
.text:013510E4                 push    edx             ; Source
.text:013510E5                 lea     eax, [ebp+Text]
.text:013510E8                 push    eax             ; Dest
.text:013510E9                 call    strcat
.text:013510EE                 add     esp, 8
.text:013510F1                 push    0               ; uType
.text:013510F3                 push    offset Caption  ; "Key!"
.text:013510F8                 lea     ecx, [ebp+Text]
.text:013510FB                 push    ecx             ; lpText
.text:013510FC                 push    0               ; hWnd
.text:013510FE                 call    ds:MessageBoxA
.text:01351104                 push    0FFFFFFFFh      ; Code
.text:01351106                 call    ds:exit
.text:01351106 _main           endp
.text:01351106
.text:0135110C ; ---------------------------------------------------------------------------
.text:0135110C                 lea     edx, [ebp-18h]
.text:0135110F                 push    edx
.text:01351110                 call    sub_1351030
.text:01351115                 add     esp, 4
.text:01351118                 push    offset aDecryptedKey ; "Decrypted Key:  "
.text:0135111D                 lea     eax, [ebp-58h]

That’s odd: why is it calling exit() before it starts doing anything involving a “Decrypted Key”? Stepping over the exit() call gives us the flag welcometocsaw!

Let’s have a quick look at the more “hardcore” way of solving things without doing runtime debugging.

.text:00B1110C                 lea     edx, [ebp-18h]
.text:00B1110F                 push    edx
.text:00B11110                 call    sub_B11030 # hmm...
.text:00B11115                 add     esp, 4
.text:00B11118                 push    offset aDecryptedKey ; "Decrypted Key:  "

The sub_B11030 is likely “decrypting” the key before displaying it.

int __cdecl sub_B11030(int a1)
{
  int v2; // [sp+0h] [bp-4h]@1

  v2 = 0;
  while ( *(_BYTE *)a1 )
  {
    *(_BYTE *)a1 = ~*(_BYTE *)a1;
    ++a1;
    ++v2;
  }
  return v2;
}

Alright, that looks like a simple deobfuscation loop: all it does is bitwise-NOT every byte until it reaches the terminating NUL. It’s being called with (ebp-18h) as its argument. If we go back to the start of main we see:

.text:00B11070 Source          = byte ptr -18h
..
.text:00B11080                 mov     [ebp+Source], 88h
.text:00B11084                 mov     [ebp+var_17], 9Ah
.text:00B11088                 mov     [ebp+var_16], 93h
.text:00B1108C                 mov     [ebp+var_15], 9Ch
.text:00B11090                 mov     [ebp+var_14], 90h
.text:00B11094                 mov     [ebp+var_13], 92h
.text:00B11098                 mov     [ebp+var_12], 9Ah
.text:00B1109C                 mov     [ebp+var_11], 0A0h
.text:00B110A0                 mov     [ebp+var_10], 8Bh
.text:00B110A4                 mov     [ebp+var_F], 90h
.text:00B110A8                 mov     [ebp+var_E], 0A0h
.text:00B110AC                 mov     [ebp+var_D], 9Ch
.text:00B110B0                 mov     [ebp+var_C], 8Ch
.text:00B110B4                 mov     [ebp+var_B], 9Eh
.text:00B110B8                 mov     [ebp+var_A], 88h
.text:00B110BC                 mov     [ebp+var_9], 0DEh
.text:00B110C0                 mov     [ebp+var_8], 0

So it’s invoking the deobfuscation routine on the char[] array that main initialised byte by byte above (the 0 written to var_8 is the NUL terminator that stops the loop).

# php -r '$a=array(0x88,0x9a,0x93,0x9c,0x90,0x92,0x9a,0xa0,0x8b,0x90,0xa0,0x9c,0x8c,0x9e,0x88,0xde); foreach($a as $b) echo chr($b^0xff); echo "\n";'
welcome_to_csaw!
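The same computation in C, as an added example (not code from the original post or from the challenge binary): the obfuscated bytes are copied from the mov listing above into a constant, and decrypt_key() mirrors the decompiled sub_B11030, which bitwise-NOTs each byte in place until the NUL terminator and returns the byte count. The function names and the decrypt_into() helper are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Obfuscated key bytes exactly as main() writes them to [ebp-18h] .. [ebp-8],
   copied from the mov listing in the write-up (the final 0 is the NUL terminator). */
static const unsigned char ENCRYPTED_KEY[] = {
    0x88, 0x9a, 0x93, 0x9c, 0x90, 0x92, 0x9a, 0xa0,
    0x8b, 0x90, 0xa0, 0x9c, 0x8c, 0x9e, 0x88, 0xde, 0x00
};

/* Re-implementation of sub_B11030 (name assumed for this example):
   invert every byte in place until the NUL terminator and return how many
   bytes were processed. ~x on a byte is the same as x ^ 0xff, which is
   why the PHP one-liner above uses XOR. */
int decrypt_key(char *buf)
{
    int n = 0;
    while (*buf) {
        *buf = (char)(~(unsigned char)*buf);
        ++buf;
        ++n;
    }
    return n;
}

/* Hypothetical helper: copy the constant into a caller-supplied buffer, decrypt it
   there and return the length, or -1 if the buffer is too small. Keeping the
   constant untouched means the routine can be run repeatedly (e.g. from a test). */
int decrypt_into(char *out, size_t outlen)
{
    if (outlen < sizeof ENCRYPTED_KEY)
        return -1;
    memcpy(out, ENCRYPTED_KEY, sizeof ENCRYPTED_KEY);
    return decrypt_key(out);
}

int main(void)
{
    char key[sizeof ENCRYPTED_KEY];
    int n = decrypt_into(key, sizeof key);
    /* Prints the string the dead code after exit() would have shown. */
    printf("Decrypted Key:  %s (%d bytes)\n", key, n);
    return 0;
}
```

Running it prints the same 16-character string the PHP one-liner produced; the returned count matches the v2 counter the decompiled routine hands back to main.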

Flag: welcometocsaw

6 Responses to “CSAW 2012 – Reversing 100”

  1. Hey. Could I know which software did you use to disassemble the exe? I tried PE explorer, but it doesn’t give as much detail as your disassembler did.

    Varun
  2. Which disassembler did you use?

  3. @Varun @thepcnerd: He used IDA Pro 🙂.

    Minh Triet Pham Tran