NcN 2015 CTF - theAnswer Writeup

1. Overview

Is an elf32 static and stripped binary, but the good news is that it was compiled with gcc and it will not have shitty runtimes and libs to fingerprint, just the libc ... and libprhrhead
This binary is writed by Ricardo J Rodrigez

When it's executed, it seems that is computing the flag:

But this process never ends .... let's see what strace say:

There is a thread deadlock, maybe the start point can be looking in IDA the xrefs of 0x403a85
Maybe we can think about an encrypted flag that is not decrypting because of the lock.

This can be solved in two ways:

• static: understanding the cryptosystem and programming our own decryptor
• dynamic: fixing the the binary and running it (hard: antidebug, futex, rands ...)

At first sight I thought that dynamic approach were quicker, but it turned more complex than the static approach.


2. Static approach

Crawling the xrefs to the futex, it is possible to locate the main:

With libc/libpthread function fingerprinting or a bit of manual work, we have the symbols, here is the main, where 255 threads are created and joined, when the threads end, the xor key is calculated and it calls the print_flag:

The code of the thread is passed to the libc_pthread_create, IDA recognize this area as data but can be selected as code and function.

This is the thread code decompiled, where we can observe two infinite loops for ptrace detection and preload (although is static) this antidebug/antihook are easy to detect at this point.

we have to observe the important thing, is the key random?? well, with the same seed the random sequence will be the same, then the key is "hidden" in the predictability of the random.

If the threads are not executed on the creation order, the key will be wrong because is xored with the th_id which is the identify of current thread.

The print_key function, do the xor between the key and the flag_cyphertext byte by byte.

And here we have the seed and the first bytes of the cypher-text:

With radare we can convert this to a c variable quickly:

And here is the flag cyphertext:

And with some radare magics, we have the c initialized array:

radare, is full featured :)

With a bit of rand() calibration here is the solution ...

The code:
https://github.com/NocONName/CTF_NcN2k15/blob/master/theAnswer/solution.c

3. The Dynamic Approach

First we have to patch the anti-debugs, on beginning of the thread there is two evident anti-debugs (well anti preload hook and anti ptrace debugging) the infinite loop also makes the anti-debug more evident:

There are also a third anti-debug, a bit more silent, if detects a debugger trough the first available descriptor, and here comes the fucking part, don't crash the execution, the execution continues but the seed is modified a bit, then the decryption key will not be ok.

Ok, the seed is incremented by one, this could be a normal program feature, but this is only triggered if the fileno(open("/","r")) > 3 this is a well known anti-debug, that also can be seen from a traced execution.

Ok, just one byte patch,  seed+=1  to  seed+=0,   (add eax, 1   to add eax, 0)

before:

after:

To patch the two infinite loops, just nop the two bytes of each jmp $-0

Ok, but repairing this binary is harder than building a decryptor, we need to fix more things:

•  The sleep(randInt(1,3)) of the beginning of the thread to execute the threads in the correct order
•  Modify the pthread_cond_wait to avoid the futex()
• We also need to calibrate de rand() to get the key (just patch the sleep and add other rand() before the pthread_create loop

Adding the extra rand() can be done with a patch because from gdb is not possible to make a call rand() in this binary.

With this modifications, the binary will print the key by itself. 

Read more

1. Hack And Tools
2. Free Pentest Tools For Windows
3. Hacker Security Tools
4. Hack Tools Mac
5. Tools 4 Hack
6. Pentest Automation Tools
7. Hacking App
8. Pentest Tools Website Vulnerability
9. What Is Hacking Tools
10. Pentest Tools For Android
11. Hacking Tools Github
12. Hacking Tools
13. Hack Tools For Pc
14. Hacking Tools And Software
15. Hack Tool Apk
16. Nsa Hack Tools
17. Hacking Tools For Kali Linux
18. Hacking Tools For Beginners
19. Hacker Tools Apk
20. Hack Tools For Mac
21. Pentest Tools Github
22. Hacking Tools Windows 10
23. Hacking Tools For Mac
24. Hacking Tools For Windows 7
25. Hack Tools Pc
26. Hacker Tools List
27. Hacking Tools For Pc
28. Pentest Tools Android
29. Bluetooth Hacking Tools Kali
30. Hacking Tools Usb
31. Hacker Techniques Tools And Incident Handling
32. Hack And Tools
33. How To Hack
34. Pentest Tools For Windows
35. Hack Tools For Games
36. Github Hacking Tools
37. Usb Pentest Tools
38. Hack Tools
39. Pentest Tools Website
40. Hacking Tools Software
41. Hacking Tools Kit
42. Best Hacking Tools 2020
43. Hacker Tools 2020
44. Pentest Tools Apk
45. Hacker Tools Mac
46. Pentest Tools Port Scanner
47. Bluetooth Hacking Tools Kali
48. Hacker Hardware Tools
49. Hacker Security Tools
50. Usb Pentest Tools
51. Hacking Tools For Beginners
52. Hacking Tools For Windows
53. Bluetooth Hacking Tools Kali
54. Pentest Tools List
55. Pentest Tools Subdomain
56. Hack Tools For Ubuntu
57. Hacking Tools Name
58. Pentest Tools
59. Pentest Tools Download
60. Physical Pentest Tools
61. Best Hacking Tools 2019
62. Hacker Tools Windows
63. How To Install Pentest Tools In Ubuntu
64. Hacking Tools Windows
65. Hacking Tools Hardware
66. Pentest Tools Website
67. Hacker Tools Software
68. Android Hack Tools Github
69. Hacker Tools
70. Hacker Tools Hardware
71. Pentest Tools Find Subdomains
72. Hack Tools For Mac
73. Hacking Tools 2019
74. Pentest Tools Windows
75. Pentest Tools For Windows
76. Pentest Tools Online
77. Hacking Tools Github
78. Pentest Tools For Windows
79. Tools Used For Hacking
80. Github Hacking Tools
81. Github Hacking Tools
82. Hacking Tools For Games
83. Nsa Hacker Tools
84. Hacker Tools
85. Hacker Tools Free Download
86. How To Make Hacking Tools
87. What Is Hacking Tools
88. How To Hack
89. Pentest Tools Alternative
90. Pentest Tools Free
91. Hack Website Online Tool
92. Android Hack Tools Github
93. Hackers Toolbox
94. Hack Tools For Ubuntu
95. Hacking Tools For Windows 7
96. Pentest Tools Alternative
97. Hacking Tools For Pc
98. Best Hacking Tools 2020
99. Pentest Tools For Windows
100. Bluetooth Hacking Tools Kali
101. Hacker Tools
102. Hacking Tools And Software
103. Pentest Reporting Tools
104. Hack Apps
105. Pentest Box Tools Download
106. Install Pentest Tools Ubuntu
107. Best Hacking Tools 2019
108. Hacker Tool Kit
109. Hacker Tools Software
110. Termux Hacking Tools 2019
111. Hacker Hardware Tools
112. Hack App
113. Hacker Hardware Tools
114. Hack Tool Apk
115. Hack Website Online Tool
116. Hak5 Tools
117. Pentest Tools List
118. Hack Tools Online
119. Pentest Tools Framework
120. Hack Tools
121. Install Pentest Tools Ubuntu
122. Pentest Tools Online
123. Hacker Tools Online
124. Hacker Tools List
125. Hacker Tools Apk Download
126. Pentest Tools Nmap
127. Hacking Tools Name
128. Bluetooth Hacking Tools Kali
129. New Hack Tools
130. Hacking Tools Usb
131. Hack Tools
132. Hack Tools For Windows
133. New Hack Tools
134. Hacker Tools Hardware
135. Hacker Tools Free
136. Hacking Tools For Windows
137. Hacking Tools And Software
138. Best Hacking Tools 2019
139. Pentest Tools For Mac
140. Hack App
141. Hack Tools For Windows
142. Hackers Toolbox
143. Pentest Tools Port Scanner
144. Computer Hacker
145. Game Hacking
146. Pentest Automation Tools
147. Hacking Tools
148. Hacker Tools 2019
149. Hacking Tools For Windows 7
150. Pentest Box Tools Download
151. Hacker Techniques Tools And Incident Handling
152. Hack Tool Apk
153. Pentest Tools Linux
154. Hack Rom Tools
155. Pentest Box Tools Download
156. Hack Tools For Ubuntu
157. Hacking Tools Usb
158. Pentest Tools Android
159. Hacking Tools Name
160. Best Hacking Tools 2019
161. Hacker Tools 2020
162. Hack Tools Pc
163. Tools Used For Hacking
164. Hacker Techniques Tools And Incident Handling
165. Bluetooth Hacking Tools Kali
166. Pentest Tools Android
167. Pentest Tools For Android