To begin with, this challenge is very exciting and tricky. I've learnt a lot from this challenge.
Here is a link:
http://ebctf.nl/challenges/BIN200
Here is a file:
http://ebctf.nl/files/fcb920470457ec583006ca1de1025e17/ebCTF_BIN200.exe
First of all, let's run the file we downloaded. It asks for a secret. What is the secret? I don't know; maybe we have to find the right secret and it will give us the flag. Boom! After being given our random key, it shows us a very interesting message.
"This exe file was created with the evaluation version of Perl2Exe.
For more information visit http://www.indigostar.com
(The full version does not display this message with a 2 second delay.)
..."
I didn't notice this message at first, and I spent almost half a day tracing the code in vain. Then I decided to stop tracing and think in a different way. I did some Google searches for perl2exe and found some very interesting articles. One of them is
http://www.fileoffset.com/re/tutorials/perl2exe.htm
My job now is to dump all the files that are packed inside that .exe file.
What this exe does is create p2x5123.dll in \Documents and Settings\xxx\Local Settings\Temp\p2xtmp-yyyy (yyyy is random) and load it to do the work.
Now it is time to start tracing again. I set a breakpoint at
.text:00401241 loc_401241: ; CODE XREF: _main+65 j
.text:00401241 push edi
.text:00401242 push [ebp+envp]
.text:00401245 push [ebp+argv]
.text:00401248 push [ebp+SubStr]
.text:0040124B call eax <-- above.="" article="" as="" breakpoint="" here="" in="" mention="" p="" set="" the="">
Step into that function when it is called, and after few line of instruction, step into a function at:
p2x5123.dll:280B0EB1 lea eax, [ebp+8]
p2x5123.dll:280B0EB4 push eax
p2x5123.dll:280B0EB5 call near ptr unk_280AC0A5 ; <-- step into this function
p2x5123.dll:280B0EBA mov eax, [ebp+0Ch]
p2x5123.dll:280B0EBD mov edi, off_280B220C
I forgot to tell you why I need to step into that function. As you know, this exe creates the file p2x5123.dll when it is executed. This dll is packed with UPX, so it is easy to unpack with the upx -d command. When you have the unpacked dll, open it in your debugger. Do a quick search for the string "ISEXT_INT filename = " and you will be directed to an instruction in the function at 280AC0A5. This is what the article above mentioned. However, I cannot patch this dll on disk, because the exe creates another dll at a random location each time it runs, so I simply remember this function's address and patch it in the debugger instead. Write down the address of the jump instruction located just below the instruction we were directed to.
.text:280AC522 push offset aDll ; "DLL/"
.text:280AC527 push esi ; Str
.text:280AC528 call edi ; strstr
.text:280AC52A pop ecx
.text:280AC52B cmp eax, esi
.text:280AC52D pop ecx
.text:280AC52E jnz short loc_280AC559
As far as I know, this jump decides whether the program needs to dump the file or not. So we need to change this jnz to what we want.
Now back to our tracing: step into the call near ptr unk_280AC0A5.
Go to the address we wrote down before (the jnz address). You can either change this jnz to jz, or set a breakpoint there and set ZF to 1 each time execution hits the breakpoint.
While tracing the code, we check the temp directory to see what new files are created. After a few iterations, a very interesting .pl file is created: << n.pl >>. Yes, this is a Perl file; open it and see what is inside. .....
You can get the secret from it and put it into the program, but nothing special happens.
....
You need to check the perl file carefully and find the flag there, not in the program.
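Added helper code for the procedure above (mine, not the author's or Perl2Exe's): it shows the three mechanical parts of the write-up in one small Python script. The indicator strings come from the post (the evaluation banner, the "ISEXT_INT filename = " marker, the p2x file prefix); the UPX0/UPX1 section names are UPX's well-known defaults. The one-byte patch models the jnz-to-jz change at the noted address (short jnz is opcode 0x75, short jz is 0x74), and the directory watcher models "check the temp directory to see what new files are created". The sample byte strings and file names are constructed for the demo.

```python
"""Triage helpers for a Perl2Exe-built binary, modelled on the write-up above.
Added example code, not part of the original post."""
import os
import tempfile
from pathlib import Path

# Strings quoted in the write-up: the evaluation-version banner, the runtime
# DLL's dump marker, and the p2x prefix of the dropped files. UPX0/UPX1 are
# the default section names UPX gives a packed image.
PERL2EXE_MARKERS = [b"Perl2Exe", b"www.indigostar.com", b"ISEXT_INT filename = ", b"p2x"]
UPX_SECTIONS = [b"UPX0", b"UPX1"]


def find_markers(blob: bytes) -> dict:
    """Report which Perl2Exe / UPX indicators occur in a raw byte blob
    (read the whole file into memory and pass it here)."""
    return {
        "perl2exe": [m.decode() for m in PERL2EXE_MARKERS if m in blob],
        "upx": [s.decode() for s in UPX_SECTIONS if s in blob],
    }


def flip_short_jnz_to_jz(blob: bytes, offset: int) -> bytes:
    """Turn the short jnz (0x75 rel8) at `offset` into a short jz (0x74 rel8).
    Refuses to patch anything that is not a short jnz, so a wrong offset
    cannot silently corrupt an unrelated instruction."""
    if offset < 0 or offset + 1 >= len(blob):
        raise ValueError("offset out of range")
    if blob[offset] != 0x75:
        raise ValueError(f"byte at {offset:#x} is {blob[offset]:#04x}, not a short jnz (0x75)")
    patched = bytearray(blob)
    patched[offset] = 0x74
    return bytes(patched)


class DirWatcher:
    """Snapshot-based watcher for newly created files, e.g. the p2xtmp-*
    temp directory while stepping through the runtime in a debugger."""

    def __init__(self, directory):
        self.directory = Path(directory)
        self.seen = {p.name for p in self.directory.iterdir()}

    def new_files(self) -> list:
        """Return names that appeared since the last call, oldest snapshot first."""
        current = {p.name for p in self.directory.iterdir()}
        fresh = sorted(current - self.seen)
        self.seen |= current
        return fresh


def watcher_demo() -> list:
    """Constructed demo: a fresh temp dir, one pre-existing dll, then n.pl
    appears after the watcher was started. Returns the watcher's report."""
    with tempfile.TemporaryDirectory(prefix="p2xtmp-") as tmp:
        (Path(tmp) / "p2x5123.dll").write_bytes(b"UPX0UPX1")  # present before watching
        watcher = DirWatcher(tmp)
        (Path(tmp) / "n.pl").write_text("# constructed stand-in for the dumped script\n")
        return watcher.new_files()


# Constructed bytes for the three instructions before the jump in the listing:
# cmp eax, esi (3B C6), pop ecx (59), jnz short +0x29 (75 29), which is the
# distance from 280AC52E+2 to loc_280AC559.
SAMPLE_CODE = bytes.fromhex("3bc6597529")
JNZ_OFFSET = 3

if __name__ == "__main__":
    sample_image = b"MZ\x90\x00" + b"UPX0" + b"UPX1" + b"Perl2Exe evaluation" + b"ISEXT_INT filename = "
    print(find_markers(sample_image))
    print(flip_short_jnz_to_jz(SAMPLE_CODE, JNZ_OFFSET).hex())
    print(watcher_demo())
```

In practice you would run `find_markers` over the downloaded exe and over the dropped dll before and after `upx -d`, and poll `DirWatcher.new_files()` from a second shell while single-stepping in the debugger; the byte-level patch is only there to make explicit what "change this jnz to jz" does to the instruction stream.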
P/S: What I learned from this challenge is that I need to read carefully and do some Google searching before doing anything else.