[TSG CTF 2020] Reverse-ing
Reversing
2020. 7. 13. 01:52
This is what we call "Reversing."
file : reversing
When I opened this binary with IDA, I could see _start() and reverse().
_start() calls reverse() with "call rbx".
reverse() is the function that reverses the instructions (0x6000e5 ~ 0x6001ba).
So, I set a breakpoint at 0x6000E4 (the end of reverse()) and checked the decoded instructions.
The "call rbx" instruction is executed in that range several times.
I combined the original instructions with the decoded instructions.
(original -"call reverse()"> decoded -"call reverse()"> original ...)
0x6000e5 <_start>: xor rbx,rbx
0x6000e8 <_start+3>: mov ebx,0x6000b0
0x6000ef <_start+10>: xor rdx,rdx
0x6000f4 <_start+15>: mov dl,0x25
0x6000f8 <_start+19>: mov rsi,rsp
0x6000fd <_start+24>: xor rdi,rdi
0x600102 <_start+29>: xor rax,rax
0x600107 <_start+34>: syscall
0x60010b <_start+38>: dec rdx
0x600110 <_start+43>: xor rcx,rcx
0x600115 <_start+48>: mov cl,BYTE PTR [rsi+rdx*1]
0x60011a <_start+53>: xor cl,BYTE PTR [rdx+0x600194]
0x600122 <_start+61>: add cl,BYTE PTR [rdx+0x600194]
0x60012a <_start+69>: or rdi,rcx
0x60012f <_start+74>: dec dl
0x600133 <_start+78>: jns 0x600171 <_start+140>
0x600137 <_start+82>: mov dl,0x8
0x60013b <_start+86>: mov al,0x1
0x60013f <_start+90>: xor rsi,rsi
0x600144 <_start+95>: mov esi,0x6001bb
0x60014b <_start+102>: dec edi
0x600151 <_start+108>: js 0x60015c <_start+119>
0x600155 <_start+112>: mov esi,0x6001c3
0x60015c <_start+119>: xor rdi,rdi
0x600161 <_start+124>: inc edi
0x600165 <_start+128>: syscall
0x600169 <_start+132>: mov al,0x3c
0x60016d <_start+136>: syscall
0x600171 <_start+140>: mov cl,BYTE PTR [rsi+rdx*1]
0x600176 <_start+145>: xor cl,BYTE PTR [rdx+0x600194]
0x60017e <_start+153>: add cl,BYTE PTR [rdx+0x600194]
0x600186 <_start+161>: or rdi,rcx
0x60018b <_start+166>: sub dl,0x1
0x600190 <_start+171>: jns 0x600115 <_start+48>
I wrote this code based on the analysis and finally got the flag.
a = [0x48, 0x80, 0x46, 0xBA, 0xA5, 0xD3, 0xFF, 0xC0, 0x31, 0x48, 0x1E, 0x65, 0x32, 0xA4, 0x88, 0xD3, 0xFF, 0xE6, 0x89, 0x48, 0x5F, 0x7A, 0x84, 0x3B, 0xD3, 0xFF, 0xD2, 0x31, 0x48, 0x4E, 0x36, 0xC9, 0xC5, 0xCF, 0x22, 0x32, 0x58]
b = [0xE4, 0xD3, 0xFF, 0x05, 0x0F, 0x6B, 0x7C, 0x13, 0xFF, 0xCA, 0xD3, 0xFF, 0xFF, 0x31, 0x48, 0x72, 0x63, 0x2B, 0x19, 0x8C, 0xD3, 0xFF, 0x25, 0xB2, 0x19, 0x5E, 0x61, 0xFB, 0xC1, 0xD3, 0xFF, 0x00, 0x60, 0x00, 0xB0, 0xBB, 0xDB]
c = []  # XOR operands, collected from the last index to the first
d = []  # ADD operands, collected from the last index to the first

# The XOR operand alternates between a and b on every index.
for i in range(len(a)):
    if i % 2 == 0:
        c.append(a[len(a)-i-1])
    else:
        c.append(b[len(a)-i-1])

# The ADD operand comes from the other array each time.
for i in range(len(a)):
    if i % 2 == 0:
        d.append(b[len(a)-i-1])
    else:
        d.append(a[len(a)-i-1])

# The check needs (x ^ c) + d == 0 in 8 bits, so x = (0x100 - d) ^ c.
flag = []
for i in range(len(d)):
    flag.append(chr((0x100 - d[i]) ^ c[i]))

# The bytes were collected last-to-first, so flip them back.
flag.reverse()
print(''.join(flag))
flag : TSGCTF{S0r3d3m0_b1n4ry_w4_M4wa77e1ru}
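
The following is an added example, not part of the original writeup: a forward model of the xor/add/or loop in the listing, used to confirm that the recovered flag drives the accumulator to zero and to show which bytes fail otherwise. The function names are illustrative, the two tables are the a and b arrays copied from the solver above, and the alternation between them is an assumption taken from that solver.

```python
# Added example (not from the original writeup): forward model of the check loop.
# TABLE_A / TABLE_B are the writeup's a and b arrays, copied unchanged.
TABLE_A = bytes.fromhex(
    "48 80 46 ba a5 d3 ff c0 31 48 1e 65 32 a4 88 d3 ff e6 89 48 "
    "5f 7a 84 3b d3 ff d2 31 48 4e 36 c9 c5 cf 22 32 58")
TABLE_B = bytes.fromhex(
    "e4 d3 ff 05 0f 6b 7c 13 ff ca d3 ff ff 31 48 72 63 2b 19 8c "
    "d3 ff 25 b2 19 5e 61 fb c1 d3 ff 00 60 00 b0 bb db")
FLAG_LEN = 0x25  # "mov dl,0x25": the read() length in the listing


def operands(j):
    """Return (xor_operand, add_operand) for input index j.

    Assumption taken from the writeup's solver: the two tables swap roles
    on every index.
    """
    if j % 2 == 0:
        return TABLE_A[j], TABLE_B[j]
    return TABLE_B[j], TABLE_A[j]


def check(candidate):
    """Mirror the loop: cl = in[j]; cl ^= k1; cl += k2; rdi |= cl.

    Returns the accumulated value; 0 means every byte passed.
    """
    if len(candidate) != FLAG_LEN:
        raise ValueError("the model expects exactly 0x25 input bytes")
    acc = 0
    for j in range(FLAG_LEN - 1, -1, -1):  # rdx counts down from 0x24
        k_xor, k_add = operands(j)
        acc |= ((candidate[j] ^ k_xor) + k_add) & 0xFF  # cl is 8 bits wide
    return acc


def failing_indices(candidate):
    """Indices whose byte leaves a non-zero cl, useful when a dump is off."""
    return [j for j in range(FLAG_LEN)
            if ((candidate[j] ^ operands(j)[0]) + operands(j)[1]) & 0xFF]


def solve():
    """Invert (x ^ k_xor) + k_add == 0 (mod 256) for every index."""
    return bytes((-k_add & 0xFF) ^ k_xor
                 for k_xor, k_add in map(operands, range(FLAG_LEN)))


if __name__ == "__main__":
    recovered = solve()
    print(recovered.decode(), check(recovered))
```

Masking with `& 0xFF` instead of computing `0x100 - d` also keeps the inverse inside one byte if an ADD operand happens to be 0x00.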