Challenge 4 – Easy ELF

http://reversing.kr/download.php?n=11

Purpose: Find the correct flag

File name: Easy_ELF

File type: ELF file

Using IDA to decompile this file. We can easily to found everything we need.

reversing-kr-ezelf-1

Go to function sub_804851() to know how to confirm flag.

reversing-kr-ezelf-2

It is basic xor, we can solve the problem with Python

reversing-kr-ezelf-3

Flag: L1NUX

Challenge 9 – Position

http://reversing.kr/download.php?n=7

Purpose: Input the correct Name in textbox when the Serial is 76876-77776

File name: Position.exe

File type: Portable Executable 32

File info: Microsoft Visual C++ 8

reversing-kr-position-1

Using IDA to decompile this file. In String Window view, we can’t  find string “Wrong” or “Correct”. So, we find functions which call SetWindowTextW API from Import view (select API and Ctr+x). There are 2 function call SetWindowText API: sub_10C1CD0() and sub_10C15E0()

reversing-kr-position-2

We found “Correct” string in function sub_10C1CD0(). Easy to know that function sub_10C1740() is confirm function

reversing-kr-position-3

Go to sub_10C1740(), the first code is check length of name and serial

reversing-kr-position-4

Then, it calculate some temp variables from Name and compare some sums with Serial.

reversing-kr-position-5

We can easily see in my Python code

reversing-kr-position-6

Using burp force method in my keygen code to find out name

reversing-kr-position-7

With the result, we can try some name have meaning and end with ‘p’

reversing-kr-position-8

Flag: bump

 

Challenge 8 – Csharp

Purpose: Input the correct flag in textbox

File name: CSharp.exe

File type: Portable Executable 32 .NET Assembly

File info: Microsoft Visual Studio .NET

reversing-kr-csharp-1

Using dnSpy to decompile the file. Go to function Main(), we can see that it has run the Form1()

reversing-kr-csharp-2

Go to function btnCheck_Click(), we found that it call function MetMetMet() with input is our flag

reversing-kr-csharp-3

In function MetMetMet(), the body of confirm method was created by Form1.bb

reversing-kr-csharp-4

When Form1() was created, Form1.bb was loaded from function MetMett() and had some changes. Thus, the original MetMett() was changed to another function but we can’t read the changed code in Debug mode.

reversing-kr-csharp-5

Set breakpoints at line 6 and line 25 to read bytes of original MetMett and changed MetMett. Find address of original in PE file and replace them with changed MetMett by HxD. Reload file in dnSpy and we can see new MetMett() 🙂

private static void MetMett(byte[] chk, byte[] bt)
{

if (bt.Length == 12)
{

chk[0] = 2;
if ((bt[0] ^ 16) != 74)
{
chk[0] = 1;
}
if ((bt[3] ^ 51) != 70)
{
chk[0] = 1;
}
if ((bt[1] ^ 17) != 87)
{
chk[0] = 1;
}
if ((bt[2] ^ 33) != 77)
{
chk[0] = 1;
}
if ((bt[11] ^ 17) != 44)
{
chk[0] = 1;
}
if ((bt[8] ^ 144) != 241)
{
chk[0] = 1;
}
if ((bt[4] ^ 68) != 29)
{
chk[0] = 1;
}
if ((bt[5] ^ 102) != 49)
{
chk[0] = 1;
}
if ((bt[9] ^ 181) != 226)
{
chk[0] = 1;
}
if ((bt[7] ^ 160) != 238)
{
chk[0] = 1;
}
if ((bt[10] ^ 238) != 163)
{
chk[0] = 1;
}
if ((bt[6] ^ 51) != 117)
{
chk[0] = 1;
}

}

}

That is common xor, using python to find flag.

reversing-kr-csharp-6

Flag: dYnaaMic

Challenge 7 – Ransomeware

Purpose: Input the correct key to decrypt file (EXE)

File name: run.exe

File type: Portable Executable 32

File info: UPX v3.0

reversing-kr-ransomware-1

Using CFF explorer to unpacked this file, then using IDA to decompile it. First, program calculate lenght of key [ebp – 0C] and open the “file” (encrypted file)

reversing-kr-ransomware-2

Then, it read file to memory at byte_5415B8

reversing-kr-ransomware-3

Then, the memoy will be decrypted with key.

reversing-kr-ransomware-4

Look to the ASM code, we can rewrite decrypt code segment to Python

reversing-kr-ransomware-5

That is xor encrypt, if we find the part of clear file, we will find out the key. As we all know, EXE files have the same dos_header. So we can easily find the key.

reversing-kr-ransomware-6

Key = letsplaychess

Enter key to decrypt file, we get “file” is PE file. Then we run and get the flag. (Notice if windows decide file msvcr100d.dll, download it to same folder and run again)

reversing-kr-ransomware-7

Flag: Colle System