CyberTalents — Malware Reverse Engineering (RE): Find the Pass for Beginners

source:https://www.cybertalents.com
Find the Pass is a malware reverse engineering challenge on CyberTalents that the author rates as basic, although the community rates it a little above basic. The challenge will help you understand reverse engineering basics and follow code flow from assembly instructions. To solve it, we are expected to answer the following questions:
Q1- What is the address of the main function?
Q2- What is the address of the function that validates the input?
Q3- What is the address of the hardcoded password?
Flag format : flag{Ans1|Ans2|Ans3}
source:https://cybertalents.com/challenges/malware/Find-the-pass

In this walkthrough, we’ll be using two tools:

  1. x32dbg to step through the code and understand the code flow
  2. cutter to map out functions of the assembly code

Dynamically Stepping through the code

To start with the challenge, open x32dbg, and drag the executable (find_the_pass file) into the x32dbg console.

Click on “Symbols” (icon 1) as highlighted in the image above. The symbols panel provides names and additional metadata for functions, variables, and other program elements, making it easier for us to analyze and understand the code. Ensure you select our actual program (icon 2), i.e., cybertalentdemo0.exe, and double-click on the selected program (icon 3) to go to the disassembler panel.

The image above shows the CPU panel (icon 1), and we can see the address of the entry point in memory (icon 2). The entry point holds the address of the first instruction that will be executed when the program starts.

In the above image, we are searching for string references. To search for the strings: In the disassembly window, right-click and go “search for” -> “Current Module” -> “String references” or use shift + D. We can observe some noteworthy strings related to our challenge: “elite”, “Enter your pass key: \n”, “correct password” and “wrong password”. To continue with our analysis, we need to select the strings individually and set a breakpoint by hitting F2. A breakpoint allows us to pause the execution of the program at a chosen location (in our case, the location referencing the strings), which allows us to inspect the program’s state, memory, registers, and other relevant information.

After setting our breakpoints, go back to the CPU panel and hit F9 to run the program; it halts at the first breakpoint, which is the entry point (set by default). Hit F9 again to get to our first manually configured breakpoint (icon 1). Notice that we set new breakpoints on the two functions highlighted (icons 2 and 3) by selecting each function and hitting F2. Hit F9 again to reach the function at icon 2. This is the function that requests our password. At the bottom right (see image below), we should see “Running”, which in our case indicates that the program is waiting for input.

In the image above, we typed in a random password, “trial”, and pressed Enter to continue with the program execution.

If we go back to our debugger as seen above, we’ll notice our chosen random password is now in the “edx” register (icon 1). The EIP highlighted in green points to the address of the next instruction the processor will execute. In our case, the function will validate our randomly entered password. It does this by comparing our input (icon 2) with a hardcoded password (see the image below for the hardcoded password; remember to hit F9) and then branching with a conditional jump-if-not-equal (jne): if our input is not equal to the hardcoded password, the program executes the wrong-password function (the last highlighted breakpoint).

From the image above, we can see the program comparing our input “trial” with the hardcoded password “elite”.
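The two things the walkthrough does by hand in x32dbg, the string-reference search that surfaces “elite” and the compare-then-jne check that decides between “correct password” and “wrong password”, can be reproduced in a few lines. The block below is an added example, not code from the write-up or from the challenge binary: the byte blobs are constructed stand-ins for the read-only data of two builds of such a program (one with the plaintext password, one that stores only a salted digest), and the salt, iteration count and section layout are assumptions. It shows why the plaintext build gives up its password to a strings scan, and that the hashed build does not.

```python
"""Added example: string scan + password validation, insecure and hardened.

The blobs are constructed; they are not bytes read from cybertalentdemo0.exe.
"""
import hashlib
import hmac
import re

# --- 1. the "String references" search, on raw bytes --------------------

def find_strings(blob: bytes, min_len: int = 4):
    """Return (offset, text) for every run of printable ASCII of at least
    min_len bytes, which is what x32dbg/Cutter list as candidate strings."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(pattern, blob)]

# Constructed stand-in for the insecure build's .rdata: the prompt, the
# plaintext password and the two result messages sit next to each other,
# which is exactly what the walkthrough sees in the string references.
INSECURE_RDATA = (
    b"\x00\x00Enter your pass key: \n\x00elite\x00"
    b"correct password\x00wrong password\x00\x00"
)

# --- 2. validation the way the challenge does it -------------------------

HARDCODED_PASSWORD = "elite"  # the literal that the scan above recovers

def validate_insecure(user_input: str) -> bool:
    """Plaintext compare: in the binary this becomes a byte compare followed
    by a jne to the wrong-password path, the control flow traced above."""
    return user_input == HARDCODED_PASSWORD

# --- 3. hardened form: ship a salted digest, never the password ----------

SALT = b"constructed-salt"    # assumption: random per-build salt stored beside the digest
ITERATIONS = 100_000          # assumption: PBKDF2 work factor chosen for the demo
STORED_DIGEST = hashlib.pbkdf2_hmac("sha256", b"elite", SALT, ITERATIONS)

def validate_hashed(user_input: str) -> bool:
    """Derive a digest from the input and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", user_input.encode(), SALT, ITERATIONS)
    return hmac.compare_digest(candidate, STORED_DIGEST)

# Constructed stand-in for the hardened build's .rdata: digest and salt are
# present, the password itself is not.
HASHED_RDATA = (
    b"\x00\x00Enter your pass key: \n\x00" + STORED_DIGEST + SALT + b"\x00"
    b"correct password\x00wrong password\x00\x00"
)

def password_visible(blob: bytes) -> bool:
    """True if the plaintext password shows up as a standalone string."""
    return any(text == HARDCODED_PASSWORD for _, text in find_strings(blob))

if __name__ == "__main__":
    for off, text in find_strings(INSECURE_RDATA):
        print(f"0x{off:04x}: {text!r}")
    print("insecure build leaks password:", password_visible(INSECURE_RDATA))
    print("hashed build leaks password:  ", password_visible(HASHED_RDATA))
```

Both validators still branch on a single boolean, so a debugger user can still flip the outcome of one run; what the hashed form changes is that the secret itself is no longer recoverable from the file, and the attacker is pushed to an offline guessing attack that the salt and work factor make expensive.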

To confirm the password, re-run the program with Ctrl + F2 and hit F9 until the program requests our input. Type in the hardcoded password and press Enter. Hit F9 again until you see the comparison explained earlier and shown in the image above.

As seen in the screenshot above, our password meets the condition.

Mapping out functions of the assembly code

Now to answer the challenge questions, we have to see the memory addresses in “disk”. Previously, we saw the addresses in “memory”. Load our program into the cutter tool. As seen in the screenshot below, use the scrollbar until you see “main”.
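The walkthrough distinguishes the addresses x32dbg shows while the program is mapped in memory from the addresses of the bytes in the file on disk. The two are related through the PE section table: subtract the image base to get a relative virtual address (RVA), find the section containing it, and shift by the difference between where the section is mapped and where its bytes start in the file. The block below is an added example, not part of the write-up or of Cutter/x32dbg; the image base and section table are constructed values typical of a small 32-bit console program, not values read from cybertalentdemo0.exe.

```python
"""Added example: convert between virtual addresses and file offsets.

    RVA         = VA - ImageBase
    file_offset = RVA - section.VirtualAddress + section.PointerToRawData

IMAGE_BASE and SECTIONS are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int      # RVA at which the loader maps the section
    virtual_size: int         # size once mapped
    pointer_to_raw_data: int  # file offset of the section's bytes
    size_of_raw_data: int     # number of bytes actually stored in the file


IMAGE_BASE = 0x400000  # assumption: default base of a 32-bit non-relocated build

# Assumed layout; real values come from the section headers of the file.
SECTIONS = [
    Section(".text",  0x1000, 0x1800, 0x0400, 0x1A00),
    Section(".rdata", 0x3000, 0x0600, 0x1E00, 0x0600),
    Section(".data",  0x4000, 0x0200, 0x2400, 0x0200),
]


def _section_for_rva(rva: int) -> Optional[Section]:
    """Find the section whose mapped range covers this RVA."""
    for s in SECTIONS:
        span = max(s.virtual_size, s.size_of_raw_data)
        if s.virtual_address <= rva < s.virtual_address + span:
            return s
    return None


def va_to_file_offset(va: int) -> Optional[int]:
    """Memory address (as seen in x32dbg) -> offset of the same byte in the file."""
    rva = va - IMAGE_BASE
    if rva < 0:
        return None
    if rva < SECTIONS[0].virtual_address:
        return rva  # PE headers are mapped 1:1 at the start of the image
    s = _section_for_rva(rva)
    if s is None:
        return None
    delta = rva - s.virtual_address
    if delta >= s.size_of_raw_data:
        return None  # memory-only tail of the section, no bytes on disk
    return s.pointer_to_raw_data + delta


def file_offset_to_va(offset: int) -> Optional[int]:
    """File offset -> address the byte has once the image is mapped."""
    if offset < SECTIONS[0].pointer_to_raw_data:
        return IMAGE_BASE + offset  # headers
    for s in SECTIONS:
        start = s.pointer_to_raw_data
        if start <= offset < start + s.size_of_raw_data:
            return IMAGE_BASE + s.virtual_address + (offset - start)
    return None


if __name__ == "__main__":
    for va in (0x401234, 0x403010, 0x405000):
        off = va_to_file_offset(va)
        print(f"VA 0x{va:08x} -> file offset "
              f"{'none' if off is None else f'0x{off:x}'}")
```

Cutter and x32dbg both display virtual addresses by default, which is why the flag values keep the 0x40#### form; the conversion matters when you want to patch or hash the bytes in the file itself, or when a tool reports a raw offset instead.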

Double-click on “main” to take you to the disassembly tab, as seen below. To preserve the integrity of the challenge, I have obfuscated the addresses. We can see the address of the “entry point” highlighted.

Next, click on the strings (icon 1) at the bottom to get to the strings section (see image below), and search for the interesting strings as we did previously with x32dbg. We’ll start with the “enter your passkey” (icon 2) string. Hit X on your keyboard to see where this string has been referenced in the program code. Notice the instruction that does the comparison with the hardcoded password previously seen in x32dbg (icon 3). Here we can find the address of the function that does the validation of the program’s input.

Kindly open the image in a new tab for clarity

Still on the strings tab, search for our other interesting string “elite”. Hit X again and notice the string has been called at a particular address.

Kindly open the image in a new tab for clarity

From the image above, we’ve answered the last question of this challenge.

The flag format should be flag{0x40####|0x40####|0x40####}. Replace # with the actual value seen.

Although the challenge is rated basic (the community thinks otherwise), it will help you understand reverse engineering basics and follow code flow from assembly instructions.

For a video tutorial on how we solve this challenge and also alter the behaviour of the program to accept any password, kindly click on the link below to go to my YouTube channel (coming soon).

Thank you…

CyberTalents — Malware Reverse Engineering (RE): Find the Pass for Beginners was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

Original link: https://infosecwriteups.com/cybertalents-malware-reverse-engineering-re-find-the-pass-for-beginners-7e70d1bf5e3e?source=rss----7b722bfd1b8d---4
