SharifCTF-2016/srm

From aldeid
srm (50 points)

Description

The file (RM.exe) is a Windows 32 bit executable:

MD5 105e5372413ad12b2fd78485d54b785b
SHA1 1dee31b54de559b5f1f948c865ad45bcd2e549fb
SHA256 78ba82e5136f3222b493b7cf2628b949a8f18d61cdcdf216f01d24ad9f9cff05
File PE32 executable (GUI) Intel 80386, for MS Windows

Analysis

Running the executable

When launched, the program shows a graphical interface with 2 fields: an email address and a serial number:

[Image: SharifCTF-2016-srm-gui.png (registration dialog)]

Entering an invalid email address or serial produces one of the following messages:

  • Your E-mail address is not valid
  • Registration failure

DialogFunc

Graph overview

It should be quite straightforward to identify that the interesting code is located in the DialogFunc function at offset 0x401280. Below is the graph overview of the function:

[Image: SharifCTF-2016-srm-dialogfunc-graph-overview.png (graph overview of DialogFunc)]

Checks

Without detailing every line of code, the program first checks the email format. If the user input provided for the email field does not contain the required characters (@, ., ...), the program jumps to the invalid email format section. As the listing below shows, the three calls to check_email_valid verify that the address contains a '.', that this '.' is not the last character, and that the character following the '@' is not a '.'.
.text:00401364                 lea     eax, [ebp+my_email]
.text:0040136A                 push    offset a_       ; "."
.text:0040136F                 push    eax
.text:00401370                 call    check_email_valid
.text:00401375                 add     esp, 8
.text:00401378                 test    eax, eax
.text:0040137A                 jz      short loc_401346
.text:0040137C                 lea     eax, [ebp+my_email]
.text:00401382                 push    offset a_       ; "."
.text:00401387                 push    eax
.text:00401388                 call    check_email_valid
.text:0040138D                 add     esp, 8
.text:00401390                 cmp     byte ptr [eax+1], 0
.text:00401394                 jz      short loc_401346
.text:00401396                 lea     eax, [ebp+my_email]
.text:0040139C                 push    offset unk_410A38 ; '@'
.text:004013A1                 push    eax
.text:004013A2                 call    check_email_valid
.text:004013A7                 add     esp, 8
.text:004013AA                 cmp     byte ptr [eax+1], 2Eh
.text:004013AE                 jz      short loc_401346
Later, at offset 0x4013F7, the serial length is checked. If the serial is not 16 characters long, the program jumps to the bad boy.
.text:004013F7                 sub     ecx, edx
.text:004013F9                 cmp     ecx, 10h        ; len(my_serial) = 16
.text:004013FC                 jz      short loc_401407

Checking serial characters

Then each of the serial characters is tested in turn. Because every failing test jumps to the bad boy on its own, the serial could also be recovered by brute forcing one character at a time, which would have made brute force a good candidate. But let's perform a static analysis instead. The full section is commented below:

.text:00401407                 mov     ecx, dword ptr [ebp+my_serial_00] ;
.text:00401407                                         ; ecx = my_serial
.text:0040140D                 cmp     cl, 43h         ; my_serial[0] = 'C'
.text:00401410                 jnz     short invalid_serial
;-----------------------------------------------------------------------------
.text:00401412                 movsx   eax, [ebp+my_serial_15]
.text:00401419                 add     eax, 43h
.text:0040141C                 cmp     eax, 9Bh        ; my_serial[15] = 0x9B - 0x43 = 'X'
.text:00401421                 jnz     short invalid_serial
;-----------------------------------------------------------------------------
.text:00401423                 movsx   ecx, ch         ; ch = my_serial[1]
.text:00401426                 lea     eax, [ecx-3]
.text:00401429                 cmp     eax, 57h        ; my_serial[1] = 0x57 + 3 = 'Z'
.text:0040142C                 jnz     short invalid_serial
;-----------------------------------------------------------------------------
.text:0040142E                 movsx   eax, [ebp+my_serial_14] ; eax = my_serial[14]
.text:00401435                 add     eax, ecx        ; ecx = my_serial[1] = 'Z' (0x5A)
.text:00401437                 cmp     eax, 9Bh        ; my_serial[14] = 0x9B - 0x5a = 'A'
.text:0040143C                 jnz     short invalid_serial
;-----------------------------------------------------------------------------
.text:0040143E                 movsx   ecx, [ebp+my_serial_02] ; ecx = my_serial[2]
.text:00401445                 lea     eax, [ecx+1]
.text:00401448                 cmp     eax, 3Ah        ; my_serial[2] = 0x3A - 0x1 = '9'
.text:0040144B                 jnz     short invalid_serial
;-----------------------------------------------------------------------------
.text:0040144D                 movsx   eax, [ebp+my_serial_13] ; eax = my_serial[13]
.text:00401454                 add     eax, ecx        ; ecx = my_serial[2] = '9' (0x39)
.text:00401456                 cmp     eax, 9Bh        ; my_serial[13] = 0x9B - 0x39 = 'b'
.text:0040145B                 jnz     short invalid_serial
;-----------------------------------------------------------------------------
.text:0040145D                 cmp     [ebp+my_serial_03], 64h ; my_serial[3] = 'd'
.text:00401464                 jnz     short invalid_serial
;-----------------------------------------------------------------------------
.text:00401466                 movsx   eax, [ebp+my_serial_12]
.text:0040146D                 add     eax, 64h
.text:00401470                 cmp     eax, 9Bh        ; my_serial[12] = 0x9B - 0x64 = '7'
.text:00401475                 jnz     short invalid_serial
;-----------------------------------------------------------------------------
.text:00401477                 cmp     [ebp+my_serial_04], 6Dh ; my_serial[4] = 'm'
.text:0040147E                 jnz     invalid_serial
;-----------------------------------------------------------------------------
.text:00401484                 movsx   eax, [ebp+my_serial_11]
.text:0040148B                 add     eax, 81h
.text:00401490                 cmp     eax, 0C8h       ; my_serial[11] = 0xC8 - 0x81 = 'G'
.text:00401495                 jnz     invalid_serial
;-----------------------------------------------------------------------------
.text:0040149B                 movsx   ecx, [ebp+my_serial_05]
.text:004014A2                 lea     eax, [ecx-2Dh]
.text:004014A5                 cmp     eax, 44h        ; my_serial[5] = 0x44 + 0x2D = 'q'
.text:004014A8                 jnz     invalid_serial
;-----------------------------------------------------------------------------
.text:004014AE                 movsx   eax, [ebp+my_serial_10]
.text:004014B5                 add     eax, ecx        ; ecx = my_serial[5] = 'q' (0x71)
.text:004014B7                 cmp     eax, 0AAh       ; my_serial[10] = 0xAA - 0x71 = '9'
.text:004014BC                 jnz     invalid_serial
;-----------------------------------------------------------------------------
.text:004014C2                 cmp     [ebp+my_serial_06], 34h ; my_serial[6] = '4'
.text:004014C9                 jnz     invalid_serial
;-----------------------------------------------------------------------------
.text:004014CF                 movsx   eax, [ebp+my_serial_09]
.text:004014D6                 add     eax, 34h
.text:004014D9                 cmp     eax, 9Bh        ; my_serial[9] = 0x9B - 0x34 = 'g'
.text:004014DE                 jnz     invalid_serial
;-----------------------------------------------------------------------------
.text:004014E4                 cmp     [ebp+my_serial_07], 63h ; my_serial[7] = 'c'
.text:004014EB                 jnz     invalid_serial
;-----------------------------------------------------------------------------
.text:004014F1                 movsx   eax, [ebp+my_serial_08]
.text:004014F8                 add     eax, 63h
.text:004014FB                 cmp     eax, 9Bh        ; my_serial[8] = 0x9B - 0x63 = '8'
.text:00401500                 jnz     invalid_serial

Solution

The above code eventually leads to the following serial:

CZ9dmq4c8g9G7bAX

It is our flag!

[Image: SharifCTF-2016-srm-solution.png (successful registration)]
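As an added example (not code from the original writeup or from the challenge binary), the Python below re-implements the sixteen comparisons exactly as the commented listing reads them, each as an (index, addend, target) triple, then solves them to recover the serial the same way the comments do; the CHECKS table, the sign-extension helper and the function names are mine.

```python
# Added example, not code from the original writeup or the challenge binary.
# Each CHECKS entry (index, addend, target) encodes one comparison from
# DialogFunc as: sx(serial[index]) + addend == target, in evaluation order.
# An addend of ("ref", n) stands for the byte of serial[n] that the previous
# check left in ecx (the "add eax, ecx" cases in the listing).
CHECKS = [
    (0, 0, 0x43),            # 0x40140D  cmp cl, 43h
    (15, 0x43, 0x9B),        # 0x401419  add eax, 43h ; cmp eax, 9Bh
    (1, -3, 0x57),           # 0x401426  lea eax, [ecx-3] ; cmp eax, 57h
    (14, ("ref", 1), 0x9B),  # 0x401435  add eax, ecx ; cmp eax, 9Bh
    (2, 1, 0x3A),            # 0x401445  lea eax, [ecx+1] ; cmp eax, 3Ah
    (13, ("ref", 2), 0x9B),  # 0x401454  add eax, ecx ; cmp eax, 9Bh
    (3, 0, 0x64),            # 0x40145D  cmp [my_serial_03], 64h
    (12, 0x64, 0x9B),        # 0x40146D  add eax, 64h ; cmp eax, 9Bh
    (4, 0, 0x6D),            # 0x401477  cmp [my_serial_04], 6Dh
    (11, 0x81, 0xC8),        # 0x40148B  add eax, 81h ; cmp eax, 0C8h
    (5, -0x2D, 0x44),        # 0x4014A2  lea eax, [ecx-2Dh] ; cmp eax, 44h
    (10, ("ref", 5), 0xAA),  # 0x4014B5  add eax, ecx ; cmp eax, 0AAh
    (6, 0, 0x34),            # 0x4014C2  cmp [my_serial_06], 34h
    (9, 0x34, 0x9B),         # 0x4014D6  add eax, 34h ; cmp eax, 9Bh
    (7, 0, 0x63),            # 0x4014E4  cmp [my_serial_07], 63h
    (8, 0x63, 0x9B),         # 0x4014F8  add eax, 63h ; cmp eax, 9Bh
]

def _sx(byte: int) -> int:
    """movsx: sign-extend a byte the way the 32-bit additions see it."""
    return byte - 0x100 if byte > 0x7F else byte

def _addend(addend, b) -> int:
    return _sx(b[addend[1]]) if isinstance(addend, tuple) else addend

def serial_valid(serial: str) -> bool:
    """Mirror of DialogFunc: length check at 0x4013F9, then every comparison."""
    if len(serial) != 16:
        return False
    b = serial.encode("latin-1")
    return all(_sx(b[i]) + _addend(a, b) == t for i, a, t in CHECKS)

def derive_serial() -> str:
    """Each check pins exactly one byte; CHECKS is ordered so that a
    ("ref", n) addend always points at a byte solved earlier."""
    b = bytearray(16)
    for i, a, t in CHECKS:
        b[i] = (t - _addend(a, b)) & 0xFF
    return b.decode("latin-1")

if __name__ == "__main__":
    s = derive_serial()
    print(s, "valid" if serial_valid(s) else "invalid")
```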

Keywords: sharif 2016 challenge reversing