Monday, July 7, 2014

pwnium 2014 rev300 (using Hopper scripting)

[Played with Team Segfault]
I've noted down a failed approach and a solution in the form of a Hopper script that I came up with after the CTF.
A teammate who solved the challenge in time has written a writeup on the same here (using PIN). Other writeups for the challenge can be found here (static analysis) and here (using gdb tracing). I strongly urge you to read those interesting writeups before proceeding.

-===========================]
Failed attempt description
During the CTF, I was trying to solve the problem in a bottom-up fashion rather than top-down. I realised that there were 6 possible end points that moved "1" into rax before returning from the function, something that was required to reach the winning state of the crackme. An instance is shown below. It is clear that one way of reaching that instruction would be if "al" evaluated to "0x6f".
As there is an unconditional jmp at 403574, the only way to get to 403580 (the cmp instruction) would be via 403579 (mov rax, qword [ss:rbp-0x0+var_m8]). So let's examine the XREFS at this point,
Visiting the XREF we have,

Hence, to get to this point, eax needs to have a value of 0x90305228. Scrolling up we can see that eax gets the value here :-
Now we could examine the XREFS for the dword at 0x606b18 and see where it's set to 0x90305228.

So far so good. We can continue tracing XREFS in this manner, however, this strategy fails to work for two reasons :-

  1. There are self loops.
  2. At certain points you see that the state value is set at multiple locations as shown in the image below.

-===========================]
Working approach

A Hopper script that automates a top-down approach can be found here. It starts from the initial state value and follows the checks as they occur, keeping track of state values. The code is simple; for API reference I used HopperScripts.
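The top-down walk described above, as an added example that is not the author's Hopper script: it runs on a constructed transition table rather than the real disassembly, and contrasts it with the bottom-up predecessor lookup that stalls on self loops and multiple setters. Only the state 0x90305228 and the byte 0x6f ('o') come from the post; the other states, bytes and the (state, byte) -> next state model are assumptions.

```python
from collections import deque

# Constructed model: (current state, expected input byte) -> next state.
# 0x90305228 and 'o' (0x6f) are from the post; everything else is made up.
INITIAL = 0x11111111
ACCEPT = "accept"          # stands for "mov rax, 1; ret"
TRANSITIONS = {
    (0x11111111, "f"): 0x22222222,
    (0x22222222, "f"): 0x22222222,   # self loop
    (0x22222222, "o"): 0x90305228,
    (0x11111111, "g"): 0x33333333,
    (0x33333333, "o"): 0x90305228,   # same state set at a second location
    (0x90305228, "o"): ACCEPT,
}

def predecessors(state):
    """Bottom-up view: every (state, byte) check that sets `state`."""
    return [key for key, nxt in TRANSITIONS.items() if nxt == state]

def run(data, state=INITIAL):
    """Replay the checks on a candidate input, as the binary would."""
    for ch in data:
        state = TRANSITIONS.get((state, ch))
        if state is None:
            return False
    return state == ACCEPT

def solve(start=INITIAL):
    """Top-down breadth-first walk; returns the shortest accepted input."""
    seen = {start}                    # visited states make self loops harmless
    queue = deque([(start, "")])
    while queue:
        state, prefix = queue.popleft()
        if state == ACCEPT:
            return prefix
        for (src, ch), nxt in TRANSITIONS.items():
            if src == state and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, prefix + ch))
    return None

if __name__ == "__main__":
    print("setters of 0x90305228:", predecessors(0x90305228))
    print("recovered input:", solve())
```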
