Thursday, September 25, 2014

Writeup - CSAW 2014 : Reversing 200 - csawreversing200

This is a straightforward reversing challenge.  The name of the file provided is "csaw2013reversing2.exe" and the hint says "We got a little lazy so we just tweaked an old one a bit".  Seems like a red herring, but it turns out to be a great hint.  A quick Google search brings up solutions to that challenge.  Always start with a little recon.

Back to 2014 . . .

When you execute "csaw2013reversing2.exe" on a Windows box, a textbox appears with an encrypted flag:

Clearly not helpful.  I opened it in IDAPro to try to find a way to get the program to deobfuscate.  Here is the top of main

The first code block ends in a branch, but it turns out that the function at 0x401002A XORs EAX with itself right before the return, so the test eax, eax (2nd to last instruction in the first code block, above) will always see EAX equal to 0 and set the zero flag to 1, so the last instruction in that block (jnz 0x401096) will never be taken.  Program execution will then follow the red arrow to the function containing the IsDebuggerPresent call.

As you might expect, IsDebuggerPresent is a Windows API call that tests to see if the program is running in a debugger and sets eax to 1 if true, 0 otherwise (you can look up Windows API calls at  The program then checks eax (test eax, eax) and if it's zero (no debugger present), program execution follows the green arrow to the left.  (An examination of the left branch will show that it simply constructs the GUI seen above with the encrypted flag and displays it, then exits).

If a debugger IS present, program execution follows the red arrow to the right, which is what we want.  The next step is to start the program in a debugger and follow that branch.  The go-to debugger for many reverse engineers is OllyDbg, which is a great tool.  I've already got this thing open in IDA, so I might as well start it in IDA's integrated Win32 debugger (this will work in the IDA 'demo' version as well as the full licensed version of IDAPro).

To start IDA's debugger, click the "Debugger" menu item, then click "Select Debugger" and click the radio button next to "Local Win32 Debugger".  Next click "Debugger->Start Process" (or press F9). 

The program conveniently throws an exception right after the line that says "Trap to Debugger" in the comment (stopping point is highlighted in dark blue by IDA, above).  That is to help us non-reverse engineers solve this thing without setting our own breakpoint ahead of time.  The function at 0x401000 is where the fun happens.  After clicking "No" on the exception handling dialog box to ignore the exception, press F7 a couple of times to get IDA to step into that function.

You end up in this function, which loads an address into the EDI register (remember, EDI is used for string pointers, so there is a good chance this is that encrypted string).  The function then iterates through a couple of loops several times before exiting.  You want to execute this function until just before it exits.  You can press F8 a couple of dozen times and follow execution, or you can right-click on the instruction at 0x00401027 and select "Run to cursor".  The upper-right window in the IDA debugger shows register values.  When you hover over the value in the EDI register, you will see part of the flag.  Right click on the EDI register and select "Jump in new window" to bring up a window showing the memory values that EDI is pointing to:

And voila!