Tuesday, March 8, 2016

BKP Writeup - JIT in my Pants

Author: Spitfire

This challenge was a reversing challenge for Boston Key Party CTF 2016.

The challenge name immediately gave away that dynamic debugging is the key to solving this challenge. According to Wikipedia: "In computing, just-in-time (JIT) compilation, also known as dynamic translation, is compilation done during execution of a program - at run time - rather than prior to execution."

I initially ran the program with no arguments, and it immediately exited. It takes one argument, the flag, and the program will check to make sure it is the correct flag.

My strategy for solving the challenge was to figure out where the program starts (via readelf and IDA), find where my input is initially stored in memory, and from there set a watchpoint that fires whenever that input is accessed again. I set a couple of breakpoints at the start of the program, which resulted in the following output upon execution.

I then set a watchpoint on the flag guess I entered (BKP{HACK_ALL_THE_THINGS}) and continued. I was able to step through the program a few more times until I hit the following output.

I noticed that the address 0x778333 was beyond the last address IDA knew about, which meant that somewhere between the start of the program and this point, the binary had generated code in this region of memory at runtime. Awesome! I know I'm at a good spot.

In the registers, you can see the first character of my input and the first character of some seemingly random string being stored. I can assume this string is the encrypted flag, which the program will somehow compare against my input.
As you can see above, the next few instructions take the first character of my input, XOR it with five, subtract one, and then compare the result to the first character of the random string.
So, to keep this simple, I took the random string, added one to each character, and then XORed each character with five.
The result:

Flag: BKPCTF{S1de_Ch4nnel_att4cks_are_s0_1338}
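As an added example (not part of the original writeup), the check described above and its inverse in code. The binary's constant string is not reproduced in the writeup, so the "encrypted flag" below is constructed by running the forward transform over the known flag; recover_flag then undoes it, and passes_check emulates the comparison the JIT'd code performs.

```python
"""Added example: the per-character check from the JIT'd routine and its inverse.

The writeup describes the check as: take an input byte c, XOR it with 5,
subtract 1, and compare the result to a byte of a constant string.
The inverse therefore has to undo the subtraction first, then the XOR.
"""

FLAG = b"BKPCTF{S1de_Ch4nnel_att4cks_are_s0_1338}"


def checker_transform(data: bytes) -> bytes:
    """Forward transform applied by the check: (c ^ 5) - 1 for each byte."""
    return bytes(((c ^ 5) - 1) & 0xFF for c in data)


def recover_flag(encoded: bytes) -> bytes:
    """Inverse transform: add one, then XOR with five (order matters)."""
    return bytes(((e + 1) & 0xFF) ^ 5 for e in encoded)


def passes_check(guess: bytes, expected: bytes) -> bool:
    """Emulate the comparison: every transformed guess byte must match."""
    return len(guess) == len(expected) and checker_transform(guess) == expected


# Constructed stand-in for the constant string found in the binary
# (derived from the known flag, not dumped from the challenge itself).
ENCODED_FLAG = checker_transform(FLAG)

if __name__ == "__main__":
    recovered = recover_flag(ENCODED_FLAG)
    print(recovered.decode())
    print("original guess passes:", passes_check(b"BKP{HACK_ALL_THE_THINGS}", ENCODED_FLAG))
    print("recovered flag passes:", passes_check(recovered, ENCODED_FLAG))
```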