Ebctf 2013 b200_writeup
EB CTF 2013 Writeup
By Darkfloyd, VXRL (Valkyrie-X Security Research Group)
Updated: August 2013
Binary 200
When we execute the binary and debug it, stepping over and then into the call eax at 0x40124B,
we start to see a key (Sup3RSeCr3tStuFf) in its memory:
Figure 1: A key in memory?!
However, it is not the key EBCTF wants; it is only another hint about where the comment is hidden:
[*] Yes, that is correct! However that was not the goal of this challenge.
Did you know that compiled code does not contain any comments?
According to the documents about reversing PERL2EXE (http://forum.tuts4you.com/topic/31340-decompile-perl2exe/
and http://fileoffset.com/re/tutorials/perl2exe.htm), it is possible to export the embedded files other than
the DLL to the temporary directory. Simply running the binary in debug mode shows that the key is probably
stored in _main.pl:
C:\Documents and Settings\Administrator\Desktop>ebCTF_BIN200.exe -p2x_debug
P2X: Debug mode enabled - V090508
P2X: Expanded module filename = C:\Documents and Settings\Administrator\Desktop\ebCTF_BIN200.exe
GetTempDir: returning C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/p2xtmp-1160
ISEXT_Init: filename = p2x_stub.lib
ISEXT_Init: filename = p2x_header.pm
ISEXT_Init: filename = p2x_pre_exec_message
ISEXT_Init: filename = p2x_trial_message
ISEXT_Init: filename = p2x_exec_command
ISEXT_Init: filename = p2x_info.pm
ISEXT_Init: filename = _main.pl
ISEXT_Init: filename = P2XDLL/p2x5123.dll
P2X: ISEXT_Init done
P2X: OpenScript: C:\Documents and Settings\Administrator\Desktop\ebCTF_BIN200.exe FOUND IN PERL2EXE_STORAGE
[*] ebCTF BIN 200
No comment...
[*] What is the secret?
From the binary, we have worked out that the extraction loop writes only the DLL file to disk. To export
all the other files as well, every JNZ (jump if non-zero) in that loop must be patched into an unconditional
jump (JMP), and a breakpoint must be set just after the loop so we can inspect the result.
We have identified the loop as below:
Figures 2a-d: Main loop to export the files; it loops and jumps back to 280AC4F9
Meanwhile, here are the breakpoints I have set up:
Figure 3: Breakpoints
Afterwards, we patch the JNZ as JMP at the following memory addresses:
Finally, we simply step over and run it until we hit the breakpoint placed where the loop completes, at:
280AC654 68 F4610C28 PUSH p2x5123.280C61F4 ; ASCII "P2X: ISEXT_Init done"
Looking in the temporary folder, we find that the _main.pl file has now been exported, and its source code
contains the key:
EBCTF{EDBDB03C7998FA751BE21D1364A58600}
Figures 5a-b: _main.pl and keys, Mission Complete :)
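The JNZ-to-JMP patching step above was done live in the debugger. As an added example (not part of the original writeup or of perl2exe), the script below applies the same patch persistently to a copy of a binary at given file offsets, refusing to touch a byte that is not actually a JNZ. It also handles the 6-byte near form (0F 85 rel32), which is replaced by NOP + JMP rel32 so the instruction length, and therefore the rel32 displacement, stays valid. The offsets and sample bytes are constructed; the writeup's addresses such as 280AC4F9 are virtual addresses inside p2x5123.dll and would first have to be converted to file offsets.

```python
# Added example, not from the original writeup: persistent JNZ -> JMP patcher.
from typing import Iterable

SHORT_JNZ = 0x75               # JNZ rel8, 2 bytes
SHORT_JMP = 0xEB               # JMP rel8, 2 bytes, same length
NEAR_JNZ = b"\x0f\x85"         # JNZ rel32, 6 bytes
NEAR_JMP_PADDED = b"\x90\xe9"  # NOP + JMP rel32: still 6 bytes, so the
                               # rel32 that follows keeps its meaning


def patch_jnz_to_jmp(data: bytes, offsets: Iterable[int]) -> bytes:
    """Return a copy of data with the JNZ at each offset turned into a JMP.

    Raises ValueError if an offset does not hold a JNZ, so a wrong offset
    never silently corrupts an unrelated instruction.
    """
    buf = bytearray(data)
    for off in offsets:
        if buf[off] == SHORT_JNZ:
            buf[off] = SHORT_JMP
        elif bytes(buf[off:off + 2]) == NEAR_JNZ:
            buf[off:off + 2] = NEAR_JMP_PADDED
        else:
            found = bytes(buf[off:off + 2]).hex()
            raise ValueError(f"no JNZ at offset {off:#x} (found {found})")
    return bytes(buf)


def patch_file(src: str, dst: str, offsets: Iterable[int]) -> int:
    """Patch src into dst (src is left untouched) and return the patch count."""
    with open(src, "rb") as f:
        data = f.read()
    offsets = list(offsets)
    with open(dst, "wb") as f:
        f.write(patch_jnz_to_jmp(data, offsets))
    return len(offsets)


# Constructed sample loop tail: dec ecx; jnz -3 (short); jnz +0x10 (near); ret
SAMPLE = bytes.fromhex("49 75 fd 0f 85 10 00 00 00 c3")


def demo() -> bytes:
    # Both jumps sit at file offsets 1 and 3 in the constructed sample.
    return patch_jnz_to_jmp(SAMPLE, [1, 3])


if __name__ == "__main__":
    print(demo().hex())
```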