[Insomni'hack 2019] Junkyard(미완성)

2019-02-08

Problem description:

Wall-E got stuck in a big pile of sh*t. To protect him from feeling too bad, its software issued an emergency lock down. Sadly, the software had a conscience and its curiosity caused him to take a glance at the pervasive filth. The filth glanced back, and then…

Please free Wall-E. The software was invented by advanced beings, so maybe it is way over your head. Please skill up fast though, Wall-E cannot wait for too long. To unlock it, use the login “73FF9B24EF8DE48C346D93FADCEE01151B0A1644BC81” and the correct password.

Software was leaked a long time ago and is available here

올해 insomni’hack CTF는 대회 당일 일정으로 인해 참가하지 못하고 조금 미루다 이제서야 풀어보게 되었다. 먼저, 파일을 다운받아 file 명령어로 확인한 결과 64bit ELF 파일임을 확인할 수 있다. 파일을 실행해 보면

nalda@nalda:~$ ./junkyard
Usage: ./chall user pass

userid와 pass를 넣으라고 한다. 별 생각 없이 nalda를 넣으면

nalda@nalda:~$ ./junkyard nalda 123123123
I don't like your name

이따구로 name이 맘에 안든단다..

description을 보면, 73FF9B24EF8DE48C346D93FADCEE01151B0A1644BC81 과 correct password로 로그인하라는 걸 보아 name은 나온 것 같다

nalda@nalda:~$ ./junkyard 73FF9B24EF8DE48C346D93FADCEE01151B0A1644BC81 44234324324234
Is that a password?

예아~ 이제 password를 찾기위해 IDA를 보잣

// Program entry as decompiled by IDA. Expects exactly two arguments (user and
// password), validates each with sub_2F91, prints a banner, and then hands both
// strings to sub_3857, which performs the real check. Every failure path goes
// through sub_2EB3, which does not return (main is marked __noreturn); its first
// argument is presumably a message index, matching the three outputs seen in the
// runs above ("Usage", "I don't like your name", "Is that a password?").
void __fastcall __noreturn main(int argc, char **argv, char **env)
{
  __int64 v3; // rdx -- never assigned in this function: a leftover register value from the decompiler, not a real input
  char s; // [rsp+40h] [rbp-810h] -- first byte of a 0x800-byte stack buffer (see the memset below)
  unsigned __int64 v7; // [rsp+848h] [rbp-8h] -- stack-protector canary copy

  v7 = __readfsqword(0x28u);
  if ( argc != 3 )
    sub_2EB3(8u, 0xFFFFFFFF);   // wrong argument count; presumably the "Usage: ./chall user pass" path
  if ( (unsigned __int8)sub_2F91(argv[1], 0LL, env) ^ 1 )   // "^ 1" negates the result: exit when the user-name check fails
    sub_2EB3(0, 0xFFFFFFFF);   // presumably "I don't like your name"
  sub_1384();
  if ( (unsigned __int8)sub_2F91(argv[2], 1LL, v3) ^ 1 )   // same helper on the password with second argument 1; v3 is whatever rdx held
    sub_2EB3(1u, 0xFFFFFFFF);   // presumably "Is that a password?"
  sub_1B85();
  sub_2AF8(7, off_8C18, &s);   // fills s from table off_8C18 (contents not visible here); printed next
  puts(&s);
  sub_1B40();
  memset(&s, 0, 0x800uLL);   // clear the whole buffer before handing control to the password routine
  sub_3857(argv[1], argv[2]);   // user/password check; exits via sub_2EB3 and never returns
}

이제 decrypt를 수행하는 sub_3857(argv[1], argv[2])함수를 보자!

// Password-check routine as decompiled by IDA, called from main with the raw
// argv[1] (user) and argv[2] (password). What the visible code does:
//  1. copies both arguments into two 0x40-byte heap buffers (unbounded copy, see below),
//  2. derives v27 from the password and the user, adds it to every entry of the
//     DWORD table off_8140, and picks one table entry (v22) using the first
//     password byte,
//  3. turns v22 into a 16-character string in hex_data (decimal text followed by
//     letter-coded digits, padded with 'a'),
//  4. transforms it with sub_2A4A, MD5s a 4-byte slice of the result, transforms the
//     digest the same way and compares it against the global s1 (declared outside
//     this function),
//  5. exits through sub_2EB3 with (3, -1337) on a match and (4, -101) otherwise.
// sub_1D9E, sub_3196, sub_369D, sub_379A, sub_303E, sub_2A4A, sub_1384, sub_33F2 and
// do_not_working are not shown; statements about them below are marked as guesses.
void __fastcall __noreturn sub_3857(const char *argv1, const char *argv2)
{
  size_t arg1_len; // rax
  size_t arg2_len; // rax
  unsigned __int64 argv1_len; // rax
  unsigned __int64 argv2_len; // rax
  int v7; // ebx -- numeric value of one password digit (ASCII minus 48)
  __int64 v8; // STC0_8
  int v9; // ST8C_4 -- current decimal digit of v23 (0..9)
  signed int v10; // eax
  signed int v11; // eax
  size_t v12; // rax
  size_t v13; // rax
  unsigned __int8 k; // [rsp+1Fh] [rbp-11B1h]
  signed int counter; // [rsp+7Ch] [rbp-1154h] -- write position in hex_data, capped at 16
  unsigned int v17; // [rsp+80h] [rbp-1150h] -- first argument passed to sub_2EB3 at the end
  unsigned int v18; // [rsp+84h] [rbp-114Ch] -- second argument passed to sub_2EB3 at the end
  int v19; // [rsp+88h] [rbp-1148h] -- copy of v22 (truncated to int) taken before the digit-count loop
  __int64 v20; // [rsp+90h] [rbp-1140h] -- accumulator over off_8140; never read after the loop that builds it
  unsigned __int64 j; // [rsp+98h] [rbp-1138h]
  signed __int64 v22; // [rsp+A0h] [rbp-1130h]
  signed __int64 v23; // [rsp+A0h] [rbp-1130h] -- same stack slot as v22, reused
  unsigned __int64 i; // [rsp+A8h] [rbp-1128h]
  char *argv1_copy; // [rsp+B0h] [rbp-1120h] -- 0x40-byte heap copy of the user name
  char *argv2_copy; // [rsp+B8h] [rbp-1118h] -- 0x40-byte heap copy of the password
  __int64 v27; // [rsp+C0h] [rbp-1110h]
  char v28[5]; // [rsp+CBh] [rbp-1105h] -- receives v60[5..8]; only 4 of the 5 bytes are written
  __int64 v29; // [rsp+D0h] [rbp-1100h] -- v29..v32 are contiguous: a string built from immediates
  __int64 v30; // [rsp+D8h] [rbp-10F8h]
  __int16 v31; // [rsp+E0h] [rbp-10F0h]
  char v32; // [rsp+E2h] [rbp-10EEh]
  char a; // [rsp+F0h] [rbp-10E0h] -- a..s are contiguous bytes: a 19-entry lookup table "A".."S"
  char b; // [rsp+F1h] [rbp-10DFh]
  char c; // [rsp+F2h] [rbp-10DEh]
  char d; // [rsp+F3h] [rbp-10DDh]
  char e; // [rsp+F4h] [rbp-10DCh]
  char f; // [rsp+F5h] [rbp-10DBh]
  char g; // [rsp+F6h] [rbp-10DAh]
  char h; // [rsp+F7h] [rbp-10D9h]
  char i_1; // [rsp+F8h] [rbp-10D8h]
  char j_1; // [rsp+F9h] [rbp-10D7h]
  char k_1; // [rsp+FAh] [rbp-10D6h]
  char l; // [rsp+FBh] [rbp-10D5h]
  char m; // [rsp+FCh] [rbp-10D4h]
  char n; // [rsp+FDh] [rbp-10D3h]
  char o; // [rsp+FEh] [rbp-10D2h]
  char p; // [rsp+FFh] [rbp-10D1h]
  char q; // [rsp+100h] [rbp-10D0h]
  char r; // [rsp+101h] [rbp-10CFh]
  char s; // [rsp+102h] [rbp-10CEh]
  __int64 v52; // [rsp+110h] [rbp-10C0h] -- v52..v56 are contiguous: a second string built from immediates
  __int64 v53; // [rsp+118h] [rbp-10B8h]
  int v54; // [rsp+120h] [rbp-10B0h]
  __int16 v55; // [rsp+124h] [rbp-10ACh]
  char v56; // [rsp+126h] [rbp-10AAh]
  char v57; // [rsp+150h] [rbp-1080h] -- MD5 digest output (16 bytes)
  char s2; // [rsp+180h] [rbp-1050h] -- transformed digest, compared with s1
  char hex_data[2048]; // [rsp+1B0h] [rbp-1020h] -- 16-char string derived from v22 (author's name; not hex itself)
  char v60[2056]; // [rsp+9B0h] [rbp-820h] -- output of sub_2A4A(hex_data, ...)
  unsigned __int64 v61; // [rsp+11B8h] [rbp-18h] -- stack-protector canary copy

  v61 = __readfsqword(0x28u);
  v29 = 8672370769196829778LL;   // little-endian ASCII bytes; v29..v32 are never referenced again in this function
  v30 = 7588358910211810867LL;
  v31 = 25210;
  v32 = 97;
  argv1_copy = (char *)malloc(0x40uLL);   // 64-byte heap buffers for both arguments; not zero-filled
  argv2_copy = (char *)malloc(0x40uLL);
  arg1_len = strlen(argv1);
  strncpy(argv1_copy, argv1, arg1_len);   // copies strlen(argv1) bytes with no bound against the 0x40 allocation and writes no NUL terminator; the <= 0x3F check only comes below, so an over-long argument overruns the heap buffer
  arg2_len = strlen(argv2);
  strncpy(argv2_copy, argv2, arg2_len);   // same unbounded, unterminated copy for the password
  v52 = 5778228730180750659LL;   // little-endian ASCII bytes; v52..v56 are never referenced again in this function
  v53 = 7166409442638329960LL;
  v54 = 1815509589;
  v55 = 21574;
  v56 = 79;
  sub_1D9E(0LL, 220206LL, 490509LL, 103LL, 105LL, 426840LL);   // unknown helper with constant arguments; result unused here
  if ( strlen(argv1) <= 0x3F )
  {
    argv1_len = strlen(argv1);
    sub_3196(argv1_copy, argv1_len, 0x40uLL);   // 73FF9B24EF8DE48C346D93FADCEE01151B0A1644BC81 -- given (buf, len, 0x40) this presumably pads/terminates the copy to 64 bytes; unconfirmed
  }
  if ( strlen(argv2) <= 0x3F )
  {
    argv2_len = strlen(argv2);
    sub_3196(argv2_copy, argv2_len, 0x40uLL);   // same treatment for the password copy
  }
  v7 = argv2_copy[(signed int)sub_369D(argv2_copy)] - 48;   // sub_369D selects an index into the password; "- 48" turns an ASCII digit into its value
  v8 = v7 + *((_DWORD *)&off_8140 + argv2_copy[(signed int)sub_379A(argv2_copy)]) + 634;   // a second selected password byte indexes the DWORD table off_8140
  v27 = sub_303E(argv1_copy, argv1_copy) + v8;   // user-name contribution (sub_303E not shown) plus the password-derived v8
  for ( i = 0LL; i <= 0x28E; ++i )   // 0x28F = 655 table entries
    *((_DWORD *)&off_8140 + i) += v27;   // shift every table entry by v27 (the table is modified in place)
  v20 = 0LL;
  for ( j = 0LL; j <= 0x28E; ++j )   // v20 is computed but never used afterwards in this function
  {
    if ( !(*((_DWORD *)&off_8140 + j) % 23) )
      v20 += *((signed int *)&off_8140 + j);
    if ( !(*((_DWORD *)&off_8140 + j) % 300) )
      v20 -= *((signed int *)&off_8140 + j);
    if ( v20 < 0 )
      v20 = -v20;
  }
  v22 = *((signed int *)&off_8140 + 155LL - *argv2_copy);   // table entry chosen by the first password byte; a byte above 155 gives a negative index into the table
  snprintf(hex_data, 0x13uLL, "%lu", v22, argv2);   // decimal text of v22 (at most 18 chars plus NUL); the trailing argv2 has no conversion and is ignored
  do_not_working(   // name assigned by the author; arguments are constants, effect not visible here
    84LL,
    "DLA0HCMPwFyFaopsh6CPqidcwRhIFF",
    422813LL,
    "CqpBWJlEX5LCBpMetRNi490WgCQ9vh",
    289754LL,
    "iVBcMkB48CyFamOvypefXCG3lPpip2");
  a = 'A';   // fill the contiguous a..s bytes with "ABCDEFGHIJKLMNOPQRS"; indexed as *(&a + digit) below
  b = 'B';
  c = 'C';
  d = 'D';
  e = 'E';
  f = 'F';
  g = 'G';
  h = 'H';
  i_1 = 'I';
  j_1 = 'J';
  k_1 = 'K';
  l = 'L';
  m = 'M';
  n = 'N';
  o = 'O';
  p = 'P';
  q = 'Q';
  r = 'R';
  s = 'S';
  counter = 0;
  v19 = v22;   // keep v22 (as int) for the second pass; the first pass destroys it
  while ( v22 && counter <= 15 )   // first pass: counter ends at min(number of decimal digits of v22, 16), i.e. just past the text snprintf wrote
  {
    v22 = ((signed __int64)((unsigned __int128)(7378697629483820647LL * (signed __int128)v22) >> 64) >> 2) - (v22 >> 63);   // compiler idiom for signed v22 / 10 (0x6666666666666667 magic multiply)
    ++counter;
  }
  v23 = v19;
  while ( v23 && counter <= 15 )   // second pass: append one letter per decimal digit of v19, least significant digit first
  {
    v9 = v23
       - 10
       * (((signed __int64)((unsigned __int128)(7378697629483820647LL * (signed __int128)v23) >> 64) >> 2) - (v23 >> 63));   // v9 = v23 % 10 (same /10 idiom)
    v23 = ((signed __int64)((unsigned __int128)(7378697629483820647LL * (signed __int128)v23) >> 64) >> 2) - (v23 >> 63);   // v23 /= 10
    v10 = counter++;
    hex_data[v10] = *(&a + v9);   // digit d becomes 'A' + d
  }
  while ( counter <= 15 )   // pad to exactly 16 characters with 'a' (97); no NUL is written after position 15 here
  {
    v11 = counter++;
    hex_data[v11] = 97;
  }
  sub_2A4A(hex_data, v60, 16LL);   // transform the 16 bytes into v60 (helper not shown)
  sub_1384();
  for ( k = 5; k <= 8u; ++k )   // take v60[5..8] into v28[0..3]; v28[4] is never written
    v28[k - 5] = v60[k];
  v12 = strlen(v28);   // relies on a NUL following the 4 copied bytes, which this code does not place -- verify on the binary
  MD5(v28, v12, &v57);   // 16-byte digest into v57
  sub_2A4A(&v57, &s2, 16LL);   // same transform applied to the digest; with a 16-byte input this is plausibly an encoding step, unconfirmed
  sub_1384();
  v13 = strlen(s1);   // s1 is a global (not declared in this function) holding the expected value; contents not visible here
  if ( !strncmp(s1, &s2, v13) )   // only strlen(s1) bytes are compared: a prefix match on the transformed digest
  {
    v17 = 3;   // success exit codes
    v18 = -1337;
    sub_33F2(hex_data, &s2);   // success-only action taking the derived string and the transformed digest; presumably produces the output for the user, unconfirmed
  }
  else
  {
    v17 = 4;   // failure exit codes
    v18 = -101;
  }
  free(argv1_copy);
  free(argv2_copy);
  sub_2EB3(v17, v18);   // exit path; does not return
}

분석 진행중 —-