[Day 2] RE101
The Challenge:
Viewing the challenge, we see the following:

A downloadable file that is actually a binary. Downloading the file and testing it:

We can see that the binary takes a password as input and then checks it. The flag is the md5 of that password.
Going through the binary itself:

These were in the strings output of the file. Looks like the password has been encoded somehow. To know what to do, we gotta check the main function of that binary. We'll be using Ghidra:

Viewing the main function, we can see that after the user submits the password (look at the first red block), the program builds a constant value:
*local_58 = (undefined1 *)0x6331323039363630;
local_58[1] = (undefined1 *)0x6336663062306436;
*(undefined8 *)((long)local_58 + 10) = 0x3332633666306230;
*(undefined8 *)((long)local_58 + 0x12) = 0x6336633266326336;
These values are in little-endian, so to transform them we gotta do the following, and I'll be using 0x6331323039363630 as an example:
So we have the value:
0x6331323039363630
These constants are stored in little-endian order, meaning the bytes are reversed in memory:
30 36 36 39 30 32 31 63
In ASCII:
0669021c
This operation is the same for the 4 values:
0x6331323039363630
0x6336663062306436
0x3332633666306230
0x6336633266326336
Now you may be concerned: we saw at the beginning of the code that local_78 = 0x1a, which tells us that the generated value will be 26 bytes long, but quick math tells us that we have 4 values that each generate 8 ASCII chars, which would end up with us having a 32-char string. This hangs on the last value (0x6336633266326336), which will give 8 chars, but only 2 of them will be taken; the other 6 overlap the tail of the buffer. Only the needed characters are used before the null terminator is set. In simpler words, THEY ARE DISCARDED.
Since we now have the value from the combination of these operations:
0669021c6d0b0f6c236c2f2c6c
We can continue with the encoding algo. However, this matches the value that was defined in the strings output. This means we could've saved time if we didn't have TRUST ISSUES.
Now moving on with the handling of that value, which is obviously a hexadecimal value:

We can see the program normalizing the input to the loop by making all of the chars lower case. This will make it easier to transform these values later on.

This part converts ASCII into numeric values:
The unusual constants (0x9f, 0x57) are compiler artifacts or deliberate obfuscation. They avoid obvious comparisons such as if (c >= 'a' && c <= 'f')
The very exact same thing happens to the second char taken:

And then the two values are merged:

The code is taking each two chars and combining them into a byte. In no-rocket-science words, it decodes them from hex, which is another place we would've saved time by simply GUESSING.

After making the full hex-to-byte operation, the program does this:

Each byte is XORed with the value 0x5a and then SUBBed by 3. This is a very easy operation that can be solved easily, but HELL YEAH, we now know what is actually happening: the value 0669021c6d0b0f6c0b0f6c236c2f2c6c is generated, unhexed, then XORed and lastly SUBBed. Performing these operations:
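
As an added example (not the author's script, which is not reproduced on this page), the Python below replays the four stores at the offsets shown in the decompilation (0, 8, 10 and 0x12), cuts the buffer at local_78 = 0x1a, and then applies the hex decode, XOR 0x5a and subtract 3 steps. The function names and the 0x30 branch for the digits 0-9 are assumptions; the page only names the 0x9f and 0x57 constants.

```python
import hashlib
import struct

# (offset, 64-bit constant) pairs copied from the decompiled stores above.
STORES = [(0x00, 0x6331323039363630), (0x08, 0x6336663062306436),
          (0x0A, 0x3332633666306230), (0x12, 0x6336633266326336)]
ENCODED_LEN = 0x1A  # local_78 in the decompilation


def rebuild_encoded(stores=STORES, length=ENCODED_LEN):
    """Replay the stores in order; a later store overwrites overlapping bytes."""
    buf = bytearray(max(off for off, _ in stores) + 8)
    for off, value in stores:
        struct.pack_into("<Q", buf, off, value)  # little-endian 8-byte store
    return bytes(buf[:length]).decode("ascii")


def hex_nibble(ch):
    """Lower-case the char, then map it to 0..15 (0x30 branch is assumed)."""
    c = ord(ch.lower())
    if 0x30 <= c <= 0x39:
        return c - 0x30
    if 0x61 <= c <= 0x66:
        return c - 0x57  # 'a' (0x61) - 0x57 == 10
    raise ValueError(f"not a hex digit: {ch!r}")


def decode_password(encoded):
    """Merge hex digit pairs into bytes, XOR with 0x5a, subtract 3 (mod 256)."""
    if len(encoded) % 2:
        raise ValueError("odd number of hex digits")
    out = bytearray()
    for i in range(0, len(encoded), 2):
        byte = (hex_nibble(encoded[i]) << 4) | hex_nibble(encoded[i + 1])
        out.append(((byte ^ 0x5A) - 3) & 0xFF)
    return out.decode("ascii")


def flag_for(password):
    """The challenge states the flag is the MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


if __name__ == "__main__":
    pw = decode_password(rebuild_encoded())
    print(pw, flag_for(pw))
```
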

There it is. Now you might ask yourself, do I have to write that exact same Python code? The answer is no, I did that just to look smarter. In fact you can use CyberChef:

Now let's test our password:

Aaand the author asked for the md5. For this you can use any online tool; it's also in CyberChef:

Aaaaand that's it for today's challenge.
See you Bokra ya basha
