LABYRENTH CTF WINDOWS TRACK CHALLENGE #8

File: revloader.exe

SHA256:A085D97CBC2C3F11062C54C1E3B4B850903FE7EC5BB8C0888CD5B7CE9034C5C6

Packed: No

Architecture: 64Bit

Tools used: exeinfo, IDA Pro, Cuckoo Sandbox, cerbero profiler

Codes & Binaries: https://github.com/jmprsp/labyrenth/tree/master/Window-Challenge-8

Description: This challenge installs a driver on the target machine. Reverse the driver to get the flag!

Figure 1. 64-bit executable

The binary is not packed. Looking through the strings we can see some interesting stuff.

Figure 2. Interesting strings

Firing up Cerbero Profiler, we can see 3 resources embedded in the binary: 2 executables and 1 text file.

Figure 3. Resources

I shall attempt to use Cuckoo Sandbox to aid in my analysis (well, I am lazy =D). Interestingly, revloader.exe dropped 3 files in the temp folder as shown below. We can also see a VBoxDrv.sys dropped by dsefix.exe. The use of this driver reminds me of an exploit a few years ago that made use of a VBox driver exploit to gain privilege escalation. Well, let's analyze this some other day. For now we shall stay focused on getting the flag.

Figure 4. Cuckoo's written files

In Cuckoo, we can download the files that have been written to disk.

Figure 5. Download written files

Analyzing revhunt.sys in IDA Pro, we can see some interesting strings.

Figure 6. revhunt.sys's strings

Looks like there is a high chance that the flag is hidden in this driver.

Figure 7. OMG, we are getting nearer to the flag.

Now if we look at 0x001400014D9, we can see a function call whose return value determines whether the flag is shown! Let's jump right into the function at 0x000000014000181C to see if we can find anything interesting.

Figure 8. PAN flag in the 0x0014000181C subroutine

From the above figure, we can see that a variable is being checked against the string "PAN{". Let's analyze further down…

Looking at the figure below, at 0x0140001946 we can see a cmp operation. It seems the compared value is obtained after XORing with 0x1A1B1C1D (at 0x014000193E). Reversing the XOR, eax should contain 0x2C776F57 in order to pass the cmp test. 0x2C776F57 is ",woW" as bytes, i.e. "Wow," once read in little-endian order.

Figure 9. We got more characters!

So far the flag is PAN{Wow, ????

Cool, looks like we are on the right track! For simplicity I have tabulated the decoding of the flag.

| Pos | cmp address | Math transformation | Value |
|---|---|---|---|
| 1 | 0x0000000140001913 | None | P |
| 2 | 0x000000014000191D | None | A |
| 3 | 0x0000000140001927 | None | N |
| 4 | 0x0000000140001931 | None | { |
| 5-8 | 0x0000000140001946 | 0x366C734A ^ 0x1A1B1C1D = 0x2C776F57 | Wow, |
| 9 | 0x000000014000196C | (0xF0 ^ 0xB0) >> 1 = 0x20 | [space] |
| 10 | 0x000000014000198 | (0x56 ^ 0x20) - 4 = 0x72 | r |
| 11-18 | 0x0000000140001990 | 0x8888999900001110 ^ 0x0A9FAFCEA72656770 = 0x2172657372657660 | [` - o]verser! |
| 19 | 0x0000000140001B30 | None | [space] |
| 20 | 0x0000000140001B3C | 0x67 ^ 0x20 = 0x47 | G |
| 21 | 0x0000000140001B71 | None | r |
| 22 | 0x0000000140001B58 | 0xFC ^ 0x99 = 0x65 | e |
| 23 | 0x0000000140001B4B | 0xC3/3 + 0x20 = 0x61 | a |
| 24 | 0x0000000140001B7D | 0x3B ^ 0x4F = 0x74 | t |
| 25 | 0x0000000140001B66 | None | [space] |
| 26 | 0x0000000140001B89 | (0x71 - 0xF) ^ 0xF = 0x6D | m |
| 27 | 0x0000000140001BA4 | (0x81 ^ 0x21) - 0x31 = 0x6F | o |
| 28 | 0x0000000140001B95 | 0x46 ^ 0x30 = 0x76 | v |
| 29 | 0x0000000140001BB9 | 0x58 + 0xC + 1 = 0x65 | e |
| 30 | 0x0000000140001BC2 | None | s |
| 31 | 0x0000000140001BFC | None | , |
| 32 | 0x?? | None | [space] |
| 33 | 0x0000000140001C08 | 0x1AC0 >> 6 = 0x6B | k |
| 34 | 0x0000000140001C1A | X*8 + 0xFFFFFFE0 == 0x308 | e |
| 35 | 0x0000000140001C31 | ((0xE002 ^ 0xF2F2) >> 4) / 3 = 0x65 | e |
| 36 | 0x0000000140001C45 | (0x9542 ^ 0x8942) >> 6 | p |
| 37 | 0x?? | None | [space] |
| 38 | 0x0000000140001C6D | ((0x834 << 2) >> 4) / 5 = 0x69 | i |
| 39 | 0x0000000140001C81 | (0x94DD ^ 0x83C1) / 0x33 = 0x74 | t |
| 40 | 0x0000000140001C56 | 0x1F + 1 = 0x20 | [space] |
| 41 | 0x0000000140001CC5 | (0x1DD36C ^ 0x46) / 0x4142 = 0x75 | u |
| 42 | 0x0000000140001CAC | 0x328250 / 0x7373 = 0x70 | p |
| 43 | 0x0000000140001C98 | 0x2D - 1 = 0x2C | , |
| 44 | 0x0000000140001D09 | 0xB6 ^ 0x32 = 0x2C | , |
| 45 | 0x0000000140001D29 | 0x40 - 0x20 = 0x20 | [space] |
| 46 | 0x0000000140001D1B | (0xD7 ^ 0x44) - 0x23 = 0x70 | p |
| 47 | 0x0000000140001D3B | (0xB2 ^ 0x21) - 0x21 = 0x72 | r |
| 48 | 0x0000000140001D4D | ((X*4) + 7C) & 0xFF == 0x38 | o |
| 49 | 0x0000000140001D5D | (0x8F25 ^ 0x8875) >> 4 = 0x75 | u |
| 50 | 0x0000000140001D72 | (0xD6 ^ 0xE4)/2 >> 2 = 0x64 | d |
| 51 | 0x0000000140001D84 | (0x62 ^ 0x42) = 0x20 | [space] |
| 52 | 0x0000000140001E05 | (0x70D49 ^ 0x48354) / 0x833 = 0x6F | o |
| 53 | 0x0000000140001E1D | (0x14C3A1 ^ 0x232221) / 0x8C40 = 0x66 | f |
| 54 | 0x0000000140001DE3 && 0x0000000140001DEE | must be same as 50 && btc 0xA0, 7 == 0x20 | [space] |
| 55 | 0x0000000140001E5F | 0x5C ^ 0x25 = 0x79 | y |
| 56 | 0x0000000140001E71 | (0x20F63 ^ 0x23) / 0x4C0 = 0x6F | o |
| 57 | 0x0000000140001E89 | (0x242067 ^ 0x12567) / 0x5100 = 0x75 | u |
| 58 | 0x0000000140001E9E | ((0x61 ^ 0x21) >> 6) + 0x20 = 0x21 | ! |
| 59 | 0x0000000140001EB3 | ((0x13F ^ 0x903) / 0x44) << 2 = 0x7C (0x7C - 0x7F) | } |

I guessed some of the values as I did not manage to spot the cmp instructions (characters 32 and 37). For character 11, the value is also guessed due to loss of data during the transformation.
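As an added example (my own script, not code from the original write-up), the Python below re-derives the flag from the cmp immediates in the table above and from the reverse-XOR step described earlier: it undoes the XORs, decodes the dword and qword compares as little-endian strings, and takes verbatim the characters the post marks as guessed or solved by hand. The row numbers in the comments are the table's; the helper names and the segment list are mine.

```python
# Added example, not from the original write-up: rebuilds the flag from the
# cmp immediates tabulated in the post. Each segment is a single-byte inverse
# transform copied from the table, a multi-byte compare decoded as
# little-endian, or a value the write-up itself marks as guessed / by hand.
import struct

FLAG = "PAN{Wow, reverser! Great moves, keep it up, proud of you!}"


def reverse_xor(expected: int, key: int) -> int:
    """If the driver computes eax ^ key and compares it with `expected`,
    the input must have been expected ^ key (XOR is its own inverse)."""
    return expected ^ key


def le_bytes(value: int, width: int) -> str:
    """A multi-byte cmp immediate matches memory in little-endian order, so
    the first character of the string is the lowest byte of the constant."""
    fmt = {4: "<I", 8: "<Q"}[width]
    return struct.pack(fmt, value).decode("latin-1")


# Ordered segments: ints are single characters, strs are taken verbatim
# (plain compares, or positions the post guessed, e.g. rows 32 and 37).
# Integer division is used where the post writes "/".
SEGMENTS = [
    "PAN{",                                            # rows 1-4, direct compares
    le_bytes(reverse_xor(0x366C734A, 0x1A1B1C1D), 4),  # rows 5-8 -> "Wow,"
    (0xF0 ^ 0xB0) >> 1,                                # row 9  -> space
    (0x56 ^ 0x20) - 4,                                 # row 10 -> 'r'
    # rows 11-18: the qword decodes to "`verser!"; the post guesses the
    # first byte (lost in the transformation) to be 'e'
    "e" + le_bytes(0x8888999900001110 ^ 0xA9FAFCEA72656770, 8)[1:],
    " ",                                               # row 19
    0x67 ^ 0x20,                                       # row 20 -> 'G'
    "r",                                               # row 21
    0xFC ^ 0x99,                                       # row 22 -> 'e'
    0xC3 // 3 + 0x20,                                  # row 23 -> 'a'
    0x3B ^ 0x4F,                                       # row 24 -> 't'
    " ",                                               # row 25
    (0x71 - 0xF) ^ 0xF,                                # row 26 -> 'm'
    (0x81 ^ 0x21) - 0x31,                              # row 27 -> 'o'
    0x46 ^ 0x30,                                       # row 28 -> 'v'
    0x58 + 0xC + 1,                                    # row 29 -> 'e'
    "s, ",                                             # rows 30-32 (32 guessed)
    0x1AC0 >> 6,                                       # row 33 -> 'k'
    "e",                                               # row 34, solved by hand in the post
    ((0xE002 ^ 0xF2F2) >> 4) // 3,                     # row 35 -> 'e'
    (0x9542 ^ 0x8942) >> 6,                            # row 36 -> 'p'
    " ",                                               # row 37 (guessed)
    ((0x834 << 2) >> 4) // 5,                          # row 38 -> 'i'
    (0x94DD ^ 0x83C1) // 0x33,                         # row 39 -> 't'
    0x1F + 1,                                          # row 40 -> space
    (0x1DD36C ^ 0x46) // 0x4142,                       # row 41 -> 'u'
    0x328250 // 0x7373,                                # row 42 -> 'p'
    0x2D - 1,                                          # row 43 -> ','
    # row 44 (a second comma) is skipped: the final flag has one comma here
    0x40 - 0x20,                                       # row 45 -> space
    (0xD7 ^ 0x44) - 0x23,                              # row 46 -> 'p'
    (0xB2 ^ 0x21) - 0x21,                              # row 47 -> 'r'
    "o",                                               # row 48, solved by hand
    (0x8F25 ^ 0x8875) >> 4,                            # row 49 -> 'u'
    "d",                                               # row 50, value column of the table
    0x62 ^ 0x42,                                       # row 51 -> space
    (0x70D49 ^ 0x48354) // 0x833,                      # row 52 -> 'o'
    (0x14C3A1 ^ 0x232221) // 0x8C40,                   # row 53 -> 'f'
    " ",                                               # row 54
    0x5C ^ 0x25,                                       # row 55 -> 'y'
    (0x20F63 ^ 0x23) // 0x4C0,                         # row 56 -> 'o'
    (0x242067 ^ 0x12567) // 0x5100,                    # row 57 -> 'u'
    ((0x61 ^ 0x21) >> 6) + 0x20,                       # row 58 -> '!'
    "}",                                               # row 59, 0x7C..0x7F range guess
]


def decode_flag(segments=SEGMENTS) -> str:
    """Join the segments, turning computed byte values into characters."""
    return "".join(chr(s) if isinstance(s, int) else s for s in segments)


if __name__ == "__main__":
    print(decode_flag())
```

Running it prints the flag. The two helpers are the reusable part: `reverse_xor` gives the register value that must reach a `cmp` after an XOR with a known key, and `le_bytes` turns a dword or qword immediate into the string it matches in memory, which is what makes ",woW" read as "Wow,".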

FLAG: PAN{Wow, reverser! Great moves, keep it up, proud of you!}
