docs: Add reversing writeups

Author: sbencoding

reversing/alien_saboteaur.md

@@ -0,0 +1,46 @@
+# Alien saboteaur (medium)
+We get a virutal machine and a binary it can execute.
+
+The binary asks us for the keycode. Which I don't know.
+
+Next I opened up ghidra on the `vm` to see how it works.
+Basically it loads the specified binary and allocates some space on the heap that will store the binary itself, the program counter and some additional space.
+
+Then the virtual machine is started with `vm_run`, which keeps executing instructions with `vm_step`.
+
+This function will get the op code from the blob and then use that as an index into the instruction lookup table to perform a certain action.
+
+Especially interesting instructions at this point are: `vm_je` and `vm_jne`
+After the flag is read it must be that it is compared to some already existing value
+
+Using gdb I have set a breakpoint on `vm_je` and sure enough I saw that my flag values were getting compared.
+
+The keycode length needs to be 17 as that is when execution goes from reading the input to checking it.
+
+However, before comparison got the the end of my flag, I saw that suddenly -1 and 0 were compared, which was odd, since I had neither values in my flag.
+
+After continuing I saw: *Terminal blocked!*
+
+I put 2 and 2 together and thought immediately that there must be some anti debugging technique at play here.
+
+After looking around more I found the `vm_inv` function makes a syscall, so I loaded the binary with `strace`.
+And sure enough after entering the passcode `c0d3_r3d_5hAAAAAA` I saw:
+```
+ptrace(PTRACE_TRACEME) = -1 EPERM (Operation not permitted)
+```
+So indeed the binary tries to attach a debugger but can't if some other tool is already debugging it.
+
+To get around this problem I simply set a conditional breakpoint on the `vm_je` function for whenever the compared values don't match. When I got to the -1 to 0 comparison again, I just set the values to be equal, and now we are onto the second password.
+
+After experimentation I found out that this password needs to be 36 characters long.
+
+Then similar to the previous password `vm_je` gets invoked, however this time I didn't see my input character anywhere.
+
+After trying an input full of `A`, then `B`, then `C` I have noticed that the value being compared and then one I enter is different, because the entered values get xored by 2.
+So now I knew that if I xor the value coming from the binary with 2, that will need to be my input.
+
+The last thing to figure out was that the password was not compared from left to right, but from different positions.
+By having an input string with unique characters, I have managed to trakc down which position was being compared to what character.
+
+Finally having replaced all characters I have arrived at the flag:
+**HTB{5w1rl_4r0und_7h3_4l13n_l4ngu4g3}**

reversing/cave_system.md

@@ -0,0 +1,136 @@
+# Cave system (easy)
+In this challenge a bunch of condition are checked against the user input.
+The user input is the flag itself.
+
+```c
+ fgets(local_88,0x80,stdin);
+ iVar1 = memcmp(local_88,&DAT_00102033,4);
+ if (((((((iVar1 == 0) && ((char)(local_88[21] * local_88[48]) == '\x14')) &&
+ ((char)(local_88[32] - local_88[36]) == -6)) &&
+ (((((((char)(local_88[37] - local_88[26]) == -0x2a &&
+ ((char)(local_88[16] - local_88[48]) == '\b')) &&
+ (((char)(local_88[55] - local_88[8]) == -0x2b &&
+ (((char)(local_88[26] * local_88[7]) == -0x13 &&
+ ((char)(local_88[4] * local_88[24]) == -0x38)))))) &&
+ ((byte)(local_88[34] ^ local_88[28]) == 0x55)) &&
+ (((((char)(local_88[30] - local_88[55]) == '4' &&
+ ((char)(local_88[59] + local_88[50]) == -0x71)) &&
+ ((char)(local_88[44] + local_88[27]) == -0x2a)) &&
+ (((byte)(local_88[17] ^ local_88[14]) == 0x31 &&
+ ((char)(local_88[56] * local_88[20]) == -0x54)))))) &&
+ (((((char)(local_88[58] - local_88[26]) == -0x3e &&
+ (((byte)(local_88[26] ^ local_88[6]) == 0x2f &&
+ ((byte)(local_88[14] ^ local_88[39]) == 0x5a)))) &&
+ ((byte)(local_88[44] ^ local_88[39]) == 0x40)) &&
+ (((((local_88[40] == local_88[26] && ((char)(local_88[23] + local_88[49]) == -0x68)) &&
+ ((char)(local_88[23] * local_88[59]) == 'h')) &&
+ (((char)(local_88[1] - local_88[28]) == -0x25 &&
+ ((char)(local_88[24] - local_88[29]) == -0x2e)))) &&
+ (((char)(local_88[38] - local_88[24]) == '.' &&
+ (((byte)(local_88[32] ^ local_88[22]) == 0x1a &&
+ ((char)(local_88[44] * local_88[4]) == -0x60)))))))))))) &&
+ ((((((char)(local_88[38] * local_88[27]) == '^' &&
+ ((((char)(local_88[15] - local_88[40]) == -0x38 &&
+ ((byte)(local_88[49] ^ local_88[53]) == 0x56)) &&
+ ((byte)(local_88[26] ^ local_88[45]) == 0x2b)))) &&
+ ((((((byte)(local_88[54] ^ local_88[9]) == 0x19 &&
+ ((char)(local_88[28] - local_88[47]) == '\x1a')) &&
+ (((char)(local_88[50] + local_88[19]) == -0x5f &&
+ (((char)(local_88[37] + local_88[57]) == 'V' &&
+ ((byte)(local_88[29] ^ local_88[18]) == 0x38)))))) &&
+ ((byte)(local_88[44] ^ local_88[60]) == 9)) &&
+ ((((((char)(local_88[15] * local_88[38]) == 'y' &&
+ ((byte)(local_88[37] ^ local_88[30]) == 0x5d)) &&
+ ((char)(local_88[2] * local_88[32]) == '\\')) &&
+ (((char)(local_88[10] * local_88[18]) == '9' && (local_88[29] == local_88[21])))) &&
+ (((char)(local_88[35] * local_88[21]) == '/' &&
+ (((char)(local_88[8] * local_88[37]) == -0x55 &&
+ ((char)(local_88[39] + local_88[26]) == -0x6d)))))))))) &&
+ (((((((byte)(local_88[26] ^ local_88[34]) == 0x73 &&
+ ((((byte)(local_88[20] ^ local_88[31]) == 0x40 &&
+ ((char)(local_88[25] + local_88[16]) == -0x57)) &&
+ ((byte)(local_88[39] ^ local_88[59]) == 0x15)))) &&
+ ((((char)(local_88[0] + local_88[59]) == 'i' &&
+ ((char)(local_88[34] + local_88[46]) == -0x5b)) &&
+ (((byte)(local_88[30] ^ local_88[52]) == 0x37 &&
+ (((char)(local_88[0] * local_88[28]) == '\b' &&
+ ((char)(local_88[34] - local_88[56]) == -0x3b)))))))) &&
+ ((char)(local_88[18] + local_88[60]) == -0x1c)) &&
+ (((((byte)(local_88[35] ^ local_88[40]) == 0x6e &&
+ ((char)(local_88[56] * local_88[16]) == -0x54)) &&
+ ((char)(local_88[54] - local_88[47]) == '\r')) &&
+ ((((char)(local_88[30] + local_88[55]) == -100 &&
+ ((char)(local_88[6] + local_88[33]) == -0x2c)) &&
+ (((char)(local_88[7] * local_88[29]) == -0x13 &&
+ (((byte)(local_88[56] ^ local_88[29]) == 0x38 &&
+ ((char)(local_88[1] * local_88[37]) == 'd')))))))))) &&
+ (((byte)(local_88[56] ^ local_88[58]) == 0x46 &&
+ (((((((char)(local_88[2] * local_88[19]) == '&' &&
+ ((byte)(local_88[26] ^ local_88[22]) == 0x2b)) &&
+ ((char)(local_88[1] + local_88[7]) == -0x79)) &&
+ (((byte)(local_88[27] ^ local_88[0]) == 0x2a &&
+ ((char)(local_88[21] - local_88[1]) == '\v')))) &&
+ ((char)(local_88[27] + local_88[54]) == -0x32)) &&
+ (((byte)(local_88[17] ^ local_88[13]) == 0x3b &&
+ ((char)(local_88[19] - local_88[58]) == '\x12')))))))))) &&
+ ((((local_88[17] == local_88[10] &&
+ ((((char)(local_88[14] - local_88[58]) == 'M' &&
+ ((char)(local_88[42] * local_88[52]) == 'N')) && (local_88[50] == local_88[32])))) &&
+ (((byte)(local_88[47] ^ local_88[51]) == 0x38 &&
+ ((char)(local_88[38] + local_88[25]) == -0x6c)))) &&
+ ((char)(local_88[41] + local_88[52]) == -0x31)))))) &&
+ ((((local_88[44] == local_88[20] && ((char)(local_88[12] + local_88[25]) == 'f')) &&
+ (((char)(local_88[60] + local_88[36]) == -0xf &&
+ ((((char)(local_88[41] - local_88[21]) == '\x11' &&
+ ((char)(local_88[36] - local_88[49]) == 'D')) &&
+ ((char)(local_88[9] - local_88[35]) == 'D')))))) &&
+ ((((byte)(local_88[53] ^ local_88[51]) == 1 && ((byte)(local_88[34] ^ local_88[57]) == 0xd))
+ && ((((char)(local_88[11] - local_88[28]) == -0x15 &&
+ (((((char)(local_88[23] + local_88[24]) == -0x67 &&
+ ((char)(local_88[24] + local_88[13]) == -0x6b)) &&
+ (((char)(local_88[12] - local_88[0]) == -0x17 &&
+ (((((char)(local_88[34] + local_88[31]) == '`' &&
+ ((char)(local_88[5] + local_88[53]) == -0x6a)) &&
+ ((char)(local_88[49] * local_88[42]) == '`')) &&
+ (((char)(local_88[48] * local_88[21]) == '\x14' &&
+ ((char)(local_88[27] - local_88[52]) == '\x03')))))))) &&
+ ((char)(local_88[57] + local_88[20]) == -0x6b)))) &&
+ ((((char)(local_88[10] * local_88[53]) == -0x26 &&
+ ((char)(local_88[1] + local_88[41]) == -0x3c)) &&
+ (((char)(local_88[47] - local_88[1]) == '\v' &&
+ (((local_88[43] == local_88[19] && ((char)(local_88[39] + local_88[47]) == -0x6d)) &&
+ ((char)(local_88[12] * local_88[58]) == 'Q')))))))))))))) &&
+ (((((char)(local_88[8] * local_88[26]) == 'A' && ((char)(local_88[46] - local_88[31]) == 'E'))
+ && ((char)(local_88[7] + local_88[37]) == 'h')) &&
+ (((((char)(local_88[36] + local_88[4]) == -0x44 &&
+ ((char)(local_88[31] + local_88[32]) == -0x5e)) &&
+ (((char)(local_88[25] + local_88[5]) == 'e' &&
+ ((((char)(local_88[43] * local_88[29]) == -0x13 &&
+ ((byte)(local_88[13] ^ local_88[45]) == 0x10)) &&
+ ((char)(local_88[48] - local_88[12]) == ';')))))) &&
+ (((((char)(local_88[23] - local_88[8]) == '\t' &&
+ ((byte)(local_88[7] ^ local_88[42]) == 0x41)) &&
+ ((char)(local_88[5] - local_88[43]) == -3)) &&
+ (((((byte)(local_88[60] ^ local_88[18]) == 0x1a &&
+ ((byte)(local_88[1] ^ local_88[3]) == 0x2f)) &&
+ (((char)(local_88[17] - local_88[39]) == '+' &&
+ (((((char)(local_88[8] + local_88[20]) == -0x2d &&
+ ((char)(local_88[11] * local_88[53]) == -0x28)) &&
+ ((char)(local_88[27] + local_88[6]) == -0x2e)) &&
+ (((char)(local_88[5] + local_88[3]) == -0x55 &&
+ ((char)(local_88[35] - local_88[47]) == -0x2e)))))))) &&
+ ((byte)(local_88[16] ^ local_88[33]) == 0x10)))))))))) {
+ puts("Freedom at last!");
+ }
+```
+
+Now I promised myself to get more familiar with `angr` and tools as such before the contest, however I didn't have time. Reversing challenges that are solved with symbolic exeuction/SAT solving are somewhat popular I would say, still I had the pleasure of solving this by hand.
+
+Because this is a flag, we know that the first four characters are `HTB{`.
+Then we can look for conditions where we know on side of the check, and try to see if there's a singular solution to the condition e.g `<known value> <some opeartion> <unknown value> == <constant>`.
+
+Turns out there are quite some characters for which this is the case. As we start resolving more and more symbols this becomes easier. And finally get the flag.
+
+HTB{H0p3_u_d1dn't_g3t_th15_by_h4nd,1t5_4_pr3tty_l0ng_fl4g!!!}
+
+And the flag even jokes about my solution to the problem. For my next CTF I'll definitely read up on and practice with the intended method.

reversing/hunting_license.md

@@ -0,0 +1,89 @@
+# Hunting license (easy)
+First the binary asks us if we are up for the challenge, and we need to reply with `y`
+
+Then the first password is asked, let's see how to get it:
+In ghidra we look into the `exam` function and find
+
+```c
+ local_10 = (char *)readline(
+ "Okay, first, a warmup - what\'s the first password? This one\'s not ev en hidden: "
+ );
+ iVar1 = strcmp(local_10,"PasswordNumeroUno");
+```
+
+Okay, so we know that the first password is *PasswordNumeroUno*
+
+Then for the second password we have the following fragment:
+
+```c
+ reverse(&local_1c,t,0xb);
+ local_10 = (char *)readline("Getting harder - what\'s the second password? ");
+ iVar1 = strcmp(local_10,(char *)&local_1c);
+```
+
+First `t` is reversed, then it is checked against the user input.
+
+Therefore we take `t` convert it to ASCII and revers it to get *P4ssw0rdTw0*
+
+For the third password the following code is executed:
+```c
+ xor(&local_38,t2,0x11,0x13);
+ local_10 = (char *)readline("Your final test - give me the third, and most protected, password: ")
+ ;
+ iVar1 = strcmp(local_10,(char *)&local_38);
+```
+
+Here we see that the `xor` function is called on `t2` and then the result will need to be equal to our password.
+
+```c
+void xor(long param_1,long param_2,ulong length,byte param_4)
+
+{
+ int local_c;
+ 
+ for (local_c = 0; (ulong)(long)local_c < length; local_c = local_c + 1) {
+ *(byte *)(param_1 + local_c) = *(byte *)(param_2 + local_c) ^ param_4;
+ }
+ return;
+}
+```
+
+An this is the xor function, so we see that `local_38` is the destination and `t2` is the input.
+
+The first `0x11` bytes are going to be xored with `0x13`.
+
+After performing the above operations on `t2` we get *ThirdAndFinal!!!*
+
+Now the actual solution to the challenge is answering some interactive question on a docker instance, so let's do that:
+
+> What is the file format of the executable?
+elf
+
+> What is the CPU architecture of the executable?
+x86_64
+
+> What library is used to read lines for user answers? (`ldd` may help)
+readline
+
+> What is the address of the `main` function?
+0x401172
+
+> How many calls to `puts` are there in `main`? (using a decompiler may help)
+5
+
+> What is the first password?
+PasswordNumeroUno
+
+> What is the reversed form of the second password?
+0wTdr0wss4P
+
+> What is the real second password?
+P4ssw0rdTw0
+
+> What is the XOR key used to encode the third password?
+0x13
+
+> What is the third password?
+ThirdAndFinal!!!
+
+> [+] Here is the flag: `HTB{l1c3ns3_4cquir3d-hunt1ng_t1m3!}`

reversing/needle_in_a_haystack.md

@@ -0,0 +1,7 @@
+# Needle in a haystack (very easy)
+The classic reverse engineering challenge solution.
+
+```shell
+➜ rev_needle_haystack strings haystack | grep HTB
+HTB{d1v1ng_1nt0_th3_d4tab4nk5}
+```

reversing/shattered_tablet.md

@@ -0,0 +1,29 @@
+# Shattered tablet (very easy)
+I loaded the binary into ghidra and saw a bif `if` statement
+
+```c
+ printf("Hmmmm... I think the tablet says: ");
+ fgets(local_48,0x40,stdin);
+ if (((((((((local_48[31] == 'p') && (local_48[1] == 'T')) && (local_48[7] == 'k')) &&
+ ((local_48[36] == 'd' && (local_48[11] == '4')))) &&
+ ((local_48[20] == 'e' && ((local_48[10] == '_' && (local_48[0] == 'H')))))) &&
+ (local_48[34] == 'r')) &&
+ ((((local_48[35] == '3' && (local_48[25] == '_')) && (local_48[2] == 'B')) &&
+ (((local_48[29] == 'r' && (local_48[3] == '{')) &&
+ ((local_48[26] == 'b' && ((local_48[5] == 'r' && (local_48[13] == '4')))))))))) &&
+ (((local_48[30] == '3' &&
+ (((local_48[19] == 'v' && (local_48[12] == 'p')) && (local_48[33] == '1')))) &&
+ (((local_48[27] == '3' && (local_48[17] == 'n')) &&
+ (((local_48[4] == 'b' && ((local_48[32] == '4' && (local_48[9] == 'n')))) &&
+ (local_48[16] == ',')))))))) &&
+ (((((((local_48[8] == '3' && (local_48[6] == '0')) && (local_48[23] == 't')) &&
+ ((local_48[15] == 't' && (local_48[24] == '0')))) &&
+ ((local_48[14] == 'r' && ((local_48[37] == '}' && (local_48[21] == 'r')))))) &&
+ (local_48[22] == '_')) && ((local_48[18] == '3' && (local_48[28] == '_')))))) {
+ puts("Yes! That\'s right!");
+ }
+```
+
+Basically check if we have entered the correct flag.
+
+To get the flag I have copied the conditions into a separate python script and replaced `==` with `=`

reversing/she_shells_c_shells.md

@@ -0,0 +1,42 @@
+# She shells C chells (very easy)
+I started by loading the binary into ghidra.
+
+The binary mimics a shell and we can use the *help* command to list all valid commands.
+
+I was obviously interested in the *getflag* command, however there was a password requirement.
+
+This command is handled in the `func_flag` function in ghidra.
+
+```c
+ fgets((char *)&local_118,0x100,stdin);
+ for (local_c = 0; local_c < 0x4d; local_c = local_c + 1) {
+ *(byte *)((long)&local_118 + (long)(int)local_c) =
+ *(byte *)((long)&local_118 + (long)(int)local_c) ^ m1[(int)local_c];
+ }
+ local_14 = memcmp(&local_118,t,0x4d);
+ if (local_14 == 0) {
+ for (local_10 = 0; local_10 < 0x4d; local_10 = local_10 + 1) {
+ *(byte *)((long)&local_118 + (long)(int)local_10) =
+ *(byte *)((long)&local_118 + (long)(int)local_10) ^ m2[(int)local_10];
+ }
+ printf("Flag: %s\n",&local_118);
+ uVar1 = 0;
+ }
+```
+
+So first our input is xored with bytes in `m1`, then we check if the result is same as bytes `t`
+Then the flag is retrieved by xoring the result with `m2`.
+
+However since `t` is the result, we can get the flag by xoring `t` with `m2`, both are present in the binary.
+
+```python
+t = b'\x2c\x4a\xb7\x99\xa3\xe5\x70\x78\x93\x6e\x97\xd9\x47\x6d\x38\xbd\xff\xbb\x85\x99\x6f\xe1\x4a\xab\x74\xc3\x7b\xa8\xb2\x9f\xd7\xec\xeb\xcd\x63\xb2\x39\x23\xe1\x84\x92\x96\x09\xc6\x99\xf2\x58\xfa\xcb\x6f\x6f\x5e\x1f\xbe\x2b\x13\x8e\xa5\xa9\x99\x93\xab\x8f\x70\x1c\xc0\xc4\x3e\xa6\xfe\x93\x35\x90\xc3\xc9\x10\xe9'
+
+m2 = b'\x64\x1e\xf5\xe2\xc0\x97\x44\x1b\xf8\x5f\xf9\xbe\x18\x5d\x48\x8e\x91\xe4\xf6\xf1\x5c\x8d\x26\x9e\x2b\xa1\x02\xf7\xc6\xf7\xe4\xb3\x98\xfe\x57\xed\x4a\x4b\xd1\xf6\xa1\xeb\x09\xc6\x99\xf2\x58\xfa\xcb\x6f\x6f\x5e\x1f\xbe\x2b\x13\x8e\xa5\xa9\x99\x93\xab\x8f\x70\x1c\xc0\xc4\x3e\xa6\xfe\x93\x35\x90\xc3\xc9\x10\xe9'
+
+l = []
+for x in range(0, 0x4d):
+ l.append(chr(t[x] ^ m2[x]))
+
+print(''.join(l))
+```