27.11.16

[Writeup] KPMG 2016 - re2 Japan

Here is some explanation of re2_8dbeee84fa0ec05fadda075508c13be0.exe from the KPMG Security Challenge 2016. I didn't manage to solve it on the competition day, unlucky me.

So it's packed with UPX, easy, right? Just unpack it.
OK, it unpacks successfully, no worries. Try running it.
Oh no! "Stopped working." Let's load it in IDA and see what's inside.

In IDA the unpacked code looks much like what we saw when running the original binary. From here you can work out the algorithm: our input is compared part by part against a value held in memory.
We can also see that our input is processed and checked against a 32-character string; if it doesn't match, you get the "sayonara".

So the trick is either to unpack the UPX layer manually or to attach a debugger and read the answer out of memory. My way is to attach: run the binary first, then attach to it.
Run it, give it a 32-character string as input, attach the debugger, then press Enter and watch what happens in the debugger.


Bear in mind, this binary has several anti-debug tricks, like IsDebuggerPresent; just patch them out or use an anti-anti-debug plugin.

You need to step until you reach the re2 module (circled in red in the screenshot); there you can see the original code. You can dump the code and rebuild the PE file, or just debug the code in place.

It compares the first 8 characters one by one.

Here we can see the register holding our first 8 characters being compared against the first 8 characters of the flag. Copy those, edit our input to match, and you're good to go for the next part of the flag; repeat until you have the whole flag.

The binary checks again at the end to make sure you didn't edit the input during debugging; just skip that check or edit the input in memory.

Try it with the whole flag and you get the flag!

Congratulations! It is correct... The flag is KPMG{S`/C&0^X3660rkv,5wJ+Ce@(fa-s*m9f}

EDIT: Thanks to master jani for pointing out that you should remove ASLR before running "upx -d", to prevent crashes after unpacking.
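As an added example (not from the original post, the challenge, or the UPX project), here is a small Python script covering the two file-level checks this writeup relies on: it reads the PE section table to see whether the file is UPX-packed (UPX leaves sections named UPX0/UPX1), and it clears the DYNAMIC_BASE bit (0x0040) in the optional header's DllCharacteristics field, which is what "removing ASLR" before "upx -d" means. DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+, so the same code handles 32- and 64-bit images. The sample PE bytes it builds are constructed for the demo only and are not a loadable executable; the function names are my own.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # the ASLR opt-in bit
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe(data: bytes):
    """Return (optional_header_offset, magic, dll_characteristics, section_names).

    Only the headers needed here are parsed; anything malformed raises ValueError.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                              # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                  # optional header follows COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    table = opt + size_of_opt                        # section headers, 40 bytes each
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        sections.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return opt, magic, dllchar, sections


def looks_upx_packed(section_names) -> bool:
    """UPX renames the sections it creates to UPX0/UPX1 (and sometimes UPX2)."""
    return any(name.upper().startswith("UPX") for name in section_names)


def strip_dynamic_base(data: bytes) -> bytes:
    """Return a copy of the image with IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE cleared."""
    opt, _, dllchar, _ = parse_pe(data)
    buf = bytearray(data)
    struct.pack_into("<H", buf, opt + 70,
                     dllchar & ~IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE & 0xFFFF)
    return bytes(buf)


def build_sample_pe() -> bytes:
    """Constructed, minimal PE32 header layout for the demo (not runnable as an .exe)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew -> right after DOS header
    # Machine=i386, 3 sections, timestamp/symtab zeroed, SizeOfOptionalHeader=224
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    # DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE, as a typical linker would emit
    struct.pack_into("<H", opt, 70, 0x8140)
    names = (b"UPX0", b"UPX1", b".rsrc")
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_pe()
    _, magic, dllchar, names = parse_pe(data)
    print(f"magic={magic:#x} sections={names} upx={looks_upx_packed(names)}")
    print(f"DllCharacteristics before={dllchar:#06x}")
    if path:
        out = path + ".noaslr"
        open(out, "wb").write(strip_dynamic_base(data))
        print(f"wrote {out}; now run: upx -d {out}")
```

Run it against the packed sample and then unpack the `.noaslr` copy with `upx -d`; the original file is left untouched so you can diff the two headers if the unpacker still misbehaves.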

6 comments:

  1. This comment has been removed by the author.

  2. remove ASLR flag before "upx -d" if you don't want it to crash

  3. can you provide writeup for re1?

     Reply: sure, you can check here http://blog.najashark.net/2016/12/writeup-kpmg-2016-re1-poland.html
