Filed under CSAW 2012.

After downloading the executable, we use file to get some information:

>$ file csaw2012reversing
csaw2012reversing: ELF 64-bit LSB executable, x86-64, ...


A quick run of the program prints the target key, but in encrypted form. The program accepts no command line arguments, so there is no input to steer it with; the only way to get at the plaintext is to change the program itself, either by patching the file or by patching its state while it runs.

>$ ./csaw2012reversing
Encrypted Key: Å×


Fire up gdb and start snooping around in the binary. Luckily for us, the ELF still has its symbols, so all of the function calls have obvious names:

(gdb) disas main
Dump of assembler code for function main:
0x000000000040062e <+0>: push rbp
0x000000000040062f <+1>: mov rbp,rsp
0x0000000000400632 <+4>: sub rsp,0x40
...snip...
0x0000000000400694 <+102>: lea rax,[rbp-0x20]
0x0000000000400698 <+106>: mov rdi,rax
0x000000000040069b <+109>: call 0x4005c9 <encrypt>
...snip...
0x00000000004006be <+144>: call 0x4005b4 <done>
...snip...
0x00000000004006c3 <+149>: lea rax,[rbp-0x20]
0x00000000004006c7 <+153>: mov rdi,rax
0x00000000004006ca <+156>: call 0x4005f3 <decrypt>
...snip...
0x0000000000400707 <+217>: ret


The only three non-library calls are encrypt, decrypt, and done. There are no branching instructions that choose between calling encrypt and calling decrypt, and done never returns, so everything after the call to done is dead code: the decrypt path is never reached in a normal run.

So instead of patching the binary on disk, which is awkward to do from gdb, we modify its state at runtime. We set a breakpoint on the call to encrypt and run the program. When it hits, the call has not executed yet, and we move RIP (not EIP, this is 64-bit) straight to the call to decrypt. Note that this jumps past the lea/mov pair at +149/+153 that loads the buffer address into rdi; it works only because rdi still holds the same address, [rbp-0x20], loaded at +106 for the encrypt call. Jumping to 0x4006c3 instead would not rely on that.

(gdb) b *0x40069b
Breakpoint 1 at 0x40069b: file csaw2012reversing.c, line 31.
(gdb) run
Starting program: /home/ubuntu/csaw/csaw2012reversing
Breakpoint 1, 0x000000000040069b in main (argc=1, argv=0x7fffffffe718, env=0x7fffffffe728) at csaw2012reversing.c:31
31 in csaw2012reversing.c
(gdb) set $rip = 0x4006ca
(gdb) cont
Continuing.
Decrypted Key: csawissohard__:(

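The writeup skips the on-disk patch because it is awkward from gdb, but it is easy from a script. The following is an added example, not code from the writeup: it uses the two call sites from the disassembly above, translates each virtual address to a file offset through the ELF64 program headers, checks that the bytes there really are a `call rel32` to the expected function, and overwrites both calls with a 5-byte NOP. With `call encrypt` and `call done` removed, main falls through to the lea/mov/call decrypt sequence on the untouched buffer, which is the same effect the RIP change produces at runtime. The sample image the script runs on is a constructed stand-in (a header, one PT_LOAD segment and the two call instructions at their real offsets), not the challenge binary; the load address 0x400000 and the assumption that the snipped code between the calls does not depend on encrypt's return value are mine.

```python
import struct

# Addresses copied from the gdb disassembly of main in the writeup.
CALL_ENCRYPT = 0x40069B   # call 0x4005c9 <encrypt>
CALL_DONE    = 0x4006BE   # call 0x4005b4 <done>
ENCRYPT      = 0x4005C9
DONE         = 0x4005B4
IMAGE_BASE   = 0x400000   # assumed: load address of the single PT_LOAD segment in the sample
NOP5 = b"\x0f\x1f\x44\x00\x00"   # 5-byte NOP (nopl 0x0(%rax,%rax,1)), same length as call rel32


def vaddr_to_offset(elf, vaddr):
    """Translate a virtual address to a file offset via the ELF64 PT_LOAD headers."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:          # EI_CLASS must be ELFCLASS64
        raise ValueError("not an ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from("<IIQQQQ", elf, ph)
        if p_type == 1 and p_vaddr <= vaddr < p_vaddr + p_filesz:   # PT_LOAD, backed by file bytes
            return p_offset + (vaddr - p_vaddr)
    raise ValueError("0x%x is not backed by any PT_LOAD segment" % vaddr)


def call_target(insn, addr):
    """Decode a `call rel32` (E8 imm32) located at addr and return its absolute target."""
    if len(insn) < 5 or insn[0] != 0xE8:
        raise ValueError("no call rel32 at 0x%x" % addr)
    (rel,) = struct.unpack("<i", bytes(insn[1:5]))
    return addr + 5 + rel            # rel32 is relative to the next instruction


def patch_calls(elf, patches):
    """Return a copy of elf in which each (addr, expected_target) call is replaced by NOP5.
    Each site is verified first, so a wrong offset or a different build fails loudly
    instead of silently corrupting some unrelated instruction."""
    out = bytearray(elf)
    for addr, expected in patches:
        off = vaddr_to_offset(elf, addr)
        target = call_target(out[off:off + 5], addr)
        if target != expected:
            raise ValueError("call at 0x%x goes to 0x%x, expected 0x%x" % (addr, target, expected))
        out[off:off + 5] = NOP5
    return bytes(out)


def build_sample_elf():
    """Constructed stand-in for the challenge binary (not the real file): a minimal ELF64
    header, one PT_LOAD mapping file offset 0 to IMAGE_BASE, and the two call instructions
    from the disassembly at their real offsets. Everything else is zero."""
    size = 0x800
    img = bytearray(size)
    img[0:16] = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)        # ELF64, little-endian, SysV ABI
    struct.pack_into("<HHIQQQIHHHHHH", img, 16,
                     2, 0x3E, 1, 0,           # ET_EXEC, EM_X86_64, EV_CURRENT, e_entry (unused here)
                     64, 0, 0,                # e_phoff, e_shoff, e_flags
                     64, 56, 1, 64, 0, 0)     # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    struct.pack_into("<IIQQQQQQ", img, 64,
                     1, 5, 0, IMAGE_BASE, IMAGE_BASE, size, size, 0x1000)   # PT_LOAD, flags R+X
    for addr, target in ((CALL_ENCRYPT, ENCRYPT), (CALL_DONE, DONE)):
        off = addr - IMAGE_BASE
        img[off:off + 5] = b"\xe8" + struct.pack("<i", target - (addr + 5))
    return bytes(img)


if __name__ == "__main__":
    import sys
    # usage: python patch.py <in_elf> <out_elf>; with no arguments it patches the constructed sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) == 3 else build_sample_elf()
    patched = patch_calls(data, [(CALL_ENCRYPT, ENCRYPT), (CALL_DONE, DONE)])
    if len(sys.argv) == 3:
        open(sys.argv[2], "wb").write(patched)
    print("NOPed call sites at 0x%x and 0x%x" % (CALL_ENCRYPT, CALL_DONE))
```

After patching a real file, `objdump -d` on the output should show `nopl 0x0(%rax,%rax,1)` at both 0x40069b and 0x4006be and an unchanged call to decrypt at 0x4006ca; the target check in patch_calls is what makes the script refuse to touch a binary whose layout differs from the one in the disassembly.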

This problem had the same solution as Reversing 100, except that the target was an ELF binary instead of an EXE. All that is left is to submit the key: key{csawissohard__:(}

Credit: Grant Hernandez