# CSCamp CTF Quals 2k13: Reversing - Challenge (dotnet)


# file challenge.exe
challenge.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Run challenge.exe:
. Username = Cookie
. Serial Number = Monsters
. Check
> Authentication failed!

Attach to the process using windbg:
> * Load SOS and symbols
> .loadby sos mscorwks; .symfix; .reload
> * Show all threads
> ~
   0  Id: 3180.39b0 Suspend: 1 Teb: 7ffdf000 Unfrozen
   1  Id: 3180.30a8 Suspend: 1 Teb: 7ffde000 Unfrozen
   2  Id: 3180.3ad8 Suspend: 1 Teb: 7ffdd000 Unfrozen
   3  Id: 3180.3a6c Suspend: 1 Teb: 7ffdc000 Unfrozen
.  4  Id: 3180.38e0 Suspend: 1 Teb: 7ffdb000 Unfrozen
> * Show all managed threads
> !threads
ThreadCount: 2
UnstartedThread: 0
BackgroundThread: 1
PendingThread: 0
DeadThread: 0
Hosted Runtime: no
                                      PreEmptive   GC Alloc           Lock
       ID OSID ThreadOBJ    State     GC       Context       Domain   Count APT Exception
   0    1 39b0 0015b1b8      6020 Enabled  00000000:00000000 001653f8     0 STA
   2    2 3ad8 0015ec68      b220 Enabled  00000000:00000000 001653f8     0 MTA (Finalizer)
> * Switch to thread 0 (new current thread)
> ~0s
eax=03370088 ebx=013d8740 ecx=00001f40 edx=001a2c58 esi=01400ed0 edi=014322f4
eip=7c91e514 esp=0012ed8c ebp=0012ee20 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
7c91e514 c3              ret
> * View the stack
> !clrstack
OS Thread Id: 0x39b0 (0)
ESP       EIP
0012ed98 7c91e514 [InlinedCallFrame: 0012ed98] System.Windows.Forms.UnsafeNativeMethods.WaitMessage()
0012ed94 7b1d8e78 System.Windows.Forms.Application+ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(Int32, Int32, Int32)
0012ee30 7b1d8967 System.Windows.Forms.Application+ThreadContext.RunMessageLoopInner(Int32, System.Windows.Forms.ApplicationContext)
0012ee84 7b1d87b1 System.Windows.Forms.Application+ThreadContext.RunMessageLoop(Int32, System.Windows.Forms.ApplicationContext)
0012eeb4 7b195921 System.Windows.Forms.Application.Run(System.Windows.Forms.Form)
0012eec8 00de5498 (System.Windows.Forms.Form)
0012eecc 00de1eee StarwareCTF_DotNetChall.Program.Main()
0012f148 79e71b4c [CustomGCFrame: 0012f148]
0012f110 79e71b4c [GCFrame: 0012f110]
0012f12c 79e71b4c [GCFrame: 0012f12c]
0012f310 79e71b4c [HelperMethodFrame_1OBJ: 0012f310] System.RuntimeMethodHandle._InvokeMethodFast(System.Object, System.Object[], System.SignatureStruct ByRef, System.Reflection.MethodAttributes, System.RuntimeTypeHandle)
0012f380 792d5608 System.RuntimeMethodHandle.InvokeMethodFast(System.Object, System.Object[], System.Signature, System.Reflection.MethodAttributes, System.RuntimeTypeHandle)
0012f3d0 792d540f System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo, Boolean)
0012f40c 792d529e System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo)
0012f42c 00de0294 CompressShell.Main(System.String[])
> * Show objects on the heap (MT = MethodTable)
> !dumpheap -type StarwareCTF_DotNetChall
 Address       MT     Size
013d7cf4 00a0732c      348
total 1 objects
Statistics:
      MT    Count    TotalSize Class Name
00a0732c        1          348 StarwareCTF_DotNetChall.MainForm
Total 1 objects
0012f688 79e71b4c [GCFrame: 0012f688]
> * Show what methods the object exposes
> !dumpmt -md 00a0732c
EEClass: 00df38d8
Module: 00a03d94
Name: StarwareCTF_DotNetChall.MainForm
mdToken: 02000009  (StarwareCTF_DotNetChall, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null)
BaseSize: 0x15c
ComponentSize: 0x0
Number of IFaces in IFaceMap: 15
Slots in VTable: 379
--------------------------------------
MethodDesc Table
   Entry MethodDesc      JIT Name
7b176338   7afe8338   PreJIT System.Windows.Forms.Form.ToString()
79286ac0   79104968   PreJIT System.Object.Equals(System.Object)
79286b30   79104998   PreJIT System.Object.GetHashCode()
7a575e40   7a460c00   PreJIT System.ComponentModel.Component.Finalize()
...
7b7220b0   7afe83e0   PreJIT System.Windows.Forms.Form.OnResizeEnd(System.EventArgs)
00a0c320   00a072a0      JIT StarwareCTF_DotNetChall.MainForm..ctor()
00a0c744   00a072ac      JIT StarwareCTF_DotNetChall.MainForm.checkButton_Click(System.Object, System.EventArgs)
00a0cc58   00a072b8      JIT StarwareCTF_DotNetChall.MainForm.ChangeAuthenticationMessage(System.String)
00a0d018   00a072c4      JIT StarwareCTF_DotNetChall.MainForm.ChangeAuthenticationMessageCallback(System.String)
00a0cc00   00a072d0     NONE StarwareCTF_DotNetChall.MainForm.OnAuthentication(StarwareCTF_DotNetChall.AuthenticationResult)
00a0c330   00a072e4      JIT StarwareCTF_DotNetChall.MainForm.InitializeComponent()
> * Disassemble the method (by MethodDesc)
> !U 00a072ac
Normal JIT generated code
StarwareCTF_DotNetChall.MainForm.checkButton_Click(System.Object, System.EventArgs)
Begin 00de54b0, size 12a
00de54b0 55              push    ebp
00de54b1 8bec            mov     ebp,esp
00de54b3 57              push    edi
00de54b4 56              push    esi
00de54b5 53              push    ebx
00de54b6 50              push    eax
00de54b7 8bf9            mov     edi,ecx
00de54b9 b98814bf00      mov     ecx,0BF1488h (MT: StarwareCTF_DotNetChall.KeyVerification)
00de54be e859cbc0ff      call    009f201c (JitHelp: CORINFO_HELP_NEWSFAST)
00de54c3 8bf0            mov     esi,eax
00de54c5 8bce            mov     ecx,esi
00de54c7 ff15c014bf00    call    dword ptr ds:[0BF14C0h] (StarwareCTF_DotNetChall.KeyVerification..ctor(), mdToken: 0600002b)
00de54cd 8b8f44010000    mov     ecx,dword ptr [edi+144h]
00de54d3 ff151815bf00    call    dword ptr ds:[0BF1518h] ((System.Object), mdToken: 060000e8)
00de54d9 8bd8            mov     ebx,eax
00de54db 8b8f48010000    mov     ecx,dword ptr [edi+148h]
00de54e1 ff151815bf00    call    dword ptr ds:[0BF1518h] ((System.Object), mdToken: 060000e8)
00de54e7 50              push    eax
00de54e8 8bd3            mov     edx,ebx
00de54ea 8bce            mov     ecx,esi
00de54ec ff156414bf00    call    dword ptr ds:[0BF1464h] (StarwareCTF_DotNetChall.KeyVerification.CheckKey(System.String, System.String), mdToken: 06000029)
...
> * Display one dword (4 bytes): the call above goes through the pointer slot at 0BF1464h, so its contents are the address of CheckKey's JIT-compiled code
> dd 0BF1464h L1
00bf1464  00de5960
> * Disassemble the method (by code address)
> !U 00de5960
Normal JIT generated code
StarwareCTF_DotNetChall.KeyVerification.CheckKey(System.String, System.String)
Begin 00de5960, size 39
>>> 00de5960 55              push    ebp
00de5961 8bec            mov     ebp,esp
00de5963 57              push    edi
00de5964 56              push    esi
00de5965 50              push    eax
00de5966 33c0            xor     eax,eax
00de5968 8945f4          mov     dword ptr [ebp-0Ch],eax
00de596b 8bf1            mov     esi,ecx
00de596d 8bfa            mov     edi,edx
00de596f 8b4d08          mov     ecx,dword ptr [ebp+8]
00de5972 ff15242bbf00    call    dword ptr ds:[0BF2B24h] ((System.Object), mdToken: 060000d8)
00de5978 8bc8            mov     ecx,eax
00de597a 8bd7            mov     edx,edi
00de597c 894df4          mov     dword ptr [ebp-0Ch],ecx
00de597f 8bce            mov     ecx,esi
00de5981 ff157014bf00    call    dword ptr ds:[0BF1470h] (StarwareCTF_DotNetChall.KeyVerification.GenerateKeyFromUsername(System.String), mdToken: 0600002a)
00de5987 8bd0            mov     edx,eax
00de5989 8b4df4          mov     ecx,dword ptr [ebp-0Ch]
00de598c ff15042cbf00    call    dword ptr ds:[0BF2C04h] ((System.String, System.String), mdToken: 060000dc)
00de5992 59              pop     ecx
00de5993 5e              pop     esi
00de5994 5f              pop     edi
00de5995 5d              pop     ebp
00de5996 c20400          ret     4
> * Set a breakpoint on the instruction right after GenerateKeyFromUsername returns, when eax holds the returned string; the expected serial is derived from the username and apparently compared in-process, so it can simply be read from memory here
> bp 00de5987
> * Go
> g
. Username = Cookie
. Serial Number = Monsters
. Check

> * Display Unicode chars (on this runtime the character data of a .NET string object starts at offset 0xC)
> du eax+c
014d1b00  "0C81B9E71D6397203F2B7C73233FC5A4"
014d1b40  "D9C6450D8037BB12BE9415B950AC3E52"
014d1b80  "1EA1B1C42B4ACD482C83FFBBA8212BE2"
014d1bc0  "28A71FE544E463B59C344F1A41A55262"
> * Clear all breakpoints
> bc *
> * Go
> g
> Authentication failed!
. Username = Cookie
. Serial Number = 0C81B9E71D6397203F2B7C73233FC5A4D9C6450D8037BB12BE9415B950AC3E521EA1B1C42B4ACD482C83FFBBA8212BE228A71FE544E463B59C344F1A41A55262
. Check
> Authentication successful. Waiting for flag

Reference

http://blog.botbie.com/2013/11/21/cscamp-ctf-quals-2013-reversing-150-write-up/
