BKP2016 Unholy and Ashmont writeup

unholy

This was a reversing challenge; two files are given, main.rb and unholy.so.

So we need to reverse is_key_correct from unholy.so. The function method_check_key, located at 0xB61, is the one that checks the input.

The function expects 9 integer inputs. It then goes into a loop doing some crypto that I didn't recognize, and at the end it does this.

It calls the Python script, simplified below:

The X matrix is our input. It goes through the matrix swapping and summation below, and the resulting y matrix is then checked element by element against the n array.

I used z3 to solve the constraints and find an input that makes this comparison succeed.

We start building the constraints. First we define our knowns and unknowns:

Then we convert the summation and swapping loop into constraints as follows:

and finally express the equality check from the final loop:

and we solve it, giving us X:

The X values are cast to c_int. Checking them in the original Python script:

and we get the smiley face :). At this point we have half the solution: we still need to decrypt the matrix X to get the input used to generate it. I couldn't recognize the crypto used at the beginning of method_check_key, nor invert it, but a friend of mine, solarwind, recognized that it is the XTEA block cipher and wrote a quick decryptor that decrypted X using the key mentioned there.
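As an added example (my own code, not solarwind's decryptor and not from the challenge files), here is a plain C XTEA with both directions, so the decrypt side can be checked against the standard encrypt side. The 128-bit key, the sample plaintext and the little-endian packing of bytes into 32-bit words are constructed for the demo; the page does not show the real key or how the nine values of X are laid out as 64-bit blocks, so feeding the recovered X through it is left to the reader.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* XTEA (Wheeler & Needham): 64-bit block as two 32-bit words v[0], v[1],
   128-bit key as four 32-bit words, 32 rounds (64 Feistel half-rounds). */
#define XTEA_DELTA  0x9E3779B9u
#define XTEA_ROUNDS 32

void xtea_encrypt_block(uint32_t v[2], const uint32_t key[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < XTEA_ROUNDS; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        sum += XTEA_DELTA;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
    }
    v[0] = v0;
    v[1] = v1;
}

/* Exact inverse: start from the final sum and undo the half-rounds in
   reverse order. This is the direction needed to turn X back into input. */
void xtea_decrypt_block(uint32_t v[2], const uint32_t key[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = XTEA_DELTA * XTEA_ROUNDS;
    for (int i = 0; i < XTEA_ROUNDS; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum -= XTEA_DELTA;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
    }
    v[0] = v0;
    v[1] = v1;
}

/* Block-by-block over an array of words (ECB, no chaining; assumed layout).
   Returns the number of blocks processed, or -1 if nwords is odd. */
int xtea_encrypt_words(uint32_t *words, size_t nwords, const uint32_t key[4]) {
    if (nwords % 2 != 0) return -1;
    for (size_t i = 0; i < nwords; i += 2) xtea_encrypt_block(&words[i], key);
    return (int)(nwords / 2);
}

int xtea_decrypt_words(uint32_t *words, size_t nwords, const uint32_t key[4]) {
    if (nwords % 2 != 0) return -1;
    for (size_t i = 0; i < nwords; i += 2) xtea_decrypt_block(&words[i], key);
    return (int)(nwords / 2);
}

/* Constructed demo: encrypt 16 ASCII bytes with a constructed key and decrypt
   them again. Returns 1 when the plaintext comes back byte for byte. */
int xtea_demo_roundtrip(void) {
    static const uint32_t key[4] = { 0x01020304u, 0x05060708u,
                                     0x090a0b0cu, 0x0d0e0f10u }; /* constructed */
    const char msg[] = "sixteen byte msg";                      /* constructed */
    uint32_t words[4];
    memcpy(words, msg, sizeof words);            /* native (little-endian on x86) packing */
    if (xtea_encrypt_words(words, 4, key) != 2) return 0;
    if (xtea_decrypt_words(words, 4, key) != 2) return 0;
    return memcmp(words, msg, sizeof words) == 0;
}

/* Odd word counts cannot form whole 64-bit blocks; returns 1 if rejected. */
int xtea_demo_odd_rejected(void) {
    static const uint32_t key[4] = { 0, 0, 0, 0 };
    uint32_t odd[3] = { 1, 2, 3 };
    return xtea_decrypt_words(odd, 3, key) == -1;
}
```

The key schedule index uses sum & 3 in one half-round and (sum >> 11) & 3 in the other; getting those two swapped is the usual mistake when writing XTEA from memory, and the round trip above is the cheapest check for it.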

giving us BKPCTF{hmmm _why did i even do this}

Ashmont

Another RE challenge, and a pain to reverse statically. After some minutes I decided to take another approach and go for a side-channel attack.

I started counting instructions (using a Pintool), and the count seemed to increase and decrease randomly between tests. A quick trace showed that gettimeofday is executed a varying number of times between tries. Since this is a dynamically linked binary, I used LD_PRELOAD to take control of this function and set the tp and tzp values myself, so we avoid this anti-side-channel measure :)
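An added example of the LD_PRELOAD shim described here (my own code, not the writeup's): it redefines gettimeofday so every call reports the same constructed instant, which removes the run-to-run variation that was spoiling the instruction counts. The fixed timestamp, the call counter and the helper names are assumptions for the demo. Under Pin, PIN_APP_LD_PRELOAD preloads the object into the instrumented application only.

```c
/* fakegtod.c: LD_PRELOAD shim that pins gettimeofday() to a constant.
   Build:  gcc -shared -fPIC -o fakegtod.so fakegtod.c
   Run:    LD_PRELOAD=./fakegtod.so ./target   (PIN_APP_LD_PRELOAD under Pin) */
#include <stddef.h>
#include <string.h>
#include <sys/time.h>

/* Constructed fixed instant: 2016-03-07 00:00:00 UTC. */
#define FAKE_TV_SEC  1457308800L
#define FAKE_TV_USEC 0L

static unsigned long g_gtod_calls;   /* how often the target asked for the time */

/* Because a preloaded object is searched before libc, the dynamic linker
   binds the target's gettimeofday to this definition. The prototype matches
   glibc and musl when _GNU_SOURCE is not defined (tz is a void pointer). */
int gettimeofday(struct timeval *tv, void *tz) {
    g_gtod_calls++;
    if (tv) {
        tv->tv_sec  = FAKE_TV_SEC;
        tv->tv_usec = FAKE_TV_USEC;
    }
    /* struct timezone is two ints (tz_minuteswest, tz_dsttime); zero both. */
    if (tz) memset(tz, 0, 2 * sizeof(int));
    return 0;
}

unsigned long fake_gettimeofday_calls(void) { return g_gtod_calls; }

/* Self-check: consecutive calls must agree exactly, which is what makes the
   target's timing-dependent branches, and so its instruction count, repeat. */
int fake_gettimeofday_is_deterministic(void) {
    struct timeval a, b;
    gettimeofday(&a, NULL);
    gettimeofday(&b, NULL);
    return a.tv_sec == b.tv_sec && a.tv_usec == b.tv_usec && a.tv_sec == FAKE_TV_SEC;
}
```

If the target also reads clock_gettime or rdtsc, the same trick does not cover it; check the trace for every time source before trusting the counts.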

and the script to do the instruction counting (export PIN_APP_LD_PRELOAD=env):

Run it and get the flag one step at a time: BKPCTF{S1de_Ch4nnel_att4cks_are_s0_1338}

Proxied content from gemini://0x80.org/gemlog/2016-03-07-bkp-unholy-and-ashmont-writeup.gmi.