Thanks to Deroko and some ARTeam members to play with CLGT. Below is the write up by Deroko posted on http://www.xchg.info/wiki/index.php?title=CodeGate2012_bin400
Challenge: The Rewolf in Kaspersky
Link to challenge : http://deroko.phearless.org/codegate2012/bin/bin400.zip
So Rewolf vm, is packed with something called KasperSky according toProtectionID (never heard of this packer ). Unpacking is trivial, like with any simple packer. Run to OEP, dump, fix imports:
Here is OEP for ReWolf VM:
And here is OEP for original program (note you need to dump at ReWolf VM, but importrec will work only properly if you use this OEP) :
Once we have file dumped, we might run it to get idea how it actually looks like:
Not much there :( 1st time I pressed some key while program was focused I got an exception:
At first I thought that my dump is broken, so I tried with original application, same thing happened. Hmmm so this is common problem, but challenge is definitely not broken, so we need to see what’s going on, and trace instruction per instruction in ReWolf VM.
After a little bit of tracing I noticed that exception comes after virtualized jcc is executed, because next instruction size is wrong. (From exception you can see thatecx is quite big number which it should not be):
0041D000 50 PUSH EAX <----- start of jcc opcode 0041D001 9C PUSHFD 0041D002 58 POP EAX 0041D003 53 PUSH EBX 0041D004 E8 00000000 CALL test.0041D009 0041D009 5B POP EBX 0041D00A 8D5453 08 LEA EDX,DWORD PTR DS:[EBX+EDX*2+8] 0041D00E 5B POP EBX 0041D00F FFE2 JMP EDX
If jcc is taked edx is set to 1, otherwise edx is 0.
0041D0DE 33D2 XOR EDX,EDX ; test.0041D023 0041D0E0 EB 04 JMP SHORT test.0041D0E6 0041D0E2 33D2 XOR EDX,EDX 0041D0E4 EB 01 JMP SHORT test.0041D0E7 0041D0E6 42 INC EDX 0041D0E7 50 PUSH EAX 0041D0E8 9D POPFD 0041D0E9 58 POP EAX
0041D4AA 5A POP EDX <---- pop EIP (jcc not taken) 0041D4AB 58 POP EAX 0041D4AC ^E9 2CFFFFFF JMP test.0041D3DD 0041D4B1 0FB657 03 MOVZX EDX,BYTE PTR DS:[EDI+3] 0041D4B5 FF7424 08 PUSH DWORD PTR SS:[ESP+8] 0041D4B9 9D POPFD 0041D4BA E8 41FBFFFF CALL test.0041D000 0041D4BF 85D2 TEST EDX,EDX 0041D4C1 ^74 E7 JE SHORT test.0041D4AA 0041D4C3 5A POP EDX 0041D4C4 0357 04 ADD EDX,DWORD PTR DS:[EDI+4] <--- increment EIP (jcc taken) 0041D4C7 034F 04 ADD ECX,DWORD PTR DS:[EDI+4] 0041D4CA 58 POP EAX 0041D4CB ^E9 5AFEFFFF JMP test.0041D32A
[edi+4] = 00000104
0041D32A 8BF2 MOV ESI,EDX 0041D32C 46 INC ESI 0041D32D 8A02 MOV AL,BYTE PTR DS:[EDX] <--- size of next instruction 0041D32F 3242 01 XOR AL,BYTE PTR DS:[EDX+1] <--- xor 1st 2 bytes to get proper sie 0041D332 0FB6C0 MOVZX EAX,AL 0041D335 50 PUSH EAX <--- size of instruction passed to memcpy 0041D336 56 PUSH ESI 0041D337 57 PUSH EDI 0041D338 E8 D8050000 CALL test.0041D915 <--- memcpy
0041DB10 25 93 97 B6 C4 C5 89 8A %“—¶ÄÅ‰Š
Instruction size is calculated as 25 ^ 93 = B6 which is wrong for instruction size in this case.
At this point I decided to try and patch jcc vm handler so jcc will not be taken:
and then I typed something:
And then I just kept pressing keys:
Press OK and you get the key:
So correct key for bin400 is : WonderFul_lollol_!
I would like to say tnx to my ARTeam mates, vnsecurity guys, and of coursesuperkhung for listening to my random blabing on skype during CTF :)
deroko of ARTeam