Recent posts

32C3 CTF - ey_or

We have a large (24MB) x86_64 ELF executable. A binary of this size is very difficult to reverse engineer directly, so instead we looked at its printable strings, one of which looked interesting.

$ strings ey_or
    (...)
] ==secret
] ==f
 secret len ==l
 [ ] ==buffer
 0 ==i
 0 ==j
 "Enter Password line by line\n" sys .out .writeall
  #str .fromArray secret bxor
  txt .consume .u
  =j
[ buffer _ len dearray j ] =buffer
[ secret _ len dearray j eq { } { 1 sys .exit } ? * ] =secret
  i 1 add =i
  i l eq {
  buffer f bxor str .fromArray sys .out .writeall
 0 sys .exit
} { } ? *
} sys .in .eachLine
"ey_or" sys .freeze



32C3 CTF - blobberry

We made this new Raspberry Pi OS, check it out!

1. Inspect image

The problem comes with an image file (blobberry.img) and a link to installation instructions. The instructions describe installing the OS on a real Raspberry Pi device, which we didn't have, so we decided to run it under qemu. We followed this instruction.

$ file blobberry.img
blobberry.img: x86 boot sector
$ fdisk -l blobberry.img

Disk blobberry.img: 68 MB, 68157440 bytes
87 heads, 4 sectors/track, 382 cylinders, total 133120 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x2fa1ab6c

        Device Boot      Start         End      Blocks   Id  System
blobberry.img1   *        8192      139263       65536    c  W95 FAT32 (LBA)
$ sudo mount blobberry.img -o offset=4194304 /mnt
$ ls /mnt
bootcode.bin UART.TXT
$ file /mnt/bootcode.bin
bootcode.bin: data

Everything went well until we noticed that the image contains only two files. The image was supposed to contain an /etc/ld.so.preload file, but it didn't. UART.TXT is just a funny text file explaining where the UART port is, and bootcode.bin appeared to be our actual task. After some googling, we found that bootcode.bin is the "secondary boot loader" that runs on the Raspberry Pi's GPU.



Capturing Android app packets

When debugging or reversing an app, you sometimes need to see the packets it sends and receives. With tcpdump and socat you can observe the HTTP and HTTPS traffic exchanged between the app and its server.

Requirements

  • An Android phone (no root required) or an emulator
  • An Ubuntu server (root access required)



SECCON CTF 2015 - Hardware 2

We’ve found an encoder board using double 74HC161s along with a binary file.
Please help us to decode it.

The problem can be downloaded at https://github.com/SECCON/SECCON2015_online_CTF/tree/master/Binary/500_Reverse-Engineering%20Hardware%202.

1. Reverse hardware

topview.jpg

frontview.jpg



SECCON CTF 2015 - APK2

Given an APK file.

1. Run anyway

I first installed the app on my Android phone. It has three screens:

  • Login with email + password
  • Register email + name + password
  • Show user info (name) when logged in

2. Reverse app

It's time to decompile the app. Use apktool, dex2jar, and jad as usual. My tool apkext came in handy.

2.1. The standard way

From AndroidManifest.xml, we find that the entry-point activity is kr.repo.h2spice.yekehtmai.MainActivity. The program is obfuscated by name substitution.
