Tuesday, August 6, 2013

ebCTF 2013 :: BIN200 (200 points)

The challenge for BIN200 is to uncover the hidden file contained within the given executable.

Step 1: Load the executable (ebCTF_BIN200.exe) in OllyDbg, run it and you will be prompted by the executable for a secret key. Looking through the codes reveal the executable was generated using 'Perl2Exe' - a command line utility for converting perl scripts to exe files. An interesting keyword found within the executable is '-p2x_debug', which shall be used later.

Step 2: View the events captured by OllyDbg. In OllyDbg, go to View > Log (Alt+L). There is an entry of a DLL file dumped in the AppData Temp folder. Examination of the DLL file reveals it is packed using UPX packer. Unpack the DLL using UPX unpacker.

Example:
 Address=28000000
 Message=Module C:\Users\Braeburn\AppData\Local\Temp\p2xtmp-4484\p2x5123.dll

Step 3: Rerun the executable in OllyDbg with '-p2x_debug' as the argument and debug information will be displayed in the command prompt. It's clear now the hidden file is '_main.pl'.

P2X: Debug mode enabled - V090508
P2X: Expanded module filename = C:\Users\Braeburn\Downloads\ebCTF_BIN200.exe
GetTempDir: returning C:\Users\Braeburn\AppData\Local\Temp/p2xtmp-4484
ISEXT_Init: filename = p2x_stub.lib
ISEXT_Init: filename = p2x_header.pm
ISEXT_Init: filename = p2x_pre_exec_message
ISEXT_Init: filename = p2x_trial_message
ISEXT_Init: filename = p2x_exec_command
ISEXT_Init: filename = p2x_info.pm
ISEXT_Init: filename = _main.pl
ISEXT_Init: filename = P2XDLL/p2x5123.dll
P2X: ISEXT_Init done
P2X: OpenScript: C:\Users\Braeburn\Downloads\ebCTF_BIN200.exe FOUND IN PERL2EXE_STORAGE

[*] ebCTF BIN 200
      No comment...

[*] What is the secret?

Step 3: Load the unpacked DLL in IDA Pro and search for the location where the string "ISEXT_Init: filename = " will be referenced. It will be located at address 0x280AC503. After examining the flow graph from that location onwards, it is clear a different path is needed in order to dump the files to the tmp folder.

Step 4: Re-run the executable, change the instruction at address 0x280AC52E from JNZ to JZ before EIP reaches address 0x280AC503 and you will find the perl script in the tmp folder.

The secret key and the flag to this challenge will be found within the perl script.

Secret key: "Sup3RSeCr3tStuFf!"
Flag: ebctf{ededb03c7998fa751be21d1364a58600}


Flag captured! 200 points in the bag!! Yay!!!

Cheers,
Braeburn Ladny 

No comments:

Post a Comment