Thanks to Aleksey and Phn1x for dealing with my constant stream of questions while reversing this. You’d think it was the first time I opened a debugger!
The level 1 challenge was a binary that asked for input and, if your input was correct, printed out an e-mail address you could use to get the level 2 binary. The Khallenge is a contest of speed, so the first person to get to and beat level 3 wins. Unfortunately, I solved level 1 after the contest ended and the level 2 and 3 binaries aren’t online yet, so no prizes and no info on those.
The first thing I did was open the binary in a disassembler to get a general feel for it and work out an attack strategy. In IDA you can quickly see that your input is XOR'd almost a dozen times against a global variable somewhere. It overwhelmed me at first, so I took out pen and paper and started writing things down. I also had trouble pinning down exact addresses and byte offsets in IDA (I haven't used it much before), so I switched to Immunity Debugger at this point.
The first instructions your input passes through are at addresses 0x69001081 to 0x6900108F, and it turns out they are a compiler-optimized (inlined) strlen followed by a length check. Pseudocode for these addresses looks like this:

    if (strlen(input) != 4)
        fail();
    else
        ...
The XORs start immediately after this check. After staring at it for a while, you will figure out that your four input bytes are used as a repeating XOR key to decrypt a global buffer located at 0x690030D0. That decrypted buffer becomes the answer e-mail. I wrote the encrypted e-mail bytes out in a column and mapped the XOR'd input bytes onto them. Here is that table (it covers addresses 0x69001095 to 0x690010F6):
e-mail buffer @ 0x690030D4, input @ 0x69003100

    e-mail[0]: 0x07 XOR input[0]
    e-mail[1]: 0x2E XOR input[1]
    e-mail[2]: 0x35 XOR input[2]
    e-mail[3]: 0x29 XOR input[3]
    e-mail[4]: 0x70 XOR input[0]
    e-mail[5]: 0x20 XOR input[1]
    e-mail[6]: 0x76 XOR input[2]
    e-mail[7]: 0x68 XOR input[3]
After all the XORs, the application checks the final values of four selected bytes in the e-mail buffer:
    e-mail[4]: 0x70 XOR input[0] == 0x32
    e-mail[1]: 0x2E XOR input[1] == 0x61
    e-mail[6]: 0x76 XOR input[2] == 0x30
    e-mail[3]: 0x29 XOR input[3] == 0x79
XOR is its own inverse, so XORing each encrypted byte with the value the check expects gives back the input byte the binary is looking for:
    0x70 XOR 0x32 = input[0] = 0x42 = 'B'
    0x2E XOR 0x61 = input[1] = 0x4F = 'O'
    0x76 XOR 0x30 = input[2] = 0x46 = 'F'
    0x29 XOR 0x79 = input[3] = 0x50 = 'P'
Run the executable, type BOFP at the prompt, all the XORs run, all four checks pass, and the e-mail buffer decrypts to "Easy2o08". Done!
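The key recovery and decryption above, as an added worked example (this is not the author's script or anything shipped with the Khallenge). The byte values and check positions are taken from the tables in the post; the solver itself is written for the general case of a repeating XOR key of any length constrained by any set of (index, expected byte) checks, and it refuses to answer when the checks leave a key byte undetermined or contradict each other.

```python
# Added example: recover a repeating XOR key from known-plaintext byte
# checks and decrypt the buffer. Constants are the ones from the post;
# the functions work for any key length and any set of checks.

# Encrypted e-mail bytes as listed in the post (the buffer at 0x690030D4).
ENCRYPTED_EMAIL = bytes([0x07, 0x2E, 0x35, 0x29, 0x70, 0x20, 0x76, 0x68])

# The four post-decryption checks: buffer index -> byte it must equal.
CHECKS = {4: 0x32, 1: 0x61, 6: 0x30, 3: 0x79}

KEY_LEN = 4  # enforced by the strlen(input) == 4 check in the binary


def recover_key(ciphertext: bytes, checks: dict, key_len: int) -> bytes:
    """Recover a repeating XOR key from known-plaintext byte checks.

    Each check states ciphertext[i] ^ key[i % key_len] == expected, so
    key[i % key_len] == ciphertext[i] ^ expected. Raises ValueError if
    two checks disagree or if some key byte is not constrained at all.
    """
    key = [None] * key_len
    for index, expected in checks.items():
        slot = index % key_len
        candidate = ciphertext[index] ^ expected
        if key[slot] is not None and key[slot] != candidate:
            raise ValueError(f"conflicting constraints for key byte {slot}")
        key[slot] = candidate
    missing = [i for i, k in enumerate(key) if k is None]
    if missing:
        raise ValueError(f"key bytes {missing} not constrained by any check")
    return bytes(key)


def xor_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; XOR is its own inverse, so this also encrypts."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(ciphertext))


def check_passes(plaintext: bytes, checks: dict) -> bool:
    """Mirror the binary's verification: every checked byte must match."""
    return all(plaintext[i] == v for i, v in checks.items())


def solve(ciphertext: bytes = ENCRYPTED_EMAIL, checks: dict = CHECKS,
          key_len: int = KEY_LEN) -> tuple:
    """Return (password, decrypted buffer) for the given ciphertext/checks."""
    key = recover_key(ciphertext, checks, key_len)
    return key, xor_decrypt(ciphertext, key)


if __name__ == "__main__":
    password, email = solve()
    print("password:", password.decode())
    print("e-mail  :", email.decode())
    print("checks pass:", check_passes(email, CHECKS))
```

Only four of the eight buffer bytes are checked, one per key slot, which is exactly what makes the key fully determined; had the binary checked bytes 0 and 4 only, `recover_key` would report slots 1 to 3 as unconstrained instead of guessing.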
Thanks again Aleksey and Phn1x!
I’ve only recently started to look at reversing and I found this first challenge a fantastic learning experience.
I started looking at Khallenge 2, but then got sucked back into work and haven’t had a chance to continue. I really liked your summary, and whilst I’m hoping that you do one up for level 2, I’m also hoping that I don’t accidentally read it because it might spoil the surprise.
Nice work!
-C
Awesome job. If I get to the second one I'll let you know.
Also, check out T206-CHALLENGE.EXE from http://www.t2.fi/challenge/ (t208 might be coming out soon!). I never had the time to do it and it's quite advanced. It's got the same idea: enter the password to get the e-mail address. Solve it to get a free pass to the conference in Helsinki, Finland.