CTF writeups

RC3 CTF – GoReverseMe

We were given a 64-bit ELF file and, as the file name suggests, it was a compiled Go binary. Go binaries are statically linked and need no external runtime, so the file contains a very large number of functions, which makes reversing harder.
I was looking for a pointer or an obvious place to start. After running the file, I saw the message “Specify the file to package as argv1, will overwrite, existing”.
Searching the strings turned up nothing, so I looked for a function that handles output and found it: ‘fmt_Println’.
Searching for functions that call ‘fmt_Println’ led me to the address 0x40120C; scrolling up from there, I found ‘main_step1’, ‘main_step2’, ‘main_step3’ and ‘main_step4’. I set a breakpoint at the beginning of the function and ran the file. The following picture shows the argument check after the breakpoint is triggered:

Continuing the debugging session by checking ‘main_step1’:

This function reads a region of memory and XORs it with 0x69, producing ‘golang-or-bust’; later I found out that this is the password for the protected Zip file.
Most of the work is done in ‘main_step2’: it reads the input file, encrypts it and compresses it into a Zip file. By tracing the ‘github_com_alexmullins_zip___FileHeader__SetPassword’ function, I found out that the password is ‘golang-or-bust’. The code used in the program is copied verbatim from “github.com/alexmullins/zip”.
Finally it’s time to review ‘main_step4’ (ignoring ‘main_step3’). Here’s the algorithm used in this function:
1- Take the first and second byte
2- Subtract the first byte from the second
3- Replace the first byte with the result from step 2
4- Repeat until the end of the file.

We have to reverse the above procedure, working from the end of the file back to the beginning. Here’s a quick script:

f = open('flag.enc', 'rb').read()
b = bytearray(f)          # restored in place, walking from the end of the file
i = len(b) - 1
while i > 0:
    # b[i-1] holds (original[i-1] - original[i]) mod 256 and b[i] has already
    # been restored, so adding the two back together gives original[i-1]
    b[i-1] = (b[i] + b[i-1]) & 255
    i -= 1
# the last byte is never transformed, so b now holds the whole original file
open('flag.zip', 'wb').write(bytes(b))
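To check that the four-step description and the recovery script really are inverses of each other, here is an added example (my own code, not from the writeup or the challenge binary) that reimplements step 1 and step 4 in Python 3 and round-trips a constructed sample file through them. The forward transform is inferred from the description and the script: each byte becomes (itself minus its successor) mod 256, and the final byte, which has no successor, is left untouched and therefore anchors the reversal. All function names, the XOR-encoded blob and the sample archive are constructed here; the sample is an ordinary unencrypted Zip, unlike the AES-protected one the binary produces. The `looks_like_zip` check is the sanity test I would run on the recovered bytes before reaching for a repair tool: it shows that losing just the untransformed final byte is enough to break the end-of-central-directory record.

```python
import io
import zipfile

# Step 1 of the binary, as described in the writeup: a memory region XORed
# with 0x69 yields the Zip password. The encoded blob is constructed here by
# XORing the known password, so the decode can be checked offline.
XOR_KEY = 0x69
ENCODED_PASSWORD = bytes(c ^ XOR_KEY for c in b'golang-or-bust')  # constructed


def step1_decode(blob, key=XOR_KEY):
    """Undo the single-byte XOR and return the password as text."""
    return bytes(c ^ key for c in blob).decode('ascii')


def step4_encode(data):
    """Forward transform inferred from the writeup: every byte becomes
    (itself - successor) mod 256; the final byte has no successor and stays."""
    out = bytearray(data)
    for i in range(len(out) - 1):
        out[i] = (data[i] - data[i + 1]) & 0xFF
    return bytes(out)


def step4_decode(enc):
    """Inverse transform: walk backwards from the untouched final byte and
    rebuild each byte as (encoded byte + already recovered successor) mod 256."""
    out = bytearray(enc)
    for i in range(len(out) - 2, -1, -1):
        out[i] = (enc[i] + out[i + 1]) & 0xFF
    return bytes(out)


def looks_like_zip(blob):
    """Sanity check before any repair attempt: does the blob parse as a Zip
    archive with an intact end-of-central-directory record?"""
    return zipfile.is_zipfile(io.BytesIO(blob))


def build_sample_zip(password_hint):
    """Constructed sample: a small unencrypted Zip to push through the
    transform (the real challenge file is AES-protected, this one is not)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('flag.txt', 'sample flag, password hint: ' + password_hint)
    return buf.getvalue()


def round_trip(blob):
    """Encode then decode, and report whether the original came back intact."""
    return step4_decode(step4_encode(blob)) == blob


if __name__ == '__main__':
    password = step1_decode(ENCODED_PASSWORD)
    sample = build_sample_zip(password)
    recovered = step4_decode(step4_encode(sample))
    print('password:', password)
    print('round trip ok:', recovered == sample, '| parses as zip:', looks_like_zip(recovered))
    # Dropping the final byte (the one step 4 never modifies) is enough to make
    # the archive unreadable, which is why carrying it across matters.
    print('minus last byte parses as zip:', looks_like_zip(recovered[:-1]))
```

Running the script prints the decoded password, confirms the round trip, and shows that the same archive with its last byte missing is no longer recognised as a Zip file.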

The output Zip file needs repair, so I used WinRAR to fix it and extracted the flag with the password we acquired earlier:
RC3-GOLANG-BESTLANG-5435

Though I found the flag, it was too late: we lost the 250 points by being less than a minute late 🙁

