# NTU Computer Security HW2
###### tags: `NTU`
## dropper
* it resolves APIs through ```gs:0x60``` instead of the regular way

* it uses xor and not operations to obfuscate the library name and API name strings

* it initializes a crypto context, encrypts a string from the data section, and writes the result to ```HKLM\CS_2022```

* just patch the sleep instruction, run the binary again, and the flag shows up in the registry

## ooxx
* use xrefs from the strings shown in the title and console to find the main logic

* inside the main logic, it uses an xor cipher to decrypt ```MessageBoxA```

* invert the comparison operator so that the result becomes ```O Win!```

* run the executable and the flag is displayed

## pwn_myself
* it has a stack-based buffer overflow in the main function, which lets us return to ```0x668BF``` inside main
* buffer size: 24

* overflow location: write 56 bytes

* 0x66B51 - 658 = 0x668bf

* the function keeps reading keyboard input; after receiving 44 key inputs, it uses them in some calculation later

* to recognize which functions it actually uses, we can create our own openssl 3.0.2 FLIRT signature with IDA's sigmake tool
* ref:
    * https://www.freebuf.com/articles/endpoint/235070.html
    * discussion with [oalieno](https://github.com/oalieno)
* the functions can be recovered with our self-created signature together with the exception messages near ```ERR_new```

* after recovering the logic, we know that the server encrypts our user input and compares it to some bytes in memory. if the comparison succeeds, it decrypts something and sends it back over the socket

* as a result, we can simply patch the check and the items to be decrypted, and then obtain the flag with wireshark

## trace
* it first drops a binary to ```/tmp/cs_2022_fall_ouo```

* then it forks and executes that binary in debugging mode

* after the fork, the child process runs in single-step mode. whenever the next instruction bytes are ```0xE8CBCCDEADBEEFE8```, the parent process patches them with ```nop```s

* as a result, we can craft a patched binary with every occurrence of ```0xE8CBCCDEADBEEFE8``` replaced by ```nop```s. then we can easily see the xor-based flag decryption logic in IDA

* decrypt the memory back and we obtain the flag

## trojan
* it opens a tcp socket on localhost

* after the service is up, it first tries to recv
* then it sends back a magic string
* after that, it sends an int indicating the payload size
* then it sends the payload, encrypted with xor

* to solve this, we extract the payload and xor it with ```0vCh8RrvqkrbxN9Q7Ydx```, which gives us the flag as a png
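The exchange above (magic string, payload size, xor-encrypted payload) as an added Python example, not code from the homework or its binary: it rebuilds the stream from a constructed sample, parses it the way you would parse a TCP stream exported from wireshark, and decrypts it with the key from the writeup. The magic string, the 4-byte little-endian size field and the sample data are assumptions; only the xor key comes from the page.

```python
import struct

# XOR key from the writeup; everything else (magic string, 4-byte little-endian
# length, sample data) is an assumption for this example, not from the binary.
KEY = b"0vCh8RrvqkrbxN9Q7Ydx"
MAGIC = b"MAGIC"                      # placeholder for the real magic string
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # first 8 bytes of every PNG file


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so the same
    function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_stream(plaintext: bytes, magic: bytes = MAGIC) -> bytes:
    """Build the server-to-client stream in the order the writeup describes:
    magic string, payload size as an int, then the xor-encrypted payload."""
    enc = xor_with_key(plaintext)
    return magic + struct.pack("<I", len(enc)) + enc


def parse_stream(stream: bytes, magic: bytes = MAGIC) -> bytes:
    """Parse a captured stream (e.g. the TCP stream exported from wireshark)
    and return the decrypted payload, validating each field on the way."""
    if not stream.startswith(magic):
        raise ValueError("magic string mismatch")
    off = len(magic)
    if len(stream) < off + 4:
        raise ValueError("truncated length field")
    (size,) = struct.unpack("<I", stream[off:off + 4])
    off += 4
    payload = stream[off:off + size]
    if len(payload) != size:
        raise ValueError(f"expected {size} payload bytes, got {len(payload)}")
    return xor_with_key(payload)


def looks_like_png(data: bytes) -> bool:
    """Quick sanity check that the decrypted payload really is a PNG."""
    return data.startswith(PNG_SIGNATURE)


# Constructed sample: a minimal PNG-like header plus filler, encrypted the way
# the trojan would send it. Not a real capture.
SAMPLE_PLAINTEXT = PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR" + b"A" * 16
SAMPLE_STREAM = build_stream(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    flag_png = parse_stream(SAMPLE_STREAM)
    print("decrypted payload is a PNG:", looks_like_png(flag_png))
```

To use it on the real capture, replace `SAMPLE_STREAM` with the bytes of the server-to-client direction and write the returned bytes to a `.png` file.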
