# HW2 Reverse CTF writeup
R11922138
CTF Account: eric070021
### 1. Trace
First, I open the ELF file in IDA and find that it writes a new ELF to "/tmp/cs_2022_fall_ouo". After running trace, I get that second ELF, "cs_2022_fall_ouo". When I try to run it, it does not execute correctly. Opening it in IDA, there are blocks that IDA cannot disassemble.
I then look back at trace and find that it executes "cs_2022_fall_ouo" and attaches to it with ptrace. Through ptrace it replaces every occurrence of the byte string 0xE8CBCCDEADBEEFE8 in the child's memory with 0x9090909090909090, i.e. eight nop instructions. Since the patch is only applied to the running process, the copy on disk keeps the bogus bytes, which is why it neither runs on its own nor disassembles cleanly.

Knowing this, I patch every occurrence of 0xE8CBCCDEADBEEFE8 in "cs_2022_fall_ouo" to nops myself. Now IDA can disassemble the whole file. There is a function that XORs every character of the input flag with 0x71. I write a simple Python script to undo the XOR and get the flag.
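As an added example (this is not the writeup's own script), the following Python applies the same patch statically that the tracer applies at runtime and then undoes the 0x71 XOR. It assumes the marker is stored in the file in the byte order written above (E8 CB CC DE AD BE EF E8) and that occurrences do not overlap; the sample data is constructed, not the real binary.

```python
"""Statically replace the tracer's marker bytes with nops, then undo the 0x71 XOR.

Assumptions (the writeup only names the byte strings): the marker sits in the file
in the order E8 CB CC DE AD BE EF E8 and occurrences do not overlap. All sample
data below is constructed, not taken from the challenge binary."""
from pathlib import Path

MARKER = bytes.fromhex("E8CBCCDEADBEEFE8")   # bytes the tracer looks for (assumed file order)
NOP_SLED = b"\x90" * len(MARKER)             # 0x9090909090909090: eight one-byte nops
XOR_KEY = 0x71


def patch_markers(data: bytes, marker: bytes = MARKER, fill: bytes = NOP_SLED) -> tuple[bytes, int]:
    """Return (patched_data, occurrences). A same-length fill keeps every offset intact,
    which matters for an ELF: section headers, relocations and branch targets must not move."""
    if len(marker) != len(fill):
        raise ValueError("marker and fill must have the same length")
    count = data.count(marker)                # non-overlapping, like bytes.replace
    return data.replace(marker, fill), count


def patch_file(src: str, dst: str) -> int:
    """Patch src into dst and return how many markers were replaced."""
    patched, count = patch_markers(Path(src).read_bytes())
    Path(dst).write_bytes(patched)
    return count


def xor_bytes(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in blob)


def recover_flag(encoded: bytes, key: int = XOR_KEY) -> str:
    """Decode the XORed comparison constant pulled out of the binary."""
    return xor_bytes(encoded, key).decode("ascii")


if __name__ == "__main__":
    # Constructed stand-in for a code region: a function prologue, two markers, a ret.
    sample = b"\x55\x48\x89\xe5" + MARKER + b"\xc3" + MARKER
    patched, n = patch_markers(sample)
    print(f"replaced {n} markers, size unchanged: {len(patched) == len(sample)}")

    # Constructed stand-in for the XORed flag constant; the real one comes from IDA.
    encoded = xor_bytes(b"FLAG{constructed}")
    print(recover_flag(encoded))
```

For the real file, `patch_file("/tmp/cs_2022_fall_ouo", "patched.elf")` returns the number of markers replaced; a count of zero means the marker byte order assumed above is wrong and the eight bytes should be reversed.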

### 2. ooxx
I first run ooxx.exe and notice that it shows a message box. So I open ooxx.exe in IDA and jump directly to the function that calls the message box.

There are three if/else branches, and I guess that they stand for win, lose, and tie.
I use Python to decode the message text and find that the second if branch is the win condition.

Next, I patch the assembly so that the first condition (lose) always evaluates to 0 and the second condition (win) always evaluates to 1. Then I run the patched ooxx.exe again and get the flag.

### 3. Trojan
This challenge comes with a Wireshark capture file. I open it and see a few large packets.
Then I open the trojan in IDA. I first look at the function called in the while loop: it takes a screenshot of the screen and stores it in a bitmap handle.

Going back to the main function, I find the function that sends the data.

It first sends the data length and then the data itself, but the data it sends is encrypted. The encryption function is shown below.

After finding this, I decrypt the three packets from the capture file and locate the header of the message (the screenshot is too large for one packet, so it is split across three). I reassemble the original message, decrypt it with a Python script, and write the result to a file named flag.png. The flag is in the PNG.
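The reassembly step above, as an added example that is not the writeup's own script: concatenate the TCP payloads in stream order, cut the stream into frames using each length prefix, decrypt each frame, and check for the PNG signature. Because the writeup does not give these details, it assumes a 4-byte little-endian length field covering the ciphertext that follows, and it uses a byte-wise XOR as a stand-in for the trojan's real cipher, which should be swapped in. All sample data is constructed.

```python
"""Reassemble a length-prefixed message spread over several TCP segments.

Assumptions not given in the writeup: the length field is a u32 little-endian
integer covering the ciphertext after it, and the segments are the TCP payloads
in stream order (e.g. exported from Wireshark's Follow TCP Stream). The cipher is
a stand-in XOR, not the trojan's real routine. Sample data below is constructed."""
import struct

HEADER_FMT = "<I"                       # assumed: u32 little-endian length prefix
HEADER_LEN = struct.calcsize(HEADER_FMT)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
STANDIN_KEY = 0x5A


def xor_bytes(blob: bytes, key: int = STANDIN_KEY) -> bytes:
    """Stand-in for the trojan's cipher; XOR is symmetric so it serves both directions."""
    return bytes(b ^ key for b in blob)


def frame_messages(messages: list[bytes], key: int = STANDIN_KEY) -> bytes:
    """Build the wire stream the way the writeup describes: [length][encrypted data]..."""
    out = bytearray()
    for m in messages:
        ct = xor_bytes(m, key)
        out += struct.pack(HEADER_FMT, len(ct)) + ct
    return bytes(out)


def split_frames(stream: bytes) -> list[bytes]:
    """Walk a reassembled stream and cut it into frames using each length prefix.
    Raises if a frame claims more bytes than the capture holds, the usual symptom
    of a missing or misordered segment."""
    frames, off = [], 0
    while off + HEADER_LEN <= len(stream):
        (n,) = struct.unpack_from(HEADER_FMT, stream, off)
        off += HEADER_LEN
        if off + n > len(stream):
            raise ValueError(f"truncated frame at offset {off - HEADER_LEN}: "
                             f"header says {n} bytes, only {len(stream) - off} left")
        frames.append(stream[off:off + n])
        off += n
    if off != len(stream):
        raise ValueError(f"{len(stream) - off} stray bytes after the last frame")
    return frames


def recover_messages(segments: list[bytes], decrypt=xor_bytes) -> list[bytes]:
    """Join the TCP payloads first, then frame, then decrypt. Framing each segment
    on its own fails whenever a length header or a message straddles two segments."""
    return [decrypt(f) for f in split_frames(b"".join(segments))]


def is_png(data: bytes) -> bool:
    """The 8-byte PNG signature is a quick sanity check that decryption worked."""
    return data.startswith(PNG_MAGIC)


if __name__ == "__main__":
    screenshot = PNG_MAGIC + bytes(range(40))          # constructed: a fake PNG body
    stream = frame_messages([screenshot, b"second message"])
    # Constructed "packets": cut so the first length header itself is split in two.
    segments = [stream[:2], stream[2:30], stream[30:]]
    for m in recover_messages(segments):
        print(f"{len(m)} bytes, png={is_png(m)}")
```

With a real capture, pass the decrypted trojan routine as `decrypt` and write the first message that passes `is_png` to flag.png; if `split_frames` raises, a segment is missing from the export or the header layout assumed here is wrong.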

### 4. Dropper
The name dropper implies the exe might be wrapped in some packer. I open it with DIE (Detect It Easy), which reports UPX, so I unpack it with the UPX unpacker.

I first try to run the exe, but the program just hangs after start, so I guess it is stuck in an infinite loop.
After opening the unpacked dropper.exe in IDA, I see that the main function consists of many char arrays that are each passed to a decryption function. I decrypt some of them and find that they are DLL names and function names. After decrypting all of them, I find a Sleep call with a very large sleep time, which is why the program appears to hang. So I patch the sleep time to 1.

The main function uses malloc to allocate a buffer whose start pointer is assigned to Block. Then it memcpys a series of bytes into Block. Last, it runs the encryption routine over Block. Knowing the main execution flow, I use x86gdb to trace the exe and get the address returned by malloc (Block). I watch the data in Block, and after the encryption routine finishes, the data in Block turns into the flag.
