NuitDuHack 2012 Prequals – executable1.ndh

Meanwhile, we got fresh news from our mystery guy. He came along with an interesting binary file.
It just looks like an executable, but it is not ELF nor anything our experts
would happen to know or recognize. Some of them were quite impressed by your skills
and do think you may be able to succeed here. I attached the file, if you discover
anything, please send me an email entitled “Strange binary file”.

This will be rewarded, as usual. By the way, your account has just been credited
with $100.

executable1.ndh
NDH Virtual Machine

Summary: simple crackme on NDH VM

Here we have a binary for NDH VM. Let’s run it:

$ ./vmndh -file executable1.ndh 
Sciteek protected storage #1
Enter your password: test
Bad password

Let’s trace it:

0x83ff > syscall (r0 = 0x0003 - read)
TEST
[SYSCALL output]: 5
0x8400 > mov r0, r2
0x8404 > call 0xfee0
0x82e8 > mov r7, r0
0x82ec > movl r6, #0x840d
0x82f1 > call 0xfd0e
0x8003 > push r1
0x8006 > push r2
0x8009 > movl r1, #0x0
0x800e > movl r2, #0x0
0x8013 > mov r1, [r0]
0x8017 > test r1, r1
0x801a > inc r2
0x801c > inc r0
0x801e > jnz 0xfff2
0x8013 > mov r1, [r0]
0x8017 > test r1, r1
0x801a > inc r2
0x801c > inc r0
0x801e > jnz 0xfff2
...
0x8013 > mov r1, [r0]
0x8017 > test r1, r1
0x801a > inc r2
0x801c > inc r0
0x801e > jnz 0xfff2
0x8021 > dec r2
0x8023 > mov r0, r2
0x8027 > pop r2
0x8029 > pop r1
0x802b > ret
0x82f5 > cmpb r0, #9  <- length compare
0x82f9 > jz 0x05
0x82fc > call 0xffd4

It’s easy to see that the length of the input is compared to 9. So the password’s length is 8 (plus one for “\n” char):

$ ./vmndh -file executable1.ndh -debug
[Console]#> bp 0x82f5
Breakpoint set in 0x82f5
[Console]#> run
...
0x83ff > syscall (r0 = 0x0003 - read)
testtest
...
 
[BreakPoint 1 - 0x82f5]
0x82f5 > cmpb r0, #9
[Console]#> 
0x82f9 > jz 0x05
[Console]#> 
0x8301 > mov r0, [r7]
[Console]#> 
0x8305 > mov r1, [r6]
[Console]#> dis 8301:100
0x8301: mov r0, [r7]
0x8305: mov r1, [r6]
0x8309: xor r0, r1
0x830d: cmpb r0, #78   <--- 1
0x8311: jz 0x0005 //8319
0x8314: call 0xffbc //82d4
0x8318: end
0x8319: inc r7
0x831b: inc r6
0x831d: mov r0, [r7]
0x8321: mov r1, [r6]
0x8325: xor r0, r1
0x8329: cmpb r0, #44   <--- 2
0x832d: jz 0x0005 //8335
0x8330: call 0xffa0 //82d4
0x8334: end
0x8335: inc r7
0x8337: inc r6
0x8339: mov r0, [r7]
0x833d: mov r1, [r6]
0x8341: xor r0, r1
0x8345: cmpb r0, #73   <--- 3
0x8349: jz 0x0005 //8351
0x834c: call 0xff84 //82d4
0x8350: end
0x8351: inc r7
0x8353: inc r6
0x8355: mov r0, [r7]
0x8359: mov r1, [r6]
0x835d: xor r0, r1
0x8361: cmpb r0, #6b   <--- 4
0x8365: jz 0x0005 //836d
0x8368: call 0xff68 //82d4
0x836c: end
0x836d: inc r7
0x836f: inc r6
0x8371: mov r0, [r7]
0x8375: mov r1, [r6]
0x8379: xor r0, r1
0x837d: cmpb r0, #61   <--- 5
0x8381: jz 0x0005 //8389
0x8384: call 0xff4c //82d4
0x8388: end
0x8389: inc r7
0x838b: inc r6
0x838d: mov r0, [r7]
0x8391: mov r1, [r6]
0x8395: xor r0, r1
0x8399: cmpb r0, #3e   <--- 6
0x839d: jz 0x0005 //83a5
0x83a0: call 0xff30 //82d4
0x83a4: end
0x83a5: inc r7
0x83a7: inc r6
0x83a9: mov r0, [r7]
0x83ad: mov r1, [r6]
0x83b1: xor r0, r1
0x83b5: cmpb r0, #6e   <--- 7
0x83b9: jz 0x0005 //83c1
0x83bc: call 0xff14 //82d4
0x83c0: end
0x83c1: inc r7
0x83c3: inc r6
0x83c5: mov r0, [r7]
0x83c9: mov r1, [r6]
0x83cd: xor r0, r1
0x83d1: cmpb r0, #5e   <--- 8
0x83d5: jz 0x0005 //83dd

Here each byte of the input (pointed to by r7) is xored with the corresponding byte of a hardcoded table (pointed to by r6, at 0x840d), and the result is compared with a hardcoded immediate, one block per character. Let’s see both buffers:

[Console]#> info regs
[r0]: 0074	[r4]: 0000
[r1]: 0002	[r5]: 0000
[r2]: 7fda	[r6]: 840d
[r3]: 001f	[r7]: 7fda
 
[bp]: 7ffa	[zf]: 0001
[sp]: 7fd8	[af]: 0000
[pc]: 8309	[bf]: 0000
[Console]#> x/x 840d:10
0x840d: 02 05 03 07 08 06 01 09 53 63 69 74 65 65 6b 20 
[Console]#> x/x 7fda:10
0x7fda: 74 65 73 74 74 65 73 74 0a 00 00 00 00 00 00 00
        t  e  s  t  t  e  s  t  \n

So, the key is

"\x02\x05\x03\x07\x08\x06\x01\x09"
xor
"\x78\x44\x73\x6b\x61\x3e\x6e\x5e"
---
"zApli8oW"
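As an added example (not code from the original writeup), here is a Python model of the check reconstructed from the trace above: the strlen routine at 0x8003, the cmpb r0, #9 length test, and the eight xor/compare blocks. The names TABLE, EXPECTED, vm_strlen, check_password and derive_password are my own; the byte values are the ones dumped from 0x840d and read off the cmpb immediates in the disassembly.

```python
# Added example: a Python model of the executable1.ndh password check,
# reconstructed from the trace and disassembly in the writeup.

# Byte table at 0x840d (pointed to by r6), as dumped with "x/x 840d:10".
TABLE = bytes([0x02, 0x05, 0x03, 0x07, 0x08, 0x06, 0x01, 0x09])

# Immediates from the eight "cmpb r0, #.." instructions (0x830d .. 0x83d1).
EXPECTED = bytes([0x78, 0x44, 0x73, 0x6b, 0x61, 0x3e, 0x6e, 0x5e])

# Value tested by "cmpb r0, #9" at 0x82f5: 8 password bytes plus "\n".
EXPECTED_LEN = 9


def vm_strlen(buf: bytes) -> int:
    """Model of the routine at 0x8003: count bytes up to the first NUL."""
    n = 0
    for b in buf:
        if b == 0:
            break
        n += 1
    return n


def check_password(line: bytes) -> bool:
    """Replicate the VM's logic: length check, then per-byte xor/compare.

    `line` is the raw buffer as filled by the read syscall, i.e. it still
    contains the trailing newline and is NUL-terminated.
    """
    if vm_strlen(line) != EXPECTED_LEN:
        return False
    for inp, tbl, want in zip(line, TABLE, EXPECTED):
        if inp ^ tbl != want:
            return False
    return True


def derive_password(table: bytes, expected: bytes) -> str:
    """Invert the check: xor is its own inverse, so input = table ^ expected."""
    return bytes(t ^ e for t, e in zip(table, expected)).decode("ascii")


if __name__ == "__main__":
    pw = derive_password(TABLE, EXPECTED)
    print(pw)                                        # zApli8oW
    print(check_password(pw.encode() + b"\n\x00"))   # True
    print(check_password(b"testtest\n\x00"))         # False
```

The length check is why the password itself is 8 characters: the read syscall stores the newline in the buffer, so the strlen routine counts 9 bytes for a correct input.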

Connect to the server:

$ nc sci.nuitduhack.com 4001
Sciteek protected storage #1
Enter your password: zApli8oW
<PSP version="1.99">
<MOTD>
<![CDATA[
Welcome on SciPad Protected Storage.
 
The most secure storage designed by Sciteek. This storage protocol
allows our users to share files in the cloud, in a dual way.
 
This daemon has been optimized for SciPad v1, running SciOS 16bits
with our brand new processor.
]]>
</MOTD>
<FLAG>
ea1670464251ea3b65afd624d9b17cd7
</FLAG>
<ERROR>
An unexpected error occured: PSP-UNK-ERR-001> application closed.
</ERROR>
</PSP>

The flag is: ea1670464251ea3b65afd624d9b17cd7

4 comments


  1. Hi, team MoreSmokedLeetChicken

    I contact your team about your recent qualification for the final challenge for the Nuit Du Hack, waiting to deliver to you the entrance to the event, I want to know if you will be at the event (Disneyland Paris) on June 23rd,

    I can help you with any information about hotels or travel, transport in the city, visas etc.

    You can contact me on @tif0x or by mail at tifox@hackerzvoice.net

    Sorry for contacting you this way, but you don’t respond by mail.

    For information, all expenses are your responsibility.

    Cordially, Joris ‘Tifox’ Boquet

    1. Hello, Tifox!

      Sorry for not responding, we are thinking of who will be able to visit the event :)
      We will email you shortly.

      Thanks

      1. Hi,

        no mail from you :'(

  2. okay, thx for the reply :)

    Cordially, Tifox
