Meanwhile, we got fresh news from our mystery guy. He came along with an interesting binary file. It just looks like an executable, but it is not ELF nor anything our experts would happen to know or recognize. Some of them were quite impressed by your skills and do think you may be able to succeed here. I attached the file; if you discover anything, please send me an email entitled “Strange binary file”. This will be rewarded, as usual. By the way, your account has just been credited with $100.
executable1.ndh
NDH Virtual Machine
Summary: simple crackme on NDH VM
Here we have a binary for NDH VM. Let’s run it:
$ ./vmndh -file executable1.ndh
Sciteek protected storage #1
Enter your password: test
Bad password
Let’s trace it (the VM's trace prints one executed instruction per line):
0x83ff > syscall (r0 = 0x0003 - read)
TEST
[SYSCALL output]: 5
0x8400 > mov r0, r2
0x8404 > call 0xfee0
0x82e8 > mov r7, r0
0x82ec > movl r6, #0x840d
0x82f1 > call 0xfd0e
0x8003 > push r1
0x8006 > push r2
0x8009 > movl r1, #0x0
0x800e > movl r2, #0x0
0x8013 > mov r1, [r0]
0x8017 > test r1, r1
0x801a > inc r2
0x801c > inc r0
0x801e > jnz 0xfff2
0x8013 > mov r1, [r0]
0x8017 > test r1, r1
0x801a > inc r2
0x801c > inc r0
0x801e > jnz 0xfff2
...
0x8013 > mov r1, [r0]
0x8017 > test r1, r1
0x801a > inc r2
0x801c > inc r0
0x801e > jnz 0xfff2
0x8021 > dec r2
0x8023 > mov r0, r2
0x8027 > pop r2
0x8029 > pop r1
0x802b > ret
0x82f5 > cmpb r0, #9 <- length compare
0x82f9 > jz 0x05
0x82fc > call 0xffd4
The routine at 0x8003 is a strlen-style loop (it counts bytes in r2 until it hits the terminating zero), and its result is compared to 9 at 0x82f5. So the password’s length is 8 (plus one for the “\n” char that read() delivers). Let’s break there and disassemble what follows:
$ ./vmndh -file executable1.ndh -debug
[Console]#> bp 0x82f5
Breakpoint set in 0x82f5
[Console]#> run
...
0x83ff > syscall (r0 = 0x0003 - read)
testtest
...
[BreakPoint 1 - 0x82f5]
0x82f5 > cmpb r0, #9
[Console]#>
0x82f9 > jz 0x05
[Console]#>
0x8301 > mov r0, [r7]
[Console]#>
0x8305 > mov r1, [r6]
[Console]#> dis 8301:100
0x8301: mov r0, [r7]
0x8305: mov r1, [r6]
0x8309: xor r0, r1
0x830d: cmpb r0, #78 <--- 1
0x8311: jz 0x0005 //8319
0x8314: call 0xffbc //82d4
0x8318: end
0x8319: inc r7
0x831b: inc r6
0x831d: mov r0, [r7]
0x8321: mov r1, [r6]
0x8325: xor r0, r1
0x8329: cmpb r0, #44 <--- 2
0x832d: jz 0x0005 //8335
0x8330: call 0xffa0 //82d4
0x8334: end
0x8335: inc r7
0x8337: inc r6
0x8339: mov r0, [r7]
0x833d: mov r1, [r6]
0x8341: xor r0, r1
0x8345: cmpb r0, #73 <--- 3
0x8349: jz 0x0005 //8351
0x834c: call 0xff84 //82d4
0x8350: end
0x8351: inc r7
0x8353: inc r6
0x8355: mov r0, [r7]
0x8359: mov r1, [r6]
0x835d: xor r0, r1
0x8361: cmpb r0, #6b <--- 4
0x8365: jz 0x0005 //836d
0x8368: call 0xff68 //82d4
0x836c: end
0x836d: inc r7
0x836f: inc r6
0x8371: mov r0, [r7]
0x8375: mov r1, [r6]
0x8379: xor r0, r1
0x837d: cmpb r0, #61 <--- 5
0x8381: jz 0x0005 //8389
0x8384: call 0xff4c //82d4
0x8388: end
0x8389: inc r7
0x838b: inc r6
0x838d: mov r0, [r7]
0x8391: mov r1, [r6]
0x8395: xor r0, r1
0x8399: cmpb r0, #3e <--- 6
0x839d: jz 0x0005 //83a5
0x83a0: call 0xff30 //82d4
0x83a4: end
0x83a5: inc r7
0x83a7: inc r6
0x83a9: mov r0, [r7]
0x83ad: mov r1, [r6]
0x83b1: xor r0, r1
0x83b5: cmpb r0, #6e <--- 7
0x83b9: jz 0x0005 //83c1
0x83bc: call 0xff14 //82d4
0x83c0: end
0x83c1: inc r7
0x83c3: inc r6
0x83c5: mov r0, [r7]
0x83c9: mov r1, [r6]
0x83cd: xor r0, r1
0x83d1: cmpb r0, #5e <--- 8
0x83d5: jz 0x0005 //83dd
Here each byte of the input (pointed to by r7) is XORed with the corresponding byte of a buffer at 0x840d (pointed to by r6), and every result is compared with a hardcoded constant; any mismatch calls the "Bad password" routine at 0x82d4 and ends. Let’s look at both buffers:
[Console]#> info regs
[r0]: 0074 [r4]: 0000
[r1]: 0002 [r5]: 0000
[r2]: 7fda [r6]: 840d
[r3]: 001f [r7]: 7fda
[bp]: 7ffa [zf]: 0001
[sp]: 7fd8 [af]: 0000
[pc]: 8309 [bf]: 0000
[Console]#> x/x 840d:10
0x840d: 02 05 03 07 08 06 01 09 53 63 69 74 65 65 6b 20
[Console]#> x/x 7fda:10
0x7fda: 74 65 73 74 74 65 73 74 0a 00 00 00 00 00 00 00
         t  e  s  t  t  e  s  t  \n
So the key is the first 8 bytes at 0x840d, and since input ^ key must equal the hardcoded constants, the password is the XOR of the two:
"\x02\x05\x03\x07\x08\x06\x01\x09" xor "\x78\x44\x73\x6b\x61\x3e\x6e\x5e" = "zApli8oW"
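As an added example (not part of the original writeup), the following Python script reproduces the key recovery from the two debugger artefacts quoted above: it parses the x/x dump and the cmpb constants, XORs them, and re-implements the crackme's own check (length, then per-byte XOR compare) to confirm the result. The byte values are copied from the page; the function names are my own.

```python
import re

# Constructed from the writeup's debugger output: the x/x dump at 0x840d and the
# "dis" listing lines whose cmpb instructions carry the hardcoded constants.
MEM_DUMP = "0x840d: 02 05 03 07 08 06 01 09 53 63 69 74 65 65 6b 20"
DISASM = """
0x830d: cmpb r0, #78 <--- 1
0x8329: cmpb r0, #44 <--- 2
0x8345: cmpb r0, #73 <--- 3
0x8361: cmpb r0, #6b <--- 4
0x837d: cmpb r0, #61 <--- 5
0x8399: cmpb r0, #3e <--- 6
0x83b5: cmpb r0, #6e <--- 7
0x83d1: cmpb r0, #5e <--- 8
"""
EXPECTED_LEN = 9  # cmpb r0, #9 at 0x82f5: 8 chars plus the trailing "\n"


def key_bytes(dump: str, n: int) -> bytes:
    """Take the first n bytes of an "x/x" dump line (address prefix stripped)."""
    hexbytes = dump.split(":", 1)[1].split()
    return bytes(int(h, 16) for h in hexbytes[:n])


def cmpb_constants(listing: str) -> bytes:
    """Pull every immediate of 'cmpb r0, #xx' from the listing, in address order."""
    return bytes(int(h, 16) for h in re.findall(r"cmpb r0, #([0-9a-fA-F]{2})", listing))


def recover_password(key: bytes, expected: bytes) -> str:
    """input ^ key == expected  =>  input == expected ^ key, byte by byte."""
    return bytes(k ^ e for k, e in zip(key, expected)).decode("ascii")


def vm_check(candidate: str, key: bytes, expected: bytes) -> bool:
    """Re-implement the crackme's logic: length check, then per-byte XOR compare."""
    data = candidate.encode("ascii") + b"\n"   # read() delivers the newline too
    if len(data) != EXPECTED_LEN:
        return False
    return all((d ^ k) == e for d, k, e in zip(data, key, expected))


KEY = key_bytes(MEM_DUMP, 8)
EXPECTED = cmpb_constants(DISASM)
PASSWORD = recover_password(KEY, EXPECTED)

if __name__ == "__main__":
    print("key     :", KEY.hex())
    print("expected:", EXPECTED.hex())
    print("password:", PASSWORD, "accepted:", vm_check(PASSWORD, KEY, EXPECTED))
```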
Now connect to the server and enter the recovered password:
$ nc sci.nuitduhack.com 4001
Sciteek protected storage #1
Enter your password: zApli8oW
<PSP version="1.99">
<MOTD>
<![CDATA[
Welcome on SciPad Protected Storage. The most secure storage designed by Sciteek. This storage protocol allows our users to share files in the cloud, in a dual way. This daemon has been optimized for SciPad v1, running SciOS 16bits with our brand new processor.
]]>
</MOTD>
<FLAG>
ea1670464251ea3b65afd624d9b17cd7
</FLAG>
<ERROR>
An unexpected error occured: PSP-UNK-ERR-001> application closed.
</ERROR>
</PSP>
The flag is: ea1670464251ea3b65afd624d9b17cd7
4 comments
Hi, team MoreSmokedLeetChicken
I am contacting your team about your recent qualification for the final challenge of the Nuit Du Hack. Before delivering your entrance to the event, I want to know if you will be at the event (Disneyland Paris) on June 23rd.
I can help you with any information about hotels or travel, transport in the city, visas etc.
You can contact me on @tif0x or by mail at tifox@hackerzvoice.net
Sorry for contacting you this way, but you didn't respond by mail.
For information, all expenses are your responsibility.
Cordially, Joris ‘Tifox’ Boquet
Author
Hello, Tifox!
Sorry for not responding, we are thinking of who will be able to visit the event :)
We will email you shortly.
Thanks
Hi,
No mail from you :'(
Okay, thanks for the reply :)
Cordially, Tifox