Showing posts from September, 2020

Tokyo Westerns CTF 2020 - writeups.

[*]-challenges
    [+] (Rev - 126 pts) Reversing iS Amazing
    [+] (Rev - 224 pts) Tamarin

Our team Invaders ended up in 21st position
in `Tokyo Westerns CTF 2020`, conducted by the `TokyoWesterns team`.



[Rev] Reversing iS Amazing. This is a warmup chall: we are given a file named `rsa`, a 64-bit executable.
Decompiled the executable with Ghidra. As the binary is dynamically linked, the external library function calls are still visible by name.
`BIO_new_mem_buf`, `d2i_PrivateKey_bio`, `EVP_PKEY_get1_RSA`, `RSA_private_encrypt`: those are OpenSSL library API calls, which we understood by going through the documentation and the code.
The binary contains an EVP key and a ciphertext.
The binary creates an RSA private key from the EVP key, then encrypts our input with it and compares the result against the ciphertext.
Dumped the EVP key and the ciphertext from the binary, then wrote a decrypting program using the same API calls (since we have the private key).
$ gcc rsa-reverse.c -o rev -lssl -lcrypto
$ ./rev
-----BEGIN PRIVATE KEY…

Alles CTF 2020 Writeups

[*]-challenges
    [+] (Rev - 137 pts) Flag Service Revolution
    [+] (Rev - 113 pts) prehistoric mario

Our team Invaders ended up in 21st position
in `Alles CTF - 2020`, conducted by the `Alles team`.

The reversing challs are interesting:
the first one is a Nintendo GameCube file, the second one is an APK game.


[Rev] Flag Service Revolution. Given a boot.dol file, a Nintendo GameCube executable. Opened it with dolphin-emu, then searched for how to disassemble .dol files and found this thread: https://mkwii.com/showthread.php?tid=1193 ; used Ghidra.

This is a stripped and statically linked binary, so it is hard to trace the functions.
Searched for the strings appearing in the app -> `Cross References` -> `main function FUN_8003d4c4`.

The Ghidra decompiled code is too messy with the stripped function names and variable names.
Anyway, went through the code and renamed the `variables` and the `functions` based on their arguments, codef…