Sunday, 25 June 2017

Trend Micro CTF Reversing 100 Writeup

Here is the writeup for Reversing 100 challenge in Trend Micro CTF 2017.

We are given an archive file called pocket. This in turn has a RAR file inside it called biscuit.

When we extract the contents of the RAR file, biscuit, we get the following 2 files:

biscuit1 - A PE32 executable
biscuit2 - A password-protected RAR archive

So, we need to use biscuit1 to find the password for the RAR archive, biscuit2.

When we execute biscuit1 from command line, we get the following text:

"Please find sweets name starting from m for biscuit2."

Now, we can debug the binary, biscuit1 to identify the hidden text.

After analyzing the subroutine at address 0x00401532, we can observe that it uses the charset "abcbdef" and the base Unicode string "fedabnorm" to construct a new string, "macaron", as shown in the screenshot below:

Based on the previous message displayed by the binary, we can see that this is the password for the RAR archive, biscuit2.

Once we extract the biscuit2 RAR archive contents, we have 3 files inside it:

biscuit3 - A JPG file
biscuit4 - A text file which provides a hint about the format of the flag. It says the flag needs to be in the format TMCTF{biscuit3_biscuit5}
biscuit5 - A PE32 binary

So, we know that there are 2 more flag parts hidden inside biscuit3 and biscuit5.

By debugging the binary biscuit5, we can see that the subroutine at address 0x0040150b uses the following to calculate the new string:

1. First 5 characters of the string: "biscuit".
2. The offsets: [0x1, 0x19, 0x16, 0x12, 0x3]
3. The charset: "abcdefghijklmnopqrstuvwxyz"

Each of the 5 characters is shifted forward through the charset by its offset (wrapping around at the end of the alphabet), and we get the new string "choux" as shown in the screenshot below:
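The following is an added re-implementation of that transformation in Python, not code from the challenge or from the original writeup. The inputs (the string "biscuit", the five offsets and the a-z charset) are taken from the analysis above; the function name and the assumption that the shift wraps modulo 26 are mine, chosen because they reproduce the observed result "choux".

```python
# Added example: reproduce the string derivation observed in biscuit5 at 0x0040150b.
# Each of the first five characters of "biscuit" is moved forward through the
# lowercase alphabet by the matching offset, wrapping around modulo 26.
# The function name and the wrap-around assumption are mine; only the inputs
# and the expected result "choux" come from the writeup.

CHARSET = "abcdefghijklmnopqrstuvwxyz"
BASE = "biscuit"
OFFSETS = [0x1, 0x19, 0x16, 0x12, 0x3]


def derive_password(base: str = BASE, offsets=OFFSETS, charset: str = CHARSET) -> str:
    """Shift the first len(offsets) characters of `base` by the given offsets."""
    out = []
    for ch, off in zip(base[: len(offsets)], offsets):
        idx = charset.index(ch)                          # position of the input char
        out.append(charset[(idx + off) % len(charset)])  # shift and wrap around
    return "".join(out)


if __name__ == "__main__":
    # 'b'+1 -> 'c', 'i'+25 -> 'h', 's'+22 -> 'o', 'c'+18 -> 'u', 'u'+3 -> 'x'
    print(derive_password())  # choux
```

Having the transformation in a script rather than only in the debugger means the derivation can be re-checked character by character: 'i' (index 8) plus 0x19 gives 33, which wraps to 7, i.e. 'h', which is where an off-by-one in reading the offsets would first show up.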

So, we have the first part of the flag.

For the second part of the flag, we need to analyze the JPG file. This was easy. We can check with binwalk that there is a ZIP archive hidden inside the JPG file at offset 0x37AD. We can extract this archive using binwalk as well.

Inside the ZIP archive is a file called biscuit.txt with the text "cream".
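As an added example (not the writeup's own steps, which used binwalk), the same carving can be done by hand in Python: scan for the ZIP local file header signature that binwalk keys on, then open the archive from that offset. The sample input is constructed here (a few JPEG marker bytes followed by an in-memory ZIP containing a biscuit.txt), so the offset it finds is the sample's, not the 0x37AD from the real biscuit3.

```python
# Added example: locate and carve a ZIP appended to a JPEG, the way binwalk
# reports it, using only the standard library. The sample "JPEG" below is
# constructed for the example and is not the real biscuit3.
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # ZIP local file header signature


def find_embedded_zip(data: bytes) -> int:
    """Return the offset of the first ZIP local file header in `data`, or -1."""
    return data.find(ZIP_LOCAL_HEADER)


def extract_embedded_zip(data: bytes) -> dict:
    """Carve the ZIP starting at the detected offset and return {name: bytes}."""
    offset = find_embedded_zip(data)
    if offset < 0:
        raise ValueError("no ZIP local file header found")
    with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def build_sample_jpeg_with_zip() -> bytes:
    """Constructed stand-in for biscuit3: JPEG SOI/APP0 bytes, filler, EOI, then a ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("biscuit.txt", "cream")
    # 0xFFD8 0xFFE0 is the start of a JFIF file; the zero filler stands in for
    # image data (not a decodable picture), and 0xFFD9 is the end-of-image marker.
    jpeg_prefix = b"\xff\xd8\xff\xe0" + b"\x00" * 60 + b"\xff\xd9"
    return jpeg_prefix + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_jpeg_with_zip()
    print(hex(find_embedded_zip(sample)))              # 0x42 for this constructed sample
    print(extract_embedded_zip(sample)["biscuit.txt"])  # b'cream'
```

A plain signature search can hit "PK\x03\x04" by chance inside compressed image data; binwalk applies the same signature scan but validates the header fields, so on a real file it is worth confirming the hit by checking that zipfile can actually read an archive from the reported offset, as extract_embedded_zip does.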

Now we have both parts of the flag, and putting them together gives TMCTF{cream_choux}.

But when you submit this flag, it is not accepted.

We need to put the parts of the flag together in reverse order. This might be a hint at the little-endian byte order of x86 processors :)

The correct flag is: TMCTF{choux_cream}