In this post I will cover the solution I used for the csaw2013reversing2.exe binary, which was the binary for the Reverse Engineering 200 challenge. Along with the name of the binary, the challenge had a description which was “We got a little lazy so we just tweaked an old one a bit”.
If you are interested in looking up last year’s challenge, my writeup for last year’s event can be found here.
Getting back to this year’s challenge, when the binary is run a message box opens containing a string of unreadable characters. The next step was to open the PE binary in IDA to get a better understanding of the binary’s execution flow and a possible solution for the challenge.
For due diligence I ran the commands “file” and “strings” on the file, in case strings could pick up the flag or anything else unexpected.
file csaw2013reversing2.exe
csaw2013reversing2.exe: PE32 executable (console) Intel 80386, for MS Windows
Looking at the main function, the program comes to a branch in execution, with the decision being determined by a JNZ (Jump Not Zero) instruction, which jumps if the zero flag (ZF) is not set. So I need to force execution to “loc_401096”; in this section of the program there is a call to the subroutine “sub_401000”, and once the program returns from this function the program exits. This means I need to look at the “sub_401000” subroutine.
We can see this function contains two loops and a branch in execution, and then returns to the main function. The last loop seems to be the decryption loop, which means I needed to direct execution to this point.
So I placed breakpoints in the following locations:
- On the “jnz short loc_401096” instruction in the main function.
- On the “jmp short loc_4010E” instruction after the “call sub_401000” instruction in the main function.
- On the “jz short loc_40102” instruction in the “sub_401000” function.
- On the “pop edi” instruction in the “sub_401000” function.
These breakpoints allow me to control the flow of execution and inspect the registers for the values after the loops in the “sub_401000” function.
After the loop was successfully passed, I inspected the EDX register which contained the flag for this challenge.
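The writeup above takes the wanted side of the JNZ in main by breaking on it in the debugger and steering execution from there. The same branch can be forced permanently by patching the binary on disk: a short JNZ is opcode 0x75 followed by an 8-bit displacement, and a short JMP is 0xEB with the same displacement layout, so overwriting the one opcode byte turns the conditional jump into an unconditional one while keeping the target. The script below is an added example written for this post, not code from the original writeup or from the challenge; it builds a constructed minimal PE32 image with a JNZ at a made-up address, converts that virtual address to a file offset through the section table, and applies the patch. The image base, section layout and addresses are all assumptions for the example, not values from csaw2013reversing2.exe.

```python
"""Force a JNZ branch in a PE32 file by patching jnz short (0x75) to jmp short (0xEB).

Added example: the sample PE built here is constructed for illustration and is
not the CTF binary; the addresses used are hypothetical.
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
JNZ_SHORT = 0x75   # jnz rel8
JMP_SHORT = 0xEB   # jmp rel8 (same one-byte displacement follows)


def parse_sections(data):
    """Return (image_base, [(name, va, vsize, raw_ptr, raw_size), ...]) from a PE image."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                    # PE32: ImageBase at +28
        image_base, = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                  # PE32+: ImageBase at +24
        image_base, = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic")
    sections = []
    off = opt + opt_size                                  # section table follows
    for _ in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, raw_ptr, raw_size))
        off += 40
    return image_base, sections


def va_to_file_offset(data, va):
    """Map a virtual address (as IDA shows it) to the offset of that byte in the file."""
    image_base, sections = parse_sections(data)
    rva = va - image_base
    for _name, sva, vsize, raw_ptr, raw_size in sections:
        if sva <= rva < sva + max(vsize, raw_size):
            return raw_ptr + (rva - sva)
    raise ValueError(f"address {va:#x} is not inside any section")


def force_branch(data, va):
    """Return a copy of the image with the jnz short at `va` turned into jmp short."""
    off = va_to_file_offset(data, va)
    if data[off] != JNZ_SHORT:
        raise ValueError(f"expected jnz short at {va:#x}, found opcode {data[off]:#04x}")
    patched = bytearray(data)
    patched[off] = JMP_SHORT          # displacement byte at off+1 is left as is
    return bytes(patched)


def build_sample_pe():
    """Constructed minimal PE32: one .text section at RVA 0x1000, file offset 0x200."""
    text = bytes([0x85, 0xC0,         # 401000: test eax, eax
                  0x75, 0x04,         # 401002: jnz short 401008   <- patch target
                  0x6A, 0x00,         # 401004: push 0
                  0xEB, 0x02,         # 401006: jmp short 40100A
                  0x6A, 0x01,         # 401008: push 1
                  0xC3]).ljust(0x200, b"\0")   # 40100A: ret
    dos = bytearray(0x40)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase (assumed)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200,
                       0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    return header + text


if __name__ == "__main__":
    pe = build_sample_pe()
    patched = force_branch(pe, 0x401002)
    off = va_to_file_offset(pe, 0x401002)
    print(f"file offset {off:#x}: {pe[off]:#04x} -> {patched[off]:#04x}")
```

Because the displacement byte is untouched, the patched jump lands on exactly the block the original JNZ would have taken, which is the same effect as flipping ZF at the breakpoint in the debugger, only persistent. The opcode check before patching matters: IDA's address must point at the jump's first byte, and a wrong offset would silently corrupt a different instruction.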