CSAW CTF Qual 2014 – csaw2013reversing2.exe Writeup

This post I will be covering my solution I used for the csaw2013reversing2.exe binary which was the binary for Reverse Engineering 200 challenge. Along with the name of the binary, the challenge had a decision which was “We got a little lazy so we just tweaked an old one a bit”.

If you are interested in looking up last year’s challenge, my writeup for last years event can be found here.

Getting back to this years challenge, when the binary is ran a message box is open containing a string of unreadable characters. Next step was to open the PE binary in IDA to get a better understanding of binary execution flow and a possible solution for the challenge.

For due diligence I ran the commands “file” and “strings” on the file, in case strings could pick-up the flag or anything else unexpected.

file csaw2013reversing2.exe 
csaw2013reversing2.exe: PE32 executable (console) Intel 80386, for MS Windows


Screenshot of the main function in IDA.

Looking at the main function, the program comes to a branch in execution with the decision being determined by a JNZ (Jump Not Zero) instruction which will jump of the Z flag is not set to “0”. So I need to force the to “loc_401096”, in this section of program there is a call to a subroutine “sub_40100”, once the program returns from this function the program exits. This means I need to look at the “sub_401000” subroutine.


Screenshot of the sub_401000 function in IDA.


We can see this function contains 2 loops and a branch in execution and then returns back to the main function. The last loops seems to be decrypting loop, which means I needed to direct the execution to this point.

So I placed a breakpoint in the following locations:

  • On the “jnz short loc_401096” instruction in the main function.
  • On the “jmp short loc_4010E” instruction after the “call sub_401000” instruction in the main function.
  • On the “jz short loc_40102” instruction in the “sub_401000” function.
  • On the “pop edi” instruction in the “sub_401000” function.

These points allow me to control the flow of execution and inspect the registers for the value after the loops in the “sub_401000” function.


The flag was successfully decrypted and found.

After the loop was successfully passed, I inspected the EDX register which contained the flag for this challenge.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s