Description:
1
2
Our team wants to use this Really Awesome Console Application, but they don't want to pay
for it. Can you help them crack it and generate a license key for the username John Smith?
We are only given the program as a 32 bit EXE and the IP:Port of the real service.
Static Analysis
I started this challenge the way I start most pwn/reverse problems. Running it to get some idea of “normal operation”.
From this we can see a pretty simple prompt for a name, followed by the license key associated with that name. Based on this and the challenge description it sounds like there must be some relationship between the value of name and the correct key.
After running the application, I moved to static analysis. I ran strings against the binary I was given.
Besides an obvious Rick Roll (nice try) the one thing I noticed was the lack of text. I can see the prompt for Press any key to continue... But I’m not seeing anything about Enter your name or Enter License key. This is something I kept in mind going forward with this challenge. The other piece of information I gained from this was the fact that there appears to be debug detection built in. We can see the string Debugger detected! which presumably would be printed if we attempted to do dynamic analysis with GDB.
Now, I moved on to decompiling and reversing this binary. I threw it into Ghidra to get a basic overview.
I was able to track down the main function and see the prompt for pressing a key to continue. However, that was about it. I didn’t see any instructions that would be prompting for user input or doing any sort of calculation of keys. One thing I did see was a couple calls to system() and remove() with the same local_48 variable. This made me think the program was creating and then removing another separate file. I renamed that local variable and searched for other references to it in the code.
My suspicions were confirmed when I saw a call to tmpnam_s() along with a strcat_s() call that appended .exe to the end of that tmp name. After seeing this I started looking around in Windows for this new tmp file.
I ended up finding the new file in C:\Users\David\AppData\Local\Temp. It had a random temp name and was another 32 bit executable. While the program was running I copied that file out of temp and pulled it into Ghidra for a closer look.
Here I was finally able to see the prompts for input and the correct and incorrect key responses. At first glance I was also able to find a format string that showed the proper formatting for the license keys RA-%d-%s. I spent some time trying to reverse this code by hand and understand what logical operations were being performed on the name to get to the key. However, there were several variables that didn’t get decompiled correctly and I wasn’t able to see their initial values. To get around this, I moved on to dynamic analysis.
Dynamic Analysis
I found an awesome new tool called x64dbg that looked like it would work perfectly for windows based debugging. I downloaded, installed, and loaded the exe into it. On my first several attempts to step through the code it exited immediately. That’s when I remembered the debugger checks that were probably killing the execution right at the start.
After a little bit of searching I was able to find this call to a function that looked like it was checking for debug status. I was able to go into this function call and set a breakpoint right before a specific comparison and change the value of the $eax register in order to pass this check every time.
With that debug check out of the way. I entered John Smith as the name and started stepping through the program. I ended up seeing the generated key in memory right before the program ended with the incorrect key I had entered.
This showed RA-1100-JHRMT as the correctly generated key. I threw that into the service running on the game port and sure enough, I got back the flag!
1
ractf{uhhhh I didn't get a screen shot of the flag oops}
This challenge was a lot of fun and introduced me to a new tool that is going to be my new goto for exe debugging!