# Hack.lu 2013: ELF

We encountered a drunk human which had this binary file in his possession. We do not really understand the calculation which the algorithm does. And that is the problem. Can you imagine the disgrace we have to suffer, when we robots, based on logic, can not understand an algorithm? Somehow it seems that the algorithm imitates their masters and behaves …. drunk! So let us not suffer this disgrace and reverse the algorithm and get the correct solution.

This was a weird one. The binary takes a parameter, and tells you if it is a correct flag. Opening the file in IDA, it seemed straightforward enough, a couple of reversible transformations on the input string mostly XORing in constants or different bytes together, a sleep(1s) here and there, and a check at the end if the result matched a couple of hardcoded numbers.

In a number of operations, an integer value was factored in which was set to different static values in the process. There was also an anti debugging function which changed this number if it detected a ptrace or LD_PRELOAD. Skiping that was no problem, but the value still kept incrementing all the time. We found the responsible code with a watchpoint, but at that point we couldn’t figure out where the responsible thread was spawned. We later found out the elf header was manipulated in a way readelf and ida didn’t recognize, but the elf loader did. The challenge author squall published the ElfParserLib library he used for that purpose after the ctf.

Since we didn’t really care about where it was changed from, but only what it was changed to, we traced the values of the variable at each point it was read. We used the pint library to get accurate timings while avoiding the anti-debugging code. Using those traced values, we ended up with our reversed code:

We were fairly certain with our values. Still, the flag this program outputs contained non-printable characters: ^QOeur5brhIOumB^UP. This was especially weird since the unaltered reverse_me binary said this flag was correct even with the non-printable characters, and since all operations were reversible there was no way this could have been a collision. Curiously, our flag did not verify on an older 32 linux.

As it turned out the application used a self-ptrace trick which didn’t work since ubuntu 10.10 and thus the debug/timing variable (we called it modval for some reason) was off.

So first we simplified the algorithm to the following loop, preserving modval as a variable in appropriate places:

This leaves us with three values for modval[i] and the key for bruteforcing. The key is the result of the first two debug values xored. We used the following tool to find all valid [A-Za-z0-9] inputs that would be valid for some time value sequence.

There were a couple hundreds of such outputs with one class of notable ones:

After some shifting (from 4voidsectionsld to ld4voidesctions), one of those outputs was the right one.