EBCTF Finals 2013 – Bin300

We’re given a 64-bit ELF file with debug information for this challenge. Opening it up in IDA, we see that it is just a wrapper for embedded Lua. There’s a very simple decryption routine (a byte-wise XOR against a rolling counter) that is run on a “content_2593” array, and the decrypted buffer is then passed to luaL_loadbuffer. The operators say it was intended to be compiled Lua bytecode, which is what I was initially expecting. I didn’t have a 64-bit Linux VM at the time of the CTF (which would have made for a very quick solve: just set a breakpoint where the code is decrypted), so I wrote this C++ implementation of the asm decryption loop:

#include <stdio.h>
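/*
 * Obfuscated payload copied out of the challenge binary (the writeup calls
 * the source array "content_2593"): 487 bytes that decode to Lua source.
 *
 * The page this listing came from had wrapped the initializer in the middle
 * of a token ("0xE" / "A"), which does not compile; the byte is 0xEA and is
 * written whole here. Rows are 16 bytes wide so offsets are easy to read.
 *
 * The array is deliberately writable: main() decodes it in place.
 */
unsigned char content[] = {
    0x26,0x62,0x13,0x3A,0x33,0xC6,0xEF,0xFB,0x87,0x92,0xBD,0x4D,0x6C,0x35,0x1E,0x17,
    0x36,0x37,0xD8,0xE9,0xF4,0x83,0x94,0x80,0x1F,0x0D,0x60,0x4D,0x54,0x7B,0x8A,0x8F,
    0xFE,0xE0,0xEB,0xF4,0xF2,0x17,0x2C,0x6A,0x4F,0x4D,0x7B,0x88,0xC6,0xA2,0xDF,0xD9,
    0xE5,0xF5,0x01,0x28,0x22,0x08,0x3E,0x28,0xDF,0xE8,0xA7,0xD5,0x88,0xF4,0x12,0x1F,
    0x25,0x2A,0x06,0x33,0x0C,0x82,0xBF,0xB9,0xC5,0xD5,0xE1,0x08,0x02,0x6F,0x57,0x45,
    0x38,0x70,0x8B,0xBB,0xA2,0x9A,0xB7,0x80,0x1F,0x04,0x6E,0x49,0x52,0x60,0x97,0x84,
    0xB1,0xEC,0xC2,0xFF,0xE8,0x5A,0x2E,0x2B,0x45,0x51,0x79,0x95,0x94,0xB6,0x97,0x8A,
    0xE8,0xBF,0x4E,0x69,0x74,0x12,0x6A,0x62,0x93,0x8C,0xC4,0x9A,0x86,0xB2,0x5E,0x1A,
    0x24,0x2B,0x40,0x6E,0x2E,0xD0,0x89,0xB8,0xD9,0xCC,0xE9,0x5B,0x44,0x7B,0x34,0x0A,
    0x36,0x22,0xCE,0xA8,0xA3,0xC6,0xEB,0xF8,0x18,0x42,0x7E,0x30,0x43,0x7C,0x9A,0xE0,
    0xDC,0xB4,0x8E,0xA7,0xA6,0x15,0x54,0x2B,0x5A,0x52,0x66,0x9B,0xC6,0xEF,0x9E,0x88,
    0xA6,0xB3,0x5C,0x69,0x72,0x07,0x28,0x3D,0xCE,0xDB,0xAF,0xD8,0xC5,0xF6,0x1B,0x0C,
    0x74,0x48,0x48,0x75,0x74,0xD2,0xB2,0xA5,0xD9,0xD2,0xAE,0x47,0x57,0x7E,0x0D,0x18,
    0x36,0x66,0x81,0xD0,0xE6,0x92,0xBE,0xAA,0x00,0x42,0x73,0x1A,0x50,0x32,0xD4,0xCA,
    0xB1,0xC8,0x8E,0xBA,0xA6,0x52,0x28,0x6A,0x0B,0x02,0x78,0xDA,0xC3,0xF2,0xCE,0xA0,
    0xB6,0xA2,0x4E,0x7A,0x34,0x12,0x23,0x2A,0x80,0xC2,0xEB,0x9A,0x97,0xA4,0x74,0x4A,
    0x76,0x62,0x0E,0x7D,0x69,0x9D,0xBA,0xEA,0x8B,0x82,0xFD,0x0E,0x14,0x3B,0x50,0x4D,
    0x38,0x71,0x9B,0xB8,0xEE,0xD3,0xF2,0xFA,0x1E,0x03,0x62,0x48,0x0D,0x23,0xD2,0x98,
    0xFD,0xF3,0x87,0x90,0xA6,0x52,0x7E,0x6A,0x5F,0x44,0x2E,0x9D,0x89,0xBD,0xDA,0x8A,
    0xE8,0xBF,0x4E,0x29,0x32,0x40,0x77,0x64,0x91,0xCC,0xBD,0xCF,0xC4,0xBA,0x0E,0x0B,
    0x25,0x31,0x59,0x75,0x74,0x96,0xF2,0xA6,0xD9,0xCD,0xFE,0x56,0x0A,0x3D,0x51,0x5A,
    0x3F,0x22,0x9A,0xB2,0xA3,0xDC,0x94,0xAA,0x56,0x42,0x6E,0x1A,0x06,0x32,0xDE,0x9A,
    0xA4,0xAB,0xC0,0xEE,0xAE,0x50,0x09,0x38,0x59,0x4C,0x69,0xDB,0xC4,0xFB,0xB4,0x8A,
    0xB6,0xA2,0x4E,0x7A,0x66,0x12,0x3E,0x78,0x93,0x96,0xBB,0xC8,0xC8,0xB2,0x4E,0x60,
    0x76,0x62,0x0E,0x3A,0x63,0x9C,0xBA,0xC0,0xD3,0xCC,0xEA,0x70,0x16,0x20,0x57,0x44,
    0x62,0x2A,0xCC,0x8D,0xA3,0xDE,0xF2,0xAA,0x12,0x0D,0x20,0x5F,0x0A,0x32,0x8A,0x82,
    0xB3,0xE2,0xC8,0xF6,0xE7,0x15,0x7E,0x23,0x45,0x18,0x2E,0x9F,0x84,0x91,0xEA,0xEC,
    0xED,0xA0,0x40,0x74,0x36,0x53,0x6D,0x79,0x81,0x8D,0xBC,0xDE,0x88,0xBC,0x5C,0x17,
    0x74,0x6B,0x24,0x37,0x2B,0xD2,0xB8,0xFA,0x84,0x90,0xBD,0x49,0x07,0x31,0x5F,0x1E,
    0x2E,0x31,0xD7,0xEB,0xF4,0x86,0xFB,0xEF,0x40,0x04,0x28,0x5B,0x11,0x24,0xC8,0xD2,
    0xEE,0xF1,0xCD,0xAE,0xB1,0x17,0x54
};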
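/*
 * Decode `content` in place and print the result as space-separated hex.
 *
 * Every byte is XORed with a one-byte rolling key: the key starts at 86,
 * is reduced modulo 256 before use, and advances by 236 after each byte.
 * The key schedule is fixed and carries no secret, so this is obfuscation
 * rather than encryption: anyone holding the bytes can recover the payload.
 *
 * The earlier version reproduced the key reduction with inline assembly
 * (sar 31 / shr 24 / add / and 0xFF / sub). That sequence computes a signed
 * `x % 256`, so it is written in C here. The asm also wrote to a register
 * passed as an input-only operand, which GCC extended asm does not permit,
 * and it only assembled on x86.
 *
 * Output is hex rather than raw bytes, so whatever the buffer decodes to is
 * never interpreted by the terminal.
 *
 * Returns 0.
 */
int main(void) {
    int counterb = 86; /* initial key value */

    /* content is an array of unsigned char, so sizeof is its element count
     * (487 for the array in this file, matching the old `i <= 486` bound). */
    for (size_t i = 0; i < sizeof content; i++) {
        /* Signed remainder, exactly what the asm sequence produced; the key
         * never goes negative here, so this is also just the low byte. */
        counterb %= 256;

        content[i] = (unsigned char)(counterb ^ content[i]);
        printf("%02x ", content[i]);

        counterb += 236;
    }
    return 0;
}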

Decryption loop in binary

The end result is this Lua, with the flag at the bottom:

-- Password check as recovered from the decoded buffer (shown verbatim).
-- The expected password is derived only from the constants p and g below,
-- so everything needed to reproduce it ships inside the program itself:
-- the check provides no secrecy once the script text is readable.
p = 54111037
g = 56321
io.write("Enter your password: ")
io.flush()
password=io.read()
-- Only inputs of exactly 32 characters go on to the per-character check.
if string.len(password) ~= 32 then
print("Wrong!")
return 0
end
-- v starts at g and is multiplied by g modulo p once per round.
v = g
alpha = "0123456789abcdef"
for loop =1,32 do
v = v * g
v = v % p
-- v % 16 picks one hex digit from alpha (the +1 is for 1-based indexing).
r = v % 16
good = string.sub(alpha,r+1,r+1)
-- Compare against the character at the same position; stop at the first mismatch.
if good ~= string.sub(password,loop,loop) then
print("Wrong!")
return 0
end
end
-- Reached only when all 32 characters matched; the flag is the password itself.
print("Well done, the flag is: ebCTF{"..password.."}")
-- Comment present in the recovered script; the writeup identifies this value as the flag.
-- f02233aca4839124ee6ffa766883c47e