
[Plaid 2014] forensic : bbos

bbos

```
Forensic : bbos
-----------------------------------------------------
You have traveled back in time, but look, hunting The Plague is tough. You're really just going back to relax for a while
without having to worry about all that nonsense. As you walk in the park you stumble across someone's BlackBerry.
Wow, people still use BlackBerry phones (time travel gets so confusing)? You figure you should return it to the owner,
but you have a hard time getting inside. Figure out what's on the phone, and maybe we'll be able to return it to the rightful owner.
```

A BlackBerry simulator is given with the challenge. Running it brings up exactly the screen I expected: "Enter Password".

(You can start the simulator by simply running 9930.bat.)


So the task is to find out what the password is.


Having no better idea at first, I attached IDA to the fledge.exe process and found some useful functions related to the password:


- RimVerifyPasswordAPI

- RimVerifyPasswordsAPI

- RimGetPasswordFailureCountAPI


The RimVerifyPassword* functions point to 0x10013dd0 (which I named Verify_Password):

```c
int __cdecl Verify_Password(int a1, int a2)
{
  int v2; // eax@1
  int result; // eax@2
  char v4; // [sp+0h] [bp-80h]@1 : start of a 128-byte stack buffer

  // presumably fetches the stored password record (id 0x2801) into the 128-byte buffer
  v2 = (unk_104FD0B0)(0x2801, &v4, 128);
  if ( v2 )
  {
    // hand the record and the supplied password (a1, a2) to the actual check
    result = (unk_10013C50)(v2, a1, a2, 1);
  }
  else
  {
    (unk_104FCF72)(&unk_68037B); // error path: record could not be fetched
    result = 0;
  }
  return result;
}
```

A few instructions later I reached the function below, which works on some processed data that is 20 bytes long.

I guessed that this 20-byte value is a SHA-1 hash, because the password would be compared in hashed form.

```c
// Despite the name, this walks two 20-byte buffers in lockstep and returns 1
// only if all 0x14 bytes match; a2 is the second buffer, addressed relative to a1.
signed int __usercall custom_memcpy@<eax>(_BYTE *a1@<edi>, int a2)
{
    unsigned int len; // eax@1
    _BYTE *v3; // ecx@1

    len = 0;
    v3 = a1;
    while ( v3[a2 - a1] == *v3 ) {   // compare byte at a2+len with byte at a1+len
        ++len;
        ++v3;
        if ( len >= 0x14 )
            return 1;                // all 20 bytes equal
    }
    // first mismatch: log its position and the two differing bytes
    sub_104FCF48(&unk_680304, len, *(len + a2), a1[len]);
    return 0;
}
```

And the 'processed data' I found was the following (google the hash and you get the plaintext):

```
SHA-1 Hash : 3E270F54C6EB3175B4EF8B20080795EF2EE15589 -> fuckfuckfuckyouhahaha
```
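To make the check above concrete, here is an added Python model of it (not code from the challenge or the simulator): the candidate password is SHA-1 hashed and compared against a stored 20-byte digest with the same early-exit loop as the decompiled routine, next to a constant-time variant a defender would use instead. The stored digest and the password "example-password" are constructed for the example; PAGE_DIGEST is the hash recovered on the page.

```python
import hashlib
import hmac

# Constructed for this example: a stored 20-byte SHA-1 digest of a known password.
STORED_DIGEST = hashlib.sha1(b"example-password").digest()

# The digest recovered from the simulator's memory, as quoted above.
PAGE_DIGEST = bytes.fromhex("3E270F54C6EB3175B4EF8B20080795EF2EE15589")


def leaky_compare(candidate: bytes, stored: bytes) -> tuple:
    """Mirror the decompiled loop: compare both buffers byte by byte, stop at the
    first mismatch, return 1 only after 0x14 (20) equal bytes.
    Returns (result, bytes_matched); bytes_matched is exactly the position the
    original passed on to its logging call."""
    matched = 0
    while matched < 20 and candidate[matched] == stored[matched]:
        matched += 1
        if matched >= 0x14:
            return 1, matched
    return 0, matched


def verify_password(password: str, stored: bytes = STORED_DIGEST) -> bool:
    """SHA-1 the candidate and compare with the early-exit loop, as the device does."""
    digest = hashlib.sha1(password.encode()).digest()
    return leaky_compare(digest, stored)[0] == 1


def verify_password_constant_time(password: str, stored: bytes = STORED_DIGEST) -> bool:
    """Hardened form: the comparison neither stops early nor reports the mismatch
    position, so nothing about the stored digest leaks through timing or logs."""
    digest = hashlib.sha1(password.encode()).digest()
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    print("constructed password accepted:", verify_password("example-password"))
    print("wrong password, bytes matched :", leaky_compare(hashlib.sha1(b"wrong").digest(), STORED_DIGEST))
    # check the plaintext found for the page's digest against that digest
    print("page plaintext accepted        :", verify_password("fuckfuckfuckyouhahaha", PAGE_DIGEST))
```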

Enter that password and the flag can be found in Contacts.

So the flag is fuckfuckfucky0uh4h4h4


P.S.: You can also find that data in 9930-nv.dmp.
