Hacking Series Part 10

Challenge: reverse_cipher

Category: reverse engineering

We are given a binary named “rev” and a text file named “rev_this”. If you look at the contents of rev_this, you can see the output of rev, or an encoded flag. When I opened rev in IDA, I saw that two files were needed in order for rev to run: “flag.txt” and “rev_this”.

Flag.txt is opened in read mode, and rev_this is opened in append mode, which confirms that the output of rev is stored in rev_this each time it is run. The binary takes the original flag in flag.txt, encodes it, then appends it. After this, there are a few assembly instructions that deal with error handling if any of these files are missing. If they happen to be missing, the program exits.

Next, a block of assembly reads 24 characters from flag.txt, then sets a counter from 0 to 7.

This initiates a loop. A single character is appended to rev_this without any encoding, then the counter increments and execution is sent back to the beginning of the loop. This happens for a total of 8 times. Judging by this loop, these first 8 characters are likely the beginning of the flag, and are unmodified in order to preserve flag format. Next, another counter is initiated and set from numbers 8 to 22.

If this counter reaches 23, it appends the last character of the flag format, the “}”. If less than or equal to 22, it stores the counter in eax, then preforms a bitwise and operation on it. If the result of the and operation is not 0, then it jumps to loc_126F, and if it is 0, execution continues.

If you and any even number with 1, the result will be 0. If you and any odd number with 1, the result will be 1. So essentially, the characters of all odd numbers of the counter go to loc_126F, and the even number characters go to the next instruction. If the number is even, the corresponding character will be added to by 5, as seen in the above loop. If the number is odd, the corresponding character will be subtracted by 2.

Then, the character will be appended to rev_this. This whole process serves as an encoding scheme, but is very easy to reverse since we know what’s happening to each character. If you look at the given encoded flag, you subtract the first encoded char by 5 (at index 9), then add to the next char by 2, then subtract the next char by 5, and so on. This goes on until you decipher the original flag.

picoCTF{r3v3rs37ee84d27}