Mga Pahina

Saturday, January 27, 2024

inBINcible Writeup - Golang Binary Reversing

This file is an 32bits elf binary, compiled from go language (i guess ... coded by @nibble_ds ;)
The binary has some debugging symbols, which is very helpful to locate the functions and api calls.

GO source functions:
-  main.main
-  main.function.001

If the binary is executed with no params, it prints "Nope!", the bad guy message.

~/ncn$ ./inbincible 
Nope!

Decompiling the main.main function I saw two things:

1. The Argument validation: Only one 16 bytes long argument is needed, otherwise the execution is finished.

2. The key IF, the decision to dexor and print byte by byte the "Nope!" string OR dexor and print "Yeah!"


The incoming channel will determine the final message.


Dexor and print each byte of the "Nope!" message.


This IF, checks 16 times if the go channel reception value is 0x01, in this case the app show the "Yeah!" message.

Go channels are a kind of thread-safe queue, a channel_send is like a push, and channel_receive is like a pop.

If we fake this IF the 16 times, we got the "Yeah!" message:

(gdb) b *0x8049118
(gdb) commands
>set {char *}0xf7edeef3 = 0x01
>c
>end

(gdb) r 1234567890123456
tarting program: /home/sha0/ncn/inbincible 1234567890123456
...
Yeah!


Ok, but the problem is not in main.main, is main.function.001 who must sent the 0x01 via channel.
This function xors byte by byte the input "1234567890123456" with a byte array xor key, and is compared with another byte array.

=> 0x8049456:       xor    %ebp,%ecx
This xor,  encode the argument with a key byte by byte

 The xor key can be dumped from memory but I prefer to use this macro:

(gdb) b *0x8049456
(gdb) commands
>i r  ecx
>c
>end
(gdb) c

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x12 18

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x45 69

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x33 51

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x87 135

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x65 101

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x12 18

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x45 69

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x33 51

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x87 135

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x65 101

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x12 18

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x45 69

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x33 51

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x87 135

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x65 101

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x12 18

The result of the xor will compared with another array byte,  each byte matched, a 0x01 will be sent.

The cmp of the xored argument byte,
will determine if the channel send 0 or 1


(gdb) b *0x0804946a
(gdb) commands
>i r al
>c
>end

At this point we have the byte array used to xor the argument, and the byte array to be compared with, if we provide an input that xored with the first byte array gets the second byte array, the code will send 0x01 by the channel the 16 times.


Now web have:

xorKey=[0x12,0x45,0x33,0x87,0x65,0x12,0x45,0x33,0x87,0x65,0x12,0x45,0x33,0x87,0x65,0x12]

mustGive=[0x55,0x75,0x44,0xb6,0x0b,0x33,0x06,0x03,0xe9,0x02,0x60,0x71,0x47,0xb2,0x44,0x33]


Xor is reversible, then we can get the input needed to dexor to the expected values in order to send 0x1 bytes through the go channel.

>>> x=''
>>> for i in range(len(xorKey)):
...     x+= chr(xorKey[i] ^ mustGive[i])
... 
>>> print x

 G0w1n!C0ngr4t5!!


And that's the key :) let's try it:

~/ncn$ ./inbincible 'G0w1n!C0ngr4t5!!'
Yeah!

Got it!! thanx @nibble_ds for this funny crackme, programmed in the great go language. I'm also a golang lover.


Related posts


  1. Hacker Tools Linux
  2. Pentest Tools Website
  3. Hacks And Tools
  4. Pentest Tools Port Scanner
  5. World No 1 Hacker Software
  6. Pentest Tools Website
  7. Hacker Techniques Tools And Incident Handling
  8. Hacks And Tools
  9. Best Pentesting Tools 2018
  10. Hacker Tools List
  11. Pentest Tools Github
  12. Hacker Techniques Tools And Incident Handling
  13. Hacking Tools For Windows Free Download
  14. Hacking Tools Software
  15. Pentest Tools For Mac
  16. Pentest Tools Website
  17. Top Pentest Tools
  18. Hacks And Tools
  19. Hack Tools
  20. Tools Used For Hacking
  21. Hacking Tools Free Download
  22. Pentest Reporting Tools
  23. Pentest Tools
  24. Wifi Hacker Tools For Windows
  25. How To Install Pentest Tools In Ubuntu
  26. Hacker Tools Apk
  27. Pentest Tools Android
  28. Wifi Hacker Tools For Windows
  29. Hacker Tool Kit
  30. Hacking Tools Kit
  31. Tools For Hacker
  32. Pentest Tools Find Subdomains
  33. Pentest Tools Linux
  34. Install Pentest Tools Ubuntu
  35. What Are Hacking Tools
  36. Hacker Tools Github
  37. Pentest Tools Website Vulnerability
  38. Hacking Tools For Windows Free Download
  39. Wifi Hacker Tools For Windows
  40. Hacker Tools Apk Download
  41. Hacker Tools 2019
  42. Hacking Tools Hardware
  43. Hacker Tool Kit
  44. Hacker Tools 2020
  45. Hacker Tools Online
  46. Hacking Tools For Pc
  47. Pentest Tools Android
  48. Pentest Tools Android
  49. Hack Tools For Games
  50. Hack Rom Tools
  51. Hacking App
  52. Hacking Tools Usb
  53. Best Hacking Tools 2019
  54. Hacking Tools Github
  55. Hacker Tools Free Download
  56. Hacker Tools Apk
  57. Pentest Tools Online
  58. Hacking Tools 2019
  59. Pentest Tools Windows
  60. Pentest Tools Free
  61. Pentest Tools Subdomain
  62. Hack Apps
  63. Hacking Tools Online
  64. Hacker Tools Windows
  65. Pentest Automation Tools
  66. Pentest Tools For Mac
  67. Pentest Tools Apk
  68. Hack Tools Download
  69. Tools 4 Hack
  70. Game Hacking
  71. Hacking Tools Kit
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)