QUALS_NDH 2k15 | Mass Surveillance Software 300 [WRITEUP]

For this funny challenge, a .exe was given.

• In the first place, we check for packers by using Protection iD :

Actually we don’t need to unpack it as we’ll just attach Ollydbg to the process.
Then we put a memory breapoint at 0x400000, then just move the window to trigger the breakpoint. (Do not forget to remove the breakpoint then.)
We land in the middle of our target, we can see an interesting call by just scrolling up :

• Everywhere in the crackme, there is this trick :
  

You just need to press F7 to get the clear assembly.
You’ll see ecx, eax and edx being set to some values :

• Then two loops :

– Loop for 0x401000 function :

Then the result is moved to ebx.

– Loop for 0x40116E function :

Then the result is moved to ecx.

• We get some conditional jumps :

---

So, now we know that :

– The serial is 0xe characters.
– Start with M
– ‘d’ in 8th
– 6 characters which gave use 0x8AD3629B through 0x401000
– 6 characters which gave use 0x25B978C2 through 0x40116e

Let’s BF our two missing parts:

0x401000 :

 
#include <stdio.h>
#include <stdlib.h>


unsigned long lrotl(unsigned long value,unsigned char rotation)
{
return (value<<rotation) | (value>>(32- rotation));
}
unsigned long lrotrl(unsigned long value,unsigned char rotation)
{
return (value>>rotation) | (value<<(32- rotation));
}



int main()
{

	int sortir=0;
	char chaine[10] = {0};
	while(!sortir)
	{
		int ecx=5;
		unsigned int eax=0xC1AC0FF3;
		unsigned int edx=0xBADB0155;
		
		int read = fread(chaine,1,7,stdin);
		if(read!=7)
			sortir=1;
		for(;ecx>=0;ecx--)
		{
			unsigned char al =  eax amp; 0xFF;
			al^=*(unsigned char*)(chaine+ecx);
			int tempeax= eax amp; 0xFFFFFF00;
			eax = tempeax + al; // XOR AL,BYTE PTR DS:[ECX+403009]
			eax=lrotl(eax,7); // ROL eax,7
			eax*=edx;
			eax=~eax;
			eax*=edx;
			eax=lrotrl(eax,2);
		}
		if(eax==0x8AD3629B)
			printf(quot;%squot;,chaine);
	}


}

0x40116E :

 
#include <stdio.h>
#include <stdlib.h>



unsigned long lrotl(unsigned long value,unsigned char rotation)
{
return (value<<rotation) | (value>>(32- rotation));
}
unsigned long lrotrl(unsigned long value,unsigned char rotation)
{
return (value>>rotation) | (value<<(32- rotation));
}



int main()
{

	int sortir=0;
	char chaine[10] = {0};
	while(!sortir)
	{
		int ecx=5;
		unsigned int eax=0x17A5F4CC;
		unsigned int edx=0x0B194553;
		
		int read = fread(chaine,1,7,stdin);
		if(read!=7)
			sortir=1;
		for(;ecx>=0;ecx--)
		{
			unsigned char al =  eax amp; 0xFF;
			al^=*(unsigned char*)(chaine+ecx);
			int tempeax= eax amp; 0xFFFFFF00;
			eax = tempeax + al; 
			eax=lrotrl(eax,2); 
			eax*=edx;
			eax=~eax;
			eax=lrotl(eax,7);
		}
		if(eax==0x25B978C2)
			printf(quot;%squot;,chaine);
	}



}

We use http://sourceforge.net/projects/crunch-wordlist/ to generate combinations.

./crunch 6 6 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ| ./soluce
bqXVdd
einHan <=
eGsZCm
fSYDes
tJluIA
wLkbna
DaJnzm
[...]

We have selected this collision among others because it makes « MeinHand ».

Handy is a cellphone and it was making sense with the challenge statement.
So we can get a more optimized bruteforce for the second part :

./crunch 6 6 -t y,@@@@ | ./soluce2
yKaput

That gives us the valid serial MeinHandyKaput

Enjoy.
— Tishrom