SharifCTF-2016/hi

From aldeid
Jump to navigation Jump to search
You are here
hi (200 points)

Description

The file (HI2.exe) is a Windows 32 bit executable.

MD5 b40650660cc41ce34bd15530eb666b13
SHA1 8dd906f847bc21078eeb95af69944a4d966eefec
SHA256 c586a82b3cb26fd26b31a1242f0107ca870b1fc485cb7422414ce40f2fbcd597
File PE32 executable (console) Intel 80386, for MS Windows

The description of the challenge says that the executable should be run in a very specific environment:

The Program is registerd for following system specification:
- Processor type: Intel Itanium-based
- Number of processors: 64
- Physical RAM => 128GB
- OS version: 12.2 Build 1200

Running the executable

Ensure you have installed Redistribuable Visual C++ for Visual Studio 2015. When run, the executable shows the following output:

C:\sharifctf>HI2.exe
Your system information is:
  OEM ID: 0
  Number of processors: 1
  Physical RAM => 2GB
  OS version: 6.1 Build 7601
The Program cannot run on this specification!

Analysis

Identify the packer

First of all, we should notice that the file is packed with VMProtect:

  • Very few strings, limited to DLL names
  • Very few imports (LoadLibrary, GetModuleHandle, ...)
  • 8 sections, 2 of which named .vmp* (.vmp0, .vmp1)
  • "The imports segment seems to be destroyed" warning message when loading executable into IDA-Pro

If not impossible to unpack, it seems very complex to reverse engineer VMProtect-ed executables. Rather than trying to unpack it, let's try to hook function calls in order to overwrite values returned by some functions.

We will setup our debugging environment as follows:

Configure OllyDbg and StrongOD as follows:

OllyDbg StrongOD

Identify interesting functions

We know that the program is gathering some information about our environment, likely provided by the following functions:

Pre-requisite Function
Processor type: Intel Itanium-based GetSystemInfo
Number of processors: 64 GetSystemInfo
Physical RAM => 128GB GlobalMemoryStatusEx
OS version: 12.2 Build 1200 GetVersion

Hooking GetSystemInfo

The GetSystemInfo function has the following syntax:

void WINAPI GetSystemInfo(
  _Out_  LPSYSTEM_INFO lpSystemInfo
);

Its parameter is actually a pointer to a SYSTEM_INFO structure, depicted as follows:

typedef struct _SYSTEM_INFO {
  union {
    DWORD  dwOemId;
    struct {
      WORD wProcessorArchitecture;
      WORD wReserved;
    };
  };
  DWORD     dwPageSize;
  LPVOID    lpMinimumApplicationAddress;
  LPVOID    lpMaximumApplicationAddress;
  DWORD_PTR dwActiveProcessorMask;
  DWORD     dwNumberOfProcessors;
  DWORD     dwProcessorType;
  DWORD     dwAllocationGranularity;
  WORD      wProcessorLevel;
  WORD      wProcessorRevision;
} SYSTEM_INFO;

The 2 parameters we want to modify are highlighted in yellow and should have the following values:

Parameter Desired Value Value (hex)
wProcessorArchitecture Intel Itanium-based (PROCESSOR_ARCHITECTURE_IA64) 0x6
dwNumberOfProcessors 64 processors 0x40

Now in OllyDbg, open the executable, press F9 once, then press Ctrl+G to search for GetSystemInfo, press F2 to set a software breakpoint and press F9 to reach the breakpoint.

Here is what it looks like once the breakpoint is reached:

  1. The breakpoint is reached (beginning of the GetSystemInfo function)
  2. Right click on the address of the pointer to the SYSTEM_INFO structure and select "Follow in dump"
  3. This is our structure at the beginning of the function
  4. identify the end of the GetSystemInfo function (RETN) and set a breakpoint here (F2). Press F9 to reach the end of the function.

Now at the end of the function, the structure can be modified as follows:

-----------------------------------------   -------------   --------------
structure                                   initial val.    modified val.
-----------------------------------------   -------------   --------------
typedef struct _SYSTEM_INFO {
    union {
        DWORD  dwOemId;
        struct {
            WORD wProcessorArchitecture;    00 00           06 00
            WORD wReserved;                 00 00           00 00
        };
    };
    DWORD     dwPageSize;                   00 10 00 00     00 10 00 00
    LPVOID    lpMinimumApplicationAddress;  00 00 01 00     00 00 01 00
    LPVOID    lpMaximumApplicationAddress;  FF FF FE 7F     FF FF FE 7F
    DWORD_PTR dwActiveProcessorMask;        01 00 00 00     01 00 00 00
    DWORD     dwNumberOfProcessors;         01 00 00 00     40 00 00 00
    DWORD     dwProcessorType;              4A 02 00 00     4A 02 00 00
    DWORD     dwAllocationGranularity;      00 00 01 00     00 00 01 00
    WORD      wProcessorLevel;              06 00           06 00
    WORD      wProcessorRevision;           03 3C           03 3C
} SYSTEM_INFO;
-----------------------------------------   -------------   --------------

Hooking GlobalMemoryStatusEx

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Hooking GetVersion

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Solution

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Comments

Keywords: sharif 2016 challenge reversing