Thursday, September 17, 2020

Brute-Force Flareon2015 Challenge#2 with Qiling

In the previous post we used Qiling to decode strings in Aisuru malware. Qiling's snapshot mode is a cool feature that can be used to take snapshots of the process at critical stages. Qiling can save information about the memory, CPU state, registers state etc. In this post we'll use the snapshot feature of Qiling to brute-force the Flareon 2015 challenge#2.

Running the binary we can see that its is looking for an input.

Looking at the Graph Overview in Cutter we can see that the binary is not very complex, has very few branches.

The binary while run take a input from the user and the input is run against a function at offset 0x00401084. At first the function checks if the user input is at least of length 0x25.

If the length compares correctly the program flow then gets into checking the input. It uses the input against the encoded blob to verify if the input tallies properly. We need not get into the details of this function except for few little bits to get our Qiling script to compute the flag for us.

We would be brute-forcing our way to finding the right input. This means that we need to mutate character by character in the input to find if the program is progressing forward. Checking the function that's responsible for checking our input we can identify that very address that can be used to check if our mutated input character is the right character.

The function does some computation on our input and gets to the decision making phase at address 0x004010ce. If the character in the input tallies we get into the positive branch and continue performing computation on the next character in the input or we get to the bad output where the failure message is displayed.

So this would only mean that if the program gets to address 0x004010d0 we have the right character input in our hands.

 We would be needing the following to get going with the Qiling script,

1. The start and end address of the function that's responsible for checking our input
    •, end=0x004010DE)
2. Hook address to check whether the character in our input is right
    •  ql.hook_address(check_input_chr, 0x004010D0)

3. A way to mutate the character in our input

4. A way to save the correct character in the input, save the registers, memory, CPU state

After knowing what's required we can start writing our Qiling script. The complete Qiling script looks like below,

When the script is run we should be seeing the flag revealing itself character by character yielding the flag -

No comments:

Post a Comment