Monday, June 17, 2013

"Best Reverser" at PHDays III — Developer's Overview

When we set about designing the contest, we wanted it to be interesting, difficult and feasible at the same time.

We believe that a good reverser should be able to read computer code, convert it into a clear algorithm, find mistakes and flaws in that algorithm and, if possible, exploit them. Besides, the code provided for analysis should resemble real production code.

64-bit Windows was chosen as the platform, because the Hex-Rays Decompiler makes everything easier on x86, while there were no decompilers for x64. And 64-bit applications have become commonplace anyway.

So a small program was developed with Qt (statically linked), and the executable came out at almost 10 MB. But is that unbearable for a talented reverser? According to feedback, though, the file size scared some participants off. On the other hand, Qt leaves a lot of useful information behind, and a reverser must know how to separate the wheat from the chaff...

The program required two dynamic libraries (msvcp110.dll and msvcr110.dll) to start. Some participants complained that the program terminated with an exception. The others either had a properly configured environment or were better motivated.

A username and a key were requested at the first stage. The program verified the data and reported success or failure. Except for Base64 decoding (which was easily identified by the alphabet string), the main check was written with OpenSSL. The library is convenient for a reverser because its source code is available, so almost any function name can be identified quickly.

The check function looked as follows in the source code:

#include <openssl/bn.h>

/* El_g, El_p and El_y are the ElGamal parameters embedded in the binary
 * (generator, 500-bit prime modulus and public key, big-endian byte arrays). */
phdInt checkDSAsig(BIGNUM *h, BIGNUM *r, BIGNUM *s) {
    BN_CTX *ctx = BN_CTX_new();
    BIGNUM *g = BN_bin2bn(El_g, sizeof(El_g), NULL);
    BIGNUM *p = BN_bin2bn(El_p, sizeof(El_p), NULL);
    BIGNUM *y = BN_bin2bn(El_y, sizeof(El_y), NULL);
    BIGNUM *v1 = BN_new();
    BIGNUM *v2 = BN_new();
    BIGNUM *t1 = BN_new();
    BIGNUM *t2 = BN_new();
    phdInt rc = 0;

    /* Accept when g^h == y^r * r^s (mod p). Note that r is never checked
     * against 0 < r < p before it is used. */
    if (BN_mod_exp(v1, g, h, p, ctx) && BN_mod_exp(t1, y, r, p, ctx) &&
        BN_mod_exp(t2, r, s, p, ctx) && BN_mod_mul(v2, t1, t2, p, ctx) &&
        0 == BN_cmp(v1, v2))
        rc = 1;

    BN_clear_free(t2);
    BN_clear_free(t1);
    BN_clear_free(v2);
    BN_clear_free(v1);
    BN_clear_free(y);
    BN_clear_free(p);
    BN_clear_free(g);
    BN_CTX_free(ctx);
    return rc;
}

Some knowledge of cryptography allows identifying this as a digital signature check by the ElGamal algorithm. The El_p modulus used in the operations is 500 bits long, and a signature with such parameters is considered strong. So there is no direct way to acquire the key.

A specific code branch verified whether the key consisted of 6 characters, calculated its SHA1 hash, and compared the first 8 bytes with the sequence {0xEE,0xD1,0xAC,0xA8,0xD0,0xCC,0xA3,0x3F}. There are only 2^36 6-character strings composed of the Base64 alphabet. If one went through all of them (which was unnecessary: one only needed to patch the branch condition), the Easter egg "PHDays" appeared.

After the egg was activated, the program started doing something very actively, but it was hardly possible to see the result. In each iteration a huge number not exceeding El_p was generated and multiplied by El_y modulo El_p, and the result was expected to be 313373. If that happened, the generated number was used as the key for the RC4 algorithm, and that key decrypted a string containing the correct ElGamal signature. In theory, the random number generator would at some point produce the byte sequence that is the necessary RC4 key, but the sun would sooner fall from the sky than that would happen. So we expected the participants to obtain the necessary RC4 key by computing the modular inverse of El_y with the extended Euclidean algorithm.

The valid ElGamal signature is not the solution of the first stage, because the name for which the signature had been generated contained zero bytes: "|<33p y0ur pr1v473 $3cr37\0\0\0". Such a string cannot be entered as a name: the zero bytes would be skipped.

Attentive cryptographers should have immediately noticed that the signature check code lacks the check required by the algorithm (0 < r < El_p). For this case, the Handbook of Applied Cryptography (section 11.66.iv) describes an attack that allows computing a signature for any message given only one valid signature. This attack yields a signature for any name the program accepts.
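The two points made above, the modular-inverse recovery of the RC4 key and the missing range check on r, can be demonstrated together. The following is an added example, not code from the contest binary or from Positive Technologies: it implements ElGamal signing with a small constructed prime (the contest used a 500-bit El_p; 2^127 - 1 is used here so it runs instantly), a verifier that mirrors checkDSAsig without the range check, and the HAC 11.64 verifier that rejects r outside 1..p-1. The hash function (SHA-1 of the raw username) and the base g are assumptions. The out-of-range value r' = r + p(p-1) is the same as r modulo both p and p-1, so the unchecked verifier accepts it while the strict one rejects it; that difference is exactly what the HAC note builds on.

```python
import hashlib
import secrets

# Constructed toy parameters: p is the Mersenne prime 2**127 - 1, g an arbitrary base.
P = (1 << 127) - 1
G = 3


def egcd(a, b):
    """Extended Euclid: return (g, u, v) with a*u + b*v == g == gcd(a, b)."""
    u0, u1, v0, v1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return a, u0, v0


def modinv(a, m):
    """Inverse of a modulo m; raises if gcd(a, m) != 1."""
    g, u, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError("no inverse")
    return u % m


def hash_name(name: bytes) -> int:
    # Assumption: the signed message hash is SHA-1 of the raw username bytes.
    return int.from_bytes(hashlib.sha1(name).digest(), "big")


def keygen(p=P, g=G):
    """Return (private x, public y = g^x mod p)."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def sign(h, x, p=P, g=G):
    """Textbook ElGamal: r = g^k, s = k^-1 (h - x r) mod (p-1)."""
    while True:
        k = secrets.randbelow(p - 2) + 1
        if egcd(k, p - 1)[0] == 1:
            break
    r = pow(g, k, p)
    s = (h - x * r) * modinv(k, p - 1) % (p - 1)
    return r, s


def verify_weak(h, r, s, y, p=P, g=G):
    """Mirrors checkDSAsig from the post: g^h == y^r * r^s (mod p), no range check on r."""
    return pow(g, h, p) == pow(y, r, p) * pow(r, s, p) % p


def verify_strict(h, r, s, y, p=P, g=G):
    """HAC Algorithm 11.64: reject r outside 1..p-1 before evaluating the equation."""
    if not 0 < r < p:
        return False
    return verify_weak(h, r, s, y, p, g)


def recover_multiplier(y, target, p=P):
    """The x with x*y == target (mod p): target times the modular inverse of y."""
    return target * modinv(y, p) % p


if __name__ == "__main__":
    x, y = keygen()
    h = hash_name(b"alice")
    r, s = sign(h, x)
    print("valid signature, strict:", verify_strict(h, r, s, y))
    r2 = r + P * (P - 1)          # same residue mod p and mod p-1, but r2 >= p
    print("out-of-range r, weak:", verify_weak(h, r2, s, y),
          "strict:", verify_strict(h, r2, s, y))
    print("RC4-key style recovery works:", recover_multiplier(y, 313373) * y % P == 313373)
```

recover_multiplier is the computation the post expected for the first stage: given El_y and the required product 313373, the extended Euclidean algorithm yields El_y^-1 mod El_p and one multiplication finishes the job; no random search is needed.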

In the second stage, the key was not linked to the username. The key was Base64-decoded, then some peculiar operations were carried out on it, and the result should have been a byte array containing the substring "PHDays III validator ;)\0". At first we planned for the substring to be accepted at any position, but because of a code error (developers are human too), the match was checked only at the beginning of the output byte array.

The task was difficult because it also used elements of public-key cryptography, but they were implemented independently and in disguised form. In fact, the key was exponentiated modulo a big (1000-bit) number that was the product of two primes, which is the mathematics underlying the RSA cryptosystem. Exponentiation was implemented via Montgomery reduction, so the input number had to be converted to Montgomery form first.
The public exponent was 5 and, had the check been implemented correctly, computing the input secret would have required factoring a 1000-bit number, which is hardly feasible. However, because only a 24-bit substring was checked, one could take the 5th root of the required result (over the integers, not modulo the number), convert it according to the Montgomery algorithm, encode it in Base64, and thereby obtain the key for the second part.
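The reason the integer 5th root suffices is that if m^5 is smaller than the modulus, the "modular" exponentiation never reduces anything, so the output is fully predictable without knowing the factors. The following is an added example, not the contest's code: it abstracts away Base64 and the Montgomery conversion and shows the flawed prefix-only comparison beside a variant that compares the whole block. The modulus N is a constructed 1000-bit placeholder (its factorization is irrelevant here precisely because no reduction happens), and the zero-filled expected block in strict_check is an assumption chosen for illustration.

```python
# Constructed placeholder for the 1000-bit modulus (not the contest's value).
N = (1 << 999) | 0x2F1
E = 5
TARGET = b"PHDays III validator ;)\x00"   # 24 bytes, as in the post


def iroot(x: int, n: int) -> int:
    """Largest m with m**n <= x, by binary search (x >= 0, n >= 1)."""
    if x < 2:
        return x
    lo, hi = 1, 1 << ((x.bit_length() + n - 1) // n)   # hi**n >= x
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** n <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def block_size(n: int) -> int:
    return (n.bit_length() + 7) // 8


def weak_check(value: int, n: int = N) -> bool:
    """The flawed check from the post: only the leading bytes of value^E mod n are compared."""
    out = pow(value, E, n).to_bytes(block_size(n), "big")
    return out.startswith(TARGET)


def strict_check(value: int, n: int = N) -> bool:
    """Compare the entire block (assumed layout: TARGET followed by zero padding)."""
    size = block_size(n)
    out = pow(value, E, n).to_bytes(size, "big")
    return out == TARGET + b"\x00" * (size - len(TARGET))


def preimage_for_prefix(prefix: bytes = TARGET, n: int = N, e: int = E) -> int:
    """Smallest m whose e-th power, as a plain integer below n, starts with prefix."""
    shift = 8 * (block_size(n) - len(prefix))
    lo = int.from_bytes(prefix, "big") << shift   # prefix followed by 0x00 bytes
    hi = lo + (1 << shift) - 1                    # prefix followed by 0xff bytes
    if hi >= n:
        raise ValueError("prefix too wide for this modulus")
    m = iroot(lo, e)
    if m ** e < lo:
        m += 1
    # For a small e and a short prefix, consecutive e-th powers are much closer
    # together than hi - lo, so an m in range always exists.
    if m ** e > hi:
        raise ValueError("no e-th power in range")
    return m


if __name__ == "__main__":
    m = preimage_for_prefix()
    print("m^5 < N, so no reduction:", m ** E < N)
    print("prefix-only check passes:", weak_check(m))
    print("full-block check passes:", strict_check(m))
```

Comparing the whole block is the minimal repair; the standard one is to verify a properly padded value (PKCS#1 v1.5 or PSS for signatures, OAEP for encryption), which turns the leftover bytes from "don't care" into a condition that a chosen integer root cannot satisfy.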

The third part was uncommon compared with typical crackme tasks, which can be solved mathematically. But first things first. The key check algorithm Base64-decoded the input into a buffer of size sizeof(El_p)*2+1024. If the decoded data was larger than sizeof(El_r), the key was invalid. Then the SHA-3 hash of the decoded data was compared to the string "ESETESETESETESETESETESETESETESET". Even the task author did not know the correct input value, which was meant to motivate the participants to look for an alternative solution.

An attentive reader will already have noticed that the vulnerability of the first part allows choosing El_r of such a length that the buffer into which the decoded data was copied could be overflowed. And that buffer was located on the stack. The stack was not protected and the load base was fixed, which allowed using the ROP technique to exploit the vulnerability and bypass the task's check function.

The solution check looked as follows: three bits (one per task part) in a global variable were tested and, if all of them were set, a congratulation message was displayed. So to solve the task one only needed to find ROP gadgets that write 7 to the address of that global variable and then return from the check function of the third part, after which the congratulation message appeared.

According to the contest results, the podium looks as follows:

1st place
Victor Alyushin 

2nd place
Mikhail Voronov, Denis Litvinov

3rd place
Anton Cherepanov 

Congratulations!
