-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
80 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
|
|
||
|
|
||
|
|
||
| # Behind the Scenes | ||
| After struggling to secure our secret strings for a long time, we finally figured out the solution to our problem: Make decompilation harder. It should now be impossible to figure out how our programs work! <br> | ||
| https://app.hackthebox.com/challenges/Behind%2520the%2520Scenes <br> | ||
|
|
||
|
|
||
| ## Obfuscation with UD2 instructions | ||
| UD2 is an illegal assembly instruction, which generates a SIGILL signal, which results in the program being terminated. <br> | ||
| UD2 instructions are added, between function calls, which stops disassemblers like Ghidra from disassembling the file further. <br> | ||
| A Signal handler is created to ignore SIGILL signals generated by the UD2 instructions. <br> | ||
| Simply replace the UD2 instructions with NOP instructions in the disassembly to bypass the obfuscation. <br> | ||
|
|
||
| Then look up the flag string in the hexview located at the address referenced by first strncmp() call. <br> | ||
|
|
||
| deobfuscated pseudo code from Ghidra disassembler: | ||
| ```C | ||
| undefined8 main(int argc, char **argv) | ||
| { | ||
| int32_t iVar1; | ||
| undefined8 uVar2; | ||
| int64_t iVar3; | ||
| int64_t in_FS_OFFSET; | ||
| char **var_b8h; | ||
| int var_ach; | ||
| sigaction *ptr; | ||
| undefined auStack_a0 [128]; | ||
| int64_t var_20h; | ||
| int64_t var_10h; | ||
|
|
||
| var_10h = *(int64_t *)(in_FS_OFFSET + 0x28); | ||
| memset(&ptr, 0, 0x98); | ||
| sigemptyset(auStack_a0); | ||
| ptr = (sigaction *)segill_sigaction; | ||
| var_20h._0_4_ = 4; | ||
| sigaction(4, &ptr, 0); | ||
| if (argc == 2) { | ||
| iVar3 = strlen(argv[1]); | ||
| if (iVar3 != 0xc) { | ||
| do { | ||
| invalidInstructionException(); | ||
| } while( true ); | ||
| } | ||
| iVar1 = .plt.sec(argv[1], 0x201b, 3); | ||
| if (iVar1 != 0) { | ||
| do { | ||
| invalidInstructionException(); | ||
| } while( true ); | ||
| } | ||
| iVar1 = .plt.sec(argv[1] + 3, 0x201f, 3); | ||
| if (iVar1 != 0) { | ||
| do { | ||
| invalidInstructionException(); | ||
| } while( true ); | ||
| } | ||
| iVar1 = .plt.sec(argv[1] + 6, 0x2023, 3); | ||
| if (iVar1 != 0) { | ||
| do { | ||
| invalidInstructionException(); | ||
| } while( true ); | ||
| } | ||
| iVar1 = .plt.sec(argv[1] + 9, 0x2027, 3); | ||
| if (iVar1 != 0) { | ||
| do { | ||
| invalidInstructionException(); | ||
| } while( true ); | ||
| } | ||
| printf("> HTB{%s}\n", argv[1]); | ||
| uVar2 = 0; | ||
| } else { | ||
| puts("./challenge <password>"); | ||
| uVar2 = 1; | ||
| } | ||
| if (var_10h != *(int64_t *)(in_FS_OFFSET + 0x28)) { | ||
| uVar2 = __stack_chk_fail(); | ||
| } | ||
| return uVar2; | ||
| } | ||
| ``` |