chtis's staple
Download staple.tar.gz, 6 kb. This is Linux only!! Tested with 3.16. Later versions should be ok.
Difficulty: 3 - Getting harder
Solutions
Solution by acruel, published 20. oct, 2016; download (2 kb), password: crackmes.de or browse.
acruel has not rated this crackme yet.
Discussion and comments
acruel 07. Sep, 09:38 | Found the secret code without knowing the password. Will post a solution later ;) |
fdjkf 15. Sep, 09:03 | I traced the executable to the key point of printing the secret code, but didn't find any algorithm for how the encrypted code is encrypted. Do we need to brute-force it? |
acruel 15. Sep, 13:07 | I think brute-force is a viable option, but not necessary. |
fdjkf 18. Sep, 01:45 | What I meant is that there is some encrypted code which may include the secret code, and if we input the correct password, the program will produce the key to decrypt the encrypted code. But I didn't see the algorithm for how the decrypting key is produced. So I imagined that the decrypted code may begin with push ebp (0x55) mov ebp,esp (0x89,0xe5), and comparing with the first three bytes of the encrypted code I guessed the first three bytes of the key are 0xXXXXXX, so what I needed to brute-force was the last byte (0x00-0xff). It means that the key may be 0x00XXXXXX-0xffXXXXXX, but unluckily after trying 256 times, the tries all failed, and the result is that 9 times the crackme went into an endless loop, and 247 times it printed "incorrect password". The result told me that the right decrypted code will not begin with push ebp; mov ebp,esp. This is just my thought about this program, and I wait for others to give their right method to crack this. I am interested in this crackme, thank you. |
acruel 18. Sep, 13:57 | You're almost there. I chose almost the same approach as you, but using a fixed string instead of the function prologue (push ebp, etc.). |
fdjkf 20. Sep, 01:42 | Thank you. I have some new thoughts about that. But I am so busy these days, I will try it later. |
fdjkf 26. Sep, 01:02 | unluckily, I failed again. Sorry for your help, I will try again later. |
daryl 26. Sep, 01:29 | I've successfully reverse engineered the staple binary and wrote a brute forcer that correctly reproduced some "obfuscated data" inside the staple program. Using the recovered data I was able to unpack the zip file. My solution zipfile contains my brute forcer and the staple disassembly with my comments. As with Acruel, I produced the secret code before knowing the password. Even though the password is in the zip file, the value produced by my brute forcer would likely allow me to write another program that reproduces the password. |
fdjkf 30. Oct, 13:58 | Thanks acruel. This program indeed doesn't give any hints about which value the key used to decrypt the encrypted data should be. I used another 4-byte string (0x0804xxxx) to recover the key, but failed. |
acruel 30. Oct, 22:55 | @fdjkf endianness is crucial |
daryl 08. Nov, 02:14 | My solution was rejected by andrew.us. Apparently he can't or is unwilling to grok a 60 line C file solution, 20 lines of which are comments explaining how the executable works as a solution. His rejection states "need better solution/explanation". Regardless, here's my working solution if anyone's interested. I bother to paste it because I spent a significant amount of time working on it and it may be helpful to someone. I realize a lot of solutions posted by newcomers are probably garbage, but if the moderators can't be bothered to do more than reject in four words a perfectly correct and functional solution I spent many hours working on, then I won't be bothered to spend any more of my time here. Farewell. -Daryl

```c
#include <stdio.h>
#include <string.h>

/*
 * Solution by Daryl
 *
 * This guy brute forces the xor'ed code section in the 'staple' binary
 * and searches for the string "ecret ". When that string is found it
 * outputs the xor argument (edx in instruction 'xor eax, edx' at file
 * offset 0x647). It also writes out to the specified file the opcodes
 * (and other data) from the xor'ed portion, all 0x88 bytes worth.
 *
 * Also in my solution tarball can be found the disassembly with my
 * comments that I used in producing this solution.
 *
 * This program takes a couple minutes to run and will eventually
 * produce the correct argument: 0xcdc40493. The disassembly output
 * file contains, well, the disassembled section of code that is
 * originally obfuscated. That section contains, of course, the
 * password for the zip.
 */
int main(int argc, char *argv[])
{
    char orig[0x88];            /* raw bytes of the xor'ed section */
    char tmp[0x88];             /* candidate decryption */
    unsigned int x, y;
    int idx;
    FILE *fd;

    if (argc != 3) {
        printf("Usage: bruter <staple binary> <disassembly output file>\n");
        return 1;
    }
    fd = fopen(argv[1], "rb");
    if (fd == NULL) {
        perror(argv[1]);
        return 2;
    }
    /* the xor'ed section starts at file offset 0x54a */
    if (fseek(fd, 0x54a, SEEK_SET) != 0) {
        printf("blew up\n");
        fclose(fd);
        return 2;
    }
    if (fread(orig, 1, 0x88, fd) != 0x88) {
        printf("short read\n");
        fclose(fd);
        return 2;
    }
    fclose(fd);

    /* try every 32-bit key; x wraps back to 0 after 0xffffffff */
    for (x = 1; x != 0; ++x) {
        /* XOR each dword of the section with the candidate key */
        for (idx = 0; idx < 0x88; idx += 4) {
            memcpy(&y, orig + idx, 4);
            y ^= x;
            memcpy(tmp + idx, &y, 4);
        }
        /* look for the known plaintext "ecret " anywhere in the result */
        for (idx = 0; idx < 0x83; ++idx) {
            if (tmp[idx] == 'e' && memcmp(tmp + idx, "ecret ", 6) == 0) {
                printf("Func32() output: 0x%x\n", x);
                fd = fopen(argv[2], "wb");
                if (fd == NULL) {
                    perror(argv[2]);
                    return 2;
                }
                fwrite(tmp, 1, 0x88, fd);
                fclose(fd);
                return 0;
            }
        }
    }
    printf("Couldn't find correct value\n");
    return 0;
}
``` |
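acruel's hint in the thread (use a fixed string rather than the prologue, and mind the endianness) means the 2^32 search in the brute forcer above is not needed: when one 4-byte key is XORed over aligned dwords, six known plaintext bytes cover all four key byte positions and pin the key down directly. The following is an added example, not code from the crackme or from any poster here; the plaintext and the key are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Recover a repeating 4-byte XOR key from ciphertext that contains a known
 * plaintext fragment at an unknown offset. Same model as the brute forcer
 * above: every aligned dword is XORed with one 32-bit value held little-
 * endian, as on x86. Returns the number of consistent candidate offsets;
 * the key from the first one is stored in *key_out. */
static int recover_xor_key(const unsigned char *ct, size_t len,
                           const char *known, size_t klen, uint32_t *key_out)
{
    int found = 0;
    if (klen < 4) return 0;      /* fewer bytes cannot cover all 4 positions */
    for (size_t p = 0; p + klen <= len; p++) {
        unsigned char kb[4] = {0}; int seen[4] = {0}, ok = 1;
        for (size_t j = 0; j < klen && ok; j++) {
            unsigned char b = ct[p + j] ^ (unsigned char)known[j];
            size_t pos = (p + j) % 4;              /* key byte = address mod 4 */
            if (seen[pos] && kb[pos] != b) ok = 0; /* overlapping bytes must agree */
            kb[pos] = b; seen[pos] = 1;
        }
        if (!ok) continue;
        /* little-endian: kb[0] is the low byte of the dword operand */
        uint32_t key = (uint32_t)kb[0] | ((uint32_t)kb[1] << 8) |
                       ((uint32_t)kb[2] << 16) | ((uint32_t)kb[3] << 24);
        if (found++ == 0) *key_out = key;
    }
    return found;
}

/* XOR every aligned dword with key; encrypt and decrypt are the same op. */
static void xor_dwords(unsigned char *buf, size_t len, uint32_t key)
{
    for (size_t i = 0; i + 4 <= len; i += 4)
        for (int k = 0; k < 4; k++)
            buf[i + k] ^= (unsigned char)(key >> (8 * k));
}

/* Constructed sample (not data from the staple binary): encrypt with a made-up
 * key, recover it from "ecret " alone, and confirm the result decrypts. */
static uint32_t demo_recover(void)
{
    const char *plain = "The secret code is 1234!";   /* 24 bytes, aligned */
    unsigned char buf[24];
    uint32_t key = 0;
    memcpy(buf, plain, 24);
    xor_dwords(buf, 24, 0xcafebabeu);
    if (recover_xor_key(buf, 24, "ecret ", 6, &key) != 1) return 0;
    xor_dwords(buf, 24, key);
    return memcmp(buf, plain, 24) == 0 ? key : 0;
}
```

Calling demo_recover() returns the constructed key 0xcafebabe; with more than one consistent offset, each candidate would have to be checked by decrypting and inspecting the result, as the brute forcer does.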