Nullcon HackIM CTF 2013 – Reverse Engineering 100 Write up

Reverse Engineering 100

We were provided with this highly obfuscated code:

''=~('('.'?'.'{'.('`'|'%').('['^'-').('`'|'!').('`'|',').'"'.('['^'.').('['^'(').('`'|'%').('{'^'[')
.('['^'(').('['^'/').('['^')').('`'|')').('`'|'#').('['^'/').';'.('['^'.').('['^'(').('`'|'%').('{'^
'[').('['^',').('`'|'!').('['^')').('`'|'.').('`'|')').('`'|'.').('`'|"'").('['^'(').';'.('`'|')').(
'`'|'&').'('.'\\'.'$'.'#'.('`'^'!').('{'^')').('`'^"'").('{'^'-').'='.'='.('^'^('`'|','))."\)".'\\'.
'{'.('`'|')').('`'|'&').'('.'\\'.'$'.('`'^'!').('{'^')').('`'^"'").('{'^'-').'['.('^'^('`'|'.')).']'
.'.'.'\\'.'$'.('`'^'!').('{'^')').('`'^"'").('{'^'-').'['.('^'^('`'|'/')).']'.('`'|'%').('['^('*')).
'\\'.'$'.('`'^'%').('`'^'.').('{'^'-').'\\'.'{'."'".('{'^'.').('{'^'(').('`'^'%').('{'^')')."'".'\\'
.'}'.')'.'\\'.'{'.('['^'+').('['^')').('`'|')').('`'|'.').('['^'/').'\\'.'"'.('`'^'&').('`'|(',')).(
'`'|'!').('`'|"'").'='."'".('`'^"'").('`'|'/').('`'|',').('`'|'$').('`'|'%').('`'|'.').('`'^('$')).(
'`'|'!').('['^'"').('['^'(').('`'^'!').('['^')').('`'|'%').('`'^'"').('`'|'!').('`'|'#').('`'|"\+").
"'".'\\'.'"'.'\\'.'}'.'\\'.'}'.'"'.'}'.')');$:='.'^'~';$~='@'|'(';$^=')'^'[';$/='`'|'.';$,='('^"\}";

It looks like a lot of bitwise XOR and OR operations between characters, plus a bunch of string concatenations.
This is probably Perl or PHP code (the =~ match operator and the trailing assignments to special variables such as $/ and $, point to Perl), and since I'm not fluent in either of them I decided to translate it to Python to understand it better.

So we ended up with the following equivalent Python code (yes, WordPress syntax highlighting sucks):

# Each chr(ord(a) | ord(b)) or chr(ord(a) ^ ord(b)) mirrors one Perl character operation;
# the outer parentheses let the expression continue on the second line.
x = ('(' + '?' + '{' + chr(ord('`') | ord('%')) + chr(ord('[') ^ ord('-')) + chr(ord('`') | ord('!')) + chr(ord('`') | ord(',')) + '\x22' + chr(ord('[') ^ ord('.')) + chr(ord('[') ^ ord('(')) + chr(ord('`') | ord('%')) + chr(ord('{') ^ ord('[')) + chr(ord('[') ^ ord('(')) + chr(ord('[') ^ ord('/')) + chr(ord('[') ^ ord(')')) + chr(ord('`') | ord(')')) + chr(ord('`') | ord('#')) + chr(ord('[') ^ ord('/')) + ';' + chr(ord('[') ^ ord('.')) + chr(ord('[') ^ ord('(')) + chr(ord('`') | ord('%')) + chr(ord('{') ^ ord('[')) + chr(ord('[') ^ ord(',')) + chr(ord('`') | ord('!')) + chr(ord('[') ^ ord(')')) + chr(ord('`') | ord('.')) + chr(ord('`') | ord(')')) + chr(ord('`') | ord('.')) + chr(ord('`') | ord("\x27")) + chr(ord('[') ^ ord('(')) + ';' + chr(ord('`') | ord(')')) + chr(ord('`') | ord('&')) + '(' + '\\' + '$' + '#' + chr(ord('`') ^ ord('!')) + chr(ord('{') ^ ord(')')) + chr(ord('`') ^ ord("\x27")) + chr(ord('{') ^ ord('-')) + '=' + '=' + chr(ord('^') ^ (ord('`') | ord(','))) + ")" + '\\' + '{' + chr(ord('`') | ord(')')) + chr(ord('`') | ord('&')) + '(' + '\\' + '$' + chr(ord('`') ^ ord('!')) + chr(ord('{') ^ ord(')')) + chr(ord('`') ^ ord("\x27")) + chr(ord('{') ^ ord('-')) + '[' + chr(ord('^') ^ (ord('`') | ord('.'))) + ']' + '.'
     + '\\' + '$' + chr(ord('`') ^ ord('!')) + chr(ord('{') ^ ord(')')) + chr(ord('`') ^ ord("\x27")) + chr(ord('{') ^ ord('-')) + '[' + chr(ord('^') ^ (ord('`') | ord('/'))) + ']' + chr(ord('`') | ord('%')) + chr(ord('[') ^ ord('*')) + '\\' + '$' + chr(ord('`') ^ ord('%')) + chr(ord('`') ^ ord('.')) + chr(ord('{') ^ ord('-')) + '\\' + '{' + "\x27" + chr(ord('{') ^ ord('.')) + chr(ord('{') ^ ord('(')) + chr(ord('`') ^ ord('%')) + chr(ord('{') ^ ord(')')) + "\x27" + '\\' + '}' + ')' + '\\' + '{' + chr(ord('[') ^ ord('+')) + chr(ord('[') ^ ord(')')) + chr(ord('`') | ord(')')) + chr(ord('`') | ord('.')) + chr(ord('[') ^ ord('/')) + '\\' + '\x22' + chr(ord('`') ^ ord('&')) + chr(ord('`') | (ord(','))) + chr(ord('`') | ord('!')) + chr(ord('`') | ord("\x27")) + '=' + "\x27" + chr(ord('`') ^ ord("\x27")) + chr(ord('`') | ord('/')) + chr(ord('`') | ord(',')) + chr(ord('`') | ord('$')) + chr(ord('`') | ord('%')) + chr(ord('`') | ord('.')) + chr(ord('`') ^ (ord('$'))) + chr(ord('`') | ord('!')) + chr(ord('[') ^ ord('\x22')) + chr(ord('[') ^ ord('(')) + chr(ord('`') ^ ord('!')) + chr(ord('[') ^ ord(')')) + chr(ord('`') | ord('%')) + chr(ord('`') ^ ord('\x22')) + chr(ord('`') | ord('!')) + chr(ord('`') | ord('#')) + chr(ord('`') | ord("+")) + "\x27" + '\\' + '"' + '\\' + '}' + '\\' + '}' + '"' + '}' + ')')

print(x)

After running that program, we got the following output:

(?{eval"use strict;use warnings;if(\$#ARGV==2)\{if(\$ARGV[0].\$ARGV[1]eq\$ENV\{'USER'\})\{print\"Flag='GoldenDaysAreBack'\"\}\}"})
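As an added example (my code, not the write-up's), here is a Python decoder that tokenises an expression written in this style and evaluates Perl's byte-wise string | and ^ and its . concatenation directly, so the hidden program is recovered without hand-translating every character. It assumes the input is only string literals and those operators, which holds for the challenge once the leading ''=~( and the trailing special-variable assignments are stripped; SAMPLE is a constructed expression in the same style.

```python
import re

# Constructed input in the challenge's style: every character is produced by
# OR-ing or XOR-ing two printable characters, and the pieces are concatenated.
SAMPLE = r"""('['^'+').('['^')').('`'|')').('`'|'.').('['^'/').('{'^'[')."\"".("``"|'/+').'"'"""

# A token is a single-quoted literal, a double-quoted literal, one of ( ) . | ^, or junk.
TOKEN = re.compile(r"""\s*(?:'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"|([().|^])|(\S))""")

def tokenize(src):
    """Yield ('str', text) or ('op', char) tokens, unescaping the literals."""
    for m in TOKEN.finditer(src):
        single, double, op, junk = m.groups()
        if junk:  # anything else (variables, function calls, ...) is refused
            raise ValueError("unsupported Perl near %r" % junk)
        if op:
            yield ("op", op)
        elif single is not None:  # single quotes: only \\ and \' are escapes
            yield ("str", re.sub(r"\\([\\'])", r"\1", single))
        else:  # double quotes: \X -> X for the punctuation escapes used here; no interpolation
            yield ("str", re.sub(r"\\(.)", r"\1", double))

class PerlStr(str):
    """A str whose | and ^ act byte by byte, like Perl's string bitwise operators."""
    def _bitwise(self, other, fn):
        n = max(len(self), len(other))  # Perl keeps the longer operand's tail
        pairs = zip(self.ljust(n, "\0"), other.ljust(n, "\0"))
        return PerlStr("".join(chr(fn(ord(x), ord(y))) for x, y in pairs))
    def __or__(self, other):
        return self._bitwise(other, lambda x, y: x | y)
    def __xor__(self, other):
        return self._bitwise(other, lambda x, y: x ^ y)
    def __add__(self, other):  # Perl's . concatenation is mapped to Python's +
        return PerlStr(str.__add__(self, other))

def to_python(src):
    """Rewrite the token stream as a Python expression over PerlStr literals.
    Python binds + tighter than ^ and |, matching Perl's . versus ^ and |."""
    return "".join("PerlStr(%r)" % val if kind == "str" else "+" if val == "." else val
                   for kind, val in tokenize(src))

def decode(src):
    """Evaluate an obfuscated Perl string expression to the code it builds."""
    # Only repr()-wrapped literals and the operators ( ) + | ^ can reach eval().
    return str(eval(to_python(src), {"__builtins__": {}, "PerlStr": PerlStr}))
```

decode(SAMPLE) returns print "ok"; fed the expression from the challenge it returns the same string the hand translation printed.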

So the flag for Reverse Engineering 100 was: GoldenDaysAreBack.
