PABE Exercise Sheet 2

General Information

All solutions must be created with Python 3. If you are new to Python 3 have a look online… there are many good resources to get started such as this course, this blog post and this slide deck. Feel free to post other resources to the mailing list to help other PABE students.

Please keep in mind that you should:

• read the task description carefully

• push all your changes to the GitLab repository (master branch) before the deadline. Make also sure that the file permissions are set correctly! If you are new to Git check out this site!

• make sure that your solution (also) runs on the virtual machine (and not just your local machine); this also means that you must install all additional packages yourself from within the solution script (e.g., os.system("pip install --user -r requirements.txt"))

• make sure that the solution is an executable script named solution (chmod +x ./solution) with a working shebang line at the top (e.g., #!/usr/bin/env python3) so that it can be executed like this: ./solution (do not name your script solution.py, Solution, solution.sh, … just solution)

• the final solution string, and only that, must be written to stdout and could be a number, a string, a string with the format FLAG{some letters and digits here}, depending on the specific task

• describe what you are doing using detailed comments for all your solution scripts! For example, use Docstrings (link) or inline comments:

  1 2 3 4 5 6 7 8

  def check_input_length(input_string): """ The input string must have a length greater than 42 and must also be even. """ length = len(input_string) # the final check happens here return (length > 42) and (length % 2 == 0)

  This helps us to find out if you really understood the task and you are not just brute-forcing some solutions. Please do not leave any commented code (i.e., code that is not needed to solve the task) in your solution files!

• make sure that your solution executes within 10 seconds (this is a hard timeout on our server)

• violating any of the points above might lead to reduced final points for the specific task!

The deadline for this sheet is Tuesday, 2020-12-08 23:59:59

Task 6 – Key Checker (2 Points)

The program check_key needs a valid key as an input. Find out how to provide the key to the program and how the key checking algorithm works (use a disassembler such as IDA Pro 7, radare2, binary ninja or use a debugger, such as gdb). The final task is to write a Python script as solution that is able to generate valid keys and print 500 of them to stdout (unique keys).

Your solution could, for example, look like this:

1
2
3
4
5
6

./solution
key1
key2
key3
...
key20

where keyX is a valid key.

Note: Do not brute-force all solutions by executing the binary check_key and checking its output. It’s a Reverse Engineering Task ;-)

Task 7 – In-memory decryption (2 Points)

Have a look at the binary xor. When you run the binary it seems that nothing happens… If you have a look at the disassembly (e.g. with objdump or any other disassembler) you can see that there is a string within the binary that gets decrypted during runtime. The decrypted string only exists during the execution but will not be printed to stdout.

Your task is to write a gdb script in Python (link) that sets a breakpoint at the correct address (when the string is finally decrypted), runs the program and outputs the string to stdout. This time your solution can be a Bash script that calls gdb with the Python script as an argument (gdb --command=<your Python script>) . Make sure that only the decrypted string is printed to the final stdout (e.g., Bash’s stdout).

Your solution could, for example, look like:

1
2

$ ./solution
abcdefg

Task 8 – Broken Header (2 Points)

Oh no! Our binary broken is causing segmentation faults. What is happening here? There could be something wrong with the header…

Your task is to write a Python script that patches and executes the binary broken.

Your solution could, for example, look like:

1
2

$ ./solution
FLAG{some letters and digits here}

Hint: You should check the header of a working binary (e.g. /bin/ls) and compare it to the broken binary.

Task 9 – Broken Code (2 Points)

Oh no again! Another binary also called broken is not printing the flag. I think the evil wizard of three-mistakes has corrupted it. Can you help us? Before this incident the binary printed a flag and exited with return code 42!

Your task is to write a Python script that patches the binary broken so that it runs as expected.

Your solution could, for example, look like:

1
2

$ ./solution
FLAG{some letters and digits here}

Hints:

• The broken code can be found in the function _start.
• You can use the pwntools command line tool asm to get the opcodes for a specific assembler instruction:

  1 2	$ asm "mov eax, 0x1" b801000000

  1

Task 10 – Unicorn Engine (4 Points)

Unicorn Engine is a CPU emulator that supports many different architectures (link) CPU emulator means that you won’t have any support from the operating system and have to work very low level. This is especially true for memory mapping.

We provided you a solution file with some Python code. When you run the code (i.e. ./solution) you will notice that you get an error ERROR: Invalid memory read (UC_ERR_READ_UNMAPPED).

Your task is to:

• understand the Python and assembly code
• find out why the error messages occur
• fix the Python code so that the emulation runs correctly

If I remember correctly the value 0x1337 was stored at the address 0x31337 (mov eax, [0x31337])

With the code tracing hook in place engine.hook_add(UC_HOOK_CODE, hook_code) you will also see the currently executed instruction via stdout.

Your final solution could, for example, look like:

1
2
3
4
5
6

$ ./solution
...
eax = 0x1234
ebx = 0x1234
ecx = 0x1234
edx = 0x1234

We will check the last 4 lines to see if the results are correct. Do not modify the simple_asm code.

Hints:

• How can you catch illegal memory accesses?
• Must the memory you map be aligned somehow?