[go: up one dir, main page]

Blog Archive

Wednesday, December 7, 2011

The Making of MalCon CTM-2011 Challenge.

Well, it was declared last year itself after the first malcon that we'll be having our own version of an online challenge for the world to compete over.We called it the CTM. Which stood for 'Capture the Mal' challenge. Nothing much happened after that though. We all got busy with the rest of our work until about 3 months before the event, when we realized that we promised a CTM & had completely forgotten about it. As usual, when it comes to technical stuff @MalCon, am the SPOC.

So, I was left with a mammoth task.Its not that I've never designed a CTF contest before.. infact I do that for all my workshops & training sessions. But this one was different. We do malcon every year not because it earns us something.. or because we get perks for doing it. Infact, we make no money out of it at all. We do it because it was our dream. We've learnt about 90% of what we know by reading 'tuts' n textfiles on the internet, created by generous & highly talented people. We wanted to do our bit too. Malcon is not about spreading malwares. Its about generating proactive research by good people to build secure systems.


Well, so here I was, with no idea at all about how am gonna design this CTM thingy. And then it happened. :) I have this weird 'moment' once in a while where I get bombarded with loads of crazy ideas. Thats how the idea of creating a Virtual-Machine based challenge came to my mind. But there were 2 major problems.

1. I had no experience in creating a VM manually.
2. I wanted it to be simple enough so that even a common man can attempt it.

At first, I had to create a VM myself to prove that its possible. I know that there are thousands of articles on that available but this one had to be simple. The idea was to create a VM architecture that was as simple as possible so that the ones attempting it do not end up getting demoralized. While, the VM-Code or the 'Bootrom' as I call it, can be complex enough to deliver the quality & standards that we at malcon are fanatic about.

The good part was, I have considerable understanding & experience with programming as well as reverse-engineering. I've got past experience with creating some really complex & effective anti-reversing routines too. So, I figured out that this one wont be as tough as I thought it would be, initially. How wrong was I. :D

To begin with, I named my Abstract Processor as 'Aod8'. Then, I tried to design it similar to the intel-processors am comfortable with. Although, I figured out that I dont need more than 15 Instructions in my instruction-set to create a complex CTM, I thought that maybe someone, someday might wanna write some cool program for it & thats the only reason why I endedup having about 40 instructions in all. Once the design part of it was over & I was almost sure that I had the required instructions in there, it was time to code the processor.My first choice was 'PERL'. Its easy to program in, robust with REGEX & more importantly I didnot have to mess with variable types.Ah, I think I forgot to mention that in order to keep the CTM easy to attempt, I designed the processor to work with 'Byte' sized instructions & data. Most people are not comfortable with handling data at 'bit' level.So, that was the reason behind this super simplistic Aod8 Architecture design.

Well, the PERL idea was disastrous. Initially I struggled a little with type conversion. Then again...I never write the entire code at one stretch, ever. :P I write some..then test it thoroughly & then go further. When am trying a new idea or a theory, I am totally impatient to see if it works or not. :) So obviously, the first instructions I implemented in my Aod8 processor were the ones that'll allow me to print a character on the screen.. so that if it works as expected, I can jump up & down & celebrate victory. But but but... the way I've designed it, I can only print one character at a time.That too, if I send the 'output' opcode, it'll fetch the byte at the current location of the stack-pointer on the stack & print it.Now, lets say I want to print 'A' on the screen. For that, I'll have to first push its ascii code onto the stack. :D As you can see, I cannot directly push data onto the stack either.For that, I'll have to move the ascii code to a GPR like 'A' or 'B', then push it onto the stack, then call the 'output' instruction. In essence, the set of instructions to print a char 'A' on the screen in Aod8 Assembly would be:

mov a,65
mov [sp],a
output
halt

[ Well, I've already uploaded all the Tools, source-codes & everything related to my Aod8 project on GitHub & you can find them here: https://github.com/Aodrulez/Aod8 ]

Below is the output on my terminal when I compile this code using my Aod8 Assembler written in PERL just to give you an idea of how the entire thing works.


So yea, that works perfectly! when the bootrom is executed by the Aod8 Emulator/Virtual Machine or Abstract Processor implementation..which ever way you like to call it, it does print 'A' on the screen. \m/ But let me remind you that at that time... I never had an assembler! :) So, to see that output, I had to manually construct a bootrom using a Hex-Editor by inserting opcodes & data in hex. The moment I saw it print 'A' on the screen, I was in trance :D That was it! It proved my theory of a crazy CTM to be practically possible & from that point onwards... it was a mad rush to complete the processor implementation as soon as possible. Well, I wrote it entirely in PERL first. But after constructing bootrom manually, I wasnt getting expected results. Thats when I found out that I made some major 'Type Conversion' errors here & there. This was awefully painful. Either I could spend another day fixing the perl implementation which was starting to get me frustrated or I can switch to c/c++ & wind it up asap. I opted for the second option for two reasons.

1. I know c/c++ very well.
2. It'll prove my theory that the ctm can be played by anyone who can implement the Processor, in any language he likes.

So that was it.I got the processor written top-to-bottom in less than 2hrs. Now, I knew that I've implemented the Design perfectly, it was time to test each & every instruction. Initially I enjoyed the geek-feeling it gave to construct bootroms out of hex-editors manually but pretty soon.. I was having severe head-aches. :D Thats when I decided its time to write an 'Assembler' for this Architecture. In the mean time, I had my PERL implementation too sorted out by comparing the output of my 'c' implementation.

I didnot even realize when this became an obsession. I was working on my office related work all day & working on this CTM all nite! In a few day's time, I had a very crude Assembler than can convert asm code to bootroms, 2 implementations of the Aod8 processor & a slightly tweaked version of the 'c' implementation acting like a debugger/tracer. It was time to learn the basics of programming something that I created. :D Yea, it sure sounds easy but it was not.Just when I started to try serious programming, I realised that in my obsession with keeping the design simple, I had seriously limited the programming possibilities of the architecture. The design was so simplistic that I couldnot even implement self-modifying code. Because, the ROM was as the name suggests, Read-Only. The Aod8 processor was designed to fetch instructions & execute them & the stack was provided solely to store temporary data.It was impossible to modify the code during execution. This meant that everything that was part of the CTM challenge had to be put up in a clearly-visible form inside the bootrom.Anyone with a code tracer would end up dumping all the important data off the bootrom.

Another limitation was the 'byte' implementation. :) The only Flow-control instructions that were used in the CTM were cmp,je,jne,jle,jmp & loop. As you can see, every other jmp instruction requires a parameter.This parameter specifies the location to jump/execute from now on. The catch here though is that, the Aod8 Architecture can only have data upto the size of a 'byte'.The biggest number in a single byte is 255 which meant that theoretically I would have been limited to a bootrom of size 255 bytes as I couldnot access a higher number because of the limitation in the design. Thats when I decided to tweak the design a little bit & partially bypass the limitation yet keeping the design simple. You'll understand what I did if you observe the way I've implemented the 'jmp/loop' instructions. :)

So far, so good.Now that I had some crude tools & thorough understanding of the programming details, it was time to begin creating the CTM. Somewhere near that time a huge tragedy struck. Steve Jobs passed away & we were all in shock. That was when I decided that am going to do my bit for him. Thats the reason you'll see a brief text right in the beginning of the CTM challenge when you boot it. It was my way of thanking him for all that he has done. :) Well, at first, I wanted to have challenges appearing back to back as the Aod8 Architecture was seriously limited but once I had the first level done, it looked so very boring! It was time to push it up a few notches & be artistic! That was when I realised that my Assembler was seriously crude. :D Spent another day adding support for 'Labels' in my Assembler so that I can write code like "jmp label_beginning" instead of "jmp 134".That was one helluva experience in itself.At the end of the day, I had a sophisticated Assembler which made it much much easier to code things.

I needed to start designing the CTM again from scratch. phew! But now am so glad that I did. This time around wanted to create a Linux-like feeling to it. Getting the initial UI until you hit 'run' took about 2 days to code. It was amazing yet I felt something was just not right. I thought that if I put-up an Easter-Egg in the section where the general UI resides, chances are people wont find it out that easily. Thats when I thought, why not create a 'Brainfuck Interpreter' for this architecture? :D It'll be piece of A.R.T. And guess what? it took more time than creating the rest of the CTM itself.

If you want to see the first Easter-Egg, boot the CTM challenge & when it says "Press ENTER to boot AoDOS-Trial from this Bootrom.", type '^' & hit enter. :)




Well, its a full-fledged Brainfuck interpreter written entirely in Aod8 Assembler. You can try most of the brainfuck programs in it. This was when my boss asked me to report the progress I made with the CTM. :D It took me some time to explain what I've done & although he understood the beauty of it, he was worried that maybe not many will be able to solve it. Thats when we decided that we keep it as simple as possible so that most of the people who attempt it, can crack it. I was already done with 3 levels by this time. I had some major plans for level-4 & level-5 when we had this discussion & thats when I decided to completely drop the idea of Level-5.

I also re-wrote level-3 to have a very simple algorithm that can be easily reversed. Level-4 is basically a crackme that I wrote in Brainfuck, being emulated on my Aod8 Brainfuck Interpreter. Again, I re-wrote a simpler version of the Brainfuck crackme so that its do-able. It was not designed for the Uber-Reversers at all. :) It was for noobs & for people who are majorly into programming. Just by looking at the design I can think of funny ways to defeat all the levels. The weakest point of the design being the "Stack". An emulator that dumps stack contents would have ended the game right away! And frankly, we wanted winners. Its amazing that I spent 1 whole month re-writing the CTM to make it simpler!

We had officially 2 winners this time. Aseem & Dhanesh. They did a wonderful job. :) But trust me, I've received more mails with compliments & evident eagerness from people who were just attempting it. For most, the part when they got the Emulator done & when the bootrom displayed the initial message was an achievement in itself! And for each mail that I received, I won once. :)

Now, let me give a brief idea of what the CTM contained. It was about 130kb in size. I managed to squeeze in 4 levels, 2 Easter-Eggs, Entire asm code of the CTM except Level-4, Aod8 Processor implementation in C as well as PERL, a real-virus code, complete 3-pass Assembler for Aod8 & a sample asm file to explain the usage. Now, thats pure Art. :)

But, it took me close to 2 months ( yea, I have a very hectic day-job where I work on ten thousand things at a time. :P ) to complete it, out of which I spent one whole month re-designing it to be simple. I wrote the CTM almost 3 times from scratch. Tested it on windows, linux & even on my iPod to be sure that it works. The Brainfuck Interpreter was a test of my patience & persistence. :D I wrote that right from scratch almost 34 times until I got it right! Infact, I wrote the Aod8 Asm code for it on paper manually about 4 times. I designed each level separately & finally when it was time to combine all of them into one single bootrom, it just wont work! Spent another whole week going through about 1,29,918 lines of code & debugging every single jump & loop instruction until I got it fixed. I guess its not patience after all, am just plain adamant :)

Overall, for me it was a huge learning curve. More than that, it has been a personal milestone in many ways. I've always wanted to give back to the community & this one gave me a platform to reach a wide range of people. I hope that everyone who attempted the MalCon CTM this year had a good time. Special Thanks to Shantanu Gawade for being my Beta-Tester. :)

#Nirvana-Achieved.

Thursday, September 1, 2011

Detailed Analysis of My Brainfuck Crackme

The Code :

Aodrulez's Brainfuck Crackme V1
# -------------------------------------------------
# (Its very Easy)
>++++++++++[>++++++++>++++++++++>+++++++++++>++++++
+++++>++++++++++>+++++++++++>+++>++++++>+++><<<<<<<
<<<-]>+++>+>++++>----->--->-->++>-->++><<<<<<<<<<>.
>.>.>.>.>.>.>.>.>,>,>,>,>,>,<[>-<-]#>[>+++>++++++>+
+++>+++>+++++++>+++++++++++>+++++++++++>++++++++++>
+++++++++++>++++++++++>++++++++++++>++++++++++++>++
+++++++++>++++++++++>++++++++++++>+++++++++++>+++++
++++++>+++++++++++>++++++++++++>+++++>+++><<<<<<<<<
<<<<<<<<<<<<<-]>++>-->+>++>--->+>>+++>++++>--->----
>--->-->--->---->----->+>>----->---->++><<<<<<<<<<<
<<<<<<<<<<<>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.

Lets split it into interesting parts.

As we know, in brainfuck input is taken by the ','
character & output is given by the '.' character.
If you've compiled & tried the crackme..it simply
asks for a "Serial : ". Based on what you enter...it'll
decide if it is correct or not. Great...so lets locate
the part where it accepts our serial. :)

Analysis

In the 4th line of the code, we can see that its takin
6 bytes of input.

>,>,>,>,>,>,

Prior to that.. the code is :

>.>.>.>.>.>.>.>.>.

Which obviously is printing "Serial : " 9 bytes exactly.

Lets see what happens after the input.

<[>-<-]

Remember that the memory pointer is still pointing to the
last character of input.So, a "<" will make it point to the
second last character.Now, after that "[]" represents a while
loop where the varible's memory address to be monitored
is pointed to by the PC register..in this case... the ASCII
value of the second last char.

Lets analyse the while loop.

[>-<-]

> == point to the next memory location. (last char)
- == decrement the value at that location
< == point to the previous mem location (second last char)
- == decrement the value at that location.

The last part inside while loop is important..
which is "<-" because the the while loop will continue as long
as the value at that memory location is not 0.

Phew! so in short.. the crackme takes input & substracts
the ascii code of the last character by the ascii code of the
second last character.

Then what?
Now..lets see...do u like patterns? :) When was the last time
you found matching ones? ;) Lets analyze the first part of
the code..the part where it prints "Serial : "

This here is the code that does that..

>++++++++++[>++++++++>++++++++++>+++++++++++>++++++
+++++>++++++++++>+++++++++++>+++>++++++>+++><<<<<<<
<<<-]>+++>+>++++>----->--->-->++>-->++><<<<<<<<<<>.
>.>.>.>.>.>.>.>.

DOnt believe me? No worries..try running it in a Brainfuck
interpreter online..right here :

http://www.iamcal.com/misc/bf_debug/

Am sure the above code prints "Serial : ". Now lets analyse the
above code..

> = increment the memory pointer.
++++++++++ = put 10 at that location.
[] = run this loop ten times.
What the loop does is that it'll put the ascii codes of the
characters you want to print in consecutive memory locations.

>+++>+>++++>----->--->-->++>-->++><<<<<<<<<<

Fine-tuning the values there & pointing to start of the
buffer.

>.>.>.>.>.>.>.>.>.

Print the string.

Now lets look at the last part of the crackme's code... where
it obviously has to print a good-boy string.

Starting from the end of its code...

>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.

Print the good boy string.

>++>-->+>++>--->+>>+++>++++>--->----
>--->-->--->---->----->+>>----->---->++><<<<<<<<<<<
<<<<<<<<<<<

Fine tuning the strings & pointing to its beginning.

[>+++>++++++>+
+++>+++>+++++++>+++++++++++>+++++++++++>++++++++++>
+++++++++++>++++++++++>++++++++++++>++++++++++++>++
+++++++++>++++++++++>++++++++++++>+++++++++++>+++++
++++++>+++++++++++>++++++++++++>+++++>+++><<<<<<<<<
<<<<<<<<<<<<<-]

While loop that puts the ascii code numbers into the
right memory locations.

But wait... something is missing aint it? The memory
location of the variable for the while-loop.

Because prior to this... the only code that exists is
this "#>" & then the part where it substracts the
ascii code values between the last 2 characters..So
what exactly is happening?

">" instruction will again make it point to the last
character.Thus..the number of iterations for the
While loop that prints the good-boy message depends
upon the ascii value of the last character.


If you remember.. usually the correct value for the
while-loop to print is 10.Lets check if our assumption
is right or not.

[>+++>++++++>+
+++>+++>+++++++>+++++++++++>+++++++++++>++++++++++>
+++++++++++>++++++++++>++++++++++++>++++++++++++>++
+++++++++>++++++++++>++++++++++++>+++++++++++>+++++
++++++>+++++++++++>++++++++++++>+++++>+++><<<<<<<<<
<<<<<<<<<<<<<-]>++>-->+>++>--->+>>+++>++++>--->----
>--->-->--->---->----->+>>----->---->++><<<<<<<<<<<
<<<<<<<<<<<>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.

This was the original code.. lets run it in the online
interpreter & see the output.you do get an output but
its gibberish. Now add this to the begining & see what
happens. >++++++++++ (move to the next mem location &
put a value of 10 there.The first part of the crackme's
code itself when it tries to print "Serial : ")

When you try to run that..you get this string :-

" :) Congratulations. " So thats perfect! The algo
is pretty simple & a valid serial should be :

1. 6 chars long
2. The last character's ascii code should be 10 units more
than the second-last character.

For Ex.
aaaaak
bbbbbl
cccccm
abcdeo
ABCDEO

Thats all. :)

(c) Aodrulez.

Zen & The Art of Cracking. (Part 1)

Hola Amigos!
This is a tutorial explaining some old school
+orc inspired reversing/cracking techniques.
Today, our target application is a crackme that
i wrote a few days ago in an esoteric language
named 'Brainfuck'.The code of the crackme can
be found here :

http://aodrulez.110mb.com/crackme.txt

But before we begin our reversing tutorial, let
me show you how to compile this code & make
our crackme application.In my previous post, i've
provided the source code of my 'Brainfuck Pseudo
Compiler'.You can compile this crackme using this
compiler.First of all, compile the 'Brainfuck
Pseudo Compiler' as follows :

aodrulez@pwn4g3:~/muse$ gcc bfc.c -o bfc

Here am assuming you've copied the code of my
compiler into a file named 'bfc.c'.Once this is
done, you should have an executable named 'bfc'
which is our brainfuck compiler.Now lets compile
the crackme.Copy the contents of the above link
to a file named 'crackme.txt'.Then issue this
command :

aodrulez@pwn4g3:~/muse$ ./bfc crackme.txt crackme

That should compile our 'crackme' for you.


Cracking the Code

Before we do any reversing & fire any of our tools,
lets study the crackme first.Lets try running it
& see what happens.

aodrulez@pwn4g3:~/muse$ ./crackme
Serial : aaaaaa
� � ������� �� aodrulez@pwn4g3:~/muse$


Now that doesnt look like a valid serial :D .But one
important thing i observed was that it takes exactly
'6' bytes/characters for the serial. Not a byte less,
not a byte more.How did i know that? Try entering
one character & then hit enter & see what happens..
& keep on doin this until you get an output. :)
(remember that even 'enter' or Line-Feed is a char!)

Now, lets think about it... is there a way to find
out the valid serial without even looking at the
algorithm?? ofcourse there is... the magic word for
you is...'bruteforce'.There are times when the algo
involved is so complicated that its very tough to
reverse it & find a valid serial.In such cases..when
you have no other choice left.. you can always try
bruteforce.

The truth though is that its an ugly way of doing
things.Why? Lemme explain. Lets say we have a serial
the length of which is 1 character.How many possible
values can it have?

If its only alphabets : 26
AlphaNumeric : 36
CaseSensitive Alphanumeric : 26+26+10=62

What do these numbers mean? if the password is just
alphabets... case insensitive... the maximum number of
possible right answers is 26.So, i hope its understood
that if i try all of these 26 possible values, am sure
to get the right password.But, if the password is 2
characters in size, the max possible combination becomes
26*26...or 26^2==676!. Pure Permutation.Now thats pure
bruteforce attempt. Alrighty... now how to implement a
custom bruteforce tool for our particular crackme?

As we know already.. the crackme needs an input..
So lets try this command in a linux terminal:

aodrulez@pwn4g3:~/muse$ echo "aaaaaa" | ./crackme

what this'll do is... it'll first echo "aaaaaa" to the
screen but the redirection symbol "|" tells it to
pipe the output to the command specified...in this
case.. to "crackme" executable.This trick..combined
with some programming skills can be turned into a sort
of bruteforce attack.

So here am providing a very ugly bruteforce-algorithm
that i just wrote...its ugly..not optimized....but sure
as hell works.Here we go :-

Bruteforce COde version 1.0


Try compiling this code & put the executable in the
same directory as 'crackme'.Then execute it & observe
the crude output you get. What this code does is..
it'll craft a 6-character long string with all possible
combinations.Now if you lookup an ASCII table, the
ascii codes from 97-122 is the range for 'a'-'z'.
So, this script is a lower-case-6-character-pattern
generator..whose output is piped to our crackme as
input.Simple & sweet. Try running the above code & observe
the output.. somewhere down the line...you'll see
":) Congratulations" & the corresponding string is
a valid serial. :)


This is a lil better version of the same bruteforce
script as far as output is concerned.

Bruteforce C0de version 1.1


That'll generate you some valid serials. Now remember
that i still hav'nt looked at the code of the crackme
& have no idea how the actual algorithm works.I just
got lucky because a valid serial can be formed by just
entering 6 lowercase alphabets.. if this would'nt have
worked...i would have tried uppercase..alphanumeric..
special characters etc as combination.No matter what..
am sure to get atleast one valid serial because thats
the fundamental idea behind bruteforce.

Hope you learnt something new out of this really long
n boring tutorial.Happy hacking!


Just in case the above Crackme code's link is not
working, here it is :

# Aodrulez's Brainfuck Crackme V1
# -------------------------------------------------
# (Its very Easy)
>++++++++++[>++++++++>++++++++++>+++++++++++>++++++
+++++>++++++++++>+++++++++++>+++>++++++>+++><<<<<<<
<<<-]>+++>+>++++>----->--->-->++>-->++><<<<<<<<<<>.
>.>.>.>.>.>.>.>.>,>,>,>,>,>,<[>-<-]#>[>+++>++++++>+
+++>+++>+++++++>+++++++++++>+++++++++++>++++++++++>
+++++++++++>++++++++++>++++++++++++>++++++++++++>++
+++++++++>++++++++++>++++++++++++>+++++++++++>+++++
++++++>+++++++++++>++++++++++++>+++++>+++><<<<<<<<<
<<<<<<<<<<<<<-]>++>-->+>++>--->+>>+++>++++>--->----
>--->-->--->---->----->+>>----->---->++><<<<<<<<<<<
<<<<<<<<<<<>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.

Sunday, August 28, 2011

Brainfuck Pseudo Compiler

Hola!

Being down with fever has its own fun. Was bored wid my mundane stuff
& there was no way i could go out.Thats when i heard about 'Brainfuck'.
Found it interesting & hence ended up writing a Pseudo compiler for it.
Am calling it a pseudo compiler because this will only parse pure
Brainfuck code to equivalent fully working 'c' code & then it uses gcc to
compile it into an executable.It does no syntax checking as of now & expects
the Brainfuck code to be perfect. Tried & tested..the code is fully functional.
It might be vulnerable to buffer overflow attacks here n there..but right
now am too lazy to fix it. :)