Friday, January 26, 2024

inBINcible Writeup - Golang Binary Reversing

This file is an 32bits elf binary, compiled from go language (i guess ... coded by @nibble_ds ;)
The binary has some debugging symbols, which is very helpful to locate the functions and api calls.

GO source functions:
-  main.main
-  main.function.001

If the binary is executed with no params, it prints "Nope!", the bad guy message.

~/ncn$ ./inbincible 
Nope!

Decompiling the main.main function I saw two things:

1. The Argument validation: Only one 16 bytes long argument is needed, otherwise the execution is finished.

2. The key IF, the decision to dexor and print byte by byte the "Nope!" string OR dexor and print "Yeah!"


The incoming channel will determine the final message.


Dexor and print each byte of the "Nope!" message.


This IF, checks 16 times if the go channel reception value is 0x01, in this case the app show the "Yeah!" message.

Go channels are a kind of thread-safe queue, a channel_send is like a push, and channel_receive is like a pop.

If we fake this IF the 16 times, we got the "Yeah!" message:

(gdb) b *0x8049118
(gdb) commands
>set {char *}0xf7edeef3 = 0x01
>c
>end

(gdb) r 1234567890123456
tarting program: /home/sha0/ncn/inbincible 1234567890123456
...
Yeah!


Ok, but the problem is not in main.main, is main.function.001 who must sent the 0x01 via channel.
This function xors byte by byte the input "1234567890123456" with a byte array xor key, and is compared with another byte array.

=> 0x8049456:       xor    %ebp,%ecx
This xor,  encode the argument with a key byte by byte

 The xor key can be dumped from memory but I prefer to use this macro:

(gdb) b *0x8049456
(gdb) commands
>i r  ecx
>c
>end
(gdb) c

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x12 18

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x45 69

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x33 51

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x87 135

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x65 101

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x12 18

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x45 69

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x33 51

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x87 135

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x65 101

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x12 18

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x45 69

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x33 51

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x87 135

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x65 101

 Breakpoint 2, 0x08049456 in main.func ()
ecx            0x12 18

The result of the xor will compared with another array byte,  each byte matched, a 0x01 will be sent.

The cmp of the xored argument byte,
will determine if the channel send 0 or 1


(gdb) b *0x0804946a
(gdb) commands
>i r al
>c
>end

At this point we have the byte array used to xor the argument, and the byte array to be compared with, if we provide an input that xored with the first byte array gets the second byte array, the code will send 0x01 by the channel the 16 times.


Now web have:

xorKey=[0x12,0x45,0x33,0x87,0x65,0x12,0x45,0x33,0x87,0x65,0x12,0x45,0x33,0x87,0x65,0x12]

mustGive=[0x55,0x75,0x44,0xb6,0x0b,0x33,0x06,0x03,0xe9,0x02,0x60,0x71,0x47,0xb2,0x44,0x33]


Xor is reversible, then we can get the input needed to dexor to the expected values in order to send 0x1 bytes through the go channel.

>>> x=''
>>> for i in range(len(xorKey)):
...     x+= chr(xorKey[i] ^ mustGive[i])
... 
>>> print x

 G0w1n!C0ngr4t5!!


And that's the key :) let's try it:

~/ncn$ ./inbincible 'G0w1n!C0ngr4t5!!'
Yeah!

Got it!! thanx @nibble_ds for this funny crackme, programmed in the great go language. I'm also a golang lover.


Related posts
  1. Hacking Tools 2019
  2. Tools 4 Hack
  3. Pentest Tools Linux
  4. Blackhat Hacker Tools
  5. Hacker Tools For Pc
  6. Hacker Techniques Tools And Incident Handling
  7. Beginner Hacker Tools
  8. Beginner Hacker Tools
  9. Pentest Tools For Android
  10. Pentest Tools Online
  11. Hacking Tools For Games
  12. Computer Hacker
  13. Hack Tools For Windows
  14. Hack Tools 2019
  15. Pentest Tools Bluekeep
  16. Pentest Tools Apk
  17. Hack Tools For Pc
  18. Hacker Tools Online
  19. Hacking Tools For Kali Linux
  20. Install Pentest Tools Ubuntu
  21. Blackhat Hacker Tools
  22. Hacking Tools For Games
  23. Hacking Tools For Games
  24. Hack Tools For Ubuntu
  25. Pentest Tools Free
  26. Pentest Tools Subdomain
  27. Hacking Tools 2020
  28. Black Hat Hacker Tools
  29. Hacker Tools
  30. Hacker Tools List
  31. Pentest Tools Website Vulnerability
  32. Hacker Tools Hardware
  33. Pentest Tools
  34. Hacker
  35. Hack Tools For Pc
  36. Hack Tool Apk
  37. Hack Tools For Ubuntu
  38. Hackers Toolbox
  39. Best Pentesting Tools 2018
  40. Pentest Tools Review
  41. Hacker Tools Free Download
  42. Hacker Tools 2019
  43. Hack Apps
  44. Hacker Tools List
  45. Hacker Tools Linux
  46. Pentest Tools Kali Linux
  47. Hacking Tools For Games
  48. Pentest Automation Tools
  49. Underground Hacker Sites
  50. Hacker Search Tools
  51. How To Hack
  52. Hack Tools Online
  53. Pentest Tools Alternative
  54. Android Hack Tools Github
  55. Free Pentest Tools For Windows
  56. Pentest Tools
  57. Hacker Tools For Windows
  58. Hacking Tools Windows 10
  59. Hacking App
  60. Hack Tools Pc
  61. Hacker Tools For Windows
  62. Hack Tools For Ubuntu
  63. Hack Tool Apk
  64. Hacker Tools Linux
  65. Pentest Tools Kali Linux
  66. Hacker Tools 2020
  67. Underground Hacker Sites
  68. Hackrf Tools
  69. How To Hack
  70. Pentest Tools Apk
  71. Pentest Tools Online
  72. Pentest Tools Subdomain
  73. Hacker Techniques Tools And Incident Handling
  74. Hack Tools For Pc
  75. How To Hack
  76. Ethical Hacker Tools
  77. Pentest Tools For Ubuntu
  78. Tools 4 Hack
  79. Pentest Tools For Mac
  80. Hacking Tools Online
  81. Pentest Tools For Android
  82. Termux Hacking Tools 2019
  83. Pentest Tools Download
  84. Hacking Tools For Pc
  85. Best Hacking Tools 2020
  86. What Are Hacking Tools
  87. Hack Website Online Tool
  88. New Hack Tools
  89. Hacker Hardware Tools
  90. Nsa Hack Tools Download
  91. Hacking Tools 2019
  92. How To Install Pentest Tools In Ubuntu
  93. Pentest Tools Framework
  94. Hacking Apps
  95. How To Hack
  96. Pentest Tools Open Source
  97. Pentest Tools Subdomain
  98. Pentest Tools List
  99. Top Pentest Tools
  100. Hack And Tools
  101. Hack Tools For Ubuntu
  102. Hacker Security Tools
  103. Pentest Tools Find Subdomains
  104. Pentest Tools Linux
  105. Github Hacking Tools
  106. Pentest Recon Tools
  107. Hack Tools Online
  108. Hacker Hardware Tools
  109. How To Install Pentest Tools In Ubuntu
  110. Hacking Tools Mac
  111. Hack Tools Download
  112. Hacking Tools For Windows Free Download
  113. Free Pentest Tools For Windows
  114. Hacker Tools Windows
  115. Hacking Tools Usb
  116. Hacker Tools For Mac
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)