Sunday, 7 February 2016

CTF Writeup - Sharif University CTF 2016 - SRM (RE 50)


  • Name - SRM
  • Category - Reverse Engineering
  • Points - 50
  • Description - The flag is : The valid serial number
  • Binary - Download here

Yep it's a Windows binary! It's not everyday we encounter a Windows binary in a CTF. Run it:


Looks like a keygen. Inputting garbage in both fields pops up the following message box:


In IDA we notice that the validation logic resides in the DialogFunc() function. The first check is done on the email address.


The functions accept any valid email address so test@test.com will do (for now ?). The error message now is different:


Next is the Serial Number validation. The code is quite simple:
if ( strlen(v11) != 16
  || v11[0] != 67
  || v23 != 88
  || v11[1] != 90
  || v11[1] + v22 != 155
  || v11[2] != 57
  || v11[2] + v21 != 155
  || v11[3] != 100
  || v20 != 55
  || v12 != 109
  || v19 != 71
  || v13 != 113
  || v13 + v18 != 170
  || v14 != 52
  || v17 != 103
  || v15 != 99
  || v16 != 56 )
{
  sub_4030C7(&Text, 256, &v28);
}
else
{
  sub_4030C7(&Text, 256, &v25);
  sub_403121(&Text, 256, v11);
}

The serial number has to be 16 characters long (line 1). The checks are not sequential but they do follow a pattern: 1st, last, 2nd, 2nd to last, 3rd, 3rd to last, etc. At this point either go through it step by step or order the variables: v11[0], v11[1], v11[2], v11[3], v12, v13, .., v23. Converting from decimal to ASCII we get CZ9dmq4c8g9G7bAX. Input the email and serial number:

No comments:

Post a comment