# Backdoor CTF Practice Arena: RE Challenges Walktrough

Below are the few reverse engineering category’s challenges that I’ve been solved. It was a pretty easy challenge to solve.

# revfun

Step 1:
Run file command on the binary. Now we know that it’s a ELF 64 bit file.

Step 2:
Use strings command to display all the strings on the binary and we can see there is a suspicious string “dlr0w_s1h7_s1_yz4rC”. If we reverse the char string, it said “crazy_is_this_world”.

Step 3:
Try the password on the binary.

Step 4:
Try on netcat, and it will print our flag.

# debug

Step 1: Run file command on the binary. Now we know that it’s a ELF 32 bit file.

Step 2: Try to run the program, and it’s return nothing.

Step 3: Open the program using IDA Pro. We can see on the left side of the IDA program, there is a bunch of function names. After little bit of exploration on the functions, the functions sub_804849B look interesting to me.

It push a strings Printing flag. So, I think this must be a function that print the flag. So, I rename the function sub_804849B to PrintFlag for easy for me to remember which function does the print flag.

Step 4:
Okay all we need now it’s to patch the program that will jump to the PrintFlag function. First thing we must know, every program will start executing something at _start function. So, go to the _start and we can see it will call _libc_start_main.

Let’s patch the program by change the _libc_start_main function to PrintFlag function.

Click on libc_start_main function => Go to edit => Patch program => Assemble

Change the libc_start_main function to _PrintFlag function. Then click OK. Then close.

Step 5:

Save the patch by go to edit => Patch program => Apply patches to input file.

Step 6: After patched the program, just run the binary and it will print the flag.

# bin-easy

Step 1: Run file command on the binary.

Step 2: Run strings command and we got the sha256 of the flag.

# bin-medium

Step 1:
Run file command on the binary.

Step 2: Try execute the program, and input random passphrase and it return a string.

Step 3: By analyzed the binary on IDA, if the input are wrong it will jump to a function that will print the string Thank you, but you aint getting the flag. I renamed the function to WrongPassword for easy for me to remember the function name.

So, all we need now it’s patch the conditional jump jnz WrongPassword to jz WrongPassword.

Save the patched program.

Step 4: Run the program and enter a random passphrase. Now, it will print the sha256 of the flag.

# hiddenflag–easy

Step 1:
Run file command on the binary first.

Step 2:
Execute the binary and it’s return a string.

Step 3:
Issuing strings command and from there we got the sha256 of the flag.

# hiddenflag-medium

Step 1:
Issue file command on the binary.

Step 2:
Reverse engineering it using gdb debugger by run _gdb ./<filename>. After that, display all the functions of the binary by supply “info functions” in gdb debugger. It will list all the functions.

From the list of functions gdb echoed, we can see there is a function name _print flag . That is interesting.

Step 3:
Now all we need is jump to the function _print flag and the program will print the flag.

So, breakpoint to the entry point function which is _start function. Use b_ for breakpoint and address of the function that we want to break. Here the command: b *0x080483a0

Step 4:
After put a breakpoint, execute the program by type run and enter.

Step 5:
Now it will break to the address that we’ve been break which is 0x080483a0.Now all we need is jump to the function “print flag” and the program will print the flag. Type jump <printflag address> and the program will print the sha256 of the flag.

# 2013-bin-500

Step 1:
Run file command on the binary. The file is PE32 file.

Step 2:
Execute the program and it will ask for the registration key. Try some random key and it will print Invalid key.

Step 3:
I try open it using IDA, but the binary seems like have been obfuscated. To detect what packer have been use, open the file using PEiD software.

It display “Microsoft Visual Basic 5.0”.

Googling some Microsoft Visual Basic 5.0 unpacker. It said

“Your program is not packed, but rather compiled as Visual Basic P-code or Visual Basic native code. If it’s VB native code, you can use your favorite debugger (OllyDbg, IDA, etc.) to debug it, and IDA to disassemble it. If it’s VB P-code, you can use VB Decompiler Pro to disassemble/decompile it.”

So compiled as Visual Basic P-code. To decompile we must use VB Decompiler Pro.

Step 4:
Decompile it using VB Decompiler Pro and read the codes. On line loc_404D2E, we can see if text = &H289BC it will print “Thank you… bla bla.. “.

Step 5:
Copy the string, paste it into the text box and click “Submit” and we got the flag.

# 2013-Bin-200

Step 1:
Execute the program and it will ask for the registration key. Try some random key and it will print “Invalid key.”

Step 2:
I try open it using IDA, but the binary seems like have been obfuscated. Open the file using PEiD software.

So, it was compiled as Visual Basic P-code. To decompile we must use VB Decompiler Pro.

Step 3:
Decompile it using VB Decompiler Pro and read the codes. On line loc_404197, we can see if text = “N3f…N3f” it will print “Thank you… bla bla.. “.

Step 5:
Copy the string, paste it into the text box and click “Submit” and we got the flag.

# 2013-Bin-100

Step 1:
Run file command. It’s an ELF 64-bit.

Step 2:
Because it’s a 64-bit binary, open it using IDA 64-bit. After some exploration into the functions, I saw a string “Is The Password. Good job!” being move into esi register. But, before it being move, the program will call a function _Z4passi.

Step 3:
Double click on the function _Z4passi and I saw a lot of mov instruction into the register [rbp+var_xx]. It’s look like a set of char that being move into the rbp(s).

Step 4:
Click on the hexa value, press “R” and it will automatically convert into ascii character. Do it to all values, and we got the secret string!

The flag is Aleph-One

# 2013-Bin-50

Step 1:
Execute the file with some random password, and it’s return a string “Nothing to see here.”

Step 2:
After some exploration into the functions, I saw a lot of mov instruction into the register[rbp+var_xx]. It’s look like a set of characters that being move into the rbps. Click on the hexa value, press “R” and it will automatically convert into ascii character. Do it to all values, and we got the password!

Step 3:
Try the password, and it will print our sha-256 flag.