Friday, May 2, 2014

re300 sources

Because you guys found this keygen-me very hard and interesting (thanks!) during the game we've decided to publish the sources of re300 task which was one of the challenges in the teaser organised by us this year. In fact this crack-me is a bit large (if it's not so visible in compiled version you can check the sources) and the main idea behind was to give you some fun in front of disassembler and debugger and enforce you to catch some patterns and recognise structures which were used without decompiling all of the code. In fact, the original one was a stripped mach-o binary that was found to be a bit too challenging ;) and about 24h before the CTF it appeared that it'll be elf64 binary with the symbols included. For win-reversers: I can promise that next time it will be something for you too! And finally here are the sources.

warning: spoilers below!

So in few words: the big trouble here, without questions, was the RE part - but it could by a bit bypassed by setting the right breakpoints and dumping the code. In fact the very good results could be achieved by disassembling only virtual machine instructions and than use some semi-automatic approach and dump the instruction with its arguments when the breakpoint was hit. Having the code (you can find nice emulator here, good work smola) the next step was to understand that it's not reversible (it is a version of a serpent encryption and decryption) and to brute force it. But bruteforcing 48bit hash could be a little bit slow as for 36h CTF, so the great performance boost could be achieved using birthday attack to crack the password and the token both at the same time. For those interested in practical solution: the sources of keygen.