Tags: reversing 

Rating: 5.0

We were given video file bbb.ogg where were hexadecimal numbers burned into first minute of the video. After last number there were also md5 checksum which clearly indicated you must use numbers together.

Each number was displayed every second and lasts there half of it(15fms). I decided to convert video to individual frames so I used

` ffmpeg -i bbb.ogg -vf fps=1 frm%04d.jpg`

What grabs each 30th frame (video had 30fps)

Unfortunately it gaved me error during conversion so I've used other tool to finish that. Once I had those images I manualy rewrite numbers to computer. It was 60 hex bytes in total.

When I disassembled this code I get this:

xor rsi,rsi
push rsi
mov rdi,0x67676f2e626262 #bbb.ogg
push rdi
mov rdi,rsp
mov al,0x2
mov r8,rax
xor rdi,rdi
mov edx,0x5
mov esi,0x74656579 #yeet
xor r9,r9
mov r10b,0x2
mov al,0x9
inc rax
mov ebx,DWORD [rax+0x2]
cmp ebx,esi
jne loop
call rax

To be able to continue I compiled above code to binary. It was clear it uses source video again.

So I run proggie again with bbb.ogg file in same directory and then I got this prompt

`Please enter the 16 byte password (not the flag u dummy)`

After further examination I've found it reads the file, looks for string "yeet" and then jumps to another part of program hidden inside this video.

Unfortunately program itselfs doesn't check password correctness so it won't be that easy to find it right away.

I need to see what second part does so I've diassembled it

jmp short loc_7FC4D1E9F77E
; ---------------------------------------------------------------------------
db 79h ; y
db 65h ; e
db 65h ; e
db 74h ; t
; ---------------------------------------------------------------------------

loc_7FC4D1E9F77E: ; CODE XREF: bbb.ogg:00007FC4D1E9F778↑j
lea rax, unk_7FC4D1E9F8C5
**mov rdi, 796C6C6962706972h #ripbilly**
dec rax

loc_7FC4D1E9F792: ; CODE XREF: bbb.ogg:00007FC4D1E9F79B↓j
inc rax
mov rbx, [rax]
cmp rbx, rdi
jnz short loc_7FC4D1E9F792
add rax, 8
push rax
mov eax, 1
mov edi, 0
lea rsi, aPleaseEnterThe ; "Please enter the 16 byte password (not "...
mov edx, 38h
syscall ; LINUX - sys_write
sub rsp, 10h
mov eax, 0
mov edi, 1
mov rsi, rsp
mov edx, 10h
syscall ; LINUX - sys_read
mov rbp, rsp
sub rsp, 8
mov eax, 16h
mov rdi, rsp
syscall ; LINUX - sys_pipe
mov eax, 39h
syscall ; LINUX - sys_fork
test rax, rax
jnz short loc_7FC4D1E9F846
mov eax, 21h
mov edi, 0
mov edi, [rsp]
mov esi, 0
syscall ; LINUX - sys_dup2
mov rdi, 'b/=LLEHS'
mov rax, rsp

loc_7FC4D1E9F810: ; CODE XREF: bbb.ogg:00007FC4D1E9F819↓j
inc rax
mov rbx, [rax]
cmp rbx, rdi
jnz short loc_7FC4D1E9F810
mov rdx, rsp

loc_7FC4D1E9F81E: ; CODE XREF: bbb.ogg:00007FC4D1E9F827↓j
inc rdx
mov rbx, [rdx]
cmp rbx, rax
jnz short loc_7FC4D1E9F81E
mov eax, 3Bh****
push rdx
lea rdi, aPleaseEnterThe+38h ; "/usr/bin/mpv"
push 0
lea rsi, unk_7FC4D1E9F8C3
push rsi
push rdi
mov rsi, rsp
syscall ; LINUX - sys_execve

loc_7FC4D1E9F846: ; CODE XREF: bbb.ogg:00007FC4D1E9F7ED↑j
mov edi, 0
mov edi, [rsp+4]
add rsp, 8
pop r15
pop r14
mov r12, [rsp]
mov rsi, rsp
mov rsi, [rsp]
xchg rsp, rsi

loc_7FC4D1E9F865: ; CODE XREF: bbb.ogg:00007FC4D1E9F87C↓j
pop r13
xor r13, r15
mov [rsi], r13
xchg r15, r14
mov edx, 8
mov eax, 1
syscall ; LINUX - sys_write
jmp short loc_7FC4D1E9F865

Two things attracted my attention.

mov rdi, 796C6C6962706972h #ripbilly

and "/usr/bin/mpv"

Because word "ripbilly" isnt 16 bytes long it can not be right password. I searched it in file and found it here

00007FC4D23A4760 27 0D 79 1D 33 CE A5 C2 C1 5C 24 44 72 69 70 62 '.y.3Υ ..\$Dripb <--- ripbilly
00007FC4D23A4770 69 6C 6C 79 6A 24 BB C7 68 6E 67 62 72 65 61 74 illyj$...ngbreat
00007FC4D23A4780 31 FE EE 73 32 96 E5 65 2B 9C E6 66 30 96 E0 63 1...............
00007FC4D23A4790 31 FA EB 05 15 03 09 26 EE EF 63 20 F7 E4 63 73 1......&... ....
00007FC4D23A47A0 20 F8 08 73 70 61 64 64 4D F1 B6 73 3F FE 15 2B ..spaddM......+
00007FC4D23A47B0 4F 35 D4 F9 23 CA E0 71 20 C7 01 31 DE E4 84 26 O5..#..q ..1...&
00007FC4D23A47C0 C8 F4 3C D9 F4 77 30 CA 02 3D CB E0 73 46 2C D0 ..<..w0..=..sF,.
00007FC4D23A47D0 FF 2B C4 F6 62 35 A7 03 3A C2 E5 63 AB 28 DA E6 .+..b5..:..c.(..
00007FC4D23A47E0 20 D3 EB 6E 23 DA 0F 37 C5 ED 43 FC B6 89 60 6B ..n#..7..C...`k
00007FC4D23A47F0 73 78 6F 72 70 FB 64 64 69 6E 67 62 72 65 61 6B sxorp.ddingbreak
00007FC4D23A4800 73 78 6F 72 70 61 64 64 69 6E 67 62 72 65 61 6B sxorpaddingbreak

Instantly I saw another interesting string **sxorpaddingbreak **. As it's name says it is xor string used for encryption and because it has 16bytes it was used also as our password

It must be spelled like paddingbreaksxor

Next I googled for mpv which appeared to be Open source media player[ https://mpv.io/] so I've installed it.

On next run another video was played which includes our flag inside of it.

**The flag is WPI{Shoutout2Simpleflips}**

I must say I enjoyed this challenge very much!