Problem:
RrEeGgEeXx (rev, 75 points)

"State-of-the-art on authentication mechanisms."

Attachment
rev75_79816641bfd11577.zip

Solution:
This reversing problem was quite challenging. If we take a look at it in IDA, we see a bunch of regex checks. If a check fails, execution branches to loc_AD, which prints the error message "IMPOSTOR".



By searching the program we see that there's no flag to be printed via file or otherwise, so the string that passes all these checks is more than likely our flag. One thing we can do is re-implement the checks in a higher-level language to see exactly which check we fail, if any. As we can see from how detailed our binary is, this is C# .NET. So I started a new console application in Visual Studio and used the following code:

using System;
using System.Text.RegularExpressions;

class Program
{
    // Returns true if the pattern matches anywhere in the input (Regex.Match is unanchored)
    private static bool checkRegex(string regex, string input){
        Regex r = new Regex(regex, RegexOptions.None);
        Match match = r.Match(input);
        return match.Success;
    }

    static void Main(string[] args){
        for (; ; )
        {
            System.Console.Write("Password: ");
            string inPswd = System.Console.ReadLine();

            // ReadLine returns null at end of input; stop instead of passing null to Regex.Match
            if (inPswd == null || inPswd == "q")
                break;

            // Check each regex rule, print if failure
            if (!checkRegex("^.{40}$", inPswd))
                System.Console.WriteLine("Failed at check A");
            if (!checkRegex("\\w{3}\\{.*\\}", inPswd))
                System.Console.WriteLine("Failed at check B");
            if (!checkRegex("_s.*e_", inPswd))
                System.Console.WriteLine("Failed at check C");
            if (!checkRegex("\\{o{2}O{2}o{2}", inPswd))
                System.Console.WriteLine("Failed at check D");
            if (!checkRegex("O{2}o{2}O{2}\\}", inPswd))
                System.Console.WriteLine("Failed at check E");
            if (!checkRegex("sup3r_r3g3x_challenge", inPswd))
                System.Console.WriteLine("Failed at check F");

            // Finish
            System.Console.WriteLine("Finished! Enter 'q' in next prompt to quit");
        }
    }
}

I then just decided to try and match all the regex expressions. We know we must use exactly 40 characters, no more and no less. Our string must include "{ooOOoo", "OOooOO}", and "sup3r_r3g3x_challenge"; there must be an "_s" followed, after any string in between, by an "e_"; and three word characters (\w{3}) come before our first bracket. Well, we know a flag follows the EKO{} format, so we can start with that. We then know "ooOOoo" must follow the opening brace, and by throwing in "_sup3r_r3g3x_challenge_", we satisfy both the need for "sup3r_r3g3x_challenge" and the "_s.*e_" regex pattern. Then finally we need "OOooOO}".

Putting this together, we get our flag that's exactly 40 characters. We can test that it's right by running it through our program that we created from the lower-level byte code, and it passes all the checks.

Flag: EKO{ooOOoo_sup3r_r3g3x_challenge_OOooOO}
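The same six checks as an added Python example (not part of the original writeup): it reports which patterns a candidate fails, tallies the piece lengths against the 40-character limit, and shows that check B accepts any three word characters, so the EKO prefix comes from the flag format and not from the binary. The function names and the near-miss inputs are constructed for illustration.

```python
import re

# The six patterns from the C# harness above, with the same labels.
CHECKS = [
    ("A", r"^.{40}$"),
    ("B", r"\w{3}\{.*\}"),
    ("C", r"_s.*e_"),
    ("D", r"\{o{2}O{2}o{2}"),
    ("E", r"O{2}o{2}O{2}\}"),
    ("F", r"sup3r_r3g3x_challenge"),
]


def failed_checks(candidate):
    """Labels of the checks the candidate fails.

    re.search is unanchored, like Regex.Match in the C# code, so only
    check A (which carries ^ and $) constrains the whole string.
    """
    return [label for label, pat in CHECKS if not re.search(pat, candidate)]


def assemble(prefix="EKO"):
    """Join the required pieces in order; return the string and piece lengths."""
    pieces = [prefix, "{ooOOoo", "_sup3r_r3g3x_challenge_", "OOooOO}"]
    return "".join(pieces), [len(p) for p in pieces]


if __name__ == "__main__":
    flag, lengths = assemble()
    print(flag, lengths, "total:", sum(lengths))

    # Constructed inputs (not from the writeup), each changing one requirement.
    samples = [
        flag,
        assemble("abc")[0],                       # different \w{3} prefix
        flag.replace("_sup3r", "-sup3r"),         # no "_s" left in the string
        flag.replace("challenge_", "challenge"),  # 39 chars and no "e_"
    ]
    for s in samples:
        print(f"{s!r:45} failed: {failed_checks(s) or 'none'}")
```
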

Original writeup (http://specterdev.blogspot.ca/2016/10/write-up-ekoparty-2016-ctf-reverse.html).