Tags: web 

Rating: 5.0

**Category: Web Points: 700**
> crackme! http://95.85.55.168/vmctf.html

## Writeup
**The first step is to deobfuscate the variable names**
Script: `fix_coco.py`
Output: `vmctf2.html`

As you can see in `vmctf2.html`, the code that processes the password is virtualized: it runs as bytecode inside a custom VM.
`GetFlag.var_20_` holds the bytecode.
![](https://gyazo.com/45e3c6d6fa92ff94fc0b703a8bcc4d3b.png)

`var_19_.var_5_()` is the method that fetches one instruction byte.
`var_19_.var_28_()` dispatches the bytecode to the corresponding handler.
![](https://gyazo.com/27b07a44aeee412b8cd98db2f17a414c.png)

Each handler represents an x86 instruction
![](https://gyazo.com/3fca3bcbe6c044de2bb6817e7e6f94d7.png)

**Log the behavior in every handler to obtain a better understanding**
Script: `trace.js`
Output: `runtrace.txt`
Variables and classes are renamed in `trace.js` to make the trace easier to read.
![](https://gyazo.com/962b41e3ee15bbb7ac3b1b098699b980.png)

**Create another script that disassembles the virtualized code from top to bottom without following JMPs**
Script: `disasm.js`
Output: `disasm.txt`
![](https://gyazo.com/621918897c7279cf0abd29f3ec7b9499.png)

Note that to get an accurate disassembly, the constructor of class `Memory` has to be modified to
save the registers and offsets of each operand for later reference.
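The difference between the trace and the top-to-bottom disassembly, as an added example that is not code from the challenge or from `trace.js`/`disasm.js`: the opcode table, register model and bytecode below are hypothetical. A trace only shows the path one input takes, while the linear sweep also decodes the branch that input never reaches.

```javascript
// Hypothetical opcode table (not the challenge's): mnemonic + operand byte count.
const OPS = {
  0x01: { name: "MOV_R_IMM", len: 2 }, // reg, imm8
  0x03: { name: "JMP",       len: 1 }, // absolute target
  0x04: { name: "CMP_R_IMM", len: 2 }, // reg, imm8 -> sets zero flag
  0x05: { name: "JNZ",       len: 1 }, // absolute target
  0xff: { name: "HLT",       len: 0 },
};

// Constructed bytecode: check r0 against 0x4B, set r1 = 1 (ok) or 0 (fail).
const CODE = [
  0x04, 0, 0x4b, //  0: CMP r0, 0x4B
  0x05, 9,       //  3: JNZ 9
  0x01, 1, 1,    //  5: MOV r1, 1
  0xff,          //  8: HLT
  0x01, 1, 0,    //  9: MOV r1, 0
  0xff,          // 12: HLT
];

// Fetch and decode one instruction; unknown bytes become DB so the sweep continues.
function decode(code, pc) {
  const op = OPS[code[pc]];
  if (!op) return { pc, name: "DB", args: [code[pc]], next: pc + 1 };
  const next = pc + 1 + op.len;
  return { pc, name: op.name, args: code.slice(pc + 1, next), next };
}

// Linear sweep: decode every instruction in order, never follow a jump.
function disassemble(code) {
  const out = [];
  for (let pc = 0; pc < code.length; pc = out[out.length - 1].next) out.push(decode(code, pc));
  return out;
}

// Trace: execute with r0 = input and log only the handlers that actually run.
function trace(code, input, maxSteps = 1000) {
  const regs = [input, 0]; let zf = false; const out = [];
  for (let pc = 0, n = 0; pc < code.length && n < maxSteps; n++) {
    const ins = decode(code, pc); out.push(ins); pc = ins.next;
    const [a, b] = ins.args;
    if (ins.name === "MOV_R_IMM") regs[a] = b;
    else if (ins.name === "CMP_R_IMM") zf = regs[a] === b;
    else if (ins.name === "JMP" || (ins.name === "JNZ" && !zf)) pc = a;
    else if (ins.name === "HLT") break;
  }
  return out;
}
```
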

**Rewrite the disassembly to C++**
Output: `decompile.cpp`
![](https://gyazo.com/aa4f8b8e6314ad2efdf3375f3d1c2ad6.png)

As seen in `decompile.cpp`, `func_4C7` computes a hash-like value of the password; if it equals `0x33E5AE40`,
the flag is generated and returned to the user.

Creating an inverse function of `func_4C7` is not feasible.
However, we know from the CTF homepage that the flag starts with `"KLCTF"`, and
we also know that the flag is derived from the password by a simple XOR with a fixed key (`func_0.key`).
Therefore the first 5 characters of the password can be computed by XORing `func_0.key` with `"KLCTF"`.
The 3rd parameter of `func_4C7`, the number of iterations, is 8, which implies the password length.
This leaves 3 unknown characters and 100^3 combinations, which can easily be brute-forced.
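The known-plaintext step and the brute force described above, as an added example that is not the writeup's solver: `KEY` is a constructed stand-in for `func_0.key`, `fnv1a32` is a stand-in for `func_4C7` (which is not reproduced on this page), and the target is computed from a constructed password rather than being `0x33E5AE40`. The alphabet is assumed to be printable ASCII.

```javascript
// Constructed stand-ins: KEY is not func_0.key, fnv1a32 is not func_4C7.
const KEY = [0x02, 0x05, 0x11, 0x1b, 0x0e, 0x13, 0x04, 0x19];
const KNOWN_PREFIX = "KLCTF"; // known start of the flag
const PASSWORD_LEN = 8;       // iteration count passed to the hash

// Stand-in 32-bit hash (FNV-1a) over the first `len` bytes.
function fnv1a32(bytes, len) {
  let h = 0x811c9dc5;
  for (let i = 0; i < len; i++) {
    h ^= bytes[i];
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// flag[i] = password[i] ^ key[i], so password[i] = flag[i] ^ key[i].
function recoverPrefix(known, key) {
  return Array.from(known, (ch, i) => ch.charCodeAt(0) ^ key[i]);
}

// Try every printable-ASCII value for the 3 unknown bytes. A 32-bit check
// value can collide, so every match is returned instead of stopping at the first.
function bruteForce(target, key) {
  const pw = recoverPrefix(KNOWN_PREFIX, key);
  const hits = [];
  for (let a = 0x20; a < 0x7f; a++)
    for (let b = 0x20; b < 0x7f; b++)
      for (let c = 0x20; c < 0x7f; c++) {
        pw[5] = a; pw[6] = b; pw[7] = c;
        if (fnv1a32(pw, PASSWORD_LEN) === target) hits.push(pw.slice());
      }
  return hits;
}

// Constructed round trip: hash a made-up password, then recover it.
function demo() {
  const secret = Array.from("IIROHa1!", (ch) => ch.charCodeAt(0));
  const target = fnv1a32(secret, PASSWORD_LEN);
  return bruteForce(target, KEY).map((pw) => ({
    password: String.fromCharCode(...pw),
    flag: String.fromCharCode(...pw.map((b, i) => b ^ KEY[i])),
  }));
}
```

Any candidate that matches the check value still has to decrypt to a plausible flag, which is how a collision would be told apart from the real password.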

Zubek – Oct. 8, 2017, 7:32 p.m.

Can you make a YouTube video or a detailed explanation for this problem... it's a little bit confusing... I am not understanding...

