Tags: web 

Rating: 5.0

**Category: Web Points: 700**
> crackme! http://95.85.55.168/vmctf.html

## Writeup
**The first step is to deobfuscate the variable names**
Script: `fix_coco.py`
Output: `vmctf2.html`

As you can see in `vmctf2.html`, the functionality that processes the password is virtualized: it runs as bytecode inside a custom VM interpreter.
`GetFlag.var_20_` holds the bytecode.
![](https://gyazo.com/45e3c6d6fa92ff94fc0b703a8bcc4d3b.png)

`var_19_.var_5_()` is the method that fetches one instruction byte.
`var_19_.var_28_()` dispatches the fetched byte to the corresponding handler.
![](https://gyazo.com/27b07a44aeee412b8cd98db2f17a414c.png)

Each handler corresponds to one x86 instruction.
![](https://gyazo.com/3fca3bcbe6c044de2bb6817e7e6f94d7.png)

**Log the behavior in every handler to obtain a better understanding**
Script: `trace.js`
Output: `runtrace.txt`
Variables and classes are renamed in trace.js for the sake of visual aid
![](https://gyazo.com/962b41e3ee15bbb7ac3b1b098699b980.png)

**Create another script that disassembles the VM code linearly from top to bottom, i.e. without following JMPs**
Script: `disasm.js`
Output: `disasm.txt`
![](https://gyazo.com/621918897c7279cf0abd29f3ec7b9499.png)

Note that in order to get an accurate disassembly, the constructor of class `Memory` has to be modified to
save the registers and offsets of the operand for later reference.

**Rewrite the disassembly to C++**
Output: `decompile.cpp`
![](https://gyazo.com/aa4f8b8e6314ad2efdf3375f3d1c2ad6.png)

As seen in `decompile.cpp`, `func_4C7` computes a hash-like value of the password; if it equals 0x33E5AE40,
the flag is generated and returned to the user.

Inverting `func_4C7` directly is not feasible.
However, we know from the CTF homepage that the flag starts with `"KLCTF"`, and
we also know that the flag is derived from the password by a simple XOR with a fixed key (`func_0.key`).
Therefore the first 5 characters of the password can be computed by XORing `func_0.key` with `"KLCTF"`.
The 3rd parameter of `func_4C7`, the number of iterations, is 8, which implies the password length.
This leaves 3 unknown characters, about 100^3 combinations, which can easily be brute-forced against the 0x33E5AE40 check.
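The known-prefix-plus-brute-force approach above, as an added example that is not part of the original writeup: the key, the sample password and the hash function are all constructed here, and `hash_stand_in` is a hypothetical placeholder with the same shape as `func_4C7` (password bytes and an iteration count giving a 32-bit value), not the challenge's real function.

```python
import itertools
import string
from typing import Callable, Optional

# Constructed values for this added example. The real key and func_4C7 are not on the
# page; hash_stand_in is a hypothetical placeholder with the same shape as func_4C7
# (password bytes, iteration count -> 32-bit value), not the challenge's function.
FLAG_PREFIX = b"KLCTF"                       # known from the CTF homepage
PASSWORD_LEN = 8                             # the iteration count passed to func_4C7
KEY = bytes([0x3D, 0x21, 0x20, 0x20, 0x20, 0x5A, 0x13, 0x7C])   # constructed key
SAMPLE_PASSWORD = b"vmctf7xZ"                # constructed; its flag starts with KLCTF

def hash_stand_in(pw: bytes, n: int) -> int:
    """Hypothetical stand-in for func_4C7: FNV-1a style mix over the first n bytes."""
    h = 0x811C9DC5
    for b in pw[:n]:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h

TARGET_HASH = hash_stand_in(SAMPLE_PASSWORD, PASSWORD_LEN)   # plays the role of 0x33E5AE40

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def known_prefix(flag_prefix: bytes, key: bytes) -> bytes:
    """flag = password XOR key, so the password prefix is flag_prefix XOR key."""
    return xor_bytes(flag_prefix, key[: len(flag_prefix)])

def recover_password(target: int, key: bytes,
                     hash_fn: Callable[[bytes, int], int] = hash_stand_in) -> Optional[bytes]:
    """Fix the 5 known bytes, then brute-force the remaining 3 over printable ASCII."""
    prefix = known_prefix(FLAG_PREFIX, key)
    remaining = PASSWORD_LEN - len(prefix)
    alphabet = string.printable[:95].encode()   # 95^3 candidates, close to the writeup's 100^3
    for tail in itertools.product(alphabet, repeat=remaining):
        candidate = prefix + bytes(tail)
        if hash_fn(candidate, PASSWORD_LEN) == target:
            return candidate
    return None

def flag_from_password(pw: bytes, key: bytes) -> bytes:
    """The flag is the password XORed with the fixed key (func_0.key in the writeup)."""
    return xor_bytes(pw, key)

if __name__ == "__main__":
    pw = recover_password(TARGET_HASH, KEY)
    print(pw, flag_from_password(pw, KEY) if pw else None)
```

With the real challenge, `hash_stand_in` would be replaced by a port of `func_4C7` and `TARGET_HASH` by 0x33E5AE40; the search structure stays the same.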

Zubek – Oct. 8, 2017, 7:32 p.m.

Can you make a YouTube video or a detailed explanation for this problem? It's a little bit confusing... I am not understanding...