Rating:

# LostKey - Reversing - 350 points

> You know the area around your house at the edge of the world quite well. However, the world is big and its edge is long. To have a look at the other parts of the world's edge, you took one month off and planned a road trip. But you just can't seem to find your car key... Luckily you've left yourself some hints where you might find it, as this is not the first time you forgot where you've put it!
> [Download](./LostKey-c98d722d57033d6463abd405a70d86aa.zip)

Binary is a 32bit ELF. It takes four arguments, then passes each argument to a separate thread in sequence. We first loaded it up in gdb, then used set follow-fork-mode child to ensure threads were debugged too. We set an awatch on the start of the first command line argument in the stack, then ran the program. We got a hit inside the first new thread, at address 0x0804A210. After a bit of study we realized the program executes small code fragments via [ROP](https://en.wikipedia.org/wiki/Return-oriented_programming).

This first sequence of instructions reads the first four characters of argv[1] as an int, XORs with 0x466C7578 and checks if the answer equals 0x210D191E. If true, it reads the next four characters, XORs with 0x78756C46 and checks if the answer equals 0x4B1D383D. If both are true, it copies the argument into a buffer which is printed at the end of the program. Inverting the two XORs gives us the first part of the flag, flag{Th3.

We struggled a lot with trying to get the watchpoint on the second argument to trigger - not sure if it was our setup or gdb itself, but it seemed to lose track of breakpoints/watchpoints once the first thread returned. The solution became to set a breakpoint in the main thread right before thread creation, then only using set follow-fork-mode child and setting break/watchpoints right before we enter the thread we're interested in examining.

The second sequence of instructions iterates over each character in argv[2], doing some bit manipulation then XORing with the next character in the sequence. The final result is then compared with the values set at offset 0x08049ADC in the code. Again, this is easy enough to invert, and gives us our second part of the flag - _key_1s_in_th3_secret_com.

The third sequence seems to just call a hash function - the result from the function was 0b4e7a0e5fe84ad35fb5f95b9ceeac79 for our placeholder argv[3], and a quick Google search says it's the [MD5](https://en.wikipedia.org/wiki/MD5) hash of aaaaaa. The code then checks if the hash equals 7b4d6ff46ac46c3f628acc930d937d81, which gives no Google hits. But our sample hash shows it was only six characters, which is easily bruteforceable. So we pull out [Hashcat](https://hashcat.net/hashcat/), run hashcat64.exe -m 0 -a 3 7b4d6ff46ac46c3f628acc930d937d81 ?a?a?a?a?a?a and get the result p4rtme.

The fourth and final code sequence encrypts argv[4] with [TEA](https://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm) - three blocks, so 24 bytes in total, then compares the result with the values set at 0x08049E03, 0x08049F92 and 0x0804A121. Our first attempts at decrypting these values failed, but then we realize the key used (fetched from 0x080EA39C) is based on whether certain calls to ptrace succeeds and fails - a sneaky anti-debugger trick. With the correct key, we got the final part of the flag nt_of_your_t00l_sh3d...}.

When all pieces are put together, we get the final flag - flag{Th3_key_1s_in_th3_secret_comp4rtment_of_your_t00l_sh3d...}

Original writeup (https://github.com/ymgve/ctf-writeups/tree/master/hacklu2017/rev350-lostkey).