|
| 1 | +[](ctf=tum-ctf-teaser-2015) |
| 2 | +[](type=rev) |
| 3 | +[](tags=xtea) |
| 4 | +[](tool=pwntools) |
| 5 | + |
| 6 | +# whitebox crypto (rev 20) |
| 7 | + |
| 8 | +So we have an [executable](../xtea) |
| 9 | + |
| 10 | +Problem statement |
| 11 | +``` |
| 12 | +Do not panic, it's only XTEA! I wonder what the key was... |
| 13 | +``` |
| 14 | + |
| 15 | +Little bit of google we get this piece of code from [Wikipedia](https://en.wikipedia.org/wiki/XTEA) |
| 16 | +```c |
| 17 | +void encipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]) { |
| 18 | + unsigned int i; |
| 19 | + uint32_t v0=v[0], v1=v[1], sum=0, delta=0x9E3779B9; |
| 20 | + for (i=0; i < num_rounds; i++) { |
| 21 | + v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]); |
| 22 | + sum += delta; |
| 23 | + v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum>>11) & 3]); |
| 24 | + } |
| 25 | + v[0]=v0; v[1]=v1; |
| 26 | +} |
| 27 | +``` |
| 28 | +Given file |
| 29 | +```bash |
| 30 | +$ file ./xtea |
| 31 | +./xtea: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=331f96cc8eefbf07d5752cf9e8cf4facb32ba8ff, not stripped |
| 32 | +``` |
| 33 | + |
| 34 | +A little bit of analysis shows we have to give something as argv[1] of length 16 as input |
| 35 | + |
| 36 | +```bash |
| 37 | +$ ./xtea AAAAAAAAAAAAAAAA |
| 38 | +4a584fe6 116e650b |
| 39 | +``` |
| 40 | + |
| 41 | +It returns the input "encrypted". We have to find the key. |
| 42 | +The code from Wikipedia says key[4] would be having 4 blocks of length 4. So the key is of length 16. |
| 43 | +sum=0 at the start of the process and it cumulatively adds delta to it which is added to key[i] in some fashion. |
| 44 | +We see an encipher function in the file. |
| 45 | + |
| 46 | +```objdump |
| 47 | +gdb-peda$ pdisass encipher |
| 48 | +Dump of assembler code for function encipher: |
| 49 | + 0x00000000004005a0 <+0>: mov ecx,DWORD PTR [rdi+0x4] |
| 50 | + 0x00000000004005a3 <+3>: push r12 |
| 51 | + 0x00000000004005a5 <+5>: push rbp |
| 52 | + 0x00000000004005a6 <+6>: push rbx |
| 53 | + 0x00000000004005a7 <+7>: mov edx,ecx |
| 54 | + 0x00000000004005a9 <+9>: mov eax,ecx |
| 55 | + 0x00000000004005ab <+11>: shr edx,0x5 |
| 56 | + 0x00000000004005ae <+14>: shl eax,0x4 |
| 57 | + 0x00000000004005b1 <+17>: xor eax,edx |
| 58 | + 0x00000000004005b3 <+19>: add eax,ecx |
| 59 | + 0x00000000004005b5 <+21>: xor eax,0x7b707868 |
| 60 | + 0x00000000004005ba <+26>: add eax,DWORD PTR [rdi] |
| 61 | + 0x00000000004005bc <+28>: mov r10d,eax |
| 62 | + 0x00000000004005bf <+31>: mov edx,eax |
| 63 | + 0x00000000004005c1 <+33>: shl eax,0x4 |
| 64 | + 0x00000000004005c4 <+36>: shr r10d,0x5 |
| 65 | + 0x00000000004005c8 <+40>: xor r10d,eax |
| 66 | + 0x00000000004005cb <+43>: add r10d,edx |
| 67 | + 0x00000000004005ce <+46>: xor r10d,0x1b58ea2e |
| 68 | + 0x00000000004005d5 <+53>: lea r11d,[r10+rcx*1] |
| 69 | + 0x00000000004005d9 <+57>: mov r9d,r11d |
| 70 | + 0x00000000004005dc <+60>: mov eax,r11d |
| 71 | + 0x00000000004005df <+63>: shl eax,0x4 |
| 72 | + 0x00000000004005e2 <+66>: shr r9d,0x5 |
| 73 | + 0x00000000004005e6 <+70>: xor r9d,eax |
| 74 | + 0x00000000004005e9 <+73>: add r9d,r11d |
| 75 | + 0x00000000004005ec <+76>: xor r9d,0xba9ae30 |
| 76 | + 0x00000000004005f3 <+83>: lea eax,[r9+rdx*1] |
| 77 | + 0x00000000004005f7 <+87>: mov r12d,eax |
| 78 | + 0x00000000004005fa <+90>: mov edx,eax |
| 79 | + 0x00000000004005fc <+92>: shl edx,0x4 |
| 80 | + 0x00000000004005ff <+95>: shr r12d,0x5 |
| 81 | + 0x0000000000400603 <+99>: xor r12d,edx |
| 82 | + 0x0000000000400606 <+102>: add r12d,eax |
| 83 | + 0x0000000000400609 <+105>: xor r12d,0x9bd661db |
| 84 | + 0x0000000000400610 <+112>: lea r10d,[r12+r11*1] |
| 85 | + 0x0000000000400614 <+116>: mov r8d,r10d |
| 86 | + 0x0000000000400617 <+119>: mov edx,r10d |
| 87 | + 0x000000000040061a <+122>: shl edx,0x4 |
| 88 | + 0x000000000040061d <+125>: shr r8d,0x5 |
| 89 | + 0x0000000000400621 <+129>: xor r8d,edx |
| 90 | + 0x0000000000400624 <+132>: add r8d,r10d |
| 91 | + 0x0000000000400627 <+135>: xor r8d,0x9bd661db |
| 92 | + 0x000000000040062e <+142>: lea r9d,[r8+rax*1] |
| 93 | + 0x0000000000400632 <+146>: mov ebp,r9d |
| 94 | + 0x0000000000400635 <+149>: mov eax,r9d |
| 95 | + 0x0000000000400638 <+152>: shl eax,0x4 |
| 96 | + 0x000000000040063b <+155>: shr ebp,0x5 |
| 97 | + 0x000000000040063e <+158>: xor ebp,eax |
| 98 | + 0x0000000000400640 <+160>: add ebp,r9d |
| 99 | + 0x0000000000400643 <+163>: xor ebp,0x4818a1a2 |
| 100 | + 0x0000000000400649 <+169>: lea r12d,[rbp+r10*1+0x0] |
| 101 | + . |
| 102 | + . |
| 103 | + . |
| 104 | +
|
| 105 | +``` |
| 106 | +Looking at it we can say the key is hardcoded here. |
| 107 | +So we start with sum=0 and keep it increasing by delta .The hardcoded values in hex are (sum + key[sum & 3]) and (sum + key[(sum>>11) & 3]) |
| 108 | +Little bit of unpacking to do. |
| 109 | + |
| 110 | +```python |
| 111 | +>>> from pwn import * |
| 112 | +>>> p32(0x7b707868) |
| 113 | +'hxp{' |
| 114 | +>>> delta=0x9e3779b9 |
| 115 | +>>> p32((0x1b58ea2e-delta)&0xffffffff) |
| 116 | +'up!}' |
| 117 | +>>> p32((0xba9ae30-delta)&0xffffffff) |
| 118 | +'w4rm' |
| 119 | +>>> p32((0x9bd661db-delta*2)&0xffffffff) |
| 120 | +'ing_' |
| 121 | +``` |
| 122 | + |
| 123 | +gives us flag |
| 124 | +>hxp{w4rming_up!} |
| 125 | +
|
0 commit comments