Some time ago I solved the Airplane challenge published by Israeli Shin-Bet (Shabak). The crackme has three levels of increasing difficulty. Each one is a 32 bit Windows application. It was a very pleasant task, not difficult but also not too trivial. In this writeup I will present my solutions.
The story is about saving Shabak’s operative, R. Sanchez, from prison 😀 So, let’s go!
Mirror: [task1], password “Challenge”
When we run the application, it just exits and nothing happens. So, I opened it under a debugger (OllyDbg). I started the analysis from viewing the referenced strings, and I noticed something potentially interesting:
It seems to be some custom file referenced from inside the code. Let’s go to this point of code, and see how it is used:
Indeed, the program searches for this file and checks its attributes. If they match the required ones, some output is printed, which is probably our password.
Now we can solve it in two ways – either create the file with the proper attributes, or influence the execution so that it prints the password no matter what. I have chosen the second way – setting a breakpoint on each condition and, when it is hit, changing the flag in order to emulate the appropriate condition being met.
So, indeed it resulted in printing the password:
Mirror: [task2], password “Challenge”
Contrary to the previous one, Task 2 prompts for a password:
Let’s enter whatever and see what happens:
It dropped a file “GettingSchwifty.bat” and tried to load it. It turned out not to be a valid PE, so an error occurred.
It seems the password that we typed was supposed to decrypt this PE file (the .bat name is just a disguise). Let’s take a look at the dropped file:
As we can see, it has some regular patterns inside, which made me think that it may be XOR encrypted. So, I XORed it with some valid PE file to see if that reveals the password (I used my python script: dexor.py):
./dexor.py --file GettingSchwifty.bat --keyfile Second.exe
When we view the output by a hexeditor, we can see the repeating pattern at the beginning:
This may be our password, so let’s try. I copied this fragment, saved it as a key.bin and then tried dexor again:
./dexor.py --file GettingSchwifty.bat --keyfile key.bin
And hurray, the output is a valid PE file: a DLL named Piper.dll:
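The trick used above – XORing the encrypted file against a known-good PE and reading the key off the repeating pattern – works because nearly every PE shares the same 60-byte MS-DOS header before e_lfanew. Below is an added example (not the dexor.py script from the writeup, and nothing from the challenge is reproduced) that performs the whole known-plaintext recovery: it XORs the ciphertext against a reference PE header, finds the shortest period that explains the resulting byte stream by per-position majority vote (so the few bytes where two PE headers legitimately differ, such as e_lfanew, do not break recovery), decrypts with the recovered key and checks for the MZ/PE magic. The key "SchwiftyKey!" and the fake PE images are constructed for the demonstration.

```python
"""Known-plaintext recovery of a repeating XOR key from an encrypted PE.

Added example, not the writeup's dexor.py. All sample data is constructed:
the key "SchwiftyKey!" and the fake PE images are made up for the demo.
"""
import struct
from collections import Counter
from typing import Optional

# Standard MS-DOS header as emitted by most linkers, up to but excluding
# e_lfanew (offset 0x3c). These 60 bytes are shared by nearly every PE, which
# is why XOR-ing an encrypted PE against any valid PE exposes the key stream.
COMMON_DOS_PREFIX = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00"
    + b"\x00" * 28
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a cyclically repeated key (same operation encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_fake_pe(e_lfanew: int = 0x80, body: bytes = b"\x00" * 0x40) -> bytes:
    """Constructed stand-in for a real PE: DOS header, DOS stub text, PE signature."""
    header = COMMON_DOS_PREFIX + struct.pack("<I", e_lfanew)
    stub = b"This program cannot be run in DOS mode.\r\n$"
    stub = stub.ljust(e_lfanew - len(header), b"\x00")
    return header + stub + b"PE\x00\x00" + body


def recover_key(cipher: bytes, reference: bytes, max_key_len: int = 32,
                agreement: float = 0.9) -> Optional[bytes]:
    """Recover a repeating XOR key from ciphertext and a plaintext reference.

    cipher[i] ^ reference[i] == key[i % len(key)] wherever the hidden plaintext
    and the reference agree. For each candidate period the majority byte of
    every key position is taken; the smallest period whose majority bytes
    explain at least `agreement` of the stream wins. The vote tolerates the
    bytes where two PE headers legitimately differ (e.g. e_lfanew).
    """
    span = min(len(cipher), len(reference))
    stream = bytes(a ^ b for a, b in zip(cipher[:span], reference[:span]))
    # Cap the period so every key position is backed by at least four samples.
    for period in range(1, min(max_key_len, span // 4) + 1):
        key = bytearray()
        matches = 0
        for pos in range(period):
            byte, count = Counter(stream[pos::period]).most_common(1)[0]
            key.append(byte)
            matches += count
        if matches / span >= agreement:
            return bytes(key)
    return None


def looks_like_pe(data: bytes) -> bool:
    """Cheap validity check: 'MZ' magic and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3c)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def demo() -> dict:
    """Round trip on constructed data: encrypt, recover the key, decrypt, validate."""
    secret_key = b"SchwiftyKey!"                 # constructed; not the challenge's key
    hidden_dll = build_fake_pe(e_lfanew=0x80)    # constructed stand-in for the real DLL
    dropped = xor_bytes(hidden_dll, secret_key)  # what the encrypted drop would look like
    reference = build_fake_pe(e_lfanew=0xE8)     # any valid PE with an ordinary DOS header
    key = recover_key(dropped, reference)
    plain = xor_bytes(dropped, key) if key else b""
    return {"key": key, "valid_pe": looks_like_pe(plain), "roundtrip": plain == hidden_dll}


if __name__ == "__main__":
    result = demo()
    print("recovered key:", result["key"])
    print("decrypted blob is a PE:", result["valid_pe"])
```

In practice the reference can be any PE from the same toolchain (the writeup used Second.exe itself); the first 60 bytes are what carry the key, and the majority vote is what keeps a differing e_lfanew or DOS stub from corrupting the recovered bytes.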
Since I already have the DLL, I don’t really care what password decrypted it. I will just run the main executable (Second.exe) under the debugger, set a breakpoint before GettingSchwifty.bat is loaded, and replace it with my version.
When the breakpoint before LoadLibraryA is hit, I delete the dropped GettingSchwifty.bat and copy my decrypted DLL in its place.
It got loaded properly, so now we can enter the function inside the DLL:
But it’s not over yet. One more password is required before we get our flag printed. The application asks a question over a pipe “flumbus_channel”, and we are supposed to answer it:
After a brief analysis I concluded that brute force is not the solution. So, we must approach it some other way. By googling around I found the answer to the asked question: “What is cooler than being cool?”.
The answer is: “Ice cold”! Pretty obvious, isn’t it? 😉 But is it what the application wanted us to say? Let’s pass the input and check. I want a fast solution, so instead of writing a client that will talk over the pipe, I will just edit the buffer in the memory. Let’s set a breakpoint on the call to ReadFile and follow the buffer in dump:
After the ReadFile returned, we can edit this buffer in order to emulate the input being read:
The password is converted to uppercase, then used to decrypt the output buffer. A checksum of the decrypted buffer is calculated and compared with the hardcoded one: 0x55B8B000
It seems the password “ice cold” was the right one, the checksum matches! The output buffer got decrypted, and by following it in the dump we can already see the second flag:
However, displaying it nicely on the screen requires more effort – there are some debug checks that cause the application to exit:
I just patched the conditions above, so that the antidebug measures cannot be taken:
And we get the password printed:
Another level cleared!
That’s how I reached Task 3! This one will be a bit longer, so I am going to describe it in a second writeup.