Hackvent 2019: Day 16


Challenge

HV19.16 B0rked Calculator

Introduction
Santa has coded a simple project for you, but sadly he removed all the operations.
But when you restore them it will print the flag!

Resources: HV19-Day16-b0rked.zip

Solution

We are presented with an x86 Windows binary file. Upon inspection it looks to be a simple calculator, but unfortunately it's borked!

Hackvent 2019 - Day 16 - b0rked GUI

It supports the following operations: + - * and /.
However, it seems like it either ignores the left or right operand in calculations. In the example above, it ignored the right operand.
We find the following problems:

+ ignores right operand
- ignores left operand
* ignores left operand
/ ignores left operand

We open the binary in IDA Pro and discover that each operation is contained in its own method and is passed two doublewords as arguments:

Hackvent 2019 - Day 16 - IDA decompilation

However, each method was broken in some way:

  • Missing stack variable definitions
  • Not loading arguments into registers
  • Not executing the required ASM instruction to perform the operation (add, sub, mul, div)

Each method was conveniently padded with 0x90 NOP opcodes, which meant we did not have to change the size of the binary. We patch these methods one by one, running the binary again after each correction to check that the operation works.

These were the changes made, where white is the old binary and green is the new binary:

Hackvent 2019 - Day 16 - IDA before and after

IDA Diff:

This difference file was created by IDA

b0rked.exe
0000000000000BBD: 90 03
0000000000000BBE: 90 45
0000000000000BBF: 90 0C
0000000000000BC8: 90 8B
0000000000000BC9: 90 45
0000000000000BCA: 90 08
0000000000000BCB: 8B 2B
0000000000000BCC: 4D 45
0000000000000BD8: 90 8B
0000000000000BD9: 90 45
0000000000000BDA: 90 08
0000000000000BDB: 90 8B
0000000000000BDC: 90 4D
0000000000000BDD: 90 0C
0000000000000BDE: 90 F7
0000000000000BDF: 90 E1
0000000000000BE8: 90 8B
0000000000000BE9: 90 45
0000000000000BEA: 90 08
0000000000000BEB: 90 8B
0000000000000BEC: 90 4D
0000000000000BED: 90 0C
0000000000000BEE: 90 F7
0000000000000BEF: 90 F1
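
A difference file in this format can also be applied outside IDA. The following is an added example, not part of the original write-up: it parses the IDA .dif text and patches a buffer only if every original byte matches, so a wrong or already-patched file is rejected. The function names and the constructed stand-in buffer are assumptions; the five sample entries are copied from the listing above.

```python
import re

# Five entries copied from the IDA diff above:
# file offset, original byte, patched byte.
SAMPLE_DIF = """\
This difference file was created by IDA

b0rked.exe
0000000000000BC8: 90 8B
0000000000000BC9: 90 45
0000000000000BCA: 90 08
0000000000000BCB: 8B 2B
0000000000000BCC: 4D 45
"""

LINE = re.compile(r"^([0-9A-Fa-f]+):\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})$")

def parse_dif(text):
    """Return [(offset, old, new)] from an IDA .dif; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            entries.append(tuple(int(g, 16) for g in m.groups()))
    return entries

def apply_dif(image, entries, revert=False):
    """Patch a copy of image, refusing to write if any expected byte differs."""
    out = bytearray(image)
    for off, old, new in entries:  # first pass: verify, so a failure changes nothing
        expect = new if revert else old
        if off >= len(out):
            raise ValueError(f"offset {off:#x} is past end of file")
        if out[off] != expect:
            raise ValueError(f"{off:#x}: found {out[off]:02X}, expected {expect:02X}")
    for off, old, new in entries:  # second pass: write
        out[off] = old if revert else new
    return bytes(out)

def demo_image():
    """Constructed stand-in for b0rked.exe: NOP filler plus two original bytes."""
    img = bytearray(b"\x90" * 0xC00)
    img[0xBCB:0xBCD] = b"\x8B\x4D"  # pre-patch values the diff lists at BCB, BCC
    return bytes(img)

if __name__ == "__main__":
    patched = apply_dif(demo_image(), parse_dif(SAMPLE_DIF))
    print(patched[0xBC8:0xBCD].hex(" "))
```

Passing revert=True restores the original bytes, which is useful for confirming that a patched copy differs from the distributed file only at the listed offsets.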

Running the binary one more time and clicking on calc showed us our flag on the screen:

Hackvent 2019 - Day 16 - b0rked patched

Flag:

HV19{B0rked_Flag_Calculat0r}
