Forem: Gealber Morales

EVM Reverse Engineering Challenge 0x03

Gealber Morales — Fri, 05 Jul 2024 14:17:06 +0000

Here I am, this time with the fourth challenge. This one it's a bit more interesting. Let me know if you found it interesting as well. As always here is the address of the smart contract. Feel free to get that USDT!!

0x48f1F0095a91Ed8d3b788AB4c8998640cb5d4463

Hint: Can I call myself?

EVM Reverse Engineering Challenge 0x02

Gealber Morales — Tue, 02 Jul 2024 16:34:19 +0000

The third challenge it's here. I'll keep it simple like the other ones, but in order to help you out a bit I will always give you super useful hint like in this case. Also I'll suggest you to make the challenges in order because you will possible need to use previous challenges exploits. Here is the address of the contract, remember always to simulate before actually making the transaction. For that you can use Tenderly, or Temper. No more description, exploit this contract and get 1 USDT!!

0xd436932352dECf38720b04Ef172F7FafdEe7Ab6F

Hint: I was born in a cross-fire hurricane...

EVM Reverse Engineering Challenge 0x01

Gealber Morales — Sun, 30 Jun 2024 20:29:11 +0000

The idea on this one is quite similar as the previous one, just with slight variation. The contract address for this challenge is this:

0xA0BEC25Cd1d2b22aa428AbEf23F899506acf9Fff

Hint: How much would be 0 - 1 = ?

EVM Reverse Engineering Challenge 0x00

Gealber Morales — Wed, 26 Jun 2024 16:43:31 +0000

It's been a while since I don't blog, so I think it's time. I've been writing an Sandwich bot, mostly in the night after work, that according to my forecast it will take me my whole life :). In case you don't know what is a sandwich bot let me tell you is not a robot that makes sandwich, that would be awesome. Just google MEV sandwich Ethereum, that should give you a good start. Thanks to this I've learned more and more about EVM(Ethereum Virtual Machine) in general, learning how to optimize a contract to spend less and less gas. This post is not about MEV or explaining what it is, there's a lot of information about it online. Instead, is more to start doing something similar to Reverse Engineering challenges by Dennis Yurichev, but focus on EVM instead of traditional reverse engineering.

This blog will be the first of a series of blog, that I'll try to keep up, if laziness or another millionaire idea, like a sandwich bot, doesn't distract me. The format of the challenges will be quite simple, I'll share with you one contract addresses in the Ethereum Mainnet or TON Mainnet(not sure about this yet), the contract will have 1 USDT, your goal will be to exploit this contract and get the 1 USDT for you. Given that I'm far from being rich, I'll limit the number of challenges to 100, I hope I'll have enough material for it. After someone exploits the contract, the 1 USDT won't be in the contract removing the "incentive" for someone else to exploit the contract again. I know 1 USDT is not such a big incentive neither. Is better to be the first, you'll get a whole 1 USDT, WAOOO.

The challenges will be from easier to harder, I'll try by all means to keep it in that way, but given that I'll be also learning with this I cannot assure you that. In order to exploit this contracts is recommended that you firstly simulate your transaction, in Ethereum that can be done quite precise with Tenderly, temper, in TON I really don't know of a good tool for that. Nevertheless this first challenge is on Ethereum. Please simulate before submitting a transaction, don't spend gas for nothing.

Enough talk, show me the stuff I want my 1 USDT!!! I'm sure this what you are thinking at the moment, you want to crack this shit and get the 1 USDT to show off with your friends. Don't worry my friend, here is the contrat address:

0xC3fA91C26307EA9c59334c55e23d8bf19f555Ea8

Feel free to exploit it, and earn that 1 USDT.

HINT: 2 + 2 = ?

PS: possible the txn will cost you more than 1 USDT, because well is Ethereum...

Challenge #31

Gealber Morales — Sun, 08 Oct 2023 21:51:59 +0000

This challenge can be an easy one if you start with the Optimizing MSVC 2012 x64
assembly code example, instead of the Optimizing MSVC 2010 x86. The problem with the Optimizing MSVC 2010 x86 example, is the use of FPU Register Stack which makes kinds of hard to follow the logic. If you want to know more about floating points, I highly recommend you read the chapter from Reverse Engineering for Beginners, from the same author of the challenge. At the end of the articles, I'll link other sources as well. As always the code can be found in the original website.

In case you are kind of lost and don't have an idea of what to consult to learn more about floating points, take a look at the Bibliography.

Analysis

The code we need to analyze has three float constants, 1.0, 0.001, and 0.5. These constants are defined in the following lines

__real@3fe0000000000000 DQ 03fe0000000000000r ;; 0.5
__real@3f50624dd2f1a9fc DQ 03f50624dd2f1a9fcr ;; 0.001
__real@3ff0000000000000 DQ 03ff0000000000000r ;; 1.0

Apart from this, the logic is straightforward, and not too complicated. Here's the code in C language:

double f(double a)
{
    double cur = 1.0;
    while (cur*cur - a <= 0.001) {
        cur = (a / cur + cur) * 0.5; // same as dividing by 2
    }

    return cur;
}

Printing the result of calling this function, you can notice that we will receive basically a / 2 + 0.5.

Bibliography

Also, the author of the challenge recommends getting familiar with the Forth Programming Language, it is not to get a super pro on this programming language, it's just to get familiar with the way of programming with a stack-based approach. This language plays also an inspiration in the Fift Programming Language of the TON Blockchain.

Books recommendations

Gealber Morales — Wed, 04 Oct 2023 21:48:30 +0000

Here is a short list of books I've read, and still remember. I've read many more, but these are the ones that I wouldn't bother reading again or that I recommend reading.

Technical books

The Practice of programming, by Brian W. Kernighan and Rob Pike.
Introduction to Algorithms, third edition, by Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest and Clifford Stein. This book is one that you always go back always when you have to implement an algorithm, really useful book. I've read the majority of it.
The Go Programming Language, by Alan A. Donovan and Brian W. Kernighan. I think this is one of the best books I've ever read about a programming language, with practical examples from the beginning to the end.
Learn C the hard way, by Zed Shaw. This guy managed to teach C in an entertaining way.
64-bit assembly programming for Linux: The easy guide to get started, by Mark B. This book is not such a great book, but what I wanted was perfect. This is a book you can read, in one weekend, to learn the basics of Assembly through examples. For a more deep understanding, there are way better options.
Python Tricks: A Buffet of Awesome Python Features, by Dan Bader. Oh, I loved this book. The author has a natural skill to keep you reading with small, but quite instructive recipes about Python.
Reversing: Secrets of Reverse Engineering, by Eldad Eilam. I read this one quite recently, and I've been coming back to it every time I want to consult something about Reverse Engineering.
Reverse Engineering for Beginners, by Denis Dennis Yurichev. Haven't read it completely, but a great part of it. I like the approach the author took to teach you about this subject, has a lot a lot of examples.
Practical SQL A Beginner’s Guide to Storytelling with Data, by Anthony DeBarros. Another book that I loved, it doesn't make you lose time you start writing SQL queries from the beginning.
Automate the boring stuffs with Python, by Al Sweigart. One of the first books I read, and still one of my favorites. For a beginner, this book is absolute treasure.
Recreational Mathematics, by Yakov Perelman. This is the first book about math that I read.

Nontechnical books

Atlas Shrugged, by Ayn Rand. By far the best book I've ever read.
Ghost In The Wires: My Adventures as the World's Most Wanted Hacker, by Kevin Mitnick. Interesting story.
Crime and Pubishment, by Fyodor Dostoevsky.
The Black Swan: Second Edition: The Impact of the Highly Improbable: With a new section: "On Robustness and Fragility": 2, by Nassim Taleb. This book should be a must to read for all guys making statistics. In this case, I didn't read it but listened to the audiobook.
Ada or ardor, by Vladimir Nabokob. Way better book than Lolita, in my opinion. Is not about the same theme. This author wrote so well, but so good, I haven't found an author that writes like this man.
1984, by George Orwell. This book doesn't need an introduction, this guy was describing Cuba...in the present and the past 64 years.
The Fountainhead, by Ayn Rand. This is the book that more times I've read in my life, more than 3 or 4. Especially during college. This book gives me fuel. It's just awesome!
"Surely You're Joking, Mr. Feynman!": Adventures of a Curious Character, by Richard P. Feynman. One of the few books I've enjoyed most.

Whishlist

Here is a short list of books I plan to read in the future.

Technical books

Applied Cryptography: Protocols, Algorithms, and Source Code in C, by Bruce Schneier. As soon as I finish my one month of learning the basics of Reverse engineering, I'll jump to this book. This is a subject that I've always been interested in. As always I'll take a practical approach.

Nontechnical

Atomic Habits, by James Clear. I've heard good things about this book.

Challenge RE #30

Gealber Morales — Wed, 04 Oct 2023 09:45:52 +0000

I'll jump to challenge #30, the #29 is an obfuscated one, and I'll need more time to work on that. The #30 is a simple one and is in the format of finding the password. For the disassembly of this program I'll use Ida, from the one I've tried is honestly the more user-friendly.

Analysis

Let's analyze the main thread only, here is the code associated with it

; int __cdecl main(int, char **, char **)
main            proc near               ; DATA XREF: start+17↑o
; __unwind {
                push    ebp
                mov     ebp, esp
                and     esp, 0FFFFFFF0h
                sub     esp, 0A0h
                mov     eax, large gs:14h
                mov     [esp+9Ch], eax
                xor     eax, eax
                mov     dword ptr [esp], offset aEnterPassword ; "enter password:" 1st argument, only one argument it's required
                call    _puts

                lea     eax, [esp+1Ch]
                mov     [esp+4], eax
                mov     dword ptr [esp], offset aS ; "%s"
                call    ___isoc99_scanf

                cmp     eax, 1 ;; number of items successfully matched
                jz      short loc_8048539

                mov     dword ptr [esp], offset aNoPasswordSupp ; "no password supplied"
                call    _puts

loc_8048539:                            ; CODE XREF: main+3E↑j
                mov     dword ptr [esp+4], offset aMetallica ; "metallica"
                lea     eax, [esp+1Ch]
                mov     [esp], eax
                call    _strcmp

                test    eax, eax
                jnz     short loc_804855F ;; INCORRECT PASSWORD PRINT IT

                mov     dword ptr [esp], offset aPasswordIsCorr ; "password is correct"
                call    _puts
                jmp     short loc_804856B
; ---------------------------------------------------------------------------

loc_804855F:                            ; CODE XREF: main+62↑j
                mov     dword ptr [esp], offset aPasswordIsNotC ; "password is not correct"
                call    _puts

loc_804856B:                            ; CODE XREF: main+70↑j
                mov     edx, [esp+9Ch]
                xor     edx, large gs:14h
                jz      short locret_8048580
                call    ___stack_chk_fail

locret_8048580:                         ; CODE XREF: main+8C↑j
                leave
                retn
; } // starts at 80484ED
main            endp

In this code we have first a call to puts printing the text enter password:, we know that is this text thanks to Ida. What follows after that it's a call to scanf, for waiting for the input of the password. Nothing too hard here, so we need to look for the part of the code that validate this password. Right after the call to scanf we have the following code

                lea     eax, [esp+1Ch]
                mov     [esp+4], eax
                mov     dword ptr [esp], offset aS ; "%s"
                call    ___isoc99_scanf

                cmp     eax, 1 ;; number of items successfully matched
                jz      short loc_8048539

After the call to scanf we check if the user supplied something, in positive case we jump to loc_8048539, that is where our validation it's present. Let's see how this password it's validated.

loc_8048539:                            ; CODE XREF: main+3E↑j
                mov     dword ptr [esp+4], offset aMetallica ; "metallica"
                lea     eax, [esp+1Ch]
                mov     [esp], eax
                call    _strcmp

                test    eax, eax
                jnz     short loc_804855F ;; INCORRECT PASSWORD PRINT IT

                mov     dword ptr [esp], offset aPasswordIsCorr ; "password is correct"
                call    _puts
                jmp     short loc_804856B

Easy! We have a comparison with strcmp to the text metallica, seems Denis is a fan of Metallica, and the printing of the text password is correct.

That's it.

Conclusion

I'm becoming better at this, some progress.

Challenge RE #28

Gealber Morales — Tue, 03 Oct 2023 09:15:21 +0000

Let's start with challenge #28. In this case we have a bigger code than our previous two challenges, but I think will be more understandable than those.
The code as always can be found the original website. This challenge is an example of a useful code, I mean something you might use. I'll start analyzing it by parts as always.

Analysis

Here something to notice is that in this case we have a function f_main that will be our main thread, but let's start analyzing function f1. Seems quite simple. We have the following(commented code by myself)

;; this function compares two 32-bit integers
;; returning:
;; -1 in case a < b
;; 0 in case a = b
;; 1 in case a > b
;; int f(const void *a, const void *b) NOTE this method it's passed as an the comparison function to qsort
f1:
    mov eax, DWORD PTR [rsi]
    xor edx, edx
    cmp DWORD PTR [rdi], eax ;; compare first char with second string
    mov eax, -1
    setg    dl ;; set byte in dl if str1[0] > str2[0]; this could be a ternary operation [edx]dl = str1[0] > str2[0] ? 1 : 0;
    cmovge  eax, edx ;; copy 0 to eax if greater of equal
    ret

As you can see from the comments I added, this method seems to compare two elements from rsi and rdi, which seems to be array of integers. The output number will be -1, 0 or 1 depending on the comparison result. Looking down in the code you can notice that this method, it's passed to qsort as the comparison function. Then we can infer that must hold the signature int (*compar)(const void *, const void *).

code in C

int f1(const void *a, const void *b)
{
    if (*(int *)a < *(int *)b) return -1;

    return *(int *)a > *(int *)b ? 1 : 0;
}

my_memdup

The next method to analyze is my_memdup, here is the snippet for the code

my_memdup:
    push    rbp
    mov rbp, rdi ;;  arr, 1st argument of my_memdup
    mov rdi, rsi ;; 1st arg to malloc and 2nd from this method
    push    rbx
    mov rbx, rsi ;; copy same number to rbx, to be used in the call to memcpy
    sub rsp, 8
    call    malloc ;; the reserved memory is in rax

    add rsp, 8
    mov rdx, rbx ;; 3rd arg (size_t n) number of bytes to copy
    mov rsi, rbp ;; 2nd arg (src)
    pop rbx
    pop rbp
    mov rdi, rax ;; 1st arg (dst)
    jmp memcpy

Looking at this code snippet we can infer a couple of things. We have a call to malloc followed by a memcpy. This code can be put in C code very shortly in this way

int *my_memdup(int *arr, size_t sz)
{
    int *rax = malloc(sz);
    return memcpy(rax, arr, sz);
}

Basically this method make a duplicate of memory in arr. I don't see the use of this code in the main thread or any other function, so no idea why it's here. Maybe the compiler added? They do weird stuffs.

This method is the simpler of all of them, we receive an 32-bit integer as argument. The operations followed is a right shift to 31 bits, which will make it literally 0. I don't understand why the compiler decided to to this...compilers are dark magicians. In this case I think all 5 operations are just a right shift to one position.

int f2(int a)
{
    return a >> 1;
}

f1_main

Now, the main thread. Here is the code for f_main

;;int f_main(int *arr, int nmemb)
f_main:
    push    r12
    mov r12, rdi
    push    rbp
    lea rbp, [0+rsi*4] ;; rsi contains nmemb
    push    rbx
    mov rdi, rbp ;; amount of memory to reserve nmemb*4 (4 is the sizeof(int))
    mov rbx, rsi ;; rbx will contain nmemb
    call    malloc

    mov rdx, rbp ;; 3rd arg, size
    mov rsi, r12 ;; 2nd arg, src (rdi)
    mov rdi, rax ;; 1st arg, dst
    call    memcpy

    mov ecx, OFFSET FLAT:f1 ;; 4th arg comparison function
    mov edx, 4 ;; 3rd arg
    mov rsi, rbx ;; 2nd arg (nmemb)
    mov rdi, rax ;; 1st arg
    mov rbp, rax ;; reserved memory
    call    qsort

    test    bl, 1 ;; checking for parity, nmemb % 2
    jne .L12 ;; odd
    ;; nmemb is even
    shr rbx
    mov eax, DWORD PTR [rbp+0+rbx*4]
    add eax, DWORD PTR [rbp-4+rbx*4]

    pop rbx
    pop rbp
    pop r12
    mov edx, eax
    shr edx, 31
    add eax, edx
    sar eax
    ret
.L12: ;; 
    shr rbx ;; nmemb >> 1; division by 2
    mov eax, DWORD PTR [rbp+0+rbx*4] ;; rbp contains the memory reserved, and array just sorted with qsort
    pop rbx
    pop rbp
    pop r12
    ret

An equivalent code in C of this case would be

int f_main(int *arr, int nmemb)
{
    int *rax = malloc(nmemb*sizeof(int));

    memcpy(rax, arr, nmemb*sizeof(int));
    qsort(rax, nmemb, 4, f1);

    if (nmemb % 2 == 1)
        return rax[nmemb >> 1];


    return (rax[nmemb] + rax[nmemb-1]) >> 1;
}

Looking at this, it's easy to infer that we are extracting the median of the array arr, the formal description for this code is

formal description

Computes the median in an array of integers.

Conclusion

Something that I didn't understand here, is the declaration of f2 and my_memdup, they are not used in the code.

Challenge RE #26

Gealber Morales — Mon, 02 Oct 2023 08:25:30 +0000

This challenge comes in the form of Microsoft Intermediate Language which is extremely readable compared to previous assembly code used in these challenges. If you are interested in more about the specifics of reversing .NET read Chapter 12, of Reversing. Secrets of Reverse Engineering there's a quite detailed explanation there. Also for a quick search of the available opcodes for each instruction recommend you to use Official doc. This challenge will be quite short, I included comments on each line of the code, so the analysis won't be a big deal.

Analysis

Here is the code to understand

  .method public hidebysig static uint8  f(uint8 a) cil managed
  {
    // Code size       36 (0x24)
    .maxstack  2
    .locals init (uint8 V_0)
    IL_0000:  nop
    IL_0001:  ldarg.0 ;; first argument
    IL_0002:  conv.u8 ;; converts value on top of stack and extends it to int64
    IL_0003:  ldc.i8     0x202020202 ;; push this value on the stack as an int64
    ;; multiply two first values on stack, and push result on the stack. In this case
    ;; this is int64(arg_0) * int64(0x202020202)
    IL_000c:  mul     
    IL_000d:  ldc.i8     0x10884422010 ;; again push this value into the stack
    IL_0016:  and ;; perform AND between the result of multiplication and this recent value pushed on the stack
    IL_0017:  ldc.i4     0x3ff ;; push value into stack
    IL_001c:  conv.i8  ;; convert it to int64
    IL_001d:  rem      ;; push into the stack  val1 % 0x3ff, where val1 is the result of our previous operation
    IL_001e:  conv.u1  ;; convert value to int8 but push int32, so it extends the converted value
    IL_001f:  stloc.0  ;; pop value on top of stack and store it in local variable 0
    IL_0020:  br.s       IL_0022 ;; this jumps to IL_0022

    IL_0022:  ldloc.0  ;; loads variable on top of stack
    IL_0023:  ret ;; return
  } // end of method e25::f

There's not too much to add here, take a look that even the signature it's given. Following these comments the equivalent code in C, I don't know C# guys, would be like this

uint8_t f(uint8_t a)
{
    return uint8_t(((int64_t(a) * 0x202020202) & 0x10884422010) % 0x3ff);
}

This would be the code, now what this does? Well for that task I have Google. Making a search for this constant I found a book called Hacker's Delight which has this exact formula. You can find it in Chapter 7, about Rearranging bits and bytes.

According to the description given in the book this

Reverse an 8-bit integer

I don't find too much utility for this kind of hacks, are obscure as fuck. At least you are writing malware, that for some reason needs to perform this operation, and you want to write obscure code, yes is useful otherwise...not so much.

Conclusion

Google is your friend, use it!

Challenge RE #24

Gealber Morales — Sun, 01 Oct 2023 11:56:20 +0000

This challenge it's more interesting. This time we have a binary file with the following description

Challenge Description

Here is the simplest possible calculator program, a simplified version of bc UNIX utility:

123+456
(unsigned) dec: 579 hex: 0x243  bin: 1001000011

120/10
(unsigned) dec: 12 hex: 0xC  bin: 1100

-10
(unsigned) dec: 4294967286 hex: 0xFFFFFFF6  bin: 11111111111111111111111111110110
(signed) dec: -10 hex: -0xA  bin: -1010

-10+20
(unsigned) dec: 10 hex: 0xA  bin: 1010

It is known that it supports 4 arithmetic operations and negative numbers can be denoted with a minus before the number. But it's also known that there are at least 7 undocumented features. Try to find them all.

In order to approach this problem, we need to take a look at the assembly code of this binary. For this you have several tools to extract the disassembled code, here is a list of them

For this challenge, I'll just use Ida because is the one I'm more familiar with. The great advantage of these tools is that they even draw you through the flow of the program, and even disassemble the code to C/C++ code. I'm not going to disassemble anything, but I'm not mad for them to draw me some arrow flows, that's sick, good stuff.

Analysis

Exploring the binary functionalities

Let's start our reversing process running the binary, as always don't do this if you are running with malware. Let's run this program

./calc_x64

1
(unsigned) dec: 1 hex: 0x1  bin: 1
1+1
(unsigned) dec: 2 hex: 0x2  bin: 10
1*1
(unsigned) dec: 1 hex: 0x1  bin: 1
1/1
(unsigned) dec: 1 hex: 0x1  bin: 1
1-1
(unsigned) dec: 0 hex: 0x0  bin: 
1**1
Error: unexpected token. Exiting.

As you see in this terminal output I explored the program running basic arithmetic operations, +, -, *, /. I also tried power in the Python style, and we received an error. The output in all cases, except the error one, is in the format (unsigned) dec: <number in decimal representation> hex: <number in hex representation> bin: <number in bin representation>. In all the cases we tried with positive numbers, let's try with negative ones

-1
(unsigned) dec: 4294967295 hex: 0xFFFFFFFF  bin: 11111111111111111111111111111111
(signed) dec: -1 hex: -0x1  bin: -1
-1 * 2
(unsigned) dec: 4294967294 hex: 0xFFFFFFFE  bin: 11111111111111111111111111111110
(signed) dec: -2 hex: -0x2  bin: -10
-1 + 2
(unsigned) dec: 1 hex: 0x1  bin: 1
-1 / 2
(unsigned) dec: 0 hex: 0x0  bin: 
-1 - 2
(unsigned) dec: 4294967293 hex: 0xFFFFFFFD  bin: 11111111111111111111111111111101
(signed) dec: -3 hex: -0x3  bin: -11

In this case, we can see that the calculator can handle signed numbers as well. Ok, everything is as expected. These are 4 arithmetics operations mentioned in the description of the challenge, we are missing 3 more. One thing we can try is using bitwise operators and see what we get.

1 ^ 2
(unsigned) dec: 3 hex: 0x3  bin: 11
1 & 2
Error: bad character. Exiting.

Here we see the calculator supports XOR with ^ operator, but does not support AND with &. We have 5 operations, we are still missing 2 more. I also tried | but we received an error output as well. The error for this case it's quite different, has the following output junk after expression, which might mean that we are just using badly this operator. For now, this exploration it's quite good we will need to look at the assembly code to find out the other two.

Reading the code

Let's start our analysis with the main thread of the program. Right away you can notice that we have a call to sub_400A3B, which we are going to look at a bit later. Followed by printings of a text with the following format, using the result of this subroutine to populate the formatted text. This is the formatted text (unsigned) dec: %u hex: 0x%X bin: <number in binary representation>\n. This matches with our previous exploration of the program. Here is the code snippet for the assembly code

; int __fastcall main(int, char **, char **)
main proc near
; __unwind {
push    rbx
call    sub_400A3B

loc_400696:
call    sub_400AEE ;; ???
;; PREPARING FOR PRINTING RESULT OF sub_400AEE on different formats
;; decimal, and hexadecimal
mov     esi, offset aUnsignedDecUHe ; "(unsigned) dec: %u hex: 0x%X "
mov     ecx, eax ;; result from sub_400AEE
mov     edx, eax
mov     ebx, eax
mov     edi, 1
xor     eax, eax
call    ___printf_chk

;; printing just 'bin: '
mov     esi, offset aBin ; " bin: "
mov     edi, 1
xor     eax, eax
call    ___printf_chk

mov     edi, ebx
call    sub_40082D

Now I personally don't want to read the whole assembly code, I just want to find out these missing operations. One smart approach would be to look in Ida for the signs of operations we already know. For example, let's look for the parsing of character +. In this way, we might identify other symbols as well in the code. The ASCII value for + it's 0x2b, another way to represent this is 2bh which is the way Ida represents the hexadecimal numbers. To make the search you can press Alt+T or go to Search > Text, another way could be that if you previously disassembled the binary to a file you can use grep to search in the file where the disassembled code. When we made that search Ida added a comment with the value '+', this is done in the subroutine sub_400C07. Let's analyze that particular function.

sub_400C07 proc near
; __unwind {
push    rbx
xor     eax, eax
call    sub_400BBB

loc_400C0F:
mov     ebx, eax

loc_400C11:
cmp     cs:dword_602490, 1
mov     al, cs:byte_602090
jnz     short loc_400C69

loc_400C20:
cmp     al, 2Ah ; '*'
jz      short loc_400C43
cmp     al, 2Fh ; '/'
jz      short loc_400C54
cmp     al, 25h ; '%'
jnz     short loc_400C20
call    advance
xor     eax, eax
call    sub_400BBB
mov     esi, eax
mov     eax, ebx
cdq
idiv    esi
mov     ebx, edx
jmp     short loc_400C11

;; ... method continues

Right away in loc_400C20 we can see that apart from * and /, operations that we already know, there's as well %. Let's rerun our calc_x64 to see what this operation gives us, possibly just the remainder between two numbers, but let's check.

5 % 2
(unsigned) dec: 1 hex: 0x1  bin: 1
4 % 2
(unsigned) dec: 0 hex: 0x0  bin: 0

Nice, so this is another supported operation, at this point, we have the +, -, *, /, ^ and %, just one operation it's remaining. Now that we know Ida commented to us these special signs it would be smart on our part to make a smarter search, in this case, let's look for the following regular expression:

; '.{1}'

With this, we are asking Ida to look for comments that are enclosed in '' and have exactly one character.

This search gave us several results, we only need our extra operation in order to solve the puzzle so I'm going to look right for that. Doing so, I spotted the following character ~, so this could be our last operation, which could be the negation.

~ 1
(unsigned) dec: 4294967294 hex: 0xFFFFFFFE  bin: 11111111111111111111111111111110
(signed) dec: -2 hex: -0x2  bin: -10

Yep!! Now we have all the operations, +, -, *, /, ^, % and ~ are our seven arithmetics operations.

Conclusion

I think the lesson to learn here is to focus on your goal try to find what you want and not analyze every single line of code.

Challenge RE #23

Gealber Morales — Fri, 29 Sep 2023 22:13:20 +0000

Challenge #23 description can be found on the original website, as well as the assembly code. Here I'll put the same code but with some personal comments.

;; int f(long long int *rdi)
f:
        ;; rdi array of 64-bit numbers
        mov     rdx, QWORD PTR [rdi]
        ;; this initial part of the code here
        ;; will return i if the supplied number
        ;; had the last i*8 bits equal to zero, and the first 8 to one
        test    dl, dl ;; dl register 8 bit, major register rdx 
        je      .L18 ;; EXIT PROGRAM 0
        test    dh, 255 ;; 8 bits = 1, from 0 to 8
        je      .L19 ;; EXIT PROGRAM 1
        test    edx, 16711680 ;; 8 bits = 1, and 16 bits = 0
        je      .L20 ;; EXIT PROGRAM 2
        test    edx, 4278190080 ;; 8 bits = 1, and 24 bits = 0
        je      .L21 ;; EXIT PROGRAM 3
        movabs  r8, 1095216660480 ;; 8 bits = 1, and 32 bits = 0
        test    rdx, r8
        je      .L22 ;; EXIT PROGRAM 4
        movabs  r9, 280375465082880 ;; 8 bits = 1, and 40 bits = 0
        test    rdx, r9
        je      .L26 ;; EXIT PROGRAM 5

        xor     eax, eax
        ;; this number it's stored in the counter
        movabs  rcx, 71776119061217280 ;; 8 bits = 1, and 48 bits = 0
        movabs  rsi, -72057594037927936 ;; ? no idea why is this here
        jmp     .L14

;; eax = 0
.L15:
        test    rdx, rsi
        je      .L27 ;; EXIT PROGRAM 7
        add     rax, 8
        ;; load next element of array in rdx
        mov     rdx, QWORD PTR [rdi+rax]
        test    dl, dl
        je      .L28 ;; EXIT PROGRAM WITH rax+i
        test    dh, 255
        je      .L29 ;; EXIT PROGRAM with rax+1
        test    edx, 16711680
        je      .L30 ;; EXIT PROGRAM with rax+2
        test    edx, 4278190080
        je      .L31 ;; EXIT PROGRAM with rax+3
        test    rdx, r8
        je      .L32 ;; EXIT PROGRAM with rax+4
        test    rdx, r9
        je      .L33 ;; EXIT PROGRAM with rax+5
.L14:
        test    rdx, rcx
        jne     .L15
        add     rax, 6 ;; EXIT PROGRAM WITH rax+6
        ret

;; NO MORE LOGIC HERE JUST RETURNS
.L27 ;; EXIT PROGRAM 7:
        add     rax, 7
        ret
.L28 ;; EXIT PROGRAM WITH rax+i:
        rep ret
.L29 ;; EXIT PROGRAM with rax+1:
        add     rax, 1
        ret
.L30 ;; EXIT PROGRAM with rax+2:
        add     rax, 2
        ret
.L31 ;; EXIT PROGRAM with rax+3:
        add     rax, 3
        ret
.L32 ;; EXIT PROGRAM with rax+4:
        add     rax, 4
        ret
.L33 ;; EXIT PROGRAM with rax+5:
        add     rax, 5
        ret

.L18 ;; EXIT PROGRAM 0:
        xor     eax, eax
        ret
   ;; EXIT PROGRAM WITH 2;
.L20 ;; EXIT PROGRAM 2:
        mov     eax, 2
        ret
.L19 ;; EXIT PROGRAM 1:
        mov     eax, 1
        ret
.L21 ;; EXIT PROGRAM 3:
        mov     eax, 3
        ret
.L26 ;; EXIT PROGRAM 5:
        mov     eax, 5
        ret
.L22 ;; EXIT PROGRAM 4:
        mov     eax, 4
        ret

Analysis

In this code you can find several constants, taking these constants into binary representation will give the following table

Number	First 8-bits	Total of bits	Returns
0xff	1	8	i+1
0xff0000	1	24	i+2
0xff000000	1	32	i+3
0xff00000000	1	40	i+4
0xff0000000000	1	48	i+5
0xff000000000000	1	56	i+6

The next thing to notice is the loop inside the function. First, we are iteration over elements of an array of 64-bit numbers in rdi, and performing AND operations against the constants. The peculiarity of these constants is that they have 1s on sections from 1 to 6, and from the eights 8-bit sections a 64-bit number has. Then when we perform AND operations against these constants, we are checking if the number on this particular section has 0 in all the bits of the section.

Putting this code into C syntax it's straightforward

// Given an array of 64-bit numbers this method
// returns the index plus the 8-bit section where it's zero.
int f(long long int *arr)
{
    int i = 0;
    while ((arr[i] & 0xff000000000000) == 0) {
        if (arr[i] == 0) {
            return i;
        } else if ((arr[i] & 0xff) == 0) {
            return i + 1;
        } else if ((arr[i] & 0xff0000) == 0) {
            return i + 2;
        } else if((arr[i] & 0xff000000) == 0) {
            return i + 3;
        } else if ((arr[i] & 0xff00000000) == 0) {
            return i + 4;
        } else if ((arr[i] & 0xff0000000000) == 0) {
            return i + 5;
        }

        i++;
    }

    return i + 6;
}

With this, we can give our formal description of what the function does.

Formal description

In case any of these operations it's 0 we return index + 8-bit section that it's 0. For example, when we evaluate test dh, 0xff we are checking if 8-bit section at position 1 is 0. Keep in mind that we are dealing with 64-bit numbers, so each one of them has an 8 8-bit section.

According to the author of the challenge, this is

This is another implementation of a well-known library function...

For me doesn't ring a bell at the moment.

Additional questions

The challenge comes with three questions

The code may crash under some specific circumstances. Which are...?
The code can be easily optimized using SSEx. How?
The code will not work correctly on big-endian architectures. How to fix it?

The first question it's easy I would say, the main problem I see with this code is the stop condition of the loop. If we pass an array with all elements equal 0x1ffffffffffffff the loop won't finish. The problem is that this number, 0x1ffffffffffffff, is a 57-bit number with all its bits equal 1. Then none of the current stop conditions, arr[i] & constant = 0, will be met. This will have a consequence when we reach the next element of the array we will be out of bounds in the array.

For the rest of the questions, I have no response really.

Conclusion

I will come back to this challenge later, but for now, it's okay, I'm happy with what I managed to infer.

Challenge RE #22

Gealber Morales — Thu, 28 Sep 2023 09:44:48 +0000

In this article let's dive into the #22 RE Challenge. As in previous challenges we have assembly code examples that we have to understand and infer what it's doing. Sometimes this process it's straightforward, if you understand assembly language, of course, other times it's hard as fuck like in Challenge #19...I haven't forgotten this baby, going back to you another day. Enough of dirty talk with programming challenges Gealber. Back to our goal here, the assembly code can be found in challenge.re, take a look there's a fair amount of challenges there.

Note:

I know we programmers like a lot the Ctr+C and Ctr+V combination keys, but I don't recommend you to do so with this code here. The main point of these challenges is to understand what this code does, but that doesn't mean that all the code here runs smoothly.

Analysis

The first two things that you should identify in this code, we have two functions here, f1 and f2. Given that f1 has calls to f2, we can assume that this is our main entry point. Let's start with this.

;; SIGNATURE OF F1
;; ARGS: rdi, esi, edx
;; void f1(int *arr,int start,int end);
f1:
        push    r13
        push    r12
        ;; r12d
        mov     r12d, edx
        push    rbp
        ;; rbp
        mov     rbp, rdi
        push    rbx
        ;; ebx
        mov     ebx, esi
        push    rcx

.L12:
        ;; ebx >= r12d (two numbers, then)
        ;; start >= end
        cmp     ebx, r12d
        jge     .L10

        ;; copy back original parameters
        ;; to their original registers
        ;; to pass them as argument for f2
        ;; from this we know that rdi is an array of integers as well
        ;; f2(arr, start, end)
        mov     esi, ebx
        mov     edx, r12d
        mov     rdi, rbp
        call    f2

        ;; end arg
        lea     edx, [rax-1]
        mov     r13d, eax
        ;; start arg
        mov     esi, ebx
        ;; arr
        mov     rdi, rbp
        lea     ebx, [r13+1]

        call    f1

        jmp     .L12
.L10:
        pop     rax
        pop     rbx
        pop     rbp
        pop     r12
        pop     r13
        ret

Looking at this code, you can notice first that f1 calls itself, so it's a recursive function. Also, we have a loop which stops condition it's that ebx >= r12d. Putting this into C code, we have


void f1(int *arr, int start, int end)
{
    while (start < end) {
        end = f2(arr, start, end) - 1;
        f1(arr, start, end);
    }

    return;
}

I renamed the parameters to something meaningful. This is one of the most painful things of assembly, you have just registers with weird names :).

Now f2, this is the tricky one here I won't explain the whole code only the most tricky part. The signature we already know it from f1, we will receive an array of ints with and two ints.

xor     r11d, ebx
;; arr[i+1] = r11d;
mov     DWORD PTR [rcx+4+r8], r11d
;; r11d = arr[j-1] ^ arr[i+1] ^ arr[j-1] = arr[i+1];
xor     r11d, DWORD PTR [r9]
;; arr[j-1] = arr[i+1]
mov     DWORD PTR [r9], r11d
;; arr[i+1] ^= arr[i+1];
xor     DWORD PTR [rcx+4+r8], r11d

This was a real pain because if it was with normal variables you would know what it does. Look this is the equivalent of normal C code

a ^= b
b ^= a
a ^= b

😅 not so obvious either, but if you take into consideration that XOR it's a commutative operation you can figure out that this is a swap of variables, but without using a temporary variable. Actually, it's called XOR Swap, please don't use this to swap your variables. First, this is not intuitive, and also when you provide equal variables, you will end up with values 0 on both variables. Even if you put an if statement to discard this case, will run slower than the normal temporary approach.

This is the most tricky part of this function and the two loops it has inside as well. I managed to get this into C code, would be something like this

int f2(int *arr, int start, int end)
{
    int i = start, j = end + 1, esi = start;
    while (1) {
        esi++;
        if ((esi > end) || (arr[i+1] > arr[start])) {
            while (arr[j-1] > arr[start]) {
                j--;
            }

            if (j <= esi)
                break;

            swap(arr, i+1, j);
        }

        i++;
    }

    swap(arr, start, j-1);

    return j;
}

Note:

Let me put this here again. This code it's my literal translation of the assembly code, so I might be wrong, please don't copy this as an implementation of the algorithm I think it is.

When you combine these two functions we have what seems to be a recursive sorting algorithm. If you take a look at f2 you can notice that it's quite similar to the partition process in quick sort algorithm. This is my guess.

Formal description

Performs quick sort on an array.

Conclusion

The point of reversing is not to reverse detail by detail each instruction. Instead, is to get a broad idea of what the program does.