Introduction
Securecom was a reverse engineering challenge at BCTF 2015.
We are given an archive which contains two Windows x64 executables.
The files are named "sclient_f6fe04598d51e04b0c67666012d5e4c4" and "sserver_2e0457e1afd3845ef6c54616acea9fde".
Analysis
The names of the two executables suggest that they interact with one another.
The server
After disassembling and analysing the server executable we can see that it uses CoRegisterClassObject to register an EXE class object with OLE so the client can connect to it. The two applications will therefore most likely communicate through COM events.
The server will reply with the flag if the received data is "SOSIMPLE".
mov rax, 454C504D49534F53h   ; "SOSIMPLE" stored little-endian as a 64-bit immediate
cmp [rdx], rax               ; compare the first 8 bytes of the received data
Client
The client calls gets to read the user input. According to the previous analysis of the server, sending "SOSIMPLE" should trigger the condition and make the server send the flag.
But the string is truncated to 6 characters, so the 8-byte compare can never succeed. The easy way would be to prevent the truncation by changing the RSI register to 8 right after gets is called.
Patching
The QueryPerformanceCounter and QueryPerformanceFrequency timing tricks are used multiple times to detect debugging, so tampering with the register in a debugger won't work.
To bypass this protection I patched the client and replaced all conditional jumps of the timing checks with the nop instruction.
Now we won't be bothered with the anti-debug tricks and we can get the flag.
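The two mechanical steps of the writeup, decoding the 8-byte immediate in the server's cmp and NOPing a conditional jump in the client, as an added Python example that is not part of the original writeup. The code buffer in the test is constructed; the only value taken from the binaries is the immediate itself.

```python
import struct

# Immediate from the server's `mov rax, 454C504D49534F53h` (from the writeup).
SERVER_IMMEDIATE = 0x454C504D49534F53


def decode_immediate(imm: int) -> bytes:
    """Return the 8 ASCII bytes that `cmp [rdx], rax` expects at [rdx].

    The immediate is compared against memory, so it is the message stored
    little-endian; packing it as a little-endian QWORD recovers the text.
    """
    return struct.pack("<Q", imm)


def server_accepts(msg: bytes) -> bool:
    """Mirror the server check: only the first 8 bytes at [rdx] are compared,
    so anything shorter than 8 bytes (e.g. the 6-char truncated input) fails."""
    return len(msg) >= 8 and msg[:8] == decode_immediate(SERVER_IMMEDIATE)


# x64 conditional-jump encodings: 7x rel8 (2 bytes) and 0F 8x rel32 (6 bytes).
JCC_SHORT = range(0x70, 0x80)
JCC_NEAR = range(0x80, 0x90)


def nop_jcc(code: bytearray, offset: int) -> int:
    """Overwrite the conditional jump at `offset` with NOPs (0x90).

    Verifies a jcc opcode is actually present before patching so that a
    wrong offset (e.g. into data) raises instead of silently corrupting code.
    Returns the number of bytes replaced.
    """
    op = code[offset]
    if op in JCC_SHORT:
        length = 2
    elif op == 0x0F and offset + 1 < len(code) and code[offset + 1] in JCC_NEAR:
        length = 6
    else:
        raise ValueError(f"no conditional jump at offset {offset:#x}")
    code[offset:offset + length] = b"\x90" * length
    return length
```

Patching the jump to NOPs removes the anti-debug branch entirely rather than inverting it, which is why the timing result no longer matters afterwards.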