Securecom was a reverse engineering challenge at BCTF 2015.
We are given an archive which contains two Windows x64 executables.
The files are named "sclient_f6fe04598d51e04b0c67666012d5e4c4" and "sserver_2e0457e1afd3845ef6c54616acea9fde".
According to the name of the two executables we can guess that somehow the two executables can interact with one another.
After disassembling and analysing the server executable we can see that it uses CoRegisterClassObject to register an EXE class object with OLE so the client can connect to it. The two applications will probably communicate through events.
The server will reply with the flag if the received data is "SOSIMPLE".
    mov rax, 454C504D49534F53h
    cmp [rdx], rax
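The 64-bit immediate above is the string "SOSIMPLE" stored little-endian, so an 8-byte memory compare against a register is really a string compare. The following Python helper is an added example (not part of the original writeup) that converts between such immediates and the ASCII they encode, and models why an input truncated to 6 characters fails the check; the buffer layout after truncation (6 characters followed by NUL padding) is an assumption for the illustration.

```python
import struct

# Immediate taken from the server's disassembly: mov rax, 454C504D49534F53h
SERVER_IMM = 0x454C504D49534F53


def imm_to_ascii(imm: int, width: int = 8) -> str:
    """Decode a little-endian integer immediate of `width` bytes into ASCII.

    x86-64 stores multi-byte values least-significant byte first, so the
    lowest byte of the immediate is the first character of the string.
    """
    return imm.to_bytes(width, "little").decode("ascii")


def ascii_to_imm(text: str) -> int:
    """Inverse of imm_to_ascii: pack a string as the immediate the compiler
    would emit for a memory compare of len(text) bytes."""
    data = text.encode("ascii")
    return int.from_bytes(data, "little")


def server_accepts(user_input: str, max_len: int = 8, buf_size: int = 8) -> bool:
    """Model the server's `cmp [rdx], rax` against an 8-byte buffer.

    `max_len` models how many characters of the user input actually reach
    the buffer (the writeup observes the client truncates to 6). Unused
    bytes are assumed to be NUL padded (assumption for this example).
    """
    data = user_input.encode("ascii")[:max_len]
    buf = data.ljust(buf_size, b"\x00")
    (qword,) = struct.unpack("<Q", buf[:8])
    return qword == SERVER_IMM


if __name__ == "__main__":
    print(imm_to_ascii(SERVER_IMM))            # SOSIMPLE
    print(hex(ascii_to_imm("SOSIMPLE")))       # 0x454c504d49534f53
    print(server_accepts("SOSIMPLE", max_len=6))   # False: truncated input
    print(server_accepts("SOSIMPLE", max_len=8))   # True: full 8 bytes compared
```

Reading the immediate this way is usually faster than searching the binary for the string, because constants folded into a compare never appear in the string table.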
The client calls gets to read the user input. According to the previous analysis of the server, sending "SOSIMPLE" should trigger the condition and send the flag.
But the string is truncated to 6 characters. The easy way would be to prevent the string truncation by changing the RSI register to 8 right after gets is called.
QueryPerformanceFrequency tricks are used multiple times to detect debugging, so the tampering won't work.
To bypass this protection, I patched the client and replaced all conditional jumps with the
Now we won't be bothered with the anti-debug tricks and we can get the flag.