The `reverse_box`

challenge of TWCTF 2016 was a warmup challenge (only 50
points), not really hard. There
are plenty of
writeups for
it, but none of them used the technique I used to solve it in only a few
minutes. So I figured I could throw in my 50c and write this post.

### Info

The vulnerable file is here (sha1: 1e11da1636e4a6b71683de5c23634b98827d3b3d), given with the description:

So we had to reverse the hash to determine the value of `${FLAG}`

of this x32 binary.

### Static analysis

Using Binary-Ninja disassembler, we can see that the
`main`

function is not doing much, but something like

So the interesting part is in `fill_buffer()`

. It starts by selecting a random
int stored in `buffer[0]`

. Then the rest of the function performs some
permutations and rotations on this buffer. This means that there is a finite
number (exactly 256) of possible configurations for the buffer used to generate
the hash.

Since I was feeling lazy and didn’t want to reverse the whole thing, I decided to
use my tool `gef`

and
its Unicorn-Engine command to bruteforce the
initial random integer. We can do so because we know that the flag has to start
with `TWCTF{`

.

### Dynamic analysis

It is possible to use `gef`

to generate a fully working environment for
Unicorn-Engine to emulate anything. Here, all we need is to emulate from
0x80485b1 (where the random integer is generated) until 0x80486e0 (end of the
function `fill_buffer()`

).

You can then easily update the script to make it bruteforce the correct value
for `eax`

(i.e. the random integer), and let `unicorn`

transform the buffer
(located in the stack at 0xffffd26c - which we know thanks to GDB).

Then run the script:

It worked! Now we know the correct initial random integer, we can re-use the
`emulate()`

with this value, and read the flag:

Wrap it all and:

The entire `unicorn`

script generated by `gef`

can be
found here.

This was quite fun to solve this challenge with this method, since it only took
a few minutes to adapt the
script generated by `gef`

for Unicorn, and absolutely **no** knowledge of what
the function `fill_buffer()`

was actually doing in terms of permutations and
stuff to get the flag. It made me realize again that Unicorn-Engine is an
awesome emulation framework.

Hope you enjoyed!

**Share this post:**