[Reverse] Bugs Bunny CTF - Rev100


Find me faster !
Author: Aymen Borgi
rev100.zip

Starting to open our executable file on IDA:


There is some weird shit going around but we can see a function i_am_debugged() which leads you to exit the program if you running the program on a debugger like gdb or even IDA, there is alot of calls as you can see in the assembly code I could run the debugger and change those registers to not jump out of the program but since there was alot of calls I chose to do it in another way.
After a while I found this “loop” in the assembly code we can see they are just xoring two strange strings, variable “a” and variable “b” and then saving it on variable “c”.

Now we just need to find those “a” and “b” initial values and convert this assembly into python.
Finding “a” and “b” values is easy we can use IDA to do that:


Now we just write a python script equivalent to this assembly (Notice that wrote the strings in python as hex bytes because some characters weren’t pritable):

1
2
3
4
5
6
7
8
9
10

a = '\x61\x41\x40\x37\x6d\x77\x34\x2c\x5f\x41\x42\x60\x07\x34\x7d\x12\x57\x7a\x22\x25\x4f\x28'
b = '\x23\x34\x27\x44\x32\x35\x41\x42\x31\x38\x39\x38\x37\x46\x22\x23\x24\x25\x44\x50\x21\x55'
c = ''
v4 = len(a) + 1
v5 = len(b) + 1
for i in range(0, v4-1):
c += chr(ord(a[i])^ord(b[i]))
print c
print c

Running the script:

1
2
3

kinyabitch@Debian ~/D/H/ctf> python rev100.py
Bugs_Bunny{X0r_1s_fun}