Square CTF 2017 – FLOPPY – REVERSE 1000 PTS

Our team of corn snakes formed an uneasy alliance with the office mice and slithered into the server room of Evil Robot Corp. They extracted an image of the VPN server before they had to retreat. Turns out sending a team of reptiles into a room whose main purpose is to keep its contents cold wasn’t the best idea. Can you figure out how this bootable floppy works and recover the secret data?

We are presented with a download link for ‘floppy.img’. The file appears to be a DOS/MBR boot sector that is not mountable.

I decided to use the Bochs emulator to test this image. When configuring Bochs there are two setting groups that need to be updated – ‘Memory’ and ‘Disk & Boot’.

In the ‘Memory’ settings, ensure you have the latest Bochs ROM BIOS and VGA BIOS images and update their paths:

In the ‘Disk & Boot’ settings, configure the following and select the ‘floppy.img’ file as the First floppy/image device:

Once configured click start and let it load to the Challenge screen:

We enter random input ‘ASDF’ and see a response of ‘Nope’.

So let's take a look under the hood. We can load this directly in IDA Pro (x86) and review the code.

After loading ‘floppy.img’ in IDA, let's start with the Strings view (SHIFT+F12):

Here we can see the string ‘flag-’ as well as ‘Nope’. Double-click on the ‘flag-’ string to see the IDA view including XREFs:

Click on the aFlag line and hit CTRL+X – this will list the XREFs to this string.

Clicking OK will bring us to the graph view of the function that is calling the string:

We can see a JNZ instruction that decides whether or not we see the ‘Flag-‘ string we want or the ‘Nope’ string.

There are harder ways to solve this challenge, but I want the fastest and easiest way, so we are simply going to patch the JNZ instruction bytes into a JZ instruction and save a new floppy.img. The result is that the flag is output no matter what input is entered.

  • To start click on the line with our JNZ instruction – jnz loc_456
  • Click the ‘Edit’ menu
  • Scroll down to ‘Patch Program’
  • Click ‘Change Byte…’

You will see the following popup

In the Values field, change the second byte 85 to 84 and click OK (the near JNZ is encoded as 0F 85; changing it to 0F 84 makes it a near JZ).

You will notice the instruction change to JZ loc_456

Now to save your patched program click File -> Produce File -> Create EXE. And save the file as patched_floppy.img.
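The same one-byte patch can be reproduced outside the IDA GUI, which is handy for re-checking that only the intended bytes changed. This is an added example, not code from the writeup; the file offset of `jnz loc_456` is not stated on the page, so `JNZ_OFFSET` is a placeholder, and the 512-byte image below is a constructed stand-in for `floppy.img`. It goes slightly beyond the page by also accepting the short `75` form of JNZ.

```python
# Added example: apply the writeup's JNZ -> JZ patch to a boot image file.
# Refuses to write unless the bytes at the offset really are a JNZ, so a
# wrong offset cannot silently corrupt the image.
from pathlib import Path

# x86 conditional-jump encodings involved:
#   short JNZ: 75 rel8     -> short JZ: 74 rel8
#   near  JNZ: 0F 85 rel16 -> near  JZ: 0F 84 rel16   (the writeup's case)
SHORT_JNZ, SHORT_JZ = 0x75, 0x74
NEAR_JNZ, NEAR_JZ = bytes([0x0F, 0x85]), bytes([0x0F, 0x84])
BOOT_SIG_OFFSET = 510  # a boot sector ends with the 55 AA signature


def patch_jnz_to_jz(image: bytes, offset: int) -> bytes:
    """Return a copy of `image` with the JNZ at `offset` turned into a JZ."""
    if image[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] != b"\x55\xAA":
        raise ValueError("not a boot sector: 55 AA signature missing")
    buf = bytearray(image)
    if buf[offset:offset + 2] == NEAR_JNZ:
        buf[offset:offset + 2] = NEAR_JZ        # 0F 85 -> 0F 84
    elif buf[offset] == SHORT_JNZ:
        buf[offset] = SHORT_JZ                  # 75 -> 74
    else:
        found = buf[offset:offset + 2].hex()
        raise ValueError(f"no JNZ at offset {offset:#x} (found {found})")
    return bytes(buf)


def patch_file(src: str, dst: str, offset: int) -> int:
    """Write the patched copy of src to dst; return how many bytes differ."""
    original = Path(src).read_bytes()
    patched = patch_jnz_to_jz(original, offset)
    Path(dst).write_bytes(patched)
    return sum(a != b for a, b in zip(original, patched))  # expect exactly 1


# Constructed stand-in for floppy.img: near JNZ at 0x20, zero padding, 55 AA.
_img = bytearray(512)
_img[0x20:0x24] = bytes([0x0F, 0x85, 0x10, 0x00])  # jnz +0x10
_img[BOOT_SIG_OFFSET:] = b"\x55\xAA"
SAMPLE_IMAGE = bytes(_img)

if __name__ == "__main__":
    JNZ_OFFSET = 0x20  # PLACEHOLDER: use the file offset IDA shows for jnz loc_456
    Path("floppy_sample.img").write_bytes(SAMPLE_IMAGE)
    changed = patch_file("floppy_sample.img", "patched_floppy.img", JNZ_OFFSET)
    print(f"bytes changed: {changed}")  # bytes changed: 1
```

Replace `floppy_sample.img` with the real `floppy.img` and `JNZ_OFFSET` with the offset from IDA; the signature and opcode checks will reject anything that does not look like the expected jump.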

Head back to Bochs, update your ‘Disk & Boot’ settings to point to your new ‘patched_floppy.img’ and start it up.

Enter random characters, in this case ‘DSFS’ and the flag will now be output to the screen: