IDA Challenge

14 Jul 2023

Didn't have time to finish the IDA challenge but below are a couple of notes; I wanted to try some new approaches documented below.

or z3: https://www.youtube.com/watch?v=kZd1Hi0ZBYc

So both approaches were interesting, but the SENinja approach wasn't leveraging IDA and I have all my favorite plugins in IDA. The second z3 approach involved writing a z3 script, which isn't the end of the world but seemed more time-consuming than approach 1.

I decided I'd try and solve this using Ponce ( https://github.com/illera88/Ponce ).

I downloaded the file and the first thing I noticed was that this was an ELF executable and I'm running on Windows. The easiest way to solve this is to run the binary in WSL with the remote GDB debugger. However, I did not have WSL installed on this host and didn't want to bother with the set-up (this host was on a deprecated Windows 11 Insider build and I've had a bit of pain getting Hyper-V and WSL to coexist without needing reboots).

So I decided to download https://sourceforge.net/projects/bochs/ , an emulator that supports debugging with IDA. I installed it following the instructions in https://www.hex-rays.com/products/ida/support/idadoc/1329.shtml and edited the dbg_bochs.cfg file in IDA by uncommenting and setting values for:

BOCHSDBG and BOCHSRC, and I was now debugging an ELF on Windows in IDA! Nice! I hit an issue at first as the ELF base address was set to 0x0. Rebasing it to 0x4000 fixes our error.

As soon as our BP hits, we symbolize the rsi register:

Next, we run until a symbolic condition is encountered. A symbolic condition is a constraint that will use our symbolic register in its evaluation:

Unfortunately, my approach using Bochs kept crashing and I'm not sure why.

I decided to try something else. I decompiled the code and passed it to GPT4 for analysis, asking it to list the constraints for the password:

Well this is actually pretty impressive!

I tried to ask it to write the z3 solver and ended up with something pretty decent (even though it didn't work):
