inBINcible Writeup - Golang Binary Reversing

This file is an 32bits elf binary, compiled from go language (i guess ... coded by @nibble_ds ;)

The binary has some debugging symbols, which is very helpful to locate the functions and api calls.

GO source functions:

-  main.main

-  main.function.001

If the binary is executed with no params, it prints "Nope!", the bad guy message.

~/ncn$ ./inbincible 

Nope!

Decompiling the main.main function I saw two things:

1. The Argument validation: Only one 16 bytes long argument is needed, otherwise the execution is finished.

2. The key IF, the decision to dexor and print byte by byte the "Nope!" string OR dexor and print "Yeah!"

The incoming channel will determine the final message.

Dexor and print each byte of the "Nope!" message.

This IF, checks 16 times if the go channel reception value is 0x01, in this case the app show the "Yeah!" message.

Go channels are a kind of thread-safe queue, a channel_send is like a push, and channel_receive is like a pop.

If we fake this IF the 16 times, we got the "Yeah!" message:

(gdb) b *0x8049118
(gdb) commands
>set {char *}0xf7edeef3 = 0x01
>c
>end

(gdb) r 1234567890123456
tarting program: /home/sha0/ncn/inbincible 1234567890123456
...
Yeah!

Ok, but the problem is not in main.main, is main.function.001 who must sent the 0x01 via channel.

This function xors byte by byte the input "1234567890123456" with a byte array xor key, and is compared with another byte array.

=> 0x8049456:       xor    %ebp,%ecx

This xor,  encode the argument with a key byte by byte

The xor key can be dumped from memory but I prefer to use this macro:

(gdb) b *0x8049456
(gdb) commands
>i r  ecx
>c
>end
(gdb) c

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x12 18

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x45 69

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x33 51

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x87 135

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x65 101

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x12 18

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x45 69

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x33 51

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x87 135

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x65 101

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x12 18

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x45 69

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x33 51

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x87 135

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x65 101

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x12 18

The result of the xor will compared with another array byte,  each byte matched, a 0x01 will be sent.

The cmp of the xored argument byte,
will determine if the channel send 0 or 1

(gdb) b *0x0804946a
(gdb) commands
>i r al
>c
>end

At this point we have the byte array used to xor the argument, and the byte array to be compared with, if we provide an input that xored with the first byte array gets the second byte array, the code will send 0x01 by the channel the 16 times.

Now web have:

xorKey=[0x12,0x45,0x33,0x87,0x65,0x12,0x45,0x33,0x87,0x65,0x12,0x45,0x33,0x87,0x65,0x12]

mustGive=[0x55,0x75,0x44,0xb6,0x0b,0x33,0x06,0x03,0xe9,0x02,0x60,0x71,0x47,0xb2,0x44,0x33]

Xor is reversible, then we can get the input needed to dexor to the expected values in order to send 0x1 bytes through the go channel.

>>> x=''
>>> for i in range(len(xorKey)):
...     x+= chr(xorKey[i] ^ mustGive[i])
... 
>>> print x

G0w1n!C0ngr4t5!!


And that's the key :) let's try it:

~/ncn$ ./inbincible 'G0w1n!C0ngr4t5!!'
Yeah!

Got it!! thanx @nibble_ds for this funny crackme, programmed in the great go language. I'm also a golang lover.

More articles

1. What Is Hacking Tools
2. Hacker Tools Github
3. Underground Hacker Sites
4. Hacks And Tools
5. Hack And Tools
6. Pentest Automation Tools
7. Hacker Tools Github
8. Android Hack Tools Github
9. What Are Hacking Tools
10. Hacker Tools Hardware
11. Hacking Tools Mac
12. Best Pentesting Tools 2018
13. New Hack Tools
14. Pentest Recon Tools
15. Hacker Hardware Tools
16. Hacking Tools Kit
17. Hack Tools For Mac
18. Pentest Tools Alternative
19. Hacking Tools Hardware
20. Hacking Tools 2019
21. Hacker Tools Online
22. How To Install Pentest Tools In Ubuntu
23. Hackrf Tools
24. Hacker Tool Kit
25. Hacker Tools Github
26. Pentest Tools Download
27. Pentest Tools For Android
28. Hacker Tools For Pc
29. Tools For Hacker
30. Hacking Tools Usb
31. Hacker Tools Apk Download
32. Pentest Tools Nmap
33. Hack Tools For Ubuntu
34. Blackhat Hacker Tools
35. Pentest Tools For Windows
36. Hacker Tools Github
37. Hack Tools Mac
38. Pentest Tools Subdomain
39. Pentest Tools Framework
40. Pentest Tools Tcp Port Scanner
41. Pentest Tools Bluekeep
42. Pentest Tools Find Subdomains
43. Best Hacking Tools 2020
44. Hacking Tools Free Download
45. Hacking Tools For Mac
46. Nsa Hack Tools Download
47. Hack Rom Tools
48. Bluetooth Hacking Tools Kali
49. Hacker Tools
50. Pentest Automation Tools
51. Pentest Tools Kali Linux
52. Hack Tools 2019
53. Pentest Tools Review
54. Pentest Tools For Ubuntu
55. Hacker Tools For Pc
56. Pentest Tools List
57. Hacking Tools Kit
58. What Are Hacking Tools
59. Pentest Box Tools Download
60. Pentest Tools Download
61. Hacking Tools Hardware
62. Hacking Tools Free Download
63. Hacker Tools Hardware
64. What Is Hacking Tools
65. Hacking Tools For Kali Linux
66. Hacker Tools For Mac
67. Hacking Tools Usb
68. Game Hacking
69. How To Hack
70. Pentest Tools Linux
71. Pentest Tools Website
72. Pentest Tools Open Source
73. Pentest Tools
74. Top Pentest Tools
75. Hack And Tools
76. Hack Tools Github
77. How To Hack
78. Hack And Tools
79. Hack Tools For Ubuntu
80. Hacking Tools For Pc
81. Hacks And Tools
82. Easy Hack Tools
83. Hacker Tools Free
84. Hacking App
85. Nsa Hack Tools
86. Pentest Tools Windows
87. Best Hacking Tools 2020
88. Hack Rom Tools
89. Pentest Tools Github
90. Hacking App
91. What Are Hacking Tools
92. Hacking Tools Pc
93. Pentest Tools Download
94. Hacker Tools For Pc
95. New Hack Tools
96. Hack Website Online Tool
97. Hacker Tools Hardware
98. Hack Tools Online
99. Hacker Tools Hardware
100. Kik Hack Tools
101. Hacker Tools Hardware
102. Pentest Tools Github
103. Hacking Tools For Beginners
104. Hack Tools For Mac
105. Hacking Tools Mac
106. Pentest Reporting Tools
107. Hacker Tools
108. Ethical Hacker Tools
109. Hacker Tools Github
110. Hacker Tool Kit
111. Ethical Hacker Tools
112. Best Pentesting Tools 2018
113. Hacking Tools Pc
114. Pentest Recon Tools
115. Hacking App
116. Hacker Tools For Pc
117. Hack Apps
118. Hack Tool Apk No Root
119. Hack Tools For Mac
120. Ethical Hacker Tools
121. New Hack Tools
122. Hacks And Tools
123. Pentest Tools Linux
124. Usb Pentest Tools
125. Pentest Automation Tools
126. Hack Tools For Mac
127. Tools 4 Hack
128. Hacker Tools
129. Hack App
130. Easy Hack Tools
131. Hacker
132. Install Pentest Tools Ubuntu
133. Pentest Tools Tcp Port Scanner
134. Hack Tools
135. Tools 4 Hack
136. Hacking Tools For Kali Linux
137. Wifi Hacker Tools For Windows
138. Github Hacking Tools
139. Hack Rom Tools
140. Pentest Tools Nmap
141. Hack Rom Tools
142. Pentest Tools For Windows
143. Pentest Tools Website
144. Hacking Tools For Windows 7
145. Hacker Tools Linux
146. Hack Tool Apk No Root
147. Install Pentest Tools Ubuntu
148. Hack Tools For Pc
149. Hack Tools Mac
150. Hack Tools Github
151. Free Pentest Tools For Windows
152. Hacking Tools Pc
153. Pentest Tools Online
154. Hacker Tools
155. Pentest Tools Apk
156. Pentest Tools Windows
157. Hack Tools For Games
158. Hacking Tools For Kali Linux
159. Usb Pentest Tools
160. Hacker Tools Linux
161. Hacking Tools Windows
162. Pentest Automation Tools
163. Hacker Search Tools
164. Hacking Tools Download
165. Pentest Tools
166. Install Pentest Tools Ubuntu
167. Hacking Tools Windows