# Roxog

BreizhCTF 2019 - Reverse (100 pts).

# BreizhCTF 2019: Roxog

### Challenge details

Event Challenge Category Points Solves
BreizhCTF 2019 Roxog Reverse 100 ?

### TL;DR

A Go binary, flag xored with static int

### Methodology

#### Recon with r2

First we fire up r2 : r2 -A ./roxog It take quite a long time, we can first assume it’s staticly compiled

Then we search the main function (afl for listing function and ~main to make a grep on this list) :

The syntax look alike a Go binary, main.main is the main function in Go binaries.

Since it’s Go, I prefer IDA to reverse it. So let’s fire up IDA to make serious business :).

### IDA Part

When looking at main_main, we don’t see any obvious comparison, except one that compare args, we can assume it’s the good way to follow since there is an os_Exit call in the box before.

When we have enough args and we jump below a strange function is called : runtime_text

Let’s see what’s hiding in this function.

In this function we can see some interesting things :

It seems that the initial name of this function was main.roxgo

And finally there is a loop with a xor by 0x7f

## Hypothesis

At this point, I made the assumption that the data loaded by the function was xored by 0x7F. It cost almost no time to test this assumption and if it’s true, I will save a lot of time.

To have the data I go with radare again, data is at 0x4AFE80 we just have to tell the length and the address (here the length is totally random we just need a quick test) : ps 300 @0x4AFE80

Then let’s script it :

potential_cipher = open("out").read()

out = ""
for i in potential_cipher:
out += chr((0x7f ^ ord(i)) & 0xff)

print(out)


Looks like we are on the right path :) The funny thing with Go, is that String are not like C char* so let’s find another way to dump this cipher.

### GDB part

Let’s fire up GDB :

Now break at 0x40102F where we load the cipher

And step few instructions to see the loaded data in rax (n to step one instruction):

Now let’s dump rax data with dump memory out $rax$rax+30 where out is the output file, $rax the start and $rax+30 the stop address

And execute again our Python script since my out file is the same that I had before ;)

Ok we have the end o the flag … Let’s dump a little bit before :

And execute our script :

### Conclusion

Try to make assumption when you’re reversing a CTF challenge, it can save you many time. And look for xor, many reverser likes to use xor in their challenges :)

### Flag

BREIZHCTF{d0_y0u_Kn0w_7h47_m4nY_pr0j3kt5_4r3_wr1773n_in_GO?!_g0ph3r_rul35_t3h_w0r1d_0x7f}


@Areizen