BSidesCBR 2017 CTF Write-Up: Push My Buttons

This is a write-up of “Push My Buttons” (150 points) from the BSides Canberra CTF.

You can find the challenge here: https://github.com/OJ/bsides-2017-ctf-docker/tree/master/rev-pushmybuttons.

Alright, onto the challenge:

This was the first Binary Reversal we did in this CTF. To begin, we searched for ways to enable disabled buttons, and came across an article about applications which do this automatically: https://www.raymond.cc/blog/how-to-enable-and-access-disabled-grayed-out-buttons-windows-and-checkboxes/. We installed Daanav Enabler, which enabled two more buttons:

But two buttons remained unclickable. The first inclination we had was towards reading the memory addresses used by the application, and figuring out the remaining strings from there. We opened Cheat Engine, and went to the memory view, and looked around for a bit:

CheatEngine memory viewer

Soon, though, it appeared that the better idea would be to open the String Map in Cheat Engine — although this was a tool none of us had used previously, so no one had prior knowledge of the actual function of the string viewer. As it turns out, the string viewer actually contains every single string the OS has stored in memory. This meant it would be difficult to figure out where the important strings were located in memory.

CheatEngine string map

We decided then on saving the string map to the disk, and using regular expressions to extract the relevant strings. For this, we opened the string list in Visual Studio.

Visual Studio Regex Searching

This didn’t help either; we could only find the BSIDES_CTF{Acc3ss_ part of the flag like this, which we already had previously obtained.

Finally, we decided to disassemble the application. For this we used Hex-Rays Interactive Disassembler (IDA), and HexEdit for editing the binary.

The workflow here was to read through the assembly in IDA until we found something worth trying (for example, the EnableWindow calls). We then opened that section of code in HexEdit and changed values. Here we changed the Push 0 instructions (near the button drawing code) to Push 1. This was a logical step because of the IDA comment (“bEnable”) and because of where these Push statements sat in the code.
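The patch described above can be scripted instead of done by hand in HexEdit. The following is an added example, not the authors' tooling or part of the original write-up; the EnableWindow IAT slot address and the sample code bytes are constructed for illustration, and it works on raw code bytes rather than a real PE file.

```python
import struct

# Hypothetical IAT slot for EnableWindow (constructed for this example; read the real
# one from the call target in IDA, and remember file offsets differ from virtual addresses).
ENABLE_WINDOW_IAT = 0x00402010

def find_enable_window_calls(code: bytes, iat_slot: int) -> list[int]:
    """Offsets of every `call dword ptr [iat_slot]` (FF 15 imm32) in `code`."""
    pattern = b"\xff\x15" + struct.pack("<I", iat_slot)
    offsets, start = [], 0
    while (idx := code.find(pattern, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets

def patch_benable(code: bytes, iat_slot: int, window: int = 12) -> tuple[bytes, list[int]]:
    """Turn the `push 0` (6A 00) that supplies bEnable into `push 1` (6A 01) for each
    EnableWindow call. stdcall pushes right to left, so bEnable is pushed before hWnd;
    the nearest 6A 00 within `window` bytes before the call is taken as bEnable.
    Byte matching ignores instruction boundaries, so confirm each hit in IDA before
    writing it back. Returns (patched code, offsets that were patched)."""
    buf = bytearray(code)
    patched = []
    for call_off in find_enable_window_calls(code, iat_slot):
        idx = buf.rfind(b"\x6a\x00", max(0, call_off - window), call_off)
        if idx != -1:
            buf[idx + 1] = 0x01
            patched.append(idx)
    return bytes(buf), patched

# Constructed sample code: an unrelated push 0, then two EnableWindow call sites,
# one that disables (push 0) and one that already enables (push 1).
SAMPLE = bytes.fromhex(
    "6a00"                 # push 0 (unrelated; too far from any EnableWindow call)
    + "90" * 20            # nop padding
    + "6a00"               # push 0        ; bEnable = FALSE  -> patched to push 1
    + "ff7508"             # push [ebp+8]  ; hWnd
    + "ff15" + "10204000"  # call ds:EnableWindow (IAT slot 0x00402010, little-endian)
    + "6a01"               # push 1        ; bEnable = TRUE, left untouched
    + "ff7508"             # push [ebp+8]
    + "ff15" + "10204000"  # call ds:EnableWindow
)

if __name__ == "__main__":
    patched, offsets = patch_benable(SAMPLE, ENABLE_WINDOW_IAT)
    print("EnableWindow calls at", find_enable_window_calls(SAMPLE, ENABLE_WINDOW_IAT))
    print("patched push 0 -> push 1 at", offsets)   # [22]
```

On a real binary the same scan runs over the .text section's raw bytes, and every reported offset should be cross-checked against the disassembly, since a 6A 00 pair can also occur inside a longer instruction.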

After this change to the binary, the application appeared like this:

Finally, by combining both of the previously discussed button enabling actions, we managed to enable all six buttons:

All that was left was to click the buttons and figure out the order in which the words should appear:

We then redeemed the flag, bringing us another 150 points.