I participated in NDH2013 this year and worked on a very interesting binary: k1986. It comes with two files:
aris@kali64:~/ndh2013$ ls -l k1986 license.db
-rwxr-xr-x 1 aris aris 14984 jun 23 02:07 k1986
-rwx------ 1 aris aris 360 jun 22 22:54 license.db
aris@kali64:~/ndh2013$ file k1986-orig license.db
k1986-orig: ELF 64-bit LSB executable, x86-64, invalid version (SYSV), for GNU/Linux 2.6.32,
dynamically linked (uses shared libs), corrupted section header size
license.db: data
It starts well: a corrupted ELF file. The content of license.db seems encrypted, so my first guess was that it was a DRM server of some kind. It becomes more fun when you try to check what it does:
aris@kali64:~/ndh2013$ objdump -t k1986-orig
objdump: k1986-orig: File format not recognized
aris@kali64:~/ndh2013$ gdb --quiet ./k1986-orig
"/home/aris/ndh2013/k1986-orig": not in executable format: Format de fichier non reconnu
(gdb) quit
aris@kali64:~/ndh2013$ nm ./k1986-orig
nm: ./k1986-orig: File format not recognized
aris@kali64:~/ndh2013$ ldd ./k1986-orig
n'est pas un exécutable dynamique
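The `file` output above complains about two header fields, the version and the section header size. The following added example (not from the original write-up) parses an ELF64 header and lists anomalies of that kind; the function names and the sample header are constructed for illustration, and the actual field values in k1986 are not shown on this page.

```python
import struct

# ELF64 header, little-endian, 64 bytes: e_ident[16] followed by 13 fixed fields.
EHDR64 = struct.Struct("<16sHHIQQQIHHHHHH")
EV_CURRENT = 1      # the only valid value for both version fields
SHDR64_SIZE = 64    # sizeof(Elf64_Shdr)

def triage_elf64(data):
    """Return a list of header anomalies that make strict ELF parsers give up."""
    if len(data) < EHDR64.size or data[:4] != b"\x7fELF":
        return ["not an ELF file"]
    if data[4] != 2 or data[5] != 1:          # EI_CLASS, EI_DATA
        return ["not a little-endian ELF64 file"]
    (ident, _type, _machine, e_version, _entry, _phoff, e_shoff, _flags,
     _ehsize, _phentsize, _phnum, e_shentsize, e_shnum, e_shstrndx) = \
        EHDR64.unpack_from(data)
    findings = []
    if ident[6] != EV_CURRENT:                # e_ident[EI_VERSION]
        findings.append(f"e_ident[EI_VERSION] is {ident[6]}, expected 1")
    if e_version != EV_CURRENT:
        findings.append(f"e_version is {e_version}, expected 1")
    if e_shnum and e_shentsize != SHDR64_SIZE:
        findings.append(f"e_shentsize is {e_shentsize}, expected {SHDR64_SIZE}")
    if e_shoff + e_shnum * e_shentsize > len(data):
        findings.append("section header table extends past end of file")
    if e_shnum and e_shstrndx >= e_shnum:
        findings.append("e_shstrndx points outside the section header table")
    return findings

def build_sample(e_version=1, e_shentsize=64):
    """Constructed sample: a minimal x86-64 header plus room for one section header."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LSB, v1, SYSV
    header = EHDR64.pack(ident, 2, 62, e_version, 0x400000, 64, 64, 0,
                         64, 56, 0, e_shentsize, 1, 0)
    return header + bytes(64)

if __name__ == "__main__":
    for label, blob in (("clean", build_sample()),
                        ("tampered", build_sample(e_version=0, e_shentsize=0))):
        print(label, triage_elf64(blob) or "no anomalies")
```

To run it against a real file, pass `open(path, "rb").read()` to `triage_elf64`.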