Joel Eriksson
CEO/Founder of ClevCode. Vulnerability researcher, exploit developer and reverse-engineer. Previous CTO and co-founder of Bitsec, which was acquired by Nixu, and Cycura which was acquired by WELL Technologies. Have spoken at BlackHat, DefCon and the RSA conference. CTF player. Puzzle solver (Cicada 3301, Boxen)

PlaidCTF 2011 – 08 – The App Store! – 250 pts

This is my writeup for the eighth challenge in the PlaidCTF 2011 competition. The information for the challenge was:

“We found the mobile phone that’s left in one of the office.
Out of all applications, The Color Game App seemed suspicious.

We believe the solution to this game is the password of the user for the computer next to it.
Solve it! and get the password!

Key is the color sequence of the buttons in all lower case with no spaces [e.g. redyellowbluegreenred]

These are the screenshot of the game:
b94b784100fe411b2909988c074c947faad85237.jpg
ecdc0a5406ccfeb142b0bd8d4d7523e87cf2bcf0.jpg

This challenge consisted of an iPhone application, compiled for x86 so it can be used with the iPhone Simulator included with the iOS SDK. To analyze the code I used IDA Pro and for dynamically analyzing in runtime I used GDB, attaching to it after I’ve started it with the iPhone Simulator.

With IDA Pro I started with analyzing the viewDidLoad() method for the reverseMeViewController object. Scattered throughout the function are calls to the addObject() method of the NSMutableArray object named holyHandGrenadeOfAntioch. The objects added to the array are of type CFConstantStringClassReference and the strings that are added are, in order:
Blue, Green, Yellow, Blue, Red, Red, Red, Blue, Purple, Yellow, Green, Orange, Blue, Blue

By listing the cross references to the holyHandGrenadeOfAntioch object I find the reverseMeViewController.sheepFucker() method, which compares the contents of holyHandGrenadeofAntioch array with the contents of another array named donkeyFucker, and by listing the cross references to the donkeyFucker object I find that it is referenced in the following methods:

  • allDayHomeBoy
  • myLifeBeLike
  • weAreTheKnightsWhoSayNi
  • blameGalgara
  • bitch
  • brooooooooo

These are the handlers that are called when the addRed/addYellow/etc buttons are pressed in the applications, and by analyzing them in IDA I can see that they add the following strings to the donkeyFucker object:

  • allDayHomeBoy – Blue
  • myLifeBeLike – Green
  • weAreTheKnightsWhoSayNi – Yellow
  • blameGalgara – Purple
  • bitch – Red
  • brooooooooo – Orange

Now, a hasty assumption would be that the strings added to the array equals the actual colors that are seen in the GUI. In this case our key would be:
bluegreenyellowblueredredredbluepurpleyellowgreenorangeblueblue

Of course, this is not the case. We have a little bit of work to do still, and I chose to take the easy route of simply using GDB and setting a breakpoint on each of the button press handlers.

First, we start the application in the iPhone Simulator:

[je@TheMac ~/ctf/PlaidCTF-2011/08-The_App_Store/reverseMe.app]$ iPhone\ Simulator -SimulateApplication reverseMe

Second, we attach to the process in GDB and set our breakpoints:

[je@TheMac ~/ctf/PlaidCTF-2011/08-The_App_Store/reverseMe.app]$ ps auxw|grep reverseMe
je       22671   0,0  0,0  2425520      4 s003  R+   12:26am   0:00.00 grep reverseMe
je       22660   0,0  0,3   268920  13944   ??  Ss   12:24am   0:00.19 reverseMe -RegisterForSystemEvents
je       22656   0,0  0,3   445104  13852 s002  S+   12:24am   0:00.23 iPhone Simulator -SimulateApplication reverseMe
[je@TheMac ~]$ gdb reverseMe 22660
Attaching to program: `/Users/je/ctf/PlaidCTF-2011/08-The_App_Store/reverseMe.app/reverseMe', process 22660.
Reading symbols for shared libraries . done
0x950fb0fa in mach_msg_trap ()
(gdb) b *0x34da
Breakpoint 1 at 0x34da
(gdb) b *0x3674
Breakpoint 2 at 0x3674
(gdb) b *0x380e
Breakpoint 3 at 0x380e
(gdb) b *0x39a8
Breakpoint 4 at 0x39a8
(gdb) b *0x3b42
Breakpoint 5 at 0x3b42
(gdb) b *0x3cdc
Breakpoint 6 at 0x3cdc

I now simply press each button in order (red, yellow, green, purple, blue, orange) and see which handler is called for which color:

(gdb) c
Continuing.

(gdb) c
Continuing.

Breakpoint 1, 0x000034da in -[reverseMeViewController allDayHomeBoy:] ()
(gdb) c
Continuing.

Breakpoint 2, 0x00003674 in -[reverseMeViewController myLifeBeLike:] ()
(gdb) c
Continuing.

Breakpoint 3, 0x0000380e in -[reverseMeViewController weAreTheKnightsWhoSayNi:] ()
(gdb) c
Continuing.

Breakpoint 4, 0x000039a8 in -[reverseMeViewController blameGalgara:] ()
(gdb) c
Continuing.

Breakpoint 5, 0x00003b42 in -[reverseMeViewController bitch:] ()
(gdb) c
Continuing.

Breakpoint 6, 0x00003cdc in -[reverseMeViewController brooooooooo:] ()
(gdb)

This gives me the following mapping between handler and color:

  • allDayHomeBoy – Red
  • myLifeBeLike – Yellow
  • weAreTheKnightsWhoSayNi – Green
  • blameGalgara – Purple
  • bitch – Blue
  • brooooooooo – Orange

Combined with the knowledge of which string is added to the donkeyFucker array in each of these handlers, I can now map a string in the array to the actual color in the GUI:

  • Blue -> Red
  • Green -> Yellow
  • Yellow -> Green
  • Purple -> Purple
  • Red -> Blue
  • Orange -> Orange

Applying this to the list of strings in the holyHandGrenadeOfAntioch array we get:
Blue, Green, Yellow, Blue, Red, Red, Red, Blue, Purple, Yellow, Green, Orange, Blue, Blue
->
Red, Yellow, Green, Red, Blue, Blue, Blue, Red, Purple, Green, Yellow, Orange, Red, Red

Trying this in the emulator, we get a picture of a happy face. :)

Thus, our key is:
redyellowgreenredblueblueblueredpurplegreenyelloworangeredred