Description

Category: reversing

We found the mobile phone that was left in one of the offices. Out of all the applications, The Color Game App seemed suspicious. (Download) We believe the solution to this game is the password of the user for the computer next to it. Solve it and get the password!

Key is the color sequence of the buttons in all lower case with no spaces [e.g. redyellowbluegreenred]

These are the screenshots of the game: (pic 1, pic 2)

****

I've posted a copy of the app to http://www.limited-entropy.com/docs/pctf/writeup/rev250/iphone.zip .

After opening the binary with IDA Pro, jumping around a bit to get a feel for what compiled Objective-C looks like, and swearing a bit about every method call going through objc_msgSend, we end up analyzing the function __reverseMeViewController_viewDidLoad_ proc near at __text:000028DC. It does something like:

array1 = new MutableArray
array2 = new MutableArray
array2.add("Blue");
array2.add("Green");
...

The elements added to array2, in this order, are the solution to the problem. They are interleaved with calls to addButton(Color) to make things slightly more difficult. The final catch is that the app uses a different color name internally than the color actually shown on the button, so the strings in array2 cannot be typed in directly. We recover the mapping by reversing the functions that implement the button handlers.
For example, we see this in viewDidLoad. The first objc_msgSend is setTitle:forState: on the button with the string "addRed" and state 0 (UIControlStateNormal); the second is addTarget:action:forControlEvents: with the target, the action selector allDayHomeBoy and 40h, which is UIControlEventTouchUpInside:

__text:00002AA4 mov ecx, [ebp+var_1C]
__text:00002AA7 lea edx, (cfstr_Addred.isa - 28EDh)[ebx] ; "addRed"
__text:00002AAD lea eax, (setTitleForState - 28EDh)[ebx]
__text:00002AB3 mov eax, [eax]
__text:00002AB5 mov dword ptr [esp+0Ch], 0
__text:00002ABD mov [esp+8], edx
__text:00002AC1 mov [esp+4], eax
__text:00002AC5 mov [esp], ecx
__text:00002AC8 call _objc_msgSend
__text:00002ACD mov esi, [ebp+var_1C]
__text:00002AD0 lea eax, (AllDayHomeBoy - 28EDh)[ebx]
__text:00002AD6 mov edx, [eax]
__text:00002AD8 mov ecx, [ebp+arrayCapacity]
__text:00002ADB lea eax, (AddTargetAction - 28EDh)[ebx]
__text:00002AE1 mov eax, [eax]
__text:00002AE3 mov dword ptr [esp+10h], 40h
__text:00002AEB mov [esp+0Ch], edx
__text:00002AEF mov [esp+8], ecx
__text:00002AF3 mov [esp+4], eax
__text:00002AF7 mov [esp], esi
__text:00002AFA call _objc_msgSend

So the button titled "addRed" is wired to allDayHomeBoy, and that is the event handler we reverse next. There we see this code:

__text:000034DA __reverseMeViewController_allDayHomeBoy__ proc near
__text:000034DA
__text:000034DA var_1C = dword ptr -1Ch
__text:000034DA var_18 = dword ptr -18h
__text:000034DA var_14 = dword ptr -14h
__text:000034DA var_10 = dword ptr -10h
__text:000034DA var_C = dword ptr -0Ch
__text:000034DA arg_0 = dword ptr 8
__text:000034DA
__text:000034DA push ebp
__text:000034DB mov ebp, esp
__text:000034DD push esi
__text:000034DE push ebx
__text:000034DF sub esp, 40h
__text:000034E2 call $+5
__text:000034E7 pop ebx
__text:000034E8 mov edx, [ebp+arg_0]
__text:000034EB lea eax, (mutableArray1 - 34E7h)[ebx]
__text:000034F1 mov eax, [eax]
__text:000034F3 mov eax, [eax]
__text:000034F5 lea eax, [edx+eax]
__text:000034F8 mov eax, [eax]
__text:000034FA mov ecx, eax
__text:000034FC lea edx, (cfstr_Blue.isa - 34E7h)[ebx] ; "Blue"
__text:00003502 lea eax, (addObject - 34E7h)[ebx]
__text:00003508 mov eax, [eax]

The handler fetches the mutableArray1 ivar from self (arg_0 plus the ivar offset) and calls addObject: on it with the constant string "Blue". So pressing the red button appends "Blue" to the array: internally, 'Red' is 'Blue'. Every "Blue" in the expected sequence from viewDidLoad therefore becomes "red" in the key.
We do the same for every handler, which gives the complete mapping from internal name to button, and then translate the sequence from viewDidLoad into button presses to get the complete solution.

key: redyellowgreenredblueblueblueredpurplegreenyelloworangeredred
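As an added illustration, not part of the original writeup: the Python script below automates the procedure above on a constructed, cut-down IDA listing written in the same style as the excerpts quoted here. The listing, the addresses, the second handler name someOtherHandler and the selector-ref names are assumptions for the example, not a dump of the real binary. The script pairs each setTitle:forState: call with the addTarget:action:forControlEvents: call that follows it, looks up which string each handler passes to addObject:, and rewrites the expected sequence from viewDidLoad into the button presses that make up the key.

```python
import re

# Constructed, cut-down IDA listing in the style of the excerpts quoted above.
# Not a dump of the real binary: viewDidLoad expects Blue, Green, Blue and wires
# two buttons; allDayHomeBoy is the handler named in the writeup, someOtherHandler
# is an assumed name for this example.
LISTING = '''
__text:000028DC __reverseMeViewController_viewDidLoad_ proc near
__text:00002900 lea edx, (cfstr_Blue.isa - 28EDh)[ebx] ; "Blue"
__text:00002906 lea eax, (addObject - 28EDh)[ebx]
__text:0000290C call _objc_msgSend
__text:00002AA7 lea edx, (cfstr_Addred.isa - 28EDh)[ebx] ; "addRed"
__text:00002AAD lea eax, (setTitleForState - 28EDh)[ebx]
__text:00002AC8 call _objc_msgSend
__text:00002AD0 lea eax, (AllDayHomeBoy - 28EDh)[ebx]
__text:00002ADB lea eax, (AddTargetAction - 28EDh)[ebx]
__text:00002AFA call _objc_msgSend
__text:00002B00 lea edx, (cfstr_Green.isa - 28EDh)[ebx] ; "Green"
__text:00002B06 lea eax, (addObject - 28EDh)[ebx]
__text:00002B0C call _objc_msgSend
__text:00002B20 lea edx, (cfstr_Addyellow.isa - 28EDh)[ebx] ; "addYellow"
__text:00002B26 lea eax, (setTitleForState - 28EDh)[ebx]
__text:00002B30 call _objc_msgSend
__text:00002B40 lea eax, (SomeOtherHandler - 28EDh)[ebx]
__text:00002B46 lea eax, (AddTargetAction - 28EDh)[ebx]
__text:00002B50 call _objc_msgSend
__text:00002B60 lea edx, (cfstr_Blue.isa - 28EDh)[ebx] ; "Blue"
__text:00002B66 lea eax, (addObject - 28EDh)[ebx]
__text:00002B6C call _objc_msgSend
__text:000034DA __reverseMeViewController_allDayHomeBoy__ proc near
__text:000034EB lea eax, (mutableArray1 - 34E7h)[ebx]
__text:000034FC lea edx, (cfstr_Blue.isa - 34E7h)[ebx] ; "Blue"
__text:00003502 lea eax, (addObject - 34E7h)[ebx]
__text:0000350C call _objc_msgSend
__text:00003600 __reverseMeViewController_someOtherHandler__ proc near
__text:00003610 lea edx, (cfstr_Green.isa - 3607h)[ebx] ; "Green"
__text:00003616 lea eax, (addObject - 3607h)[ebx]
__text:00003620 call _objc_msgSend
'''

# IDA's names for the selector refs seen in the listing.
SEL_ADD_OBJECT, SEL_SET_TITLE, SEL_ADD_TARGET = "addObject", "setTitleForState", "AddTargetAction"
KNOWN_SELECTORS = {SEL_ADD_OBJECT, SEL_SET_TITLE, SEL_ADD_TARGET}

PROC_RE = re.compile(r'^__text:[0-9A-Fa-f]+\s+(\S+)\s+proc near')
# lea reg, (symbol[.isa] - XXXXh)[ebx]   [; "string literal"]
LEA_RE = re.compile(r'^__text:[0-9A-Fa-f]+\s+lea\s+\w+,\s+\((\w+)(?:\.isa)?'
                    r'\s+-\s+[0-9A-Fa-f]+h\)\[ebx\](?:\s*;\s*"([^"]*)")?')
CALL_RE = re.compile(r'^__text:[0-9A-Fa-f]+\s+call\s+_objc_msgSend\b')


def parse_msgsends(listing):
    """Per function, list each objc_msgSend as (selector, string arg, other symbol).
    PIC code loads every argument via lea ...[ebx], so the string literal and the
    symbols loaded since the previous call are the arguments of the next call."""
    calls, func, pending_str, pending_syms = {}, None, None, []
    for line in listing.splitlines():
        m = PROC_RE.match(line)
        if m:
            func, pending_str, pending_syms = m.group(1), None, []
            calls[func] = []
            continue
        m = LEA_RE.match(line)
        if m:
            if m.group(2) is not None:          # cfstr_ ref with IDA's string comment
                pending_str = m.group(2)
            else:
                pending_syms.append(m.group(1))
        elif CALL_RE.match(line) and func is not None:
            sel = next((s for s in pending_syms if s in KNOWN_SELECTORS), None)
            other = next((s for s in pending_syms if s not in KNOWN_SELECTORS), None)
            calls[func].append((sel, pending_str, other))
            pending_str, pending_syms = None, []
    return calls


def find_function(calls, handler_ref):
    """Map IDA's selector-ref name (AllDayHomeBoy) to the proc that implements it."""
    needle = "_" + handler_ref.lower() + "_"
    return next(n for n in calls if needle in n.lower())


def solve(listing):
    calls = parse_msgsends(listing)
    vdl = next(n for n in calls if "viewDidLoad" in n)
    expected = [s for sel, s, _ in calls[vdl] if sel == SEL_ADD_OBJECT]
    # Pair each setTitle:forState: with the addTarget:action:forControlEvents:
    # that follows it: button title -> handler selector.
    title_to_handler, last_title = {}, None
    for sel, s, other in calls[vdl]:
        if sel == SEL_SET_TITLE:
            last_title = s
        elif sel == SEL_ADD_TARGET and last_title is not None:
            title_to_handler[last_title], last_title = other, None
    # The string a handler passes to addObject: is the app's internal colour name.
    internal_to_title = {}
    for title, handler in title_to_handler.items():
        added = [s for sel, s, _ in calls[find_function(calls, handler)] if sel == SEL_ADD_OBJECT]
        internal_to_title[added[0]] = title
    # "addRed" is the button the player presses, so it contributes "red" to the key.
    presses = [internal_to_title[c] for c in expected]
    return "".join((t[3:] if t.startswith("add") else t).lower() for t in presses)


if __name__ == "__main__":
    print(solve(LISTING))   # redyellowred
```

Running it against a full listing exported from IDA (File > Produce file > Create ASM file) would need only the real selector-ref names and the real handler names substituted in; the pairing logic is the same as the manual walk through viewDidLoad above.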