Fwhibbit CTF 2017 - Rising Research


Rising Research (200 pts)
CTF: Fwhibbit CTF 2017
URL: https://ctf.followthewhiterabbit.es/
CAT: forensics

Points: 200
Country: Thailand

Attachment: https://mega.nz/#!I5kRCJqA!xSaCEtbljgBpOE8q6C3OmhK_Yyxe62BdiNwBBaKEM7o

Description: An infiltrated Russian spy has sent us a file that indicates the name of a Doctor of great relevance in the advanced projects on Artificial Intelligence (IA). According to an intelligence report, we should omit the place where the information leak occurred: the Massachusetts Institute of Technology.


Hint (-75 points)

The magic numbers are very helpful as is the ASCII code of the PNG images.
There is a clue in the course of the resolution of the challenge, observing in the ASCII code. This steganography must be applied.


(1) ANALYSIS OF THE FILES WITH A HEXADECIMAL EDITOR

Once decompressed, the provided attachment contains the following 25 PNG files:

$ ls -al *.png
-rw-r--r-- 1 sn4fu sn4fu  278335 Feb 18 17:18 20161107_odhgos_mh_sexistikhs_glwssas(2).png
-rw-r--r-- 1 sn4fu sn4fu  266969 Feb 18 17:20 20161109_logoCenter_1140x670.png
-rw-r--r-- 1 sn4fu sn4fu 1249243 Feb 18 17:14 4DO1rnQ83ny.png
-rw-r--r-- 1 sn4fu sn4fu  227173 Feb 18 17:22 blog-highlights-ellucian-wt-bogota.png
-rw-r--r-- 1 sn4fu sn4fu  386597 Feb 18 17:24 Cookies.png
-rw-r--r-- 1 sn4fu sn4fu  355155 Feb 18 17:26 Cover-18.png
-rw-r--r-- 1 sn4fu sn4fu  539250 Feb 18 17:27 Dailymotion_PS4App-DMBlue.png
-rw-r--r-- 1 sn4fu sn4fu   18224 Feb 18 17:28 default-image.png
-rw-r--r-- 1 sn4fu sn4fu  294444 Feb 18 17:29 facebook.png
-rw-r--r-- 1 sn4fu sn4fu 1304979 Feb 18 17:30 fb-og.png
-rw-r--r-- 1 sn4fu sn4fu   26640 Feb 18 17:37 freddie.png
-rw-r--r-- 1 sn4fu sn4fu   23975 Feb 18 17:39 github-mark.png
-rw-r--r-- 1 sn4fu sn4fu   40558 Feb 18 17:42 Image.png
-rw-r--r-- 1 sn4fu sn4fu  137214 Feb 18 17:45 kt_home_member-min.png
-rw-r--r-- 1 sn4fu sn4fu   11769 Feb 18 17:47 lc-og@2x.png
-rw-r--r-- 1 sn4fu sn4fu   23563 Feb 18 17:48 newTsol_logo_socmedia.png
-rw-r--r-- 1 sn4fu sn4fu   42858 Feb 18 17:49 obywatel-opengraph.png
-rw-r--r-- 1 sn4fu sn4fu  587575 Feb 18 19:10 og-image-cc.png
-rw-r--r-- 1 sn4fu sn4fu   11033 Feb 18 19:10 og-image.png
-rw-r--r-- 1 sn4fu sn4fu  794269 Feb 18 19:11 report05.png
-rw-r--r-- 1 sn4fu sn4fu   45252 Feb 18 19:21 snworks-logo-facebook.png
-rw-r--r-- 1 sn4fu sn4fu   37488 Feb 18 19:21 study-logo-og-new.png
-rw-r--r-- 1 sn4fu sn4fu  427313 Feb 18 19:22 ucal-fb-image.png
-rw-r--r-- 1 sn4fu sn4fu  136805 Feb 18 19:23 v2-frontpage-fb.png
-rw-r--r-- 1 sn4fu sn4fu  114093 Feb 18 19:23 zte-grand-s-ext.png

Unfortunately, none of them can be displayed. A hex editor shows that the headers are corrupted: there is no trace of the PNG magic number before the IHDR chunk in any of the files. The magic numbers have been overwritten with other strings. Checking all the files in alphabetical order reveals the following:

20161107_odhgos_mh_sexistikhs_glwssas(2).png
00000000   E3 55 45 44  56 45 53 53  00 00 00 0D  49 48 44 52  00 00 04 74  00 00 02 9E  .UEDVESS....IHDR...t....

20161109_logoCenter_1140x670.png
00000000   41 51 55 49  20 45 53 54  00 00 00 0D  49 48 44 52  00 00 04 72  00 00 02 9D  AQUI EST....IHDR...r....

4DO1rnQ83ny.png
00000000   34 38 43 56  12 67 32 87  00 00 00 0D  49 48 44 52  00 00 04 B0  00 00 02 76  48CV.g2.....IHDR.......v

blog-highlights-ellucian-wt-bogota.png
00000000   45 53 54 41  20 4C 41 0A  00 00 00 0D  49 48 44 52  00 00 04 B1  00 00 02 77  ESTA LA.....IHDR.......w

Cookies.png
00000000   66 6C 61 67  7B 33 73 74  49 48 44 52  00 00 04 B0  00 00 02 76  08 06 00 00  flag{3stIHDR.......v....

Cover-18.png
00000000   34 73 5F 67  75 34 70 30  00 00 00 0D  49 48 44 52  00 00 04 38  00 00 02 D0  4s_gu4p0....IHDR...8....

Dailymotion_PS4App-DMBlue.png
00000000   5F 71 75 33  5F 33 73 74  00 00 00 0D  49 48 44 52  00 00 04 B0  00 00 02 76  _qu3_3st....IHDR.......v

default-image.png
00000000   34 5F 33 73  5F 6C 34 5F  00 00 00 0D  49 48 44 52  00 00 04 B0  00 00 02 76  4_3s_l4_....IHDR.......v

facebook.png
00000000   66 6C 34 67  5F 74 72 79  00 00 00 0D  49 48 44 52  00 00 04 B0  00 00 02 76  fl4g_try....IHDR.......v

fb-og.png
00000000   5F 68 34 72  64 33 72 7D  00 00 00 0D  49 48 44 52  00 00 04 B0  00 00 02 76  _h4rd3r}....IHDR.......v

If we merge all the ASCII strings at the beginning of each file, we get the following fake flag:

flag{3st4s_gu4p0_qu3_3st4_3s_l4_fl4g_try_h4rd3r}

We continue with the remaining files:

freddie.png
00000000   5A 6E 64 6F  61 57 4A 69  00 00 00 0D  49 48 44 52  00 00 04 B0  00 00 02 76  ZndoaWJi....IHDR.......v

github-mark.png
00000000   61 58 52 37  59 6A 52 7A  00 00 00 0D  49 48 44 52  00 00 04 B0  00 00 02 76  aXR7YjRz....IHDR.......v

Image.png
00000000   4D 7A 59 30  58 32 4A 31  00 00 00 0D  49 48 44 52  00 00 04 B0  00 00 02 76  MzY0X2J1....IHDR.......v

kt_home_member-min.png
00000000   4D 32 35 66  61 57 35 30  00 00 00 0D  49 48 44 52  00 00 03 E8  00 00 03 11  M25faW50....IHDR........

lc-og@2x.png
00000000   4D 32 35 30  4D 46 39 30  00 00 00 0D  49 48 44 52  00 00 04 B0  00 00 02 76  M250MF90....IHDR.......v

newTsol_logo_socmedia.png
00000000   63 6E 6C 66  61 44 52 79  00 00 00 0D  49 48 44 52  00 00 04 B0  00 00 02 76  cnlfaDRy....IHDR.......v

obywatel-opengraph.png
00000000   5A 44 4E 79  66 51 3D 3D  00 00 00 0D  49 48 44 52  00 00 04 B0  00 00 02 76  ZDNyfQ==....IHDR.......v

The same procedure reveals a base64 string:

ZndoaWJiaXR7YjRzMzY0X2J1M25faW50M250MF90cnlfaDRyZDNyfQ==

Once decoded, we get a new fake flag:

$ echo ZndoaWJiaXR7YjRzMzY0X2J1M25faW50M250MF90cnlfaDRyZDNyfQ== | base64 --decode
fwhibbit{b4s364_bu3n_int3nt0_try_h4rd3r}

There are still more files which we examine using the hex editor:

og-image-cc.png
00000000   2E 2E 6A 67  2E 2E 67 2E  00 00 00 0D  49 48 44 52  00 00 04 B0  00 00 02 76  ..jg..g.....IHDR.......v

og-image.png
00000000   2E 2E 2E 2E  2E 67 2E 2E  00 00 00 0D  49 48 44 52  00 00 04 B0  00 00 02 76  .....g......IHDR.......v

report05.png
00000000   68 2E 2E 6E  74 2E 2E 2E  00 00 00 0D  49 48 44 52  00 00 04 B0  00 00 02 76  h..nt.......IHDR.......v

snworks-logo-facebook.png
00000000   2E 2E 2E 79  65 2E 61 68  00 00 00 0D  49 48 44 52  00 00 04 B0  00 00 02 76  ...ye.ah....IHDR.......v

The last one contains a string of interest, which we will examine later:

TWUgZW5jYW50YSBsYSBJQSwgcmZnaHF2bnFiIHJhIHBueXZzYmVhdm4==

And now the last files, which do not reveal anything interesting:

study-logo-og-new.png
00000000   2E 76 62 67  6E 2E 2E 2E  00 00 00 0D  49 48 44 52  00 00 04 B0  00 00 02 76  .vbgn.......IHDR.......v

ucal-fb-image.png
00000000   2E 6E 67 47  66 6E 2C 2E  00 00 00 0D  49 48 44 52  00 00 04 B0  00 00 02 76  .ngGfn,.....IHDR.......v

v2-frontpage-fb.png
00000000   2E 2E 2E 79  67 66 64 6A  00 00 00 0D  49 48 44 52  00 00 04 B0  00 00 02 76  ...ygfdj....IHDR.......v

zte-grand-s-ext.png
00000000   2E 2E 6A 2E  39 2E 35 34  00 00 00 0D  49 48 44 52  00 00 03 37  00 00 01 80  ..j.9.54....IHDR...7....

We decode the base64 string found in the 'snworks-logo-facebook.png' file:

$ echo TWUgZW5jYW50YSBsYSBJQSwgcmZnaHF2bnFiIHJhIHBueXZzYmVhdm4== | base64 --decode
Me encanta la IA, rfghqvnqb ra pnyvsbeavn

After some investigation, we conclude that the second part of the decoded string, 'rfghqvnqb ra pnyvsbeavn', is enciphered with a simple ROT13 cipher. Deciphering it is easy:

$ echo "rfghqvnqb ra pnyvsbeavn" | tr '[A-Za-z]' '[N-ZA-Mn-za-m]'
estudiado en california

So it seems that we found a hint:
Me encanta la IA, estudiado en california


(2) REBUILDING THE PNG FILES

The next step was rebuilding the PNG files so that they could be displayed and searched for more information. The magic number of a PNG file is '89 50 4e 47 0d 0a 1a 0a', and its length is exactly the number of bytes overwritten in each file. To restore the magic numbers in all the PNG files we use the following script:

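#!/bin/bash

# Overwrite the first 8 bytes of every file in place with the PNG signature.
# conv=notrunc keeps the rest of the file; the path is quoted because some
# file names contain parentheses.
for file in /home/sn4fu/CTF/fwhibbit/forensics/rising_research/tmp/*
do
  printf '\x89\x50\x4e\x47\x0d\x0a\x1a\x0a' | dd conv=notrunc of="$file" bs=1
done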

However, after the restoration process and using the 'pngcheck' tool we see that there are still 3 files with errors:

$ pngcheck 4DO1rnQ83ny.png 
4DO1rnQ83ny.png:  invalid chunk name "BAT#" (42 41 54 23)
ERROR: 4DO1rnQ83ny.png

$ pngcheck Cookies.png 
Cookies.png:  invalid chunk name "" (00 00 04 ffffffb0)
ERROR: Cookies.png

$ pngcheck snworks-logo-facebook.png 
snworks-logo-facebook.png  CRC error in chunk IDAT (computed 23e5ddc7, expected f1779cd6)
ERROR: snworks-logo-facebook.png

Examining in more detail 'Cookies.png' and comparing it with other successfully restored files, we see that it has a slightly different structure:

Cookies.png
00000000   89 50 4E 47  0D 0A 1A 0A  49 48 44 52  00 00 04 B0  00 00 02 76  08 06 00 00  .PNG....IHDR.......v....

Cover-18.png
00000000   89 50 4E 47  0D 0A 1A 0A  00 00 00 

Using the HxD hexadecimal editor in Windows, we insert the hex values '00 00 00' before '49 48 44 52'. The image is repaired but once displayed it does not reveal anything interesting.

Examining the file '4DO1rnQ83ny.png', we see that there is no IEND chunk at the end of the file. This chunk is compulsory for PNG files. The file contains the following bytes at the end:

00130FC4   00 03 00 B4  84 8B 14 AA  EB 36 24 00  00 00 00 42  41 54 23 AE  42 60 82                  .........6$....BAT#.B`.

Using our hex editor, we overwrite 'BAT#' with 'IEND' and the image is repaired, but again we don't see anything of interest.

And finally, as we saw with 'pngcheck', the file 'snworks-logo-facebook.png' contains a CRC error in an IDAT chunk:

0000B0A4   40 08 00 00  00 00 08 D3  FF 2F C0 00  07 E0 DB 27  F1 77 9C D6  00 00 00 00  49 45 4E 44  @......../.....'.w......IEND

We overwrite the wrong CRC 'f1779cd6' with the expected one '23e5ddc7' and we are able to display the file. Nothing interesting.
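
The signature restore and the three manual repairs above can also be done in one pass over the chunk structure. The following Python code is an added example, not part of the original write-up: it runs on a constructed 1x1 PNG damaged in the same three ways, its function and variable names are illustrative, and for the missing-length case it reinserts the full 4-byte IHDR length '00 00 00 0D' that is visible in the dumps of the other files.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"      # 89 50 4E 47 0D 0A 1A 0A
IEND_CRC = zlib.crc32(b"IEND")      # AE 42 60 82, CRC of an empty IEND chunk


def chunk(ctype, data=b""):
    """Serialize one chunk: 4-byte length, type, data, CRC-32 over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))


def repair(raw):
    """Return (fixed_bytes, notes) for a PNG damaged as in the write-up."""
    notes = [] if raw[:8] == PNG_SIG else ["signature restored"]
    body = raw[8:]
    # Cookies.png case: 'IHDR' follows the signature directly, length field missing.
    if body[:4] == b"IHDR":
        body = struct.pack(">I", 13) + body      # IHDR data is always 13 bytes
        notes.append("IHDR length reinserted")
    out, pos = [PNG_SIG], 0
    while pos + 12 <= len(body):
        (length,) = struct.unpack_from(">I", body, pos)
        end = pos + 12 + length
        if end > len(body):
            notes.append("truncated chunk at offset %d dropped" % (pos + 8))
            break
        ctype, data = body[pos + 4:pos + 8], body[pos + 8:end - 4]
        (stored,) = struct.unpack_from(">I", body, end - 4)
        # 4DO1rnQ83ny.png case: empty chunk carrying IEND's CRC under another name.
        if length == 0 and stored == IEND_CRC and ctype != b"IEND":
            notes.append("chunk %s renamed to IEND" % ctype.decode("latin-1"))
            ctype = b"IEND"
        # snworks-logo-facebook.png case: stored CRC does not match type+data.
        elif stored != zlib.crc32(body[pos + 4:end - 4]):
            notes.append("CRC of %s recomputed" % ctype.decode("latin-1"))
        out.append(chunk(ctype, data))
        pos = end
    return b"".join(out), notes


# Constructed sample: a valid 1x1 grayscale PNG and three damaged copies of it.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
GOOD = PNG_SIG + chunk(b"IHDR", IHDR) + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND")
DAMAGED = {
    "missing IHDR length": b"flag{3st" + GOOD[12:],
    "renamed IEND": b"48CV\x12g2\x87" + GOOD[8:-8] + b"BAT#" + GOOD[-4:],
    "bad IDAT CRC": b"...ye.ah" + GOOD[8:-16] + b"\xf1\x77\x9c\xd6" + GOOD[-12:],
}

if __name__ == "__main__":
    for name, blob in DAMAGED.items():
        fixed, notes = repair(blob)
        print(name, "->", notes, "valid" if fixed == GOOD else "still broken")
```

A recomputed CRC only makes the chunk parse again; it does not tell you whether the chunk data or the stored CRC was the part that had been altered.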


(3) HOMING THE MISSILE

At this point, lots of stego tools were used against all the PNG files, to no avail. But then we read again the hint we got from the decoded base64 string:

'Me encanta la IA, estudiado en california'

There is precisely one file, 'ucal-fb-image.png', that once displayed shows a University of California logo. If we zoom in on the file, in the bottom left part we can see what seems to be part of a string. Applying a contrast filter to the image reveals the following hidden hex string:

d3 b6 44 d4 55 65 65 26 75 86 13 45 94 07 03 25 96 93 d6 35 55 46 13 25 75 07 85 65 65 07 65 26 55 07 84 d4 27 07 13 35 f6 65 64 65 33 25 44 d4 35 53 54 46 85 93 03 25 b4 13 75 a5 35 07 54 25 85 a5 44 26 27 a4 d6 75 35 53 75 55 87 07 55
26 16 25 a6 35 55 25 13 d4 a4 a5 03 65 f6 87 75 26 45 86 c6 25 97 94 23 16 13 03 23 65

If we try to decode the hex string to ASCII, we just get rubbish and lots of non-printable characters.

In order to decode the string, we tried other techniques as well, to no avail:

  • Converting the file to binary and trying to carve possible hidden files within it.
  • Using the 'xortool' tool to try to determine possible simple stream cyphers and key lengths.
  • Decomposing the string in adequate length substrings and performing mask attacks against each one of them, considering them as hashes.

In the end, we decided just to reverse the string:

$ echo "d3b644d45565652675861345940703259693d635554613257507856565076526550784d427071335f6656465332544d43553544685930325b41375a53507542585a5442627a4d67535537555870755261625a635552513d4a4a50365f68775264586c6259794231613032365" | rev
5632303161324979526c68546257786f56305a4a4d315255536a52616255707855573553576d4a7262445a58524570535a57314b52303958644535534d4452335646566f533170724d487055625670565658705752316455536d39695230704954316857625656554d446b3d

And tried to decode it from hex to ASCII using Python, this time successfully:

>>> print '5632303161324979526c68546257786f56305a4a4d315255536a52616255707855573553576d4a7262445a58524570535a57314b52303958644535534d4452335646566f533170724d487055625670565658705752316455536d39695230704954316857625656554d446b3d'.decode("hex")
V201a2IyRlhTbWxoV0ZJM1RUSjRabUpxUW5SWmJrbDZXREpSZW1KR09XdE5SMDR3VFVoS1prMHpUbVpVVXpWR1dUSm9iR0pIT1hWbVVUMDk=

It clearly looks like a base64 string, so we try to decode it:

$ echo V201a2IyRlhTbWxoV0ZJM1RUSjRabUpxUW5SWmJrbDZXREpSZW1KR09XdE5SMDR3VFVoS1prMHpUbVpVVXpWR1dUSm9iR0pIT1hWbVVUMDk= | base64 --decode
Wm5kb2FXSmlhWFI3TTJ4ZmJqQnRZbkl6WDJRemJGOWtNR04wTUhKZk0zTmZUUzVGWTJobGJHOXVmUT09

We get what seems to be a new base64 string. Since recursive encoding seems to be in place, we used the following script to decode base64 recursively, looking on each iteration for the string 'fwh', which is our flag format:

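#!/bin/bash
#
# base64_recursive_decoder
#
# Rev.20170111
# by sn4fu
#

# Hide decoder errors (for example when a layer is no longer valid base64)
exec 2>/dev/null

if [[ $# -lt 2 ]] ; then
   echo 'Decodifica recursivamente un fichero de texto msg.txt en base64, buscando una cadena de texto.'
   echo 'Uso: ./base64_recursive_decoder <iteraciones> <cadena>'
   exit 0
fi

# msg.txt holds the encoded text; N.txt is the input of iteration N
cp msg.txt 1.txt
a=1

for ((i=1; i<=$(($1 - 1)); i++)); do
   base64 -d < "$i.txt" > "$((i + 1)).txt"
   # Stop as soon as the decoded layer contains the search string
   if grep -- "$2" "$((i + 1)).txt"; then
      printf "\nCadena encontrada en la Iteracion %s\n" "$i"
      rm "$i.txt" "$((i + 1)).txt"
      exit 0
   else
      rm "$i.txt"
      a=$((i+1))
   fi
done

# Search string not found: remove the last temporary file
rm "$a.txt"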

Once executed, the script reveals that base64 encoding was used 3 times:

./base64_recursive_decoder.sh 100 fwh

fwhibbit{3l_n0mbr3_d3l_d0ct0r_3s_M.Echelon}

Cadena encontrada en la Iteracion 3

Our flag is:

fwhibbit{3l_n0mbr3_d3l_d0ct0r_3s_M.Echelon}

Fwhibbit CTF 2017 - Crazy Serial

Tags: reversing

Challenge statement

Crazy Serial

Points: 350

Country: Vongo - Kinshasa

Attachment: https://mega.nz/#!QpFSVYqI!85ekG2b5MwHW8BXxGvcUrkg_Liluz2M27c8xCeo4ZaA

Description: Serial serial serials, I have nightmares with serials!!! Dear soldier, we need you to find the crazy serial for the rabbit team, the future of the team depends on you...GO GO GO!

Solution

We are given a binary that, when run, asks for an e-mail address and a serial number:

./crazy_serial-350   
 Enter your Mail
 > aa@a 
 Enter Serial
 > 12345678
  Wrong Serial

Running strings on the binary helps us see where to start looking in the assembly code:

strings crazy_serial-350
 Wrong Serial
 Enter your Mail
 Enter Serial
  fwhibbit{

First of all, we find the entry point of the binary so that we can set a breakpoint at the start of the main function:

>>> set stop-on-solib-events 1
>>> info target
Symbols from "/root/Documents/FwhibbitCTF/reversing/crazy_serial-350".
Local exec file:
    `/root/Documents/FwhibbitCTF/reversing/crazy_serial-350', file type elf64-x86-64.
    Entry point: 0x555555554e00
br *0x000055555555505c

Let's take a look at the code and see what we find:

1075:   call   f30                      <== Prints the ASCII-art drawing of the Playboy bunny
107a:   lea    rdi,[rip+0x817]
1081:   mov    eax,0x0
1086:   call   ce0 <printf@plt>         <== Prints the string "Enter your Mail"
108b:   lea    rax,[rbp-0x230]          <== Takes the memory address where the Mail value will be stored
1092:   mov    rsi,rax                  <== Loads $rsi with $rbp-0x230. $rsi is used as the source in string operations
1095:   lea    rdi,[rip+0x201024]       <== Loads $rdi with the address of the _ZSt3cin function that will read from the console for us
109c:   call   d70                      <== Calls the function that reads the Mail value and puts it in memory (cin?)

Once the above has executed, the Mail value we entered (AA@A in this case) is at the following memory location:

>>> x/32xw $rbp-0x230
0x7fffffffdf40: 0x41404141  0x00000000  0x00000000  0x00000000

Continuing through the code, it asks for the serial value and stores it in memory:

10a1:   lea    rdi,[rip+0x805]
10a8:   mov    eax,0x0
10ad:   call   ce0 <printf@plt>         <== Prints the string "Enter Serial"
10b2:   lea    rax,[rbp-0x430]          <== Takes the memory address where the Serial value will be stored
10b9:   mov    rsi,rax
10bc:   lea    rdi,[rip+0x200ffd]        # 2020c0 <_ZSt3cin@@GLIBCXX_3.4>
10c3:   call   d70 <_ZStrsIcSt11char_traitsIcEERSt13basic_istreamIT_T0_ES6_PS3_@plt>

The memory location $rbp-0x430 is where the value we entered as the serial is stored (11111111 in this case):

>>> x/32xw $rbp-0x430
0x7fffffffdd40: 0x31313131  0x31313131  0xf7a7fb00  0x00007fff

Now let's see what checks it performs on the values entered. The first check is on Mail: it walks the string in a loop to check whether it contains an '@'.

10c8:   mov    DWORD PTR [rbp-0x18],0x0         <== i=0
10cf:   mov    eax,DWORD PTR [rbp-0x18]         <== Start of the loop
10d2:   movsxd rbx,eax
10d5:   lea    rax,[rbp-0x230]
10dc:   mov    rdi,rax
10df:   call   d50 <strlen@plt>                 <== Computes the length of the Mail string entered
10e4:   cmp    rbx,rax                          <== If it has reached the last character of the string, it exits
10e7:   jae    1104 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEixEm@plt+0x324>
10e9:   mov    eax,DWORD PTR [rbp-0x18]
10ec:   cdqe
10ee:   movzx  eax,BYTE PTR [rbp+rax*1-0x230]   <== Takes character[i] of Mail
10f6:   cmp    al,0x40                          <== Checks whether character[i] of Mail equals @
10f8:   jne    10fe <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEixEm@plt+0x31e>
10fa:   mov    BYTE PTR [rbp-0x11],0x1          <== If there is an @, a 1 is stored in var_11(=$rbp-0x11) -- Sentinel
10fe:   add    DWORD PTR [rbp-0x18],0x1         <== i++
1102:   jmp    10cf <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEixEm@plt+0x2ef>     <== Goes back to the start of the loop

It also checks that Mail is longer than 3 characters:

1104:   movzx  eax,BYTE PTR [rbp-0x11]  <== Reads the sentinel value
1108:   xor    eax,0x1                  <== Checks whether the sentinel is 1 (whether there is an @)
110b:   test   al,al
110d:   jne    1124                     <== Exits if sentinel=0
110f:   lea    rax,[rbp-0x230]          <== Takes the value of &Mail again
1116:   mov    rdi,rax
1119:   call   d50 <strlen@plt>         <== Computes the length of Mail
111e:   cmp    rax,0x3                  <== Checks whether it has more than 3 characters
1122:   ja     1129                     <== Continues execution if length(Mail)>3
1124:   call   100f                     <== Function that exits the program if any of the conditions is not met

Once Mail has passed, the madness of checks on Serial begins. There is a huge string of checks and I don't think I will list them all; I will show the most significant ones. The idea is to get past every check until the serial value is recovered. The first check is the number of digits in the serial:

1129:   lea    rax,[rbp-0x430]          <== Memory address of Serial
1130:   mov    rdi,rax
1133:   call   d50 <strlen@plt>         <== Computes length(Serial)
1138:   cmp    rax,0x18                 <== Compares with 24
113c:   ja     1143                     <== If it is greater than 24, it continues
113e:   call   100f                     <== If it is not, it exits

It checks that the Serial has the "-" character at positions 0x5, 0xb and 0x12.

1143:   movzx  eax,BYTE PTR [rbp-0x42b]     <== Position 5 of Serial ($rbp-0x430 is position 0)
114a:   cmp    al,0x2d                      <== ASCII value of '-'
114c:   je     1169
114e:   movzx  eax,BYTE PTR [rbp-0x425]     <== Position 0xb of Serial (0x430-0x425 = 0xb)
1155:   cmp    al,0x2d                      <== ASCII value of '-'
1157:   je     1169
1159:   movzx  eax,BYTE PTR [rbp-0x41e]     <== Position 0x12 of Serial (0x430-0x41e = 0x12)
1160:   cmp    al,0x2d                      <== ASCII value of '-'
1162:   je     1169
1164:   call   100f

The next check is that positions 0x0 and 0xa of the Serial are equal, Serial[0x0]=Serial[0xa]:

1169:   0f b6 95 d0 fb ff ff    movzx  edx,BYTE PTR [rbp-0x430] <== 0x430-0x430 -> Position 0x0
1170:   0f b6 85 da fb ff ff    movzx  eax,BYTE PTR [rbp-0x426] <== 0x430-0x426 -> Position 0xa
1177:   38 c2                   cmp    dl,al
1179:   74 05                   je     1180
117b:   e8 8f fe ff ff          call   100f

Following the assembly, the following must hold:

1187 cmp     al, 7Ah :  Serial[0x1] = 0x7a ('z')
1197 cmp     al, 79h :  Serial[0x3] = 0x79 ('y')
11A7 test    al, al  :  Serial[0x19] = 0x00 (last character of Serial, marks the end of the string)
11B7 cmp     al, 65h :  Serial[0x2] = 0x65 ('e')
11D7 cmp     eax, edx:  Serial[0x4] = Serial[0x11]+0x2
11E7 cmp     al, 64h :  Serial[0x6] = 0x64 ('d')
11F7 cmp     al, 72h :  Serial[0x7] = 0x72 ('r')
120E cmp     dl, al  :  Serial[0x8] = Serial[0x16]
121E cmp     al, 4ch :  Serial[0x9] = 0x4c ('L')
1244 call    sub_1029:  Serial[0xc] = Serial[0x5]+Serial[0x5]+0x9
126C cmp     eax, edx:  Serial[0x17] = Serial[0x11]+0x1
127C cmp     al, 74h :  Serial[0xd] = 0x74 ('t')
128C cmp     al, 66h :  Serial[0xe] = 0x66 ('f')
12B2 call    sub_1029:  Serial[0x10] = Serial[0xf]+Serial[0xf]+0xFFFFFF7A
12CA cmp     al, 54h :  Serial[0x15] = 0x54 ('T')
12DA cmp     al, 48h :  Serial[0x10] = 0x48 ('H')
12EA cmp     al, 75h :  Serial[0x14] = 0x75 ('u')
12FA cmp     al, 35h :  Serial[0x11] = 0x35 ('5')
130A cmp     al, 70h :  Serial[0x13] = 0x70 ('p')
131A cmp     al, 46h :  Serial[0x16] = 0x46 ('F')
1331 cmp     dl, al  :  Serial[0xa] = Serial[0x15]
1357 call    sub_1029:  Serial[0x14] = Serial[0x18]+Serial[0x18]+0xFFFFFFC3

Putting it all in order and satisfying the conditions gives the following serial: Tzey7-drFLT-ctfgH5-puTF6Y. Running the program with it returns the flag:

./crazy_serial-350 
 Enter your Mail
 > AA@A
 Enter Serial
 > Tzey7-drFLT-ctfgH5-puTF6Y

  fwhibbit{r4bb1t_s3r14l-2JBH8tckcTj}
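
The constraint table can be resolved mechanically by propagating the known bytes through the relations until every position is fixed. The Python code below is an added example, not part of the original write-up: the constraint lists are transcribed from the table and the dash positions from the text, the names are illustrative, and the sub_1029 constants are assumed to be 32-bit values that wrap around.

```python
# Constraints transcribed from the table above; keys are indices into Serial.
FIXED = {0x1: "z", 0x2: "e", 0x3: "y", 0x6: "d", 0x7: "r", 0x9: "L",
         0xd: "t", 0xe: "f", 0x10: "H", 0x11: "5", 0x13: "p", 0x14: "u",
         0x15: "T", 0x16: "F",
         0x5: "-", 0xb: "-", 0x12: "-"}          # dash positions from the text
EQUAL = [(0x0, 0xa), (0x8, 0x16), (0xa, 0x15)]   # Serial[a] == Serial[b]
OFFSET = [(0x4, 0x11, 2), (0x17, 0x11, 1)]       # Serial[a] == Serial[b] + k
# sub_1029 rows: Serial[a] == Serial[b] + Serial[b] + k, k a 32-bit constant
DOUBLE = [(0xc, 0x5, 0x9), (0x10, 0xf, 0xFFFFFF7A), (0x14, 0x18, 0xFFFFFFC3)]
LENGTH = 0x19                                    # Serial[0x19] is the NUL terminator


def signed32(value):
    """Interpret a 32-bit constant as two's complement (assumed wrap-around)."""
    return value - (1 << 32) if value & 0x80000000 else value


def solve():
    """Propagate the constraints until every position is known, or raise."""
    s = {i: ord(c) for i, c in FIXED.items()}

    def put(i, v):
        # Reject non-printable results and values that contradict a known byte.
        if not 0x20 <= v < 0x7f or s.setdefault(i, v) != v:
            raise ValueError("constraint conflict at Serial[%#x]" % i)

    for _ in range(LENGTH):                      # more passes than unknowns
        for a, b in EQUAL:
            if a in s:
                put(b, s[a])
            elif b in s:
                put(a, s[b])
        for a, b, k in OFFSET:
            if b in s:
                put(a, s[b] + k)
            elif a in s:
                put(b, s[a] - k)
        for a, b, k in DOUBLE:
            k = signed32(k)
            if b in s:
                put(a, 2 * s[b] + k)
            elif a in s and (s[a] - k) % 2 == 0:
                put(b, (s[a] - k) // 2)
    missing = [hex(i) for i in range(LENGTH) if i not in s]
    if missing:
        raise ValueError("undetermined positions: %s" % missing)
    return "".join(chr(s[i]) for i in range(LENGTH))


if __name__ == "__main__":
    print(solve())
```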

I think this can be done much faster using the Python library angr. Let's see if I learn it and publish the solution using it.