# ImaginaryCTF 2022 - wired ## Challenge Description > We found this video on social media, and suspect that it is being used to transmit some information. Can you figure out what the message is? > >[wired.mp4](https://imaginaryctf.org/r/oFD5G#wired.mp4) [program.hex](https://imaginaryctf.org/r/dDKeM#program.hex) ## Overview ![](https://i.imgur.com/j36QvmQ.jpg) The video file shows an Arduino Uno connected to eight LEDs and a device labeled as a hardware RNG module. The program.hex file is an ihex file, presumably the program being run by the Arduino shown in the video. From there, we can guess that the Arduino is somehow encoding the characters of the flag and transmitting them to the LEDs. ## Simulating the Arduino I used [simavr](https://github.com/buserror/simavr) to run the program.hex file. The `board_simduino` program in the `examples` directory of this project is effectively a simulated Arduino that can be debugged using gdb. [This writeup](https://ctf.harrisongreen.me/2020/midnightsunctf/avr/) of an AVR challenge from a couple years ago was a really helpful reference for me, and I ended up using more or less the same setup. To debug the program, I did the following: * Start gdb using `avr-gdb` and target the simulated Arduino with the command `target remote localhost:1234`. * Start simduino with `./simduino.elf -d`. If gdb is running, it should stop the simduino program at the entry point. * In gdb, allow the simduino program to continue. At this point, program.hex can be uploaded to simduino using the command `avrdude -p m328p -c arduino -P /tmp/simavr-uart0 -U flash:w:program.hex`. I should note that GDB doesn't handle breakpoint addresses correctly. GDB interprets all addresses as being in data memory, so it puts breakpoints in the wrong place - for example, if you try to set a breakpoint at `0x100`, GDB will put the breakpoint at `0x800100`. The workaround for this is to define all breakpoints in terms of an offset to the program counter. When I first started the program, I defined a variable `$a` that was equal to the program counter at that time (in my case, it was `0x7800`). To set a breakpoint at `0x100`, I could then use the command `break *($a-0x7800+0x100)`. ## Disassembly The Arduino Uno is built on the ATmega328 processor, so it uses the AVR instruction set. This means we can disassemble the program.hex file using the command `avr-objdump -m avr -d program.hex`. (Ghidra also supports the AVR architecture, but it numbers the memory addresses differently from GDB, which was inconvenient. Because of this, I found the disassembly from `avr-objdump` easier to work with most of the time.) ```objdump 0: 0c 94 5c 00 jmp 0xb8 ; 0xb8 4: 0c 94 79 00 jmp 0xf2 ; 0xf2 8: 0c 94 79 00 jmp 0xf2 ; 0xf2 c: 0c 94 79 00 jmp 0xf2 ; 0xf2 10: 0c 94 79 00 jmp 0xf2 ; 0xf2 ... ``` We can see that the program starts with a large table of jump instructions, presumably interrupt vectors. The `jmp 0xb8` instruction at address 0 tells us that `0xb8` is the actual starting address of the program. ## The hardware RNG module ```objdump 3e2: 90 92 7c 00 sts 0x007C, r9 ; 0x80007c 3e6: 80 91 7a 00 lds r24, 0x007A ; 0x80007a 3ea: 80 64 ori r24, 0x40 ; 64 3ec: 80 93 7a 00 sts 0x007A, r24 ; 0x80007a 3f0: 80 91 7a 00 lds r24, 0x007A ; 0x80007a 3f4: 86 fd sbrc r24, 6 3f6: fc cf rjmp .-8 ; 0x3f0 3f8: 90 91 78 00 lds r25, 0x0078 ; 0x800078 3fc: 80 91 79 00 lds r24, 0x0079 ; 0x800079 ``` At address 3e2, we can see several accesses of the addresses`0x78`, `0x79`, and `0x7a`. This doesn't seem like much at first, but a look at [this include file](https://github.com/DarkSector/AVR/blob/master/asm/include/m328Pdef.inc) for the ATmega328 processor reveals that these addresses are actually memory mapped to registers containing information related to the processor's analog-to-digital converter. In other words, when the program reads from these addresses, it's probably actually reading from the `A0` pin of the Arduino, where the RNG module is connected. The result of this read is stored in `r24`. ```objdump ;load flag character into r18 414: 29 91 ld r18, Y+ 416: fe 01 movw r30, r28 418: 31 97 sbiw r30, 0x01 ; 1 ;XOR flag with random number from A0 41a: 28 27 eor r18, r24 ;store XOR result 41c: 20 83 st Z, r18 ``` After the read from pin `A0`, the result is then XORed with a character of the flag. ## Generating the XOR key At first I thought each character of the flag was XORed with the same value, but it's actually a little more complicated than that. The XOR key for each character is generated based on the key used for the previous character. We can see that the XOR key is generated using the following steps: ```objdump 41e: 9c 01 movw r18, r24 420: 21 70 andi r18, 0x01 ; 1 422: 33 27 eor r19, r19 ``` First, the LSB of the previous XOR key is stored in `r18`. ```objdump 424: b6 95 lsr r27 426: a7 95 ror r26 428: 97 95 ror r25 42a: 87 95 ror r24 ``` Then, the previous XOR key is shifted right. This makes it look like the XOR key is stored in `r27:r26:r25:r24`, but only `r25` and `r24` are actually used. I found that it made the most sense to treat the XOR key as a 16-bit value stored in `r25:r24`. ```objdump 42c: 23 2b or r18, r19 42e: 11 f0 breq .+4 ; 0x434 430: 2d ea ldi r18, 0xAD ; 173 432: 92 27 eor r25, r18 434: ec 16 cp r14, r28 436: fd 06 cpc r15, r29 438: 69 f7 brne .-38 ; 0x414 ``` Finally, we check whether the LSB of the previous XOR key was 1 or 0. If it was 1, we XOR `r25` (the high byte of the XOR key) with `0xAD`. I replicated this key generation function with the following Python function: ```python def shift_key(prev_key): new_key = prev_key >> 1 if(prev_key & 1 == 1): new_key = new_key ^ 0xAD00 return new_key ``` ## The LED Pinout Now that we know how the flag is encoded in memory, we need to figure out how to interpret the values shown on the LEDs. ```objdump 470: 61 e0 ldi r22, 0x01 ; 1 472: 82 e0 ldi r24, 0x02 ; 2 474: 0e 94 7b 00 call 0xf6 ; 0xf6 ``` I noticed that the function at `0xf6` was getting called a lot, and that it always took 2 parameters: a value between 2 and 9 in `r24`, and a value of either 1 or 0 in `r22`. Looking at the function at `0xf6`, it's hard to tell exactly what's happening, but it looks like the function sets or clears a single bit from a register, then stores the result somewhere. From there, I guessed that the function turns a given output pin on or off. Since there are 8 connected pins and 8 possible values passed in through `r24`, it's safe to assume that `r24` stores the number of the pin to be modified, and `r22` stores whether the pin should be set or cleared. At that point, I needed to figure out which pins corresponded to which LEDs. Fortunately, before the flag is transmitted, a function is called that turns on the LED for each pin in order, so we can match the pin numbers to the LEDs. (I didn't notice that pin 9 came before pins 2 through 8 at first, leading to several very painful hours of trying to figure out why none of the values made any sense.) ![](https://i.imgur.com/DZoxjxz.png) ## The Encoded Flag ```objdump ;bit 0 460: 80 fe sbrs r8, 0 462: 04 c0 rjmp .+8 ; 0x46c 464: 61 e0 ldi r22, 0x01 ; 1 466: 89 e0 ldi r24, 0x09 ; 9 468: 0e 94 7b 00 call 0xf6 ; 0xf6 ;bit 1 46c: 81 fc sbrc r8, 1 46e: 04 c0 rjmp .+8 ; 0x478 470: 61 e0 ldi r22, 0x01 ; 1 472: 82 e0 ldi r24, 0x02 ; 2 474: 0e 94 7b 00 call 0xf6 ; 0xf6 ;bit 2 478: 82 fe sbrs r8, 2 47a: 04 c0 rjmp .+8 ; 0x484 47c: 61 e0 ldi r22, 0x01 ; 1 47e: 83 e0 ldi r24, 0x03 ; 3 480: 0e 94 7b 00 call 0xf6 ; 0xf6 ... ``` The actual transmission of the flag takes place in these lines. A character of the encoded flag is stored in `r8`, and each bit of this character determines which LEDs should be on. However, we need to be careful: notice that some bits of the flag character are checked with the `sbrs` (Skip if Bit in Register Set) instruction, and others are checked with `sbrc` (Skip if Bit in Register Clear). An `sbrs` instruction followed by an `rjmp` instruction means that the program takes the jump if the bit being checked was 0. Similarly, `sbrc` followed by `rjmp` takes the jump if the bit being checked was 1. Effectively, this means that sometimes a lit LED corresponds to a value of 1 and an unlit LED corresponds to a value of 0, but sometimes it's the other way around. Bits 1,3,4, and 7 are checked with `sbrc`, so their LEDs are on if that bit of the flag character was 0. The others are checked with `sbrs`, so their LEDs are on if the bit was 1. When recording the values from the video, I treated a lit LED as a 1 and an unlit LED as a 0, meaning that I had to negate bits 1, 3, 4, and 7 before attempting to decode the flag. ```python def negate_bits(bits, which_to_negate): new_bits = 0 for i in range(8): if i in which_to_negate: new_bits |= (~bits & (1 << i)) else: new_bits |= bits & (1 << i) return new_bits ``` ## Decoding At this point, we have all the information we need to decode the video. For each combination of LEDs shown in the video, we need to do the following: * Write the combination of LEDs as an 8-bit value, using pin 9 as the LSB and pins 2-8 for the following pins. Treat a lit LED as a 1 and an unlit LED as a 0. * Negate bits 1, 3, 4, and 7. * XOR the result with the corresponding XOR key in the sequence. Since we know the first character of the flag is `i`, we have all the information we need to generate the sequence of XOR keys, since each XOR key in the sequence is uniquely determined by the previous key. By XORing `i` with `0b01010110`, the first value shown in the video, we find that the first XOR key in the sequence is `0xa5`. From there, we can calculate all subsequent keys. The full solve script is given below: ```python= #Negate bits from the input def negate_bits(bits, which): new_bits = 0 for i in range(8): if i in which: new_bits |= (~bits & (1 << i)) else: new_bits |= bits & (1 << i) return new_bits #Generate a new XOR key from the previous key def shift_key(prev_key): new_key = prev_key >> 1 if(prev_key & 1 == 1): new_key = new_key ^ 0xAD00 return new_key #Generate as many successive XOR keys as we need def list_keys(key, num_times): keyList = [] keyList.append(key) curr_key = key for i in range(num_times): keyList.append(shift_key(curr_key)) curr_key = shift_key(curr_key) return keyList #XOR each character of the encoded flag #with the lower 8 bits of the corresponding XOR key def generate_flag(init_val, flag_vals): s = "" theKeys = list_keys(init_val, len(flag_vals)) for i in range(len(flag_vals)): s += chr(flag_vals[i]^(theKeys[i] & 0xff)) return s flag_vals = [0b01010110, 0b10101011, 0b01000111, 0b10101000, 0b11001011, 0b01111000, 0b00110101, 0b00010110, 0b10011010, 0b11000111, 0b01011001, 0b00100110, 0b10010011, 0b01001110, 0b10011100, 0b00001111, 0b11111101, 0b10000011, 0b01101101, 0b00101101] new_flag_vals = [] for i in flag_vals: new_flag_vals.append(negate_bits(i, [1,3,4,7])) print(generate_flag(0xa5, new_flag_vals)) ``` This successfully prints the flag: `ictf{weird_rng_912b}`
Last changed by  
clairelevin
345

Read more

MapleCTF 2022 - vm-v2

Challenge Description Yet another VM challenge. Note: this fixes an unintended solution to vm. The only change is in the data.txt file. We are given 3 files: prog.txt, data.txt, and chal.sv. The chal.sv file is a circuit simulation written in System Verilog, and the program.txt and data.txt files are loaded into the memory of this simulation. The flag is loaded into index 140 of some array. We are trying to make sure that index 135 of the same array is 2 by the time the program stops running.

8/30/2022
DiceCTF @ HOPE 2022 - dumb

Challenge Description I know the flag and I can prove it... dumb.zip Overview We're given a few different files: a folder called parts, and two Python scripts called check.py and proof.py. To make sense of the files in the parts folder, we'll first want to look at the check script. import json import subprocess

7/24/2022
Read more from clairelevin
Published on HackMD