Last weekend I have play Midnight CTF with purf3ct
. It was a good time that I try so hard. There are three reverse challenges I've done and one crypto with hardware/reverse tag that I try as must as I can and it's a happy ending that we've got into top ten, big shoudout for purf3ct
!
Let's go Sweden! 🇸🇪 🇸🇪
There are 3 reverse challenges and all of them are very doable, so I enjoy so much, thanks for the authors.
Attachment: minus10.sr
This is the first one I tried, not regular reverse, and it involves hardware analysis.
After a while search for what is .sr
file and I found the tools:
First of all, extrac the file as zip:
It's a sigrok file, as a signal capture and there are 2 channel, so I quickly find the tool:
https://sigrok.org/wiki/Main_Page
I think this one is the easiest, so I just used the CLI version and referred to the documents there, I found it was uart
one:
decoded.txt
There are some hex byte, extract them into another file I found:
extracted.hex
This is a Intel hex format for Microchip and I also quickly found a tool that coneverts it's into binary correctly:
Known it was msp430
, load it into IDA:
Keep in mind this is the easiest one, so, after reverse for a while, I found something:
Here's compare 2 buffer, I guess the 0xff4c
one is the encrypted flag and the 0x200
is buffer received input:
Here's the encrypt part:
It's just xor every bytes with (0xD2 + i*5)
with i
is the index.
Let decrypt and get flag:
Flag: midnight{warmed_up_on_MSP430}
Attachment: roprot.tar.xz
The next one is more interest.
roprot
after load into IDA:
The idea:
check()
01234...XYZ
.main()
mov_data
mov_data
indexs
array to the new buffer.The
tool
file is using to generate the buffer and searching buffer, forxor
: search for 2 buffer that's match with the given bytes after xor, thefind
is find bytes in the generated buffer.
So we need to find the correct seed that get the right buffer (the correct rop-chain)
I guess that rop-chain with print flag or do something not so hard.
First, I can see there are 65536 possibly seeds that make it correct:
get_seed.c
Then looking at the indexs
:
I see two numbers: 1355 and 586, so I think to check if every seed is correct or not, we need to generate at least 1355 bytes.
I have some ideas, like finding '0xc3' (the 'ret' opcode) in the buffer, but there are too many occurrences.
So, I quickly found the 'capstone' module, which helped me disassemble these bytes easier.
I also used the CDLL in the 'ctypes' module in Python. The reason I didn't use 'C' to make it faster is because I think 65536 and 1355 are not too big, so it's easier to check.
Full script:
The idea was easy: get the seed, generate a buffer, then check the indexes to find where 'ret' appears after disassembling these bytes.
The roprot_new
file is patched that not call the function verifying_key
and directly call srand()
:
Then every check, I'm only replace the bytes with the seed.
Luckly, I found the one that's print the flag:
Flag: midnight{r0pP1nG_7hr0uGh_rand()}
This one is the latest reverse challenge released and is easier than the previous one.
The server is turned off, so I can't test it anymore. Luckily, I have some files that we can take a look at:
So, I take a look every binary I found. The first of my idea is using angr
for auto analysis and find the flag in every binary:
But every password length is random and some binaries are different ways to feed input, differnt ways to check the input. So, this is fail, I give up…
Atleast you think so, I check these binaries and I see that only 3 types of binary, It's also fine if there are 4 or 5.
So, I just wrote the solver for every type of binary.
This one is simple xor with a single byte.
So, I checked that using to move these bytes and the byte xor one.
Here is the code.
This is the easiest one:
So, just checked for strcmp
symbol in the binary, when i use strings
to binary, the password always appeared after u+UH
.
The last one also is create password from 2 buffer, look simple but I have many things to check.
I also check for every opcode and takes these words, then create and get the password.
So, here's full script:
solve_binary.py
auto_script.py
Then I run this script and got the flag.
Flag *the server turned off
That's all, thanks for reading.