## Before getting started

1. Make sure to enable [`DWARF` in the web debugger](https://developer.chrome.com/blog/wasm-debugging-2020/), so that we can set breakpoints and observe what's going on.

   ![](https://hackmd.io/_uploads/S1vA4Wfh2.png)
2. What `i32` means: https://developer.mozilla.org/en-US/docs/WebAssembly/Understanding_the_text_format
3. `i32.const`: https://developer.mozilla.org/en-US/docs/WebAssembly/Reference/Numeric/Const
4. `i32.load`: https://developer.mozilla.org/en-US/docs/WebAssembly/Reference/Memory/Load
5. `local.get`: https://developer.mozilla.org/en-US/docs/WebAssembly/Reference/Variables/Local_get
6. `local.set`: https://developer.mozilla.org/en-US/docs/WebAssembly/Reference/Variables/Local_set
7. `i32.sub`: https://developer.mozilla.org/en-US/docs/WebAssembly/Reference/Numeric/Subtraction

## Steps

1. In the Sources panel of the debugger, there's a `copy_char` function in the `js` file. Remember to turn on the beautifier (the `{}` icon) so that the code is easier to read.

   ![](https://hackmd.io/_uploads/HkmnhQfn3.png)
2. In `copy_char` of the `wasm` module (the function triggered by `onButtionPress` in `Y8splx37qY.js`), set some breakpoints, then enter something in the input field to see what's going on.

   ![](https://hackmd.io/_uploads/r1HZYWMhh.png)

   We can see that `112`, the ASCII code of `p`, is passed in `$var5`.

   ![](https://hackmd.io/_uploads/ry-RQmfn2.png)

   It is then [`xor`](https://developer.mozilla.org/en-US/docs/WebAssembly/Reference/Numeric/XOR)ed (at `0x0306`) with `8` (passed in `$var7`, which is set at `0x0300`), and the result is [stored](https://developer.mozilla.org/en-US/docs/WebAssembly/Reference/Memory/Store) at `1072` (which can be seen at `0x0323`).
3. The result can be seen in `Scope>Module>memories>$memory>buffer>[[Int8Array]]>[1000...1099]`:

   ![](https://hackmd.io/_uploads/S10e5XG23.png)

   If you wish, you can check the result with Python:

   ```shell
   └─$ python3
   Python 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0] on linux
   Type "help", "copyright", "credits" or "license" for more information.
   >>> ord('p')^8
   120
   >>> ord('i')^8
   97
   >>> ord('c')^8
   107
   >>> ord('o')^8
   103
   ```
4. So what we should do is `xor` the weird string at the bottom of the `wasm` file. Since `a^b^b=a`, we can `xor` it with `8` again to get the plaintext. For example:

   ```shell
   >>> ord('p')^8
   120
   >>> chr(120^8)
   'p'
   ```

   Let's finish this using pwntools!

   ```shell
   ┌──(kali㉿kali)-[~]
   └─$ python3
   Python 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0] on linux
   Type "help", "copyright", "credits" or "license" for more information.
   >>> instr="xakgK\5cNs>n;jl90;9:mjn9m<0n9::0::881<00?>u\00\00"
   >>> from pwn import *
   [*] Checking for new versions of pwntools
       To disable this functionality, set the contents of /home/kali/.cache/.pwntools-cache-3.11/update to 'never' (old way).
       Or add the following lines to ~/.pwn.conf or ~/.config/pwn.conf (or /etc/pwn.conf system-wide):
           [update]
           interval=never
   [*] You have the latest version of Pwntools (4.10.0)
   >>> xor(instr,8)
   /home/kali/.local/lib/python3.11/site-packages/pwnlib/util/fiddling.py:327: BytesWarning: Text is not bytes; assuming ASCII, no guarantees.  See https://docs.pwntools.com/#bytes
     strs = [packing.flat(s, word_size = 8, sign = False, endianness = 'little') for s in args]
   b'picoC\rkF{6f3bd18312ebf1e48f12282200948876}\x08\x08'
   ```
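As an added example (not part of the original writeup and not the challenge's own code), the script below does the same single-byte XOR that `copy_char` performs and then undoes it on the data-segment string from the bottom of the `wasm` file. One detail worth handling explicitly: the string as shown in the wasm disassembly is a WAT literal, and WAT uses `\hh` hex escapes, so `\5c` is a single byte `0x5c` (a backslash) and `\00` is a NUL. Pasted into a Python string literal as above, `\5c` is instead read as the octal escape `\5` followed by `c`, which is why the pwntools output shows `\rk` where `0x5c ^ 8 = 0x54` (`T`) and `N ^ 8` (`F`) belong; the hex body of the flag is unaffected. The escape parser, the key value `8`, and the `recover_flag` helper name are this example's own choices.

```python
import re

# Data-segment literal copied from the wasm disassembly shown on this page.
# It is written with WAT escapes: "\5c" is one byte (0x5c), "\00" is a NUL.
WAT_DATA = r"xakgK\5cNs>n;jl90;9:mjn9m<0n9::0::881<00?>u\00\00"

# The constant copy_char XORs each character with (observed in $var7 at 0x0300).
XOR_KEY = 8

# WAT string escapes: two hex digits, or one of the short escapes t n r " ' \ .
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2}|[tnr\"'\\])")
_SHORT = {"t": b"\t", "n": b"\n", "r": b"\r", '"': b'"', "'": b"'", "\\": b"\\"}


def decode_wat_string(literal: str) -> bytes:
    """Turn the body of a WAT string literal into the raw bytes it denotes."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(literal):
        out += literal[pos:m.start()].encode("latin-1")  # literal characters
        esc = m.group(1)
        out += _SHORT[esc] if esc in _SHORT else bytes([int(esc, 16)])
        pos = m.end()
    out += literal[pos:].encode("latin-1")
    return bytes(out)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, exactly what copy_char writes into linear memory.

    XOR is its own inverse (a ^ k ^ k == a), so the same call both encodes
    the user's input and decodes the stored string.
    """
    return bytes(b ^ key for b in data)


def recover_flag(literal: str, key: int = XOR_KEY) -> str:
    """Decode the WAT literal, drop the NUL padding, and undo the XOR."""
    raw = decode_wat_string(literal).rstrip(b"\x00")  # trailing \00 bytes are padding
    return xor_bytes(raw, key).decode("ascii")


if __name__ == "__main__":
    # What copy_char stores for the input "pico": b'xakg' (120, 97, 107, 103).
    print(xor_bytes(b"pico", XOR_KEY))
    print(recover_flag(WAT_DATA))
```

Stripping the trailing NULs before the XOR avoids the `\x08\x08` tail seen in the pwntools output, since `0x00 ^ 8` is `0x08`; it is padding in the data segment, not part of the flag.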