Write Up FIRST Challenge 2020

Yesterday i played FIRST Challenge with my friend and named our team as Mbuh which means “don’t know” . The following is my write up about some challenges that i’ve already solved.

Break the Snake — Reverse Engineering

Looking at the file we know that the pybreakme is python executable file that was compiled with pyinstaller.

pybreakme was compiled into Mach-O executable which is can be run in Mac OS or maybe linux can run it with help of Darling . The first step i do is trying to do static analysis using IDA but I did not find anything meaningful. So after i that i try to extract pybreakme and then decopmile .pyc file. I used this script to extract the pyc file.

After that i was try to use uncompyle6 and uncompyle2 to decompile it but it failed. So i try using online decompiler and here is the result.

The algorithm for encode flag is xoring a character with a character afterwards. Assuming that the last character of the base64 encoded string is “=” because of padding , so we just need to do assumed_last_char ^ first_xored_char to get the first_char and then xoring the first_char with the second_xored_char and so on. Here my script to automate that and retrieve the flag.

Flag : We’ll not risk another frontal assault. That rabbit’s dynamite.

My Secret Part 1–5 — Reverse Engineering

Because the output is “data” so the next step i do is try to open it using hex editor.

From picture above we know that the file is ELF but the bytes are reversed . So we need to reverse it back to get the correct ELF file .

f=open("mysecret","r")
a=f.read()[::-1]
print a

run that script and redirect the output to file. After i got the correct ELF , the next step i do is try do run it.

The binary produce encrypted string and doesn’t need input. The next step is i try to debug it using GDB .

b main
x/25000i $pc

Because the binary is not stripped we can see the name of function , there is RC4 function called and i think the flag will be the argument of that function . So i set breakpoint on that function to see the argument.

b *0x55555557731e

yeah and my guess is correct , so we got the flag and the key used in RC4 encryption on this binary. Here is the flag

Part 1 : 095bf40d794b0259556648e114366f46108ab32b324ac9d30399e8e270d47ef5Part 2 : I forgot my very old key
Part 3 : 2d383d1c373a15831e94
Part 4 : RC4
Part 5 : 10107

PLC Firmware Injection — ICS

The description is really helpful on this challenge . So the first step we need to do is try to decode the serial traffic. It takes a long time to find the correct tools for decode the serial traffic and configuration for it.

From the picture above i try to search about serial traffic,serial decoder,and etc related. Finally i found “saleae logic analyzer” which seems to match the capture.logicdata

After downloading, i try to open capture.logicdata with it.

At first i open it i see nothing useful. So i try to search configuration about it and find about SPI (Serial Peripheral Interface) and how to analyze it. With many trial and error i got something from it.

SPI Configuration

There is output in decoded protocol and then i export it to make it more readable.

S0190000506f7765725043204669726d776172652053747562002B
S12304CC9421FFD093E1002C7C3F0B78907F000C3920012C913F0018815F000C813F000C69
S12304EC7D4A49D6813F00187D2A4BD6913F001C813F001C5529083C913F001C813F001C14
S117050C7D234B78397F003083EBFFFC7D615B784E80002084
S5030003F9

We got something like structured data, so i decide to search about it .

It is SREC format. Looking at wikipedia and found useful information.

From wikipedia i just know that S0 is ascii comment in hex format.

From this we know that our finding is correct because if we look at the challenge description it is about firmware stub. Looking for about srec decode i found how to decode it with python bincopy .

After that we just need to write it to file. And then i decide to open it with ghidra and set processor to PowerPC with size 32 and big endian ( trial and error will help you ).

Pressing D to disassemble it and got this.

Because this file is a stub i think the last 4 bytes maybe cut off . With reference from this website and of course google i try to analyze it and convert it to python code.

r31_0xc=r3
r9=0x12c
r31_0x18=r9
r10=r31_0xc
r9=r31_0xc
r10=r10*r9
r9=r31_0x18
r9=r10/r9
r31_0x1c=r9
r9=r31_0x1c
r9 = r9 << 1
r31_0x1c=r9

Because we know that r3 is function argument ( First 8 integer arguments are in %r3 through %r10 ) , so the next step to do is run that code with r3=120.

Flag : 96

CTF Player | Currently learning about Reverse Engineering and Cryptography