Write Up FIRST Challenge 2020

5 min readJun 26, 2020


Yesterday i played FIRST Challenge with my friend and named our team as Mbuh which means “don’t know” . The following is my write up about some challenges that i’ve already solved.

Break the Snake — Reverse Engineering

Download pybreakme.zip and then extract it.

Looking at the file we know that the pybreakme is python executable file that was compiled with pyinstaller.

pybreakme was compiled into Mach-O executable which is can be run in Mac OS or maybe linux can run it with help of Darling . The first step i do is trying to do static analysis using IDA but I did not find anything meaningful. So after i that i try to extract pybreakme and then decopmile .pyc file. I used this script to extract the pyc file.

After that i was try to use uncompyle6 and uncompyle2 to decompile it but it failed. So i try using online decompiler and here is the result.

The algorithm for encode flag is xoring a character with a character afterwards. Assuming that the last character of the base64 encoded string is “=” because of padding , so we just need to do assumed_last_char ^ first_xored_char to get the first_char and then xoring the first_char with the second_xored_char and so on. Here my script to automate that and retrieve the flag.

Flag : We’ll not risk another frontal assault. That rabbit’s dynamite.

My Secret Part 1–5 — Reverse Engineering

Download mysecret file and then run file command.

Because the output is “data” so the next step i do is try to open it using hex editor.

From picture above we know that the file is ELF but the bytes are reversed . So we need to reverse it back to get the correct ELF file .

print a

run that script and redirect the output to file. After i got the correct ELF , the next step i do is try do run it.

The binary produce encrypted string and doesn’t need input. The next step is i try to debug it using GDB .

b main
x/25000i $pc

Because the binary is not stripped we can see the name of function , there is RC4 function called and i think the flag will be the argument of that function . So i set breakpoint on that function to see the argument.

b *0x55555557731e

yeah and my guess is correct , so we got the flag and the key used in RC4 encryption on this binary. Here is the flag

Part 1 : 095bf40d794b0259556648e114366f46108ab32b324ac9d30399e8e270d47ef5Part 2 : I forgot my very old key
Part 3 : 2d383d1c373a15831e94
Part 4 : RC4
Part 5 : 10107

PLC Firmware Injection — ICS

The description is really helpful on this challenge . So the first step we need to do is try to decode the serial traffic. It takes a long time to find the correct tools for decode the serial traffic and configuration for it.

From the picture above i try to search about serial traffic,serial decoder,and etc related. Finally i found “saleae logic analyzer” which seems to match the capture.logicdata

After downloading, i try to open capture.logicdata with it.

At first i open it i see nothing useful. So i try to search configuration about it and find about SPI (Serial Peripheral Interface) and how to analyze it. With many trial and error i got something from it.

SPI Configuration

There is output in decoded protocol and then i export it to make it more readable.


We got something like structured data, so i decide to search about it .

It is SREC format. Looking at wikipedia and found useful information.

From wikipedia i just know that S0 is ascii comment in hex format.

From this we know that our finding is correct because if we look at the challenge description it is about firmware stub. Looking for about srec decode i found how to decode it with python bincopy .

After that we just need to write it to file. And then i decide to open it with ghidra and set processor to PowerPC with size 32 and big endian ( trial and error will help you ).

Pressing D to disassemble it and got this.

Because this file is a stub i think the last 4 bytes maybe cut off . With reference from this website and of course google i try to analyze it and convert it to python code.

r9 = r9 << 1

Because we know that r3 is function argument ( First 8 integer arguments are in %r3 through %r10 ) , so the next step to do is run that code with r3=120.

Flag : 96




CTF Player | Currently learning about Reverse Engineering and Cryptography