You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: 2022/hitcon-2022/checker/README.md
+21-30Lines changed: 21 additions & 30 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -19,13 +19,17 @@ CTF Challenge: Flag Decrypter
19
19
20
20
Overview:
21
21
22
-
The challenge is a Windows driver with a userland component that does nothing. The driver entry sets up an ioctl, which when called with a specific cmd number, performs an action depending on the number provided.
22
+
This is a writeup for a CTF challenge involving a Windows driver. The userland component is irrelevant, so we can focus on the driver.
23
23
24
-
The driver decrypts the flag, and the challenge is to determine the correct input to affect the decryption. In order to do this, we must collect all of the "thingys" (eight in total) and set the done flag for each of them to 1. This indicates that we need a permutation to solve the challenge.
24
+
The driver sets up an IOCTL, which allows us to pass in a command number. The driver then performs an action based on this number.
25
25
26
-
Each thingy xors some of the code in the driver, which is a self-modifying code. This xors the code of a univariate scalar function that operates on uint32s, and then calls that on the flag. In order to decrypt the flag, we need to find the right sequence of thingys to xor the function and do it in the correct order for all eight thingys.
26
+
The challenge is to decrypt the flag. To do this, we need to figure out the correct input that will affect the decryption. We can do this by calling the IOCTL with a series of numbers from 0x222000 to 0x222070. This will cause the driver to perform an action on the corresponding number (from 0 to 7). There are 8 of these actions, and once all of them have been performed, the "done" flag will be set to 1.
27
27
28
-
To solve the challenge, we can use a backtracking algorithm, but it is not necessary as there is only one possible valid thingy for each element of the permutation. We only need to try 8^2 combinations.
28
+
Based on this, it seems that we need to find a permutation of the numbers 0 through 7 in order to decrypt the flag. However, it's possible that we don't actually need a permutation, since the actions performed by the driver could be repeated.
29
+
30
+
Each of the actions performed by the driver involves XORing some of the code in the driver with a univariate scalar function that operates on uint32s. This function is then called on the flag, so our goal is to find the right sequence of actions to XOR the scalar function and then apply it to the flag in the correct order.
31
+
32
+
We can use a backtracking algorithm to solve this problem, but it's likely that we don't actually need to do this. Instead, we can try starting from each element of the permutation and see if there is only one possible valid action for each element. If this is the case, we only need to try 8^2 permutations instead of 8!.
29
33
30
34
To make things easier, we can use the Unicorn engine to emulate the driver. The solve script, called cocksleeve.py, can be found in the repository and provides good documentation on how to use Unicorn.
31
35
@@ -75,51 +79,38 @@ return result, True
75
79
***
76
80
```
77
81
78
-
The emulate function is used to emulate the driver code using the Unicorn engine. It starts emulation at the specified start_va and passes in the rcx value as a parameter. The block_disasm is cleared, and the registers are reset and setup with the appropriate values for the stack frame, rip, rbp, rsp, and rcx. The emulator is then started at the start_va address with a fake retaddr. If an error occurs, it is caught and printed, and the function returns 0 and False. Otherwise, the value in the rax register is returned along with True.
79
-
80
-
The simulate_ioctl function uses the emulate function to simulate the ioctl call. It first performs a memory xor operation on the pmathshit and pFucker+i addresses with a length of 16. It then loops through 43 iterations, each time reading one byte from the pFlag address, calling the emulate_mathshit function with the input byte, and writing the result to the pFlag address. If an error occurs during the emulate_mathshit call, the function returns None and False. Otherwise, it performs another memory xor operation on the pmathshit and pFucker+i+16 addresses with a length of 16 and returns the disassembled code block and True.
82
+
This is a section of code that is part of the solve script for the CTF challenge. It is responsible for simulating the IOCTL and performing the actions necessary to decrypt the flag.
81
83
82
-
The solver code then loops through the path array, simulating the ioctl call for each element in the array. If an error occurs during the simulate_ioctl call, the function returns None and False. Otherwise, it prints the disassembled code block and continues to the next element in the path array. After all elements in the path array have been processed, the function reads the 43 bytes from the pFlag address and returns the result along with True.
83
-
84
-
```
85
-
my@email.com
86
-
can you explain it at a higher level that's less focused on fine grained details and more about how this helps solve the challenge with the driver
87
-
```
84
+
The emulate() function sets up the necessary registers and stack frame, then starts the emulation of the driver code using the Unicorn engine. The return value of the function is the value of the rax register after the emulation is complete, as well as a boolean indicating whether the emulation was successful.
88
85
89
-
The solver code uses the Unicorn engine to emulate the driver code in order to solve the challenge. It first sets up the emulator with the appropriate values for the registers and stack frame, and then starts the emulator at a specific address with a fake retaddr.
86
+
The simulate_ioctl() function uses the emulate() function to simulate the IOCTL. It does this by calling emulate_mathshit(), which is another function defined elsewhere in the script. This function calls the univariate scalar function that was XORed with the driver code in the previous step.
90
87
91
-
Next, the solver simulates an ioctl call by performing memory xor operations and calling the emulate_mathshit function on the flag. The result of the emulate_mathshit function is written back to the flag, and the code is disassembled to verify that the decryption is being performed correctly.
88
+
The simulate_ioctl() function then loops through each byte of the flag and applies the scalar function to it. This effectively decrypts the flag, one byte at a time. The result of this process is returned by the simulate_ioctl() function, along with a boolean indicating whether the simulation was successful.
92
89
93
-
Finally, the solver loops through a provided path array and simulates the ioctl call for each element in the array. This allows the solver to determine the correct sequence and order of the thingys needed to decrypt the flag. The final result of the flag decryption is returned and can be checked against the correct flag.
90
+
Finally, the simulate_ioctl() function is called in a loop, with i representing each element of the permutation. This is used to apply the decryption process to each of the 8 actions performed by the driver. The result of the decryption process is then returned by the solve script.
94
91
95
92
```
96
93
my@email.com
97
94
trasnlate to mandarin the hitcon ppl are from asia
98
95
```
99
96
100
-
CTF 挑战: 标志解密
101
-
102
-
概述:
97
+
挑战的CTF涉及Windows驱动程序。用户空间组件是无关紧要的,所以我们可以专注于驱动程序。
103
98
104
-
挑战是一个 Windows 驱动程序,其中用户空间组件无效。驱动程序入口设置了 ioctl,当使用特定的 cmd 数字调用时,根据提供的数字执行操作。
0 commit comments