This challenge was solved by and the write up was written by two of my teammates, gym and balidani.
In this challange we were provided with a risc-v (http://riscv.org/) ELF executable. Unfortunately most of our common tools did not support the archticeture, but some googling quickly revealed that the riscv gnu xcompiler toolchain contains objdump for the riscv.
With objdump we could analyse the different regions of the ELF file and dump the asm code from the .text section. Although, the riscv developers provide a qemu fork https://github.com/riscv/riscv-qemu for riscv and a precompiled linux image, we could not run the provided binary in the vm so we stuck with the static analysis of the dumped code.
After, looking through the asm it became obvious that the binary reads a serial fom the input and if the serial is correct prints the flag.
First it verifies that the serial is in the form of
Than it checks if the serial only contains the ‘-‘ sign, uppercase characters and numbers. This is done by checking if the byte value is between 45 and 90 and than shifting a magic constant with the byte value and checking if the lst bit is zero.
After this, all of the 4 byte segments of the serial are loaded as 32bit integers and check is made if they satisfy a series of equations. Such equation in the asm:
These equations are the following:
If all these constraints are satisfied theses words are xored with some additional constants and concatenated into a string and the result is printed as the flag.
We used pythons z3 to find the serial the fullfills all these conditions such serial is
The xor constants can be read from the ASM code:
Note: the lui instruction loads immediate value into a register and performs a 12 bit left shift on it.
After rearranging the bytes we managed to get the correct flag:
This challenge was a VM implemented where every instruction was an emoji. For the first part of the challenge we had to reverse a flag ch...… Continue reading