hitcon

Author: stong

2022/hitcon-2022/checker/README.md

@@ -0,0 +1,94 @@
+```
+[email protected]
+im making a CTF challenge writeup. im kind of drunk. can u please clean this up a bit for me? thanks
+***
+okkkkk this one is a windows driver, the userland component basically does nothing so just ignore it. just look at the driver, the driver entry basically sets up an ioctl, when you call the ioctl you can pass in some cmd number  to the driver, then the driver does a thing depending on what the number is.
+
+its a flag decrypter challenge . the binary decrpyt hte flag, figure out what right input is and that will affect the decrpyiton, make the decrpyiton happy to get the flag.
+
+basically if u do some number from like 0x222000,0x222020,0x222030, ...  0x222070 etc it will do something with the corresponding number 0 thru 7. theres 8 of these thingys and then it will set the done flag for that thingy to  1. looks like we gotta collect all the thingys (atleast once) before it will let us do the needful. so this itself is a bit of a hint from the author that we need a permutation, strictly speaking we dont need a permutation because it could be one or more so whatever.
+
+so anyways each of the thingys basically just xors some of the code in the driver so its some selfm odifying code, it xors the code of this univariate scalar function that operates on uint32s, then calls that on the flag so basically we gotta find the right sequence of things to xor the mathy scalary function on and then do it in the right order and do it for the 8 thingys to decrypt the flag, oh no what order is it? u can write a backdtracking algorithm to solve this but my hunch was right that theres no funny business backtracking needed since if u start from each element of the permutation theres actually only 1 possible valid thingy there so its not 8! u only have to do 8^2 tries.
+
+also i used unicorn engine to emulate the thing since im lazy i had kdnet setup and all but i dont wanna fucking blue screen. i put the solve script in cocksleeve.py plz check it out its also good documentation on how to use unicorn because that shits really poorly documented
+***
+include all of the details. when u make the writeup make sure to organize it clearly with section headings and everything
+```
+
+CTF Challenge: Flag Decrypter
+
+Overview:
+
+The challenge is a Windows driver with a userland component that does nothing. The driver entry sets up an ioctl, which when called with a specific cmd number, performs an action depending on the number provided.
+
+The driver decrypts the flag, and the challenge is to determine the correct input to affect the decryption. In order to do this, we must collect all of the "thingys" (eight in total) and set the done flag for each of them to 1. This indicates that we need a permutation to solve the challenge.
+
+Each thingy xors some of the code in the driver, which is a self-modifying code. This xors the code of a univariate scalar function that operates on uint32s, and then calls that on the flag. In order to decrypt the flag, we need to find the right sequence of thingys to xor the function and do it in the correct order for all eight thingys.
+
+To solve the challenge, we can use a backtracking algorithm, but it is not necessary as there is only one possible valid thingy for each element of the permutation. We only need to try 8^2 combinations.
+
+To make things easier, we can use the Unicorn engine to emulate the driver. The solve script, called cocksleeve.py, can be found in the repository and provides good documentation on how to use Unicorn.
+
+
+```
+[email protected]
+this is the most important part of the solver code please explain the code as part of the ctf writeup.
+***
+
+def emulate(start_va, rcx):
+    block_disasm.clear()
+
+    reset_regs()
+    setup_stack_frame()
+    setup_regs_rip_rbp_rsp_rcx()
+    try:
+        mu.emu_start(start_va, 0x6969696969696969) # fake retaddr
+    except UcError as e:
+        print("ERROR: %s" % e)
+        print('RIP=%x' % mu.reg_read(UC_X86_REG_RIP))
+        return 0, False
+    rax = mu.reg_read(UC_X86_REG_RAX)
+    return rax, True
+
+def simulate_ioctl(i):
+    mem_xor(pmathshit, pFucker+i, 16)
+    
+    for j in range(43):
+        inp = mu.mem_read(pFlag+j,1)[0]
+        rax, ok = emulate_mathshit(inp) # call 0x140001B30
+        if not ok:
+            return None, False
+        al = rax&0xff
+        mu.mem_write(pFlag+j, bytes([al]))
+    
+    mem_xor(pmathshit, pFucker+i+16, 16)
+    return block_disasm, True
+
+for i in path:
+    print('i',hex(i))
+    result, ok = simulate_ioctl(i)
+    if not ok:
+        return None, False
+    print('code', result)
+result=mu.mem_read(pFlag,43)
+return result, True
+***
+```
+
+The emulate function is used to emulate the driver code using the Unicorn engine. It starts emulation at the specified start_va and passes in the rcx value as a parameter. The block_disasm is cleared, and the registers are reset and setup with the appropriate values for the stack frame, rip, rbp, rsp, and rcx. The emulator is then started at the start_va address with a fake retaddr. If an error occurs, it is caught and printed, and the function returns 0 and False. Otherwise, the value in the rax register is returned along with True.
+
+The simulate_ioctl function uses the emulate function to simulate the ioctl call. It first performs a memory xor operation on the pmathshit and pFucker+i addresses with a length of 16. It then loops through 43 iterations, each time reading one byte from the pFlag address, calling the emulate_mathshit function with the input byte, and writing the result to the pFlag address. If an error occurs during the emulate_mathshit call, the function returns None and False. Otherwise, it performs another memory xor operation on the pmathshit and pFucker+i+16 addresses with a length of 16 and returns the disassembled code block and True.
+
+The solver code then loops through the path array, simulating the ioctl call for each element in the array. If an error occurs during the simulate_ioctl call, the function returns None and False. Otherwise, it prints the disassembled code block and continues to the next element in the path array. After all elements in the path array have been processed, the function reads the 43 bytes from the pFlag address and returns the result along with True.
+
+```
+[email protected]
+can you explain it at a higher level that's less focused on fine grained details and more about how this helps solve the challenge with the driver
+```
+
+The solver code uses the Unicorn engine to emulate the driver code in order to solve the challenge. It first sets up the emulator with the appropriate values for the registers and stack frame, and then starts the emulator at a specific address with a fake retaddr.
+
+Next, the solver simulates an ioctl call by performing memory xor operations and calling the emulate_mathshit function on the flag. The result of the emulate_mathshit function is written back to the flag, and the code is disassembled to verify that the decryption is being performed correctly.
+
+Finally, the solver loops through a provided path array and simulates the ioctl call for each element in the array. This allows the solver to determine the correct sequence and order of the thingys needed to decrypt the flag. The final result of the flag decryption is returned and can be checked against the correct flag.
+

2022/hitcon-2022/checker/checker.exe

@@ -0,0 +1,193 @@
+from unicorn import *
+from unicorn.x86_const import *
+from capstone import *
+from keystone import *
+import pefile
+
+import os
+import sys
+import mmap
+
+filename = 'checker_drv.sys'
+f = open(filename, 'rb')
+mm = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
+
+pe = pefile.PE(filename)
+pe.full_load()
+
+def doit(path):
+    mu = Uc(UC_ARCH_X86, UC_MODE_64)
+    md = Cs(CS_ARCH_X86, CS_MODE_64)
+    ks = Ks(KS_ARCH_X86, KS_MODE_64)
+
+    block_disasm = []
+
+    def map_region(base_va, virtual_size, contents):
+        if virtual_size & 0xfff:
+            virtual_size += 4096 - (virtual_size & 0xfff)
+        if virtual_size > len(contents):
+            contents += b'\x00' * (virtual_size-len(contents))
+        elif virtual_size < len(contents):
+            contents = contents[:virtual_size]
+        assert len(contents) == virtual_size
+
+        mu.mem_map(base_va, virtual_size)
+        mu.mem_write(base_va, contents)
+        print(f'Mapped region {base_va:x}-{base_va+virtual_size:x}')
+
+    for s in pe.sections:
+        start_va = pe.NT_HEADERS.OPTIONAL_HEADER.ImageBase+s.VirtualAddress
+        start_fo = s.PointerToRawData
+        end_fo = start_fo + s.SizeOfRawData
+        contents = mm[start_fo:end_fo]
+        map_region(start_va, s.Misc_VirtualSize, contents)
+
+    def hook_mem_invalid(uc, access, address, size, value, user_data):
+        # fault this region in if it exists in the dump. otherwise, abort
+        print ('>>> Page fault accessing unmapped memory at 0x%x, data size = %u, data value = 0x%x' %(address, size, value))
+        return False # halt emulation
+
+    mu.hook_add(UC_HOOK_MEM_READ_UNMAPPED | UC_HOOK_MEM_WRITE_UNMAPPED, hook_mem_invalid)
+
+    def hook_mem_access(uc, access, address, size, value, user_data):
+        return
+        if access == UC_MEM_WRITE:
+            print(">>> Memory is being WRITE at 0x%x, data size = %u, data value = 0x%x" %(address, size, value))
+        else:   # READ
+            print(">>> Memory is being READ at 0x%x, data size = %u" %(address, size))
+
+    def hook_block(uc, address, size, user_data):
+        # print(">>> Tracing basic block at 0x%x, block size = 0x%x" %(address, size))
+        pass
+
+    # callback for tracing instructions
+    def hook_code64(uc, address, size, user_data):
+        # print(">>> Tracing instruction at 0x%x, instruction size = 0x%x" %(address, size))
+        if size == 0xf1f1f1f1: # invalid instruction
+            print('>>> ' + hex(address) + ': invalid')
+            return False
+        code = mu.mem_read(address, size)
+        # print(code.hex())
+        disasm = list(md.disasm_lite(code, size))
+        # print(disasm)
+        if len(disasm) == 1:
+            _, disasm_size, mnemonic, op_str = disasm[0]
+            if disasm_size != size:
+                print('wtf bad disasm')
+                print(disasm_size,size,code.hex())
+            # print('>>> ' + hex(address) + ': ' + mnemonic + ' ' + op_str)
+            if mnemonic in ['out', 'hlt'] : # yeaaaa idts
+                print('no thats a bad instruction. smh')
+                mu.reg_write(UC_X86_REG_RIP, 0)
+                return False
+            block_disasm.append((address, size, mnemonic, op_str))
+        else:
+            print('>>> bad disasm?')
+            print(code.hex(), size)
+            block_disasm.append(code.hex())
+            # mu.reg_write(UC_X86_REG_RIP, 0)
+            return False
+
+    mu.hook_add(UC_HOOK_MEM_WRITE, hook_mem_access)
+    mu.hook_add(UC_HOOK_MEM_READ, hook_mem_access)
+    mu.hook_add(UC_HOOK_BLOCK, hook_block)
+    mu.hook_add(UC_HOOK_CODE, hook_code64)
+
+    # map a stack
+    stack_base, stack_size = 0x7ffffff0000, 0x10000
+    mu.mem_map(stack_base, stack_size)
+
+    def mem_xor(dst, src, len):
+        for i in range(len):
+            x = mu.mem_read(dst,1)[0]
+            y = mu.mem_read(src,1)[0]
+            mu.mem_write(dst,bytes([x^y]))
+            dst += 1
+            src += 1
+        mu.ctl_remove_cache(dst-len,dst) # fucking flush emulator code cache
+
+    def reset_regs():
+        for regno in [UC_X86_REG_RAX, UC_X86_REG_RBP, UC_X86_REG_RBX, UC_X86_REG_RCX, UC_X86_REG_RDI, UC_X86_REG_RDX, UC_X86_REG_RIP, UC_X86_REG_RSI, UC_X86_REG_RSP, UC_X86_REG_R8, UC_X86_REG_R9, UC_X86_REG_R10, UC_X86_REG_R11, UC_X86_REG_R12, UC_X86_REG_R13, UC_X86_REG_R14, UC_X86_REG_R15, UC_X86_REG_EFLAGS]:
+            mu.reg_write(regno, 0)
+
+    pmathshit = 0x140001B30
+    MyObjPreCallback = 0x140001430
+    pFucker = 0x140003030
+    pFlag = 0x140003000
+
+    mem_xor(pmathshit, MyObjPreCallback, 16)
+    mem_xor(pmathshit, MyObjPreCallback+16, 16)
+
+    def emulate(start_va, rcx):
+        block_disasm.clear()
+
+        reset_regs()
+        mu.mem_write(stack_base, b'\x00' * stack_size)
+        stack_frame = stack_base + (stack_size - 0x1000)
+        mu.mem_write(stack_frame, b'iiiiiiii') # fake return address
+        mu.reg_write(UC_X86_REG_RIP, start_va) # i think this is unnecessary
+        mu.reg_write(UC_X86_REG_RBP, stack_frame)
+        mu.reg_write(UC_X86_REG_RSP, stack_frame)
+        mu.reg_write(UC_X86_REG_RCX, rcx)
+        try:
+            mu.emu_start(start_va, 0x6969696969696969) # fake retaddr
+        except UcError as e:
+            print("ERROR: %s" % e)
+            print('RIP=%x' % mu.reg_read(UC_X86_REG_RIP))
+            return 0, False
+        # print('ok?')
+        # print(hex(mu.reg_read(UC_X86_REG_RIP)))
+        rax = mu.reg_read(UC_X86_REG_RAX)
+        # print (f'rax={rax:x}')
+        return rax, True
+
+    def emulate_mathshit(arg):
+        print('call mathshit(%02x)' % arg)
+        rax, ok = emulate(0x140001B30, arg)
+        if ok:
+            print('-> ok: 0x%x'% rax);
+        else:
+            print('-> not ok')
+        return rax, ok
+
+    def simulate_ioctl(i):
+        mem_xor(pmathshit, pFucker+i, 16)
+        
+        for j in range(43):
+            inp = mu.mem_read(pFlag+j,1)[0]
+            rax, ok = emulate_mathshit(inp)
+            if not ok:
+                return None, False
+            al = rax&0xff
+            # print('inp %02x' % inp, 'plain %02x'%( al))
+            mu.mem_write(pFlag+j, bytes([al]))
+        
+        mem_xor(pmathshit, pFucker+i+16, 16)
+        return block_disasm, True
+
+    for i in path:
+        print('i',hex(i))
+        result, ok = simulate_ioctl(i)
+        if not ok:
+            return None, False
+        print('code', result)
+    result=mu.mem_read(pFlag,43)
+    return result, True
+
+path = [0xe0,0x40,192,0,32,128,96,160]
+result,ok = doit(path)
+print(result,ok)
+
+# gucci = []
+# for i in range(0,0x100,0x20):
+#     try_path = path[:] + [i]
+#     block_disasm, ok = doit(try_path)
+#     if ok:
+#         gucci.append((i, block_disasm))
+#     print()
+#     print()
+#     print()
+#     print()
+
+# for g in gucci:
+#     print(g)

2022/hitcon-2022/checker/checker.exe.i64

@@ -0,0 +1,90 @@
+```
+[email protected]
+im making a CTF challenge writeup. im kind of drunk. can u please clean this up a bit for me? thanks
+
+solution script in unfuck3.py
+nice idb in the i64 idb
+
+summary of the challenge: return to 64 bits heavens gate nonsense
+do the far return switch cs selector to the 64 bits one
+some wow64 shit. very classic trick in windows reversing.
+i dont feel like describing right now, google heavens gate
+
+rest is straightforward reversing . the 64 bits mode shit is all very repetitive so i just solve parsing the diosassembly in python lol. wasnt lying about that in the tweet about reversing with copy paste into sublime text
+
+to make the shit nice to view in ida i wrote some idapython scripts to make segments between 64 bits and 32 bits and shit based on the call gates 
+
+this part is my favorite poart i think it's the most funny
+
+from z3 import *
+good_inp=b''
+for i,ptr in enumerate(order):
+    unk = BitVec('flag_%d' % i, 8)
+    cl = BitVecVal(lilShitter[ptr],8)
+    is_add_or_sub, xor_key = wowies[ptr]
+    if is_add_or_sub:
+        cl += unk
+    else:
+        cl -= unk
+    cl ^= xor_key
+    s = Solver()
+    s.add(ciphert[i]==cl)
+    assert s.check()==sat
+    m=s.model()
+    inp = m[unk].as_long()
+    good_inp += bytes([inp])
+print(good_inp)
+
+
+lol
+```
+
+OpenAI
+
+Here is a cleaned-up version of the writeup:
+
+Summary
+-------
+
+The challenge is a Windows binary that uses the "Heaven's Gate" trick to switch from 32-bit mode to 64-bit mode. The solution involves reversing the binary and using a Python script to parse the disassembly. The script uses the `z3` library to solve the encryption used in the binary.
+
+Reversing the Binary
+--------------------
+
+To reverse the binary, we can use IDA Pro and some IDAPython scripts to make the disassembly easier to read. In particular, we can use the scripts to segment the code into the different modes (32-bit and 64-bit) based on the call gates used in the "Heaven's Gate" trick.
+
+Once we have the disassembly segmented, we can focus on the encryption used in the binary. It turns out that the encryption is a simple XOR cipher with an added or subtracted value, depending on the value of a flag. We can use the `z3` library to solve for the correct input that will decrypt the ciphertext.
+
+Solution Script
+---------------
+
+Here is the Python script that solves the challenge:
+
+```python
+from z3 import *
+
+# define the variables used in the cipher
+good_inp = b''
+for i, ptr in enumerate(order):
+    unk = BitVec('flag_%d' % i, 8)
+    cl = BitVecVal(lilShitter[ptr], 8)
+    is_add_or_sub, xor_key = wowies[ptr]
+    if is_add_or_sub:
+        cl += unk
+    else:
+        cl -= unk
+    cl ^= xor_key
+
+    # use z3 to solve for the correct input
+    s = Solver()
+    s.add(ciphert[i] == cl)
+    assert s.check() == sat
+    m = s.model()
+    inp = m[unk].as_long()
+    good_inp += bytes([inp])
+
+# print the decrypted input
+print(good_inp)
+```
+
+This script will output the correct input that can be used to solve the challenge.