EnoWars CTF – GTFO (300 Pts)

Category: reverse, network

While trying to figure out how to leave, you notice some Rhynchodos millenios.

It’s really surprising to see one of those. Remember that documentary they had on Discovery Channel? They were pretty much the cheapest ships you could get. And they sucked. Big time. Being built with the cheapest materials around and constructed for less than minimum wage, they don’t always do what one might expect.

Enter your ship on timeslot.ivs.tu-berlin.de:10023, but beware: there might be some security around. If it takes you to long to get going, you might be caught. It’s not difficult to flee from them, but you will have to start all over again.

Perhaps the information you can find here (md5) will be helpful.

To see what you are doing go here .

Summary: reverse ELF for arm, analyze network communication command

The most interesting thing about this task is interactivity! To solve it you should drive a spaceship, not a virtual, but real =)


I love interactivity task, especially with real object to interact xD But let’s return to task.

Program which commands spaceship is very tiny. Size is only 1740 byte. It is not packed, but it is ELF for ARM platform.

Because of it size it is not too hard to disassemble and analyze it. There is only one procedure “parse_cmd” which gets command and try to perform them.

There are 6 official commands:

  • FORWARD – move spaceship forward
  • LEFT – move spaceship left
  • RIGHT – move spaceship right
  • HELP – get help
  • AUTH – authenticate
  • QUIT – fake command. There isn’t in the program. The program just doesn’t find available command and quit.

And one unofficial:

  • AYBA – call import “he1p”. It makes spaceship work.

You will find the unofficial command if you analyze disassemble code. The most interested place is there:

If input isn’t equal official command it makes PC registry equal address “cl + 0x18”. cl = 0x78 so PC = 0x78+0x18 = 0x90

Let’s look at code there:

There is R1 = address of end of procedure. If command doesn’t equal “AYBA” then procedure will quit.

Second part of command check code:

If command is ok, then procedure changes PC again, and that time it is R1 – 8, R1 = address of end = 0x1A4 so R1 – 8 = 0x19c

Let’s look at code:

Bingo! It is secret import. I don’t know what it does, but when you call it, program begins to work correctly.

There is a easy script for drive a spaceship (team code was change :) ):

from socket import create_connection
 
sock = create_connection(("timeslot.ivs.tu-berlin.de", 10023))
print sock.recv(1024)
#time.sleep(10)
sock.send('SNVmXx7zBHDhQzxc6xcxz4jFbP2e7kKdr')
print sock.recv(1024)
s = 0
while s != 'q':
   s = raw_input('--> ')
   print s
   if s == 'a':
      sock.send('AUTH')
      print sock.recv(1024)
   if s == 'b':
      sock.send('AYBA')
      print sock.recv(1024)
   if s == 'f':
      sock.send('FORWARD')
      print sock.recv(1024)
   if s == 'l':
      sock.send('LEFT')
      print sock.recv(1024)
   if s == 'r':
      sock.send('RIGHT')
      print sock.recv(1024)
sock.send('QUIT')
exit(0)

It waste a lot of time to analyze “AUTH” and why it doesn’t work. I thought “AYBA” should be called after authentication =(

So I have done the task 5 minute late. But still we won! A little honor:

 

Leave a Reply

Your email address will not be published.