{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-idek-2022-en","result":{"data":{"markdownRemark":{"id":"691db3eb-9471-502d-9e95-59cad79d738a","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-idek-2022\">original page</a>.</p>\n</blockquote>\n<p>I participated in Idek CTF 2022, which was held in January 2023.</p>\n<p>Despite the contest being held in 2023, the name remained “2022.”</p>\n<p>I retired early on the very first problem and ended up with 0 solves, but I decided to write up the challenges I couldn’t finish as a review exercise.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li>\n<p><a href=\"#polyglot\">Polyglot</a></p>\n<ul>\n<li><a href=\"#reading-the-binary\">Reading the Binary</a></li>\n<li><a href=\"#analyzing-the-shellcode-with-binary-ninja\">Analyzing the Shellcode with Binary Ninja</a></li>\n<li><a href=\"#emulating-the-x86_64-shellcode-with-unicorn\">Emulating the x86_64 Shellcode with Unicorn</a></li>\n<li><a href=\"#decompiling-the-arm64-shellcode-with-capstone\">Decompiling the ARM64 Shellcode with Capstone</a></li>\n</ul>\n</li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"polyglot\" style=\"position:relative;\"><a href=\"#polyglot\" aria-label=\"polyglot permalink\" class=\"anchor before\"><svg 
aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Polyglot</h2>\n<p>This challenge provided a small binary named <code class=\"language-text\">polyglot</code>, and the goal was to extract information about two flags embedded inside it.</p>\n<p>The word “polyglot” itself means “a person who speaks multiple languages,” but in programming it more commonly refers to code that can be executed by multiple interpreters or compilers in the same way.</p>\n<p>Reference: <a href=\"https://library.naist.jp/dspace/handle/10061/5276\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Polyglot Programming</a></p>\n<p>The <code class=\"language-text\">file</code> command reported the file as “DOS executable (COM),” so I suspected it might be a polyglot source file compiled as a DOS binary.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">file</span> polyglot\npolyglot: DOS executable <span class=\"token punctuation\">(</span>COM<span class=\"token punctuation\">)</span></code></pre></div>\n<p>However, I was unable to run it even with emulators such as <a href=\"https://www.dosbox.com/download.php?main=1\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">DOSBox</a>, and after looking into it I still couldn’t figure out what the file actually was — so I gave up and moved on.</p>\n<h3 id=\"reading-the-binary\" style=\"position:relative;\"><a href=\"#reading-the-binary\" aria-label=\"reading the binary permalink\" class=\"anchor 
before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Reading the Binary</h3>\n<p>Examining the binary’s hex dump produces the following output.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ xxd polyglot\n00000000: eb7e <span class=\"token number\">9090</span> 0002 0010 0370 0091 0200 80d2  .~<span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>.p<span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>\n00000010: ff83 00d1 0168 <span class=\"token number\">6238</span> <span class=\"token number\">6468</span> <span class=\"token number\">6238</span> <span class=\"token number\">4204</span> 0091  <span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>.hb8dhb8B<span class=\"token punctuation\">..</span>.\n00000020: <span class=\"token number\">2100</span> 044a e16b <span class=\"token number\">2238</span> 5f70 00f1 41ff ff54  <span class=\"token operator\">!</span><span class=\"token punctuation\">..</span>J.k<span class=\"token string\">\"8_p..A..T\n00000030: 0808 80d2 2000 80d2 e107 0091 8203 80d2  .... 
...........\n00000040: 0100 00d4 afbc f06b 0482 05a4 56b6 1648  .......k....V..H\n00000050: c093 ae51 788f b5b8 4e31 b5ed 9fa5 b3a0  ...Qx...N1......\n00000060: c6d8 9500 7fdd 5af3 3ecf 497d f0cc c365  ......Z.>.I}...e\n00000070: 16d6 ea8c 3c52 ddd8 c0c9 82cb 4bfd d484  ....&lt;R......K...\n00000080: e88b 0100 0066 0f6f 0514 0200 0049 89d2  .....f.o.....I..\n00000090: 31c9 4531 c00f 1147 0266 0f6f 0510 0200  1.E1...G.f.o....\n000000a0: 000f 1147 1266 0f6f 0514 0200 000f 1147  ...G.f.o.......G\n000000b0: 2266 0f6f 0518 0200 000f 1147 3266 0f6f  \"</span>f.o<span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>.G2f.o\n000000c0: 051c 0200 000f <span class=\"token number\">1147</span> <span class=\"token number\">4266</span> 0f6f 0520 0200  <span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>.GBf.o. <span class=\"token punctuation\">..</span>\n000000d0: 000f <span class=\"token number\">1147</span> <span class=\"token number\">5266</span> 0f6f 0524 0200 000f <span class=\"token number\">1147</span>  <span class=\"token punctuation\">..</span>.GRf.o.$<span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>.G\n000000e0: <span class=\"token number\">6266</span> 0f6f 0528 0200 000f <span class=\"token number\">1147</span> <span class=\"token number\">7266</span> 0f6f  bf.o.<span class=\"token punctuation\">(</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>.Grf.o\n000000f0: 052c 0200 000f <span class=\"token number\">1187</span> <span class=\"token number\">8200</span> 0000 660f 6f05  .,<span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>f.o.\n00000100: 2d02 0000 0f11 <span class=\"token 
number\">8792</span> 0000 0066 0f6f 052e  -<span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>f.o<span class=\"token punctuation\">..</span>\n00000110: 0200 000f <span class=\"token number\">1187</span> a200 0000 660f 6f05 2f02  <span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>f.o./.\n00000120: 0000 0f11 87b2 0000 0066 0f6f 0530 0200  <span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>.f.o.0<span class=\"token punctuation\">..</span>\n00000130: 000f <span class=\"token number\">1187</span> c200 0000 660f 6f05 <span class=\"token number\">3102</span> 0000  <span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>f.o.1<span class=\"token punctuation\">..</span>.\n00000140: 0f11 87d2 0000 0066 0f6f 0532 0200 000f  <span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>.f.o.2<span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>\n00000150: <span class=\"token number\">1187</span> e200 0000 660f 6f05 <span class=\"token number\">3302</span> 0000 0f11  <span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>f.o.3<span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>.\n00000160: 87f2 0000 0066 c707 0000 <span class=\"token number\">4889</span> c831 d244  <span class=\"token punctuation\">..</span><span 
class=\"token punctuation\">..</span>.f<span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>H<span class=\"token punctuation\">..</span><span class=\"token number\">1</span>.D\n00000170: 0fb6 4c0f 0249 f7f2 0fb6 0416 <span class=\"token number\">4401</span> c841  <span class=\"token punctuation\">..</span>L<span class=\"token punctuation\">..</span>I<span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>D<span class=\"token punctuation\">..</span>A\n00000180: 01c0 410f b6c0 0fb6 <span class=\"token number\">5407</span> 0288 540f 0248  <span class=\"token punctuation\">..</span>A<span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>.T<span class=\"token punctuation\">..</span>.T<span class=\"token punctuation\">..</span>H\n00000190: 83c1 0144 884c 0702 <span class=\"token number\">4881</span> f900 0100 0075  <span class=\"token punctuation\">..</span>.D.L<span class=\"token punctuation\">..</span>H<span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>u\n000001a0: c9c3 0fb7 0741 <span class=\"token number\">5449</span> 89fa <span class=\"token number\">5553</span> 0fb6 dc48  <span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>.ATI<span class=\"token punctuation\">..</span>US<span class=\"token punctuation\">..</span>.H\n000001b0: 85d2 <span class=\"token number\">7453</span> <span class=\"token number\">4189</span> c049 89d3 89c5 <span class=\"token number\">4883</span> c702  <span class=\"token punctuation\">..</span>tSA<span class=\"token punctuation\">..</span>I<span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>H<span class=\"token punctuation\">..</span>.\n000001c0: <span class=\"token number\">4129</span> f04c 8d0c <span class=\"token number\">1641</span> 83c0 0141 8d14 300f  A<span 
class=\"token punctuation\">)</span>.L<span class=\"token punctuation\">..</span>.A<span class=\"token punctuation\">..</span>.A<span class=\"token punctuation\">..</span><span class=\"token number\">0</span>.\n000001d0: b6d2 <span class=\"token number\">4801</span> fa0f b602 01c3 0fb6 cb48 01f9  <span class=\"token punctuation\">..</span>H<span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>H<span class=\"token punctuation\">..</span>\n000001e0: 440f b621 <span class=\"token number\">4488</span> <span class=\"token number\">2288</span> 0144 01e0 0fb6 c00f  D<span class=\"token punctuation\">..</span><span class=\"token operator\">!</span>D.<span class=\"token string\">\"..D......\n000001f0: b604 0730 0648 83c6 0149 39f1 75cd 410f  ...0.H...I9.u.A.\n00000200: b6c3 4000 e888 dc5b 5d66 4189 0241 5cc3  ..@....[]fA..A\\.\n00000210: 4881 ec58 0100 0066 0f6f 0582 0100 00ba  H..X...f.o......\n00000220: 2000 0000 48b8 80aa 0ab4 418e 7b1b 488d   ...H.....A.{.H.\n00000230: 7c24 4048 8d74 2420 0f29 4424 2066 0f6f  |<span class=\"token variable\">$@</span>H.t$ .)D$ f.o\n00000240: 056c 0100 000f 2944 2430 660f 6f05 6f01  .l....)D<span class=\"token variable\">$0f</span>.o.o.\n00000250: 0000 0f29 0424 4889 4424 0fe8 25fe ffff  ...).<span class=\"token variable\">$H</span>.D$..%...\n00000260: 4889 e6ba 1700 0000 e835 ffff ff48 c7c0  H........5...H..\n00000270: 0100 0000 48c7 c701 0000 0048 89e6 48c7  ....H......H..H.\n00000280: c217 0000 000f 05e8 0000 0000 31c0 4881  ............1.H.\n00000290: c458 0100 0048 c7c0 3c00 0000 4831 ff0f  .X...H..&lt;...H1..\n000002a0: 0500 0102 0304 0506 0708 090a 0b0c 0d0e  ................\n000002b0: 0f10 1112 1314 1516 1718 191a 1b1c 1d1e  ................\n000002c0: 1f20 2122 2324 2526 2728 292a 2b2c 2d2e  . 
!\"</span>#$%<span class=\"token operator\">&amp;</span>'<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>*+,-.\n000002d0: 2f30 <span class=\"token number\">3132</span> <span class=\"token number\">3334</span> <span class=\"token number\">3536</span> <span class=\"token number\">3738</span> 393a 3b3c 3d3e  /0123456789:<span class=\"token punctuation\">;</span><span class=\"token operator\">&lt;=</span><span class=\"token operator\">></span>\n000002e0: 3f40 <span class=\"token number\">4142</span> <span class=\"token number\">4344</span> <span class=\"token number\">4546</span> <span class=\"token number\">4748</span> 494a 4b4c 4d4e  ?@ABCDEFGHIJKLMN\n000002f0: 4f50 <span class=\"token number\">5152</span> <span class=\"token number\">5354</span> <span class=\"token number\">5556</span> <span class=\"token number\">5758</span> 595a 5b5c 5d5e  OPQRSTUVWXYZ<span class=\"token punctuation\">[</span><span class=\"token punctuation\">\\</span><span class=\"token punctuation\">]</span>^\n00000300: 5f60 <span class=\"token number\">6162</span> <span class=\"token number\">6364</span> <span class=\"token number\">6566</span> <span class=\"token number\">6768</span> 696a 6b6c 6d6e  _`abcdefghijklmn\n00000310: 6f70 <span class=\"token number\">7172</span> <span class=\"token number\">7374</span> <span class=\"token number\">7576</span> <span class=\"token number\">7778</span> 797a 7b7c 7d7e  opqrstuvwxyz<span class=\"token punctuation\">{</span><span class=\"token operator\">|</span><span class=\"token punctuation\">}</span>~\n00000320: 7f80 <span class=\"token number\">8182</span> <span class=\"token number\">8384</span> <span class=\"token number\">8586</span> <span class=\"token number\">8788</span> 898a 8b8c 8d8e  <span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span 
class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>\n00000330: 8f90 <span class=\"token number\">9192</span> <span class=\"token number\">9394</span> <span class=\"token number\">9596</span> <span class=\"token number\">9798</span> 999a 9b9c 9d9e  <span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>\n00000340: 9fa0 a1a2 a3a4 a5a6 a7a8 a9aa abac adae  <span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>\n00000350: afb0 b1b2 b3b4 b5b6 b7b8 b9ba bbbc bdbe  <span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>\n00000360: bfc0 c1c2 c3c4 c5c6 c7c8 c9ca cbcc cdce  <span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>\n00000370: cfd0 d1d2 d3d4 d5d6 d7d8 d9da dbdc ddde  <span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span 
class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>\n00000380: dfe0 e1e2 e3e4 e5e6 e7e8 e9ea ebec edee  <span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>\n00000390: eff0 f1f2 f3f4 f5f6 f7f8 f9fa fbfc fdfe  <span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>\n000003a0: ff62 5a46 8aaa 47b6 <span class=\"token number\">8784</span> bf1b e6da 0ad7  .bZF<span class=\"token punctuation\">..</span>G<span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span>.\n000003b0: <span class=\"token number\">4081</span> 0e14 6af7 6e2b f119 d52e 33a8 b6d1  @<span class=\"token punctuation\">..</span>.j.n+<span class=\"token punctuation\">..</span><span class=\"token punctuation\">..</span><span class=\"token number\">3</span><span class=\"token punctuation\">..</span>.\n000003c0: <span class=\"token number\">7618</span> <span class=\"token number\">2537</span> 37f5 <span class=\"token number\">1470</span> <span class=\"token number\">6359</span> 1d85 0ea5 d9db  v.%77<span class=\"token punctuation\">..</span>pcY<span class=\"token punctuation\">..</span><span class=\"token 
punctuation\">..</span><span class=\"token punctuation\">..</span></code></pre></div>\n<p>At first glance it is hard to make sense of this, but since <code class=\"language-text\">file</code> recognized it as a COM program, I tried disassembling it as x86.</p>\n<p>The leading bytes appear to be Intel-architecture shellcode that jumps to 0x80 and makes some function calls.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ objdump -M intel -D -b binary -m i386 polyglot\n00000000 <span class=\"token operator\">&lt;</span>.data<span class=\"token operator\">></span>:\n   <span class=\"token number\">0</span>:   eb 7e                   jmp    0x80\n   <span class=\"token number\">2</span>:   <span class=\"token number\">90</span>                      nop\n   <span class=\"token number\">3</span>:   <span class=\"token number\">90</span>                      nop\n<span class=\"token punctuation\">{</span><span class=\"token punctuation\">{</span> <span class=\"token punctuation\">(</span>abbreviated<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">}</span><span class=\"token punctuation\">}</span>\n  <span class=\"token number\">80</span>:   e8 8b 01 00 00          call   0x210\n  <span class=\"token number\">85</span>:   <span class=\"token number\">66</span> 0f 6f 05 <span class=\"token number\">14</span> 02 00    movdqa xmm0,XMMWORD PTR ds:0x21</code></pre></div>\n<p>On the other hand, the output frequently contains <code class=\"language-text\">(bad)</code> entries.</p>\n<p>In objdump, <code class=\"language-text\">(bad)</code> is recorded when an opcode cannot be decoded correctly.</p>\n<p>Since the challenge description stated that “two flags are embedded,” I inferred that the binary also contained a second architecture beyond x86_64.</p>\n<p>I wanted to isolate the x86_64 portion, but unfortunately Ghidra couldn’t handle this kind of binary well. 
(IDA Pro reportedly can, but the free version didn’t support it.)</p>\n<h3 id=\"analyzing-the-shellcode-with-binary-ninja\" style=\"position:relative;\"><a href=\"#analyzing-the-shellcode-with-binary-ninja\" aria-label=\"analyzing the shellcode with binary ninja permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Analyzing the Shellcode with Binary Ninja</h3>\n<p>So I turned to <a href=\"https://binary.ninja/demo/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Binary Ninja</a>.</p>\n<p>After specifying the x86_64 architecture and opening the [Linear] view, Binary Ninja neatly decompiled only the x86_64 shellcode section.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 848px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/f63d437fcc0f2de5b92bfd450b114dfb/d52e5/image-20230226182209138.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 122.08333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/f63d437fcc0f2de5b92bfd450b114dfb/8ac56/image-20230226182209138.webp 
240w,\n/static/f63d437fcc0f2de5b92bfd450b114dfb/d3be9/image-20230226182209138.webp 480w,\n/static/f63d437fcc0f2de5b92bfd450b114dfb/27a2c/image-20230226182209138.webp 848w\"\n              sizes=\"(max-width: 848px) 100vw, 848px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/f63d437fcc0f2de5b92bfd450b114dfb/8ff5a/image-20230226182209138.png 240w,\n/static/f63d437fcc0f2de5b92bfd450b114dfb/e85cb/image-20230226182209138.png 480w,\n/static/f63d437fcc0f2de5b92bfd450b114dfb/d52e5/image-20230226182209138.png 848w\"\n            sizes=\"(max-width: 848px) 100vw, 848px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/f63d437fcc0f2de5b92bfd450b114dfb/d52e5/image-20230226182209138.png\"\n            alt=\"image-20230226182209138\"\n            title=\"image-20230226182209138\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"emulating-the-x86_64-shellcode-with-unicorn\" style=\"position:relative;\"><a href=\"#emulating-the-x86_64-shellcode-with-unicorn\" aria-label=\"emulating the x86_64 shellcode with unicorn permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Emulating the x86_64 Shellcode with Unicorn</h3>\n<p>As noted in the challenge description, the flag is split into two parts.</p>\n<p>Reading Binary 
Ninja’s decompiled output, it appears that executing the x86_64 shellcode should yield the first flag.</p>\n<p>I used the Unicorn emulator to run the shellcode.</p>\n<p>I based the solver on the sample Python code from the official documentation.</p>\n<p>Reference: <a href=\"https://www.unicorn-engine.org/docs/tutorial.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Programming with C &#x26; Python languages – Unicorn – The Ultimate CPU emulator</a></p>\n<p>Reference: <a href=\"https://www.unicorn-engine.org/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Unicorn – The Ultimate CPU emulator</a></p>\n<p>From the decompilation, the decrypted flag string inside the shellcode is (likely) printed by a <code class=\"language-text\">write</code> syscall invoked at the syscall at offset 0x0285.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 491px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/2e3420b89027d1adefd6fa4aff850cc8/13566/image-20230226201419296.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 52.083333333333336%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB/ElEQVQoz32SS4+bMBSF+TOTkCiU8DDGYDCPhJAmKQQIeXQ0I83sqy4qza796acX0k7VRbs48sUyx9+9Plp76XB7fcT56YK6qVHXR3Rdi6qiur+i6m843R5RVxV2ux32+/1/pYWRhMoUoiSGCAIIIRDQOkpGoyKl4Ps+OOfgHh/rf0lj0kdeFYg2CqZlYjqdwjAMMJfB4wxceGAeg+VYmM/nMD4YmE4mmDw8jGd1Xf9Lmq9CFO0W2ac1HM/BbDaDaZoj6UgliMrnSPKUaANwKWER6ZIxGHRuTueHi35L4yrAuimR7HLYzMZMJ8Pl8t4eGS6p9oUPxj14RGqHEn6xgSCZZKoT5QAx+2VMhGRIhOmeDF3rnXD4eaC0HRsiFOABzYjkEqEoCnhJCtN1R5OFsfhDOBgWRJgeVveWidBmLoI4gkwTxCtFdTi2zSOBMKP9IoHaZpA5PVpGxEnwTqmxyEdaF5DbFEsiHAa+sF1YUQZHppAqhksXxKmCR/MMlYRLjyXXMXXkUMs6HNuBY9l3wtfnz/jx9hXfv33Bre+QZhkOlMGesjfk73Tu0bQN+kuP9tzhdO0pnw2O5wb7wwEN5fbl+QV926EsS2jlxwK3pxP66xEJZdFxXIRhiA3NKU0S2lNQlMNxpW9Fq1QR8lWOOIqREUBImWX0QC7N9CcCilahp/S7QAAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/2e3420b89027d1adefd6fa4aff850cc8/8ac56/image-20230226201419296.webp 240w,\n/static/2e3420b89027d1adefd6fa4aff850cc8/d3be9/image-20230226201419296.webp 480w,\n/static/2e3420b89027d1adefd6fa4aff850cc8/881c7/image-20230226201419296.webp 491w\"\n              sizes=\"(max-width: 491px) 100vw, 491px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/2e3420b89027d1adefd6fa4aff850cc8/8ff5a/image-20230226201419296.png 240w,\n/static/2e3420b89027d1adefd6fa4aff850cc8/e85cb/image-20230226201419296.png 480w,\n/static/2e3420b89027d1adefd6fa4aff850cc8/13566/image-20230226201419296.png 491w\"\n            sizes=\"(max-width: 491px) 100vw, 491px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/2e3420b89027d1adefd6fa4aff850cc8/13566/image-20230226201419296.png\"\n            alt=\"image-20230226201419296\"\n            title=\"image-20230226201419296\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I wrote the following solver that uses Unicorn to run the code up to 0x285 and dump everything on the stack at that point.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> unicorn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n<span class=\"token keyword\">from</span> unicorn<span class=\"token punctuation\">.</span>x86_const <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\n<span class=\"token comment\"># code to be emulated</span>\ncode <span class=\"token operator\">=</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"polyglot\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"rb\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># memory address where emulation starts</span>\nADDRESS <span class=\"token operator\">=</span> <span class=\"token number\">0x0</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Emulate x86 code\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">try</span><span class=\"token punctuation\">:</span>\n    mu <span class=\"token operator\">=</span> Uc<span class=\"token punctuation\">(</span>UC_ARCH_X86<span class=\"token punctuation\">,</span> UC_MODE_64<span class=\"token punctuation\">)</span>\n\n    <span class=\"token comment\"># map 1MB (0x100000 bytes) of memory for this emulation; the stack is placed at its top</span>\n    mu<span class=\"token 
punctuation\">.</span>mem_map<span class=\"token punctuation\">(</span>ADDRESS<span class=\"token punctuation\">,</span>  <span class=\"token number\">0x100000</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token comment\"># write machine code to be emulated to memory</span>\n    mu<span class=\"token punctuation\">.</span>mem_write<span class=\"token punctuation\">(</span>ADDRESS<span class=\"token punctuation\">,</span> code<span class=\"token punctuation\">)</span>\n\n    <span class=\"token comment\"># initialize machine registers</span>\n    mu<span class=\"token punctuation\">.</span>reg_write<span class=\"token punctuation\">(</span>UC_X86_REG_RSP<span class=\"token punctuation\">,</span> <span class=\"token number\">0x0</span> <span class=\"token operator\">+</span> <span class=\"token number\">0x100000</span><span class=\"token punctuation\">)</span>\n    mu<span class=\"token punctuation\">.</span>reg_write<span class=\"token punctuation\">(</span>UC_X86_REG_RBP<span class=\"token punctuation\">,</span> <span class=\"token number\">0x0</span> <span class=\"token operator\">+</span> <span class=\"token number\">0x100000</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token comment\"># emulate code in infinite time &amp; unlimited instructions</span>\n    mu<span class=\"token punctuation\">.</span>emu_start<span class=\"token punctuation\">(</span>ADDRESS<span class=\"token punctuation\">,</span> ADDRESS <span class=\"token operator\">+</span> <span class=\"token number\">0x285</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token comment\"># now print out some registers</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Emulation done. 
Below is the CPU context\"</span><span class=\"token punctuation\">)</span>\n\n    rsp <span class=\"token operator\">=</span> mu<span class=\"token punctuation\">.</span>reg_read<span class=\"token punctuation\">(</span>UC_X86_REG_RSP<span class=\"token punctuation\">)</span>\n    rbp <span class=\"token operator\">=</span> mu<span class=\"token punctuation\">.</span>reg_read<span class=\"token punctuation\">(</span>UC_X86_REG_RBP<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>mu<span class=\"token punctuation\">.</span>mem_read<span class=\"token punctuation\">(</span>rsp<span class=\"token punctuation\">,</span> rbp<span class=\"token operator\">-</span>rsp<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">b'\\x00'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">except</span> UcError <span class=\"token keyword\">as</span> e<span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"ERROR: %s\"</span> <span class=\"token operator\">%</span> e<span class=\"token punctuation\">)</span></code></pre></div>\n<p>Running this outputs <code class=\"language-text\">bytearray(b'3_X86_N_4rM_1n_0n3_biN}')</code>, giving us the second half of the flag.</p>\n<h3 id=\"decompiling-the-arm64-shellcode-with-capstone\" style=\"position:relative;\"><a href=\"#decompiling-the-arm64-shellcode-with-capstone\" aria-label=\"decompiling the arm64 shellcode with capstone permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" 
width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Decompiling the ARM64 Shellcode with Capstone</h3>\n<p>Now let’s recover the first half of the flag.</p>\n<p>I tried every architecture Binary Ninja supports, but none of them produced a usable analysis.</p>\n<p>According to other writeups, IDA Pro can handle this binary, but it’s far too expensive for personal use.</p>\n<p>The following video showed me a technique using <a href=\"https://www.capstone-engine.org/lang_python.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Capstone</a> to write a custom ARM64 disassembler script.</p>\n<p>Reference: <a href=\"https://www.youtube.com/watch?v=1mkKrN3VQM4&#x26;ab_channel=REAdventures\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Using Unicorn Engine for emulation | Polyglot - IdekCTF 2023 - YouTube</a></p>\n<p>The code itself is very simple — just load the binary with the ARM64 architecture specified.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> capstone\n\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"polyglot\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"rb\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> fp<span class=\"token punctuation\">:</span>\n    bytecode <span class=\"token operator\">=</span> fp<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\nengine <span class=\"token operator\">=</span> capstone<span class=\"token punctuation\">.</span>Cs<span class=\"token punctuation\">(</span>capstone<span class=\"token punctuation\">.</span>CS_ARCH_ARM64<span 
class=\"token punctuation\">,</span> capstone<span class=\"token punctuation\">.</span>CS_MODE_ARM<span class=\"token punctuation\">)</span>\ndisasm <span class=\"token operator\">=</span> engine<span class=\"token punctuation\">.</span>disasm<span class=\"token punctuation\">(</span>bytecode<span class=\"token punctuation\">[</span><span class=\"token number\">4</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x10000</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">for</span> item <span class=\"token keyword\">in</span> disasm<span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>item<span class=\"token punctuation\">.</span>address<span class=\"token punctuation\">:</span><span class=\"token format-spec\">#08x</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">: </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>item<span class=\"token punctuation\">.</span>mnemonic<span class=\"token punctuation\">:</span><span class=\"token format-spec\">8</span><span class=\"token punctuation\">}</span></span><span class=\"token string\"> </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>item<span class=\"token punctuation\">.</span>op_str<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>True to its name “polyglot,” this binary is a polyglot of x86_64 and ARM64.</p>\n<p>Running the script produces the following assembly.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre 
class=\"language-bash\"><code class=\"language-bash\">0x010000: adr      x0, <span class=\"token comment\">#0x10040</span>\n0x010004: <span class=\"token function\">add</span>      x3, x0, <span class=\"token comment\">#0x1c</span>\n0x010008: mov      x2, <span class=\"token comment\">#0</span>\n0x01000c: sub      sp, sp, <span class=\"token comment\">#0x20</span>\n0x010010: ldrb     w1, <span class=\"token punctuation\">[</span>x0, x2<span class=\"token punctuation\">]</span>\n0x010014: ldrb     w4, <span class=\"token punctuation\">[</span>x3, x2<span class=\"token punctuation\">]</span>\n0x010018: <span class=\"token function\">add</span>      x2, x2, <span class=\"token comment\">#1</span>\n0x01001c: eor      w1, w1, w4\n0x010020: strb     w1, <span class=\"token punctuation\">[</span>sp, x2<span class=\"token punctuation\">]</span>\n0x010024: <span class=\"token function\">cmp</span>      x2, <span class=\"token comment\">#0x1c</span>\n0x010028: b.ne     <span class=\"token comment\">#0x10010</span>\n0x01002c: mov      x8, <span class=\"token comment\">#0x40</span>\n0x010030: mov      x0, <span class=\"token comment\">#1</span>\n0x010034: <span class=\"token function\">add</span>      x1, sp, <span class=\"token comment\">#1</span>\n0x010038: mov      x2, <span class=\"token comment\">#0x1c</span>\n0x01003c: svc      <span class=\"token comment\">#0</span></code></pre></div>\n<p>The code is short enough to solve by hand, but let’s use Unicorn again.</p>\n<p>I based the ARM64 emulation script on the following sample.</p>\n<p>Reference: <a href=\"https://github.com/unicorn-engine/unicorn/blob/master/bindings/python/sample_arm64eb.py\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">unicorn/sample_arm64eb.py at master · unicorn-engine/unicorn</a></p>\n<p>The flow is almost the same as for x86_64, but this time the disassembly tells us exactly where the decoded flag ends up: the loop XORs the 0x1c bytes at x0 with the 0x1c bytes that follow them and stores the result on the stack, and then x1 = sp + 1 is passed as the buffer argument of the write syscall (x8 = 0x40, svc #0).</p>\n<p>So I ran emulation up to 0x3c (the svc instruction) and then read 0x1c bytes from 
x1.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\">#!/usr/bin/env python</span>\n<span class=\"token comment\"># Sample code for ARM64 of Unicorn. Nguyen Anh Quynh &lt;aquynh@gmail.com></span>\n<span class=\"token comment\"># Python sample ported by Loi Anh Tuan &lt;loianhtuan@gmail.com></span>\n<span class=\"token comment\"># AARCH64 Python sample ported by zhangwm &lt;rustydaar@gmail.com></span>\n\n<span class=\"token keyword\">from</span> __future__ <span class=\"token keyword\">import</span> print_function\n<span class=\"token keyword\">from</span> unicorn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n<span class=\"token keyword\">from</span> unicorn<span class=\"token punctuation\">.</span>arm64_const <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\n\n<span class=\"token comment\"># code to be emulated</span>\ncode <span class=\"token operator\">=</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"polyglot\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"rb\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># memory address where emulation starts</span>\nADDRESS <span class=\"token operator\">=</span> <span class=\"token number\">0x0</span>\n\n<span class=\"token comment\"># Test ARM64</span>\n<span class=\"token keyword\">def</span> <span class=\"token function\">arm64</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token 
string\">\"Emulate ARM64 Big-Endian code\"</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">try</span><span class=\"token punctuation\">:</span>\n        <span class=\"token comment\"># Initialize emulator in ARM mode</span>\n        mu <span class=\"token operator\">=</span> Uc<span class=\"token punctuation\">(</span>UC_ARCH_ARM64<span class=\"token punctuation\">,</span> UC_MODE_ARM <span class=\"token operator\">|</span> UC_MODE_BIG_ENDIAN<span class=\"token punctuation\">)</span>\n\n        mu<span class=\"token punctuation\">.</span>mem_map<span class=\"token punctuation\">(</span>ADDRESS<span class=\"token punctuation\">,</span> <span class=\"token number\">0x100000</span><span class=\"token punctuation\">)</span>\n        mu<span class=\"token punctuation\">.</span>mem_write<span class=\"token punctuation\">(</span>ADDRESS<span class=\"token punctuation\">,</span> code<span class=\"token punctuation\">)</span>\n\n        mu<span class=\"token punctuation\">.</span>mem_map<span class=\"token punctuation\">(</span>ADDRESS <span class=\"token operator\">+</span> <span class=\"token number\">0x100000</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x100000</span><span class=\"token punctuation\">)</span>\n        mu<span class=\"token punctuation\">.</span>reg_write<span class=\"token punctuation\">(</span>UC_ARM64_REG_SP<span class=\"token punctuation\">,</span> <span class=\"token number\">0x100000</span><span class=\"token operator\">+</span><span class=\"token number\">0x100000</span><span class=\"token punctuation\">)</span>\n\n        <span class=\"token comment\"># emulate machine code in infinite time</span>\n        mu<span class=\"token punctuation\">.</span>emu_start<span class=\"token punctuation\">(</span>ADDRESS<span class=\"token punctuation\">,</span> ADDRESS <span class=\"token operator\">+</span> <span class=\"token number\">0x3c</span><span class=\"token 
punctuation\">)</span>\n\n        x1 <span class=\"token operator\">=</span> mu<span class=\"token punctuation\">.</span>reg_read<span class=\"token punctuation\">(</span>UC_ARM64_REG_X1<span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>mu<span class=\"token punctuation\">.</span>mem_read<span class=\"token punctuation\">(</span>x1<span class=\"token punctuation\">,</span> <span class=\"token number\">0x1c</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">b'\\x00'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token keyword\">except</span> UcError <span class=\"token keyword\">as</span> e<span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"ERROR: %s\"</span> <span class=\"token operator\">%</span> e<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">if</span> __name__ <span class=\"token operator\">==</span> <span class=\"token string\">'__main__'</span><span class=\"token punctuation\">:</span>\n    arm64<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>Running this solver outputs <code class=\"language-text\">bytearray(b'idek{__Why_50_m4nY_4rch5_l1k')</code>, giving us the first half of the flag.</p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 
0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>It feels a little unfair that the difficulty changes so drastically depending on whether you have IDA Pro, but it was an extremely educational challenge.</p>\n<p>I want to get more proficient with both Unicorn and Capstone going forward.</p>","fields":{"slug":"/ctf-idek-2022-en","tagSlugs":["/tag/ctf-en/","/tag/rev-en/","/tag/english/"]},"frontmatter":{"date":"2023-01-19","description":"Idek CTF 2022 Writeup","tags":["CTF (en)","Rev (en)","English"],"title":"Idek CTF 2022 Writeup","socialImage":{"publicURL":"/static/dc6fc9e2553de2a2f2c5c718f4700e38/ctf-idek-2023.png"}}}},"pageContext":{"slug":"/ctf-idek-2022-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}