{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-uiuctf-2023-en","result":{"data":{"markdownRemark":{"id":"fec32077-9102-5876-bdf3-ee504b2e590f","html":"
\n

This page has been machine-translated from the original page.

\n
\n

I participated in UIUCTF 2023, which started on 7/1, as part of 0nePadding, and we placed 124th out of 818 teams.

\n

\n \n ) {\n pbVar1 = pbVar1 + CONCAT11(*pbVar1,local_20[2]);\n }\n local_20 = pbVar1;\n local_20 = local_20 + 2;\n break;\n case 0xc:\n if (local_18[-1] == 0) {\n pbVar1 = pbVar1 + CONCAT11(*pbVar1,local_20[2]);\n }\n local_20 = pbVar1;\n local_20 = local_20 + 2;\n break;\n case 0xd:\n local_20 = pbVar1 + (long)CONCAT11(*pbVar1,local_20[2]) + 2;\n break;\n case 0xe:\n local_18 = local_18 + -1;\n local_20 = pbVar1;\n break;\n case 0xf:\n *local_18 = local_18[-1];\n local_18 = local_18 + 1;\n local_20 = pbVar1;\n break;\n case 0x10:\n local_20 = local_20 + 2;\n bVar2 = *pbVar1;\n if ((long)local_18 - (long)pbVar5 < (long)(ulong)bVar2) {\n printf(\"Stack underflow in reverse at 0x%04lx\\n\",(long)local_20 - (long)param_1);\n }\n for (local_24 = 0; (int)local_24 < (int)(uint)(bVar2 >> 1); local_24 = local_24 + 1) {\n bVar3 = local_18[(int)(local_24 - bVar2)];\n local_18[(int)(local_24 - bVar2)] = local_18[(int)~local_24];\n local_18[(int)~local_24] = bVar3;\n }\n break;\n default:\n printf(\"Unknown opcode: 0x%02x at 0x%04lx\\n\",(ulong)*local_20,(long)local_20 - (long)param_1);\n return 1;\n case 0x28:\n FUN_00101370(param_1,pbVar5,local_18,(long)pbVar1 - (long)param_1);\n local_20 = pbVar1;\n }\n if (local_18 < pbVar5) break;\n if (pbVar5 + 0x1000 < local_18) {\n printf(\"Stack overflow at 0x%04lx\\n\",(long)local_20 - (long)param_1);\n return 1;\n }\n }\n printf(\"Stack underflow at 0x%04lx\\n\",(long)local_20 - (long)param_1);\n return 1;\n}\n

Looking at this code, you can see that when the opcode is 0x08, the getchar function is called and the input is read one character at a time.

\n

So I extracted the 0x08 instructions from program, and found the following periodic pattern.

\n

\n \n \n \n \n \n \n \n \n

\n

Tracing the following byte sequence shows that after the input value is saved by the 0xf handler, it is transformed by the 0x7 and 0x5 handlers, XORed with a hardcoded byte value, and then verified one character at a time by the 0xc handler.

\n

Once I had narrowed it down that far, I could brute-force it with dynamic analysis.

\n

Using the following script, I identified characters that satisfy the 0xc condition one by one from the beginning, which let me recover the flag.

\n
# gdb -x solver.py\nimport gdb\nfrom pprint import pprint\n\n# pprint(dir(gdb))\nBINDIR = \"/home/ubuntu/Hacking/CTF/2023/UIUCTF/Rev/vmwhere1/\"\nBIN = \"chal\"\n\ngdb.execute('file {}/{}'.format(BINDIR, BIN))\n# gdb.execute('b *{}'.format(0x555555555587))\ngdb.execute('b *{}'.format(0x55555555569f))\n\nflag = \"uiuctf{\" + \"A\"*150\nfor i in range(150):\n    for j in range(0x21,0x126):\n        flag = flag[:i] + chr(j) + \"A\"*(30-i)\n        with open(\"in.txt\", \"w\") as f:\n            f.write(flag)\n        \n        gdb.execute(\"run program < in.txt\")\n        gdb.execute(\"continue {}\".format(51+i))\n        res = int(gdb.parse_and_eval(\"$al\"))\n        if res == 0:\n            print(flag)\n            print(chr(j),flag)            \n            break\n        else:\n            continue\n\nprint(flag)\ngdb.execute('quit')
\n

Solving it properly with static analysis

\n

For vmwhere1, it was enough to identify that 0xc checks the input one character at a time, and that alone was enough to recover the flag, but if you move on without understanding more than that, you get stuck on vmwhere2.

\n

So at the vmwhere1 stage, I dug a little deeper to better understand how the binary works.

\n

To understand the behavior of the VM, the following function called by the 0x28 handler is a useful clue.

\n
void FUN_00101370(undefined8 param_1,long param_2,long param_3,undefined8 param_4)\n{\n  int local_c;\n  \n  param_3 = param_3 + -1;\n  printf(\"Program counter: 0x%04lx\\n\",param_4);\n  printf(\"Stack pointer: 0x%04lx\\n\",param_3 - param_2);\n  puts(\"Stack:\");\n  for (local_c = 0; local_c < 0x10; local_c = local_c + 1) {\n    if (-1 < (param_3 - param_2) - (long)local_c) {\n      printf(\"0x%04lx: 0x%04x\\n\",(param_3 - param_2) - (long)local_c,\n             (ulong)*(byte *)(param_3 - local_c));\n    }\n  }\n  return;\n}
\n

If you make a binary that pushes some arbitrary values onto the stack and then invokes the 0x28 handler, you get output like this.

\n

This shows that the variable passed as param_3 is the stack pointer.

\n
echo -n -e \"\\x0a\\x21\\x0a\\x22\\x0a\\x23\\x0a\\x24\\x28\" > test\n./chal test\n>\nProgram counter: 0x0009\nStack pointer: 0x0003\nStack:\n0x0003: 0x0024\n0x0002: 0x0023\n0x0001: 0x0022\n0x0000: 0x0021\nProgram terminated unexpectedly. Last instruction: 0x0009
\n

Once I had identified the stack pointer and program counter, the rest was to work through the necessary operations.

\n

After 0x8 reads one character of the flag, the following sequence runs.

\n
08 0f 0a 04 07 05 05 0f 0a 72 05 0c 00 03 0d 04 0d 0e
\n

As a starting point, I rewrote the processing up to 0xc in Python like this.

\n
op = prog[pic]\n\nif op == 1:\n    a = stack.pop()\n    b = stack.pop()\n    stack.append(a+b)\n    pic += 1\n\nif op == 5:\n    a = stack.pop()\n    b = stack.pop()\n    n = a ^ b\n    stack.append(n)\n    pic += 1\n\nif op == 7:\n    a = stack.pop()\n    b = stack.pop()\n    n = b >> (a & 0x1f)\n    stack.append(n)\n    pic += 1\n\nif op == 8:\n    c = flag[seek]\n    seek += 1\n    stack.append(c)\n    pic += 1\n\nif op == 0xa:\n    data = prog[pic+1]\n    stack.append(data)\n    pic += 2\n\nif op == 0xf:\n    stack.append(stack[-1])\n    pic += 1
\n

Rephrased in order, it does the following.

\n\n

If you actually evaluate this sequence, you can see that when the first character is u, it returns the correct value 0 as shown below.

\n

\n \n \n \n \n \n \n \n \n

\n

Apart from the value pushed by 0a 72, the rest of this processing is shared for every character.

\n

In other words, if we extract the hardcoded verification value for each character, we should be able to reconstruct the correct flag.

\n

\n \n \n \n \n \n \n \n \n

\n

The following script can be used to extract those keys.

\n
with open(\"program\", \"rb\") as f:\n    prog = f.read()\n\npattern = b\"\\x05\\x0f\\x0a\"\nkey = []\nfor i in range(3, len(prog)):\n    if prog[i-3:i] == pattern:\n        key.append(prog[i])\n\nprint(key)
\n

Then, based on the analysis, I ran the following solver and obtained the correct flag.

\n

The reason chr((a>>4)^a) recovers the flag is that the correct input keeps its upper bits unchanged, while its lower bits are XORed with the upper bits.

\n
with open(\"program\", \"rb\") as f:\n    prog = f.read()\n\npattern = b\"\\x05\\x0f\\x0a\"\nkey = []\nfor i in range(3, len(prog)):\n    if prog[i-3:i] == pattern:\n        key.append(prog[i])\n\n# print([hex(i) for i in key])\n\nflag = \"\"\nkey = key[::-1]\nfor i in range(len(key)-1):\n    k = key[i]\n    a = k ^ key[i+1]\n    flag += chr((a>>4)^a)\nprint(\"c\" + flag[::-1])\n\n# ciuctf{ar3_y0u_4_r3al_vm_wh3r3_(gpt_g3n3r4t3d_th1s_f14g)}
\n

vmwhere2(Rev)

\n

This challenge gives you a binary almost identical to vmwhere1 along with a new program file.

\n

Unlike vmwhere1, this ELF added the following two handlers.

\n
case 0x11:\n  local_30 = sp[-1];\n  for (j = 0; j < 8; j = j + 1) {\n    (sp + -1)[j] = local_30 & 1;\n    local_30 = local_30 >> 1;\n  }\n  sp = sp + 7;\n  current_pic = next_pic;\n  break;\n\ncase 0x12:\n  local_2f = 0;\n  for (k = 7; -1 < k; k = k + -1) {\n    local_2f = local_2f << 1 | (sp + -8)[k] & 1;\n  }\n  sp[-8] = local_2f;\n  sp = sp + -7;\n  current_pic = next_pic;\n  break;
\n

The 0x11 handler splits the input character into individual bits and pushes them onto the stack.

\n

Meanwhile, 0x12 appears to reorder the bit sequence stored by 0x11 in reverse and pack it back again.

\n

The rest looks the same as vmwhere1, so next I looked at the program itself.

\n

In vmwhere2, unlike vmwhere1, it seems to read all of the input first and only then verify the flag.

\n

First, just like before, let’s look at the processing after 0x08 reads a character.

\n

\n \n \n \n \n \n \n \n \n

\n

The handling of the first input character looked like this.

\n

There is a lot more here than before.

\n
08 11 0a ff 10 09 10 08 0a 00 10 02 0f 0a ff 05 0c 00 04 0e 0d 00 04 0e 0d 00 16 10 02 10 02 0c 00 07 0e 0a 01 01 0d 00 01 0e 0f 0f 01 01 0d ff d9 0e
\n

To make each step easier to follow, I arranged it by opcode and operand.

\n
08\n11\n0a ff\n10 09\n10 08\n0a 00\n10 02\n0f\n0a ff\n05\n0c 00 04 \n0e \n0d 00 04\n0e 0d 00 16 \n10 02 \n10 02 \n0c 00 07 0e 0a 01 01 0d 00 01 \n0e \n0f \n0f \n01 \n01 \n0d ff d9\n0e
\n\n

I got this far, but the remaining amount of processing was so huge that I gave up trying to trace it manually.

\n

So I decided to reimplement the binary and observe its behavior with print debugging.

\n

My Python version was not good enough to reproduce the behavior completely, so I wrote it in C instead.

\n

The code I wrote is as follows.

\n
#include <stdio.h>\n#include <stdlib.h>\n\nvoid main()\n{\n    char bVar1;\n    char bVar2;\n    int iVar3;\n    char *stack;\n    char local_30;\n    char local_2f;\n    uint i;\n    int j;\n    int k;\n    char *current_pic;\n    char *sp;\n    char *next_pic;\n\n    FILE *f;\n    void *prog;\n    long f_size;\n\n    // Read file\n    f = fopen(\"program\",\"r\");\n    if (f == (FILE *)0x0) {\n        prog = (void *)0x0;\n    }\n    else {\n        fseek(f,0,2);\n        f_size = ftell(f);\n        rewind(f);\n        prog = malloc(f_size);\n        if (prog == (void *)0x0) {\n            prog = (void *)0x0;\n        }\n        else {\n            fread(prog,1,f_size,f);\n            fclose(f);\n        }\n    }\n\n    // Run program\n    stack = (char *)malloc(0x1000);\n    current_pic = prog;\n    int start = (int)current_pic;\n    sp = stack;\n    while(1) {\n    if ((current_pic < prog) || (prog + f_size <= current_pic)) {\n        printf(\"Program terminated unexpectedly. Last instruction: 0x%04lx\\n\",\n                (long)current_pic - (long)prog);\n        return 1;\n    }\n    printf(\"[0x%x] OP:0x%x  \", current_pic - start, *current_pic);\n    next_pic = current_pic + 1;\n    switch(*current_pic) {\n    case 0:\n        return 0;\n    case 1:\n        printf(\"ADD %x, %x = %x\\n\", sp[-2], sp[-1], sp[-2] + sp[-1]);\n        sp[-2] = sp[-2] + sp[-1];\n        sp = sp + -1;\n        current_pic = next_pic;\n        break;\n    case 2:\n        printf(\"SUB %x, %x = %x\\n\", sp[-2], sp[-1], sp[-2] - sp[-1]);\n        sp[-2] = sp[-2] - sp[-1];\n        sp = sp + -1;\n        current_pic = next_pic;\n        break;\n    case 3:\n        printf(\"AND %x, %x = %x\\n\", sp[-2], sp[-1], sp[-2] & sp[-1]);\n        sp[-2] = sp[-2] & sp[-1];\n        sp = sp + -1;\n        current_pic = next_pic;\n        break;\n    case 4:\n        printf(\"OR %x, %x = %x\\n\", sp[-2], sp[-1], sp[-2] | sp[-1]);\n        sp[-2] = sp[-2] | sp[-1];\n        sp = sp + -1;\n        current_pic = next_pic;\n        break;\n    case 5:\n        printf(\"XOR %x, %x = %x\\n\", sp[-2], sp[-1], sp[-2] ^ sp[-1]);\n        sp[-2] = sp[-2] ^ sp[-1];\n        sp = sp + -1;\n        current_pic = next_pic;\n        break;\n    case 6:\n        printf(\"LSH %x, %x = %x\\n\", sp[-2], (sp[-1] & 0x1f), sp[-2] >> (sp[-1] & 0x1f));\n        sp[-2] = sp[-2] << (sp[-1] & 0x1f);\n        sp = sp + -1;\n        current_pic = next_pic;\n        break;\n    case 7:\n        printf(\"RSH %x, %x = %x\\n\", sp[-2], (sp[-1] & 0x1f), sp[-2] << (sp[-1] & 0x1f));\n        sp[-2] = (char)((int)(uint)sp[-2] >> (sp[-1] & 0x1f));\n        sp = sp + -1;\n        current_pic = next_pic;\n        break;\n    case 8:\n        iVar3 = getchar();\n        *sp = (char)iVar3;\n        printf(\"READ %c\\n\", *sp);\n        sp = sp + 1;\n        current_pic = next_pic;\n        break;\n    case 9:\n        sp = sp + -1;\n        printf(\"PUTCHAR %c\\n\", *sp);\n        // putchar((uint)*sp);\n        current_pic = next_pic;\n        break;\n    case 10:\n        printf(\"PUSH %x\\n\", *next_pic);\n        *sp = *next_pic;\n        sp = sp + 1;\n        current_pic = current_pic + 2;\n        break;\n    case 0xb:\n        if ((char)sp[-1] < '\\0') {\n            next_pic = next_pic + (*next_pic << 8 | current_pic[2]);\n        }\n        current_pic = next_pic;\n        current_pic = current_pic + 2;\n        printf(\"JPM %x\\n\", current_pic);\n        break;\n    case 0xc:\n        if (sp[-1] == 0) {\n            next_pic = next_pic + (*next_pic << 8 | current_pic[2]);\n        }\n        current_pic = next_pic;\n        current_pic = current_pic + 2;\n        printf(\"JPM %x\\n\", current_pic);\n        break;\n    case 0xd:\n        current_pic = next_pic + (*next_pic << 8 | current_pic[2]) + 2;\n        printf(\"JPM %x\\n\", current_pic);\n        break;\n    case 0xe:\n        printf(\"POP\\n\");\n        sp = sp + -1;\n        current_pic = next_pic;\n        break;\n    case 0xf:\n        printf(\"DUP %x\\n\", sp[-1]);\n        *sp = sp[-1];\n        sp = sp + 1;\n        current_pic = next_pic;\n        break;\n    case 0x10:\n        printf(\"REVERSE TOP %x\\n\", *next_pic);\n        current_pic = current_pic + 2;\n        bVar1 = *next_pic;\n        if ((long)sp - (long)stack < (long)(ulong)bVar1) {\n            printf(\"Stack underflow in reverse at 0x%04lx\\n\",(long)current_pic - (long)prog);\n        }\n        for (i = 0; (int)i < (int)(uint)(bVar1 >> 1); i = i + 1) {\n            bVar2 = sp[(int)(i - bVar1)];\n            sp[(int)(i - bVar1)] = sp[(int)~i];\n            sp[(int)~i] = bVar2;\n        }\n        break;\n    case 0x11:\n        printf(\"SPLIT BYTE TO BITS\\n\");\n        local_30 = sp[-1];\n        for (j = 0; j < 8; j = j + 1) {\n        (sp + -1)[j] = local_30 & 1;\n        local_30 = local_30 >> 1;\n        }\n        sp = sp + 7;\n        current_pic = next_pic;\n        break;\n    case 0x12:\n        printf(\"POP 8 VALUES, NEW VALUE = LSB OF LAST 8\\n\");\n        local_2f = 0;\n        for (k = 7; -1 < k; k = k + -1) {\n        local_2f = local_2f << 1 | (sp + -8)[k] & 1;\n        }\n        sp[-8] = local_2f;\n        sp = sp + -7;\n        current_pic = next_pic;\n        break;\n    default:\n        printf(\"Unknown opcode: 0x%02x at 0x%04lx\\n\",(ulong)*current_pic,\n                (long)current_pic - (long)prog);\n        return 1;\n    }\n    if (sp < stack) break;\n    if (stack + 0x1000 < sp) {\n        printf(\"Stack overflow at 0x%04lx\\n\",(long)current_pic - (long)prog);\n        return 1;\n    }\n    }\n    printf(\"Stack underflow at 0x%04lx\\n\",(long)current_pic - (long)prog);\n    return 1;\n}
\n

When I compiled and ran this, it eventually executed up to the instruction at offset 0xbed and printed the string Incorrect password!.

\n

\n \n \n \n \n \n \n \n \n

\n

From there, I could extract the keys, build a table in Python mapping each character to its transformed value, and use that to recover the flag.

\n

I wrote the following solver.

\n
import subprocess\n\nkey = [0xc6,0x8b,0xd9,0xcf,0x63,0x60,0xd8,0x7b,0xd8,0x60,0xf6,0xd3,0x7b,0xf6,0xd8,0xc1,0xcf,0xd0,0xf6,0x72,0x63,0x75,0xbe,0xf6,0x7f,0xd8,0x63,0xe7,0x6d,0xf6,0x63,0xcf,0xf6,0xd8,0xf6,0xd8,0x63,0xe7,0x6d,0xb4,0x88,0x72,0x70,0x75,0xb8,0x75]\nkey = key[::-1]\ntable = {}\n\nfor i in range(0x21, 0xfd):\n    cmd = 'echo \"{}\" | ./a.out | grep 0xb90 | cut -d \" \" -f 5'.format(chr(i))\n    result = subprocess.run(cmd, capture_output=True, shell=True)\n    table[result.stdout.decode().replace(\",\\n\", \"\")] = chr(i)\n\nfor k in key:\n    print(table[hex(k).replace(\"0x\", \"\")], end=\"\")
\n

Running this recovers the flag.

\n

\n \n \n \n \n \n \n \n \n

\n

Summary

\n

This time I really felt how lacking my pure reversing skills are.

\n

Just like in the recent Google CTF, I have been running into more and more problems lately that I still cannot solve even after reading writeups.

\n

To solve the kinds of problems I still cannot solve now and aim for a higher placement, I strongly feel that I need to build the raw ability to read binaries and understand their behavior, rather than relying on tool usage alone.

","fields":{"slug":"/ctf-uiuctf-2023-en","tagSlugs":["/tag/ctf-en/","/tag/rev-en/","/tag/english/"]},"frontmatter":{"date":"2023-07-05","description":"This is my writeup for UIUCTF 2023.","tags":["CTF (en)","Rev (en)","English"],"title":"UIUCTF 2023 Writeup","socialImage":{"publicURL":"/static/cb5ed04abfdd2e10f676bb43deb53b87/ctf-uiuctf-2023.png"}}}},"pageContext":{"slug":"/ctf-uiuctf-2023-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}