ForbiddenBITS CTF 2013 – Old 50 Write up

We were provided with a bin.bin file, which is 512 bytes in size. Running $ file bin.bin shows that the file is a boot sector.

In order to run the boot sector I followed an article from the developers of MikeOS (Note that I’ve linked to the Google Cache copy since the original site appears to be down).

So I downloaded a floppy disk image, renamed it to floppy.flp, and then I copied the boot sector of this challenge to the floppy disk image:

$ dd status=noxfer conv=notrunc if=bin.bin of=floppy.flp

Then I started QEMU using the floppy disk image containing the CTF boot sector:

$ qemu-system-i386 -fda floppy.flp

QEMU boots from our floppy disk image, and the boot sector asks for a password:

[image: boot-sector]

Burning a bootloader to an Arduino Nano using another Arduino

Recently I bought a cheap clone of the Arduino Nano from the Chinese site Deal Extreme. Unfortunately, that product (SKU 81877) comes without a bootloader. The main sign that the Arduino doesn’t have a bootloader is that the “L” LED, next to the Power LED, doesn’t blink when the Arduino is connected to the power source or when the Reset button is pressed.

It is possible to use your Arduino without a bootloader, but it won’t work with the Arduino IDE and you will need an external AVR Programmer like this one in order to upload sketches.

So I needed to follow two main steps in order to get my Arduino Nano working without buying an AVR programmer:

  1. Solder the six ICSP pins. These pins are provided in the same package, but you need to solder them to the Arduino board.
  2. Use another Arduino (a working one) as an ISP programmer in order to burn a bootloader onto the non-working one. I borrowed another Arduino Nano from my friend Nahuel (let me say thank you to him and Dani, who helped me with all of this), but other models should work too.

The Arduino board I bought looked like this. Notice that the ICSP header slot, highlighted in red, doesn’t have any pins soldered to it:

[image: icsp]

Nullcon HackIM CTF 2013 – Reverse Engineering 300 Write up

Reverse Engineering 300

This Reverse Engineering challenge was a virtual machine implemented in JavaScript:

/*
	+---------------------------+
	| Custom Javascript Crackme |
	+---------------------------+

[+] Tested on : Safari, Google-Chrome, Opera, Firefox. (IE ?? O..puhleez!)
[+] No obfuscation, nothing. Just plain code. 🙂
[?] Should be an easy one, eh? 😉
[+] Best of luck!
(c) HackIM2013

*/

var key=[];     // input characters, filled by setup() from the "key" field
var code=[901, 340, 505, 140, 305, 461, 901, 722, 340, 539, 723, 241, 339, 540, 238, 142, 342, 901, 722, 901, 722, 606, 000, 542, 243, 243, 244, 340, 830, 653, 553, 140, 145, 353, 546, 140, 653, 000, 17, 10, 000, 001, 000, 400, 60, 459, 41, 22, 76, 76, 75, 75, 37, 417, 560, 140, 145, 360, 547, 140, 417, 567, 140, 145, 367, 548, 140, 417, 574, 140, 145, 374, 549, 140, 417, 581, 140, 145, 381, 550, 140, 417, 588, 140, 145, 388, 551, 140, 417, 595, 140, 145, 395, 552, 140, 417, 423];   // program and data of the VM (self-modifying)
var output=[];  // characters emitted by 902 (OUT)

function msg()
{
	var message=output.toString().replace(/\,/gi,"");
	document.getElementById("key").value=message;
}

// Little Man Computer: every cell is a 3-digit number; the hundreds digit is the
// opcode and the last two digits are the "mailbox" (memory address) it refers to.
function LMC()
{
	var accumulator=0;
	var inp_counter=0;
	var code_counter=0;
	var pc=code[code_counter];
	while(code[code_counter]>0)
	{
		pc=code[code_counter];
		var mailbox=parseInt(pc%100);
		var opcode=parseInt(pc/100);
		switch(opcode)
		{
			case 1: // ADD: accumulator += code[mailbox]
				accumulator=accumulator+code[mailbox];
				code_counter++;
				break;
			case 2: // SUB: accumulator -= code[mailbox]
				accumulator=accumulator-code[mailbox];
				code_counter++;
				break;
			case 3: // STA: store the accumulator (can overwrite instructions)
				code[mailbox]=accumulator;
				code_counter++;
				break;
			case 5: // LDA: load the accumulator from code[mailbox]
				accumulator=code[mailbox];
				code_counter++;
				break;
			case 6: // BRA: unconditional jump
				code_counter=mailbox;
				break;
			case 7: // BRZ: jump if accumulator == 0
				if(accumulator==0)
					{code_counter=mailbox;}
				else{code_counter++;}
				break;
			case 8: // BRP: jump if accumulator >= 0
				if(accumulator>=0)
					{code_counter=mailbox;}
				else{code_counter++;}
				break;
			case 9: // 901 = INP (next key char, 0 when the key is exhausted), 902 = OUT
				if(pc==901)
				{
					if(inp_counter<key.length)
					{
						accumulator=key[inp_counter];
						inp_counter++;
					}
					else
					{
						accumulator=0;
					}
				}
				else if(pc== 902)
				{
					output.push(String.fromCharCode(accumulator));
				}
				code_counter++;
				break;
			case 0: // HLT: zeroing code[0] and jumping there ends the while loop
				code[0]=0;
				code_counter=0;
				break;
			default: // any other opcode (4) halts the same way
				code[0]=0;
				code_counter=0;
				break;
		}
	}
}

function setup()
{
	var temp=document.getElementById("key").value;
	for(var i=0; i<temp.length; ++i)
	{
		key.push(temp.charCodeAt(i));
	}
	LMC();
	msg();
}

Let’s dissect this virtual machine!
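To study the program outside a browser, here is an added example (my code, not the challenge's or the write-up's): the same interpreter with the DOM removed, plus a disassembler that prints every cell of the `code` array as a Little Man Computer instruction. The opcode meanings are the ones LMC() implements; `run` works on a copy of the array so it can be called repeatedly.

```javascript
// Added example (mine, not the challenge's or the write-up's code): the LMC()
// interpreter re-implemented without the DOM, plus a disassembler, so the
// `code` array can be run and read from Node. Opcode semantics follow LMC():
// 1 ADD, 2 SUB, 3 STA, 5 LDA, 6 BRA, 7 BRZ, 8 BRP, 901 INP, 902 OUT; opcode
// 0 or 4 zeroes code[0] and resets the counter, which ends the loop (halt).
const CODE = [901, 340, 505, 140, 305, 461, 901, 722, 340, 539, 723, 241, 339, 540, 238, 142, 342, 901, 722, 901, 722, 606, 0, 542, 243, 243, 244, 340, 830, 653, 553, 140, 145, 353, 546, 140, 653, 0, 17, 10, 0, 1, 0, 400, 60, 459, 41, 22, 76, 76, 75, 75, 37, 417, 560, 140, 145, 360, 547, 140, 417, 567, 140, 145, 367, 548, 140, 417, 574, 140, 145, 374, 549, 140, 417, 581, 140, 145, 381, 550, 140, 417, 588, 140, 145, 388, 551, 140, 417, 595, 140, 145, 395, 552, 140, 417, 423];   // same values as the challenge's `code`
const MNEMONIC = { 1: 'ADD', 2: 'SUB', 3: 'STA', 5: 'LDA', 6: 'BRA', 7: 'BRZ', 8: 'BRP' };

// One line per cell: address, raw value, mnemonic. Cells that are not valid
// instructions are shown as DAT; the VM is self-modifying, so code and data overlap.
function disassemble(code) {
  return code.map((cell, addr) => {
    const op = Math.floor(cell / 100), mb = cell % 100;
    let text;
    if (cell === 901) text = 'INP';
    else if (cell === 902) text = 'OUT';
    else if (MNEMONIC[op]) text = `${MNEMONIC[op]} ${mb}`;
    else text = `DAT ${cell}`;
    return `${String(addr).padStart(2, '0')}: ${String(cell).padStart(3, '0')}  ${text}`;
  });
}

// Run the VM on a copy of `code` (LMC() mutates the global) with the given
// input string; returns everything OUT emitted.
function run(code, keyString) {
  const mem = code.slice();
  const key = Array.from(keyString, c => c.charCodeAt(0));
  const out = [];
  let acc = 0, ip = 0, inp = 0;
  while (mem[ip] > 0) {
    const pc = mem[ip], op = Math.floor(pc / 100), mb = pc % 100;
    switch (op) {
      case 1: acc += mem[mb]; ip++; break;
      case 2: acc -= mem[mb]; ip++; break;
      case 3: mem[mb] = acc; ip++; break;
      case 5: acc = mem[mb]; ip++; break;
      case 6: ip = mb; break;
      case 7: ip = acc === 0 ? mb : ip + 1; break;
      case 8: ip = acc >= 0 ? mb : ip + 1; break;
      case 9:
        if (pc === 901) acc = inp < key.length ? key[inp++] : 0;
        else if (pc === 902) out.push(String.fromCharCode(acc));
        ip++; break;
      default: mem[0] = 0; ip = 0;     // opcode 0 or 4: halt, as LMC() does
    }
  }
  return out.join('');
}

console.log(disassemble(CODE).join('\n'));
```

The listing makes the self-modification visible right away: cell 05 holds 461, which is not a valid instruction until STA 5 at address 04 overwrites it with 461 plus the first input character.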

Nullcon HackIM CTF 2013 – Reverse Engineering 100 Write up

Reverse Engineering 100

We were provided with this highly obfuscated code:

''=~('('.'?'.'{'.('`'|'%').('['^'-').('`'|'!').('`'|',').'"'.('['^'.').('['^'(').('`'|'%').('{'^'[')
.('['^'(').('['^'/').('['^')').('`'|')').('`'|'#').('['^'/').';'.('['^'.').('['^'(').('`'|'%').('{'^
'[').('['^',').('`'|'!').('['^')').('`'|'.').('`'|')').('`'|'.').('`'|"'").('['^'(').';'.('`'|')').(
'`'|'&').'('.'\\'.'$'.'#'.('`'^'!').('{'^')').('`'^"'").('{'^'-').'='.'='.('^'^('`'|','))."\)".'\\'.
'{'.('`'|')').('`'|'&').'('.'\\'.'$'.('`'^'!').('{'^')').('`'^"'").('{'^'-').'['.('^'^('`'|'.')).']'
.'.'.'\\'.'$'.('`'^'!').('{'^')').('`'^"'").('{'^'-').'['.('^'^('`'|'/')).']'.('`'|'%').('['^('*')).
'\\'.'$'.('`'^'%').('`'^'.').('{'^'-').'\\'.'{'."'".('{'^'.').('{'^'(').('`'^'%').('{'^')')."'".'\\'
.'}'.')'.'\\'.'{'.('['^'+').('['^')').('`'|')').('`'|'.').('['^'/').'\\'.'"'.('`'^'&').('`'|(',')).(
'`'|'!').('`'|"'").'='."'".('`'^"'").('`'|'/').('`'|',').('`'|'$').('`'|'%').('`'|'.').('`'^('$')).(
'`'|'!').('['^'"').('['^'(').('`'^'!').('['^')').('`'|'%').('`'^'"').('`'|'!').('`'|'#').('`'|"\+").
"'".'\\'.'"'.'\\'.'}'.'\\'.'}'.'"'.'}'.')');$:='.'^'~';$~='@'|'(';$^=')'^'[';$/='`'|'.';$,='('^"\}";

It looks like a lot of bitwise XOR and OR operations between single characters, plus a bunch of string concatenations.
This is probably Perl or PHP code, and since I’m not fluent in either of them I decided to translate it to Python code to better understand it.
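Another way to read such code, as an added example (my code, not the write-up's Python translation): evaluate the string operators directly. In Perl, `|` and `^` applied to strings work byte by byte, so every parenthesised pair collapses to one character and `.` joins them. The small parser below does exactly that on the first two lines of the obfuscated expression.

```javascript
// Added example (mine, not from the write-up): decode the obfuscated Perl by
// evaluating its string operators. Perl's | and ^ work bytewise on strings, so
// ('`'|'%') is 'e' and ('['^'-') is 'v'; '.' concatenates and binds tighter.
//   bitwise := concat (('|' | '^') concat)*   concat := atom ('.' atom)*
//   atom    := 'lit' | "lit" | '(' bitwise ')'
function decodePerlStringExpr(src) {
  let i = 0;
  const ws = () => { while (i < src.length && /\s/.test(src[i])) i++; };
  const literal = () => {            // quoted string; \x is read as x, which
    const q = src[i++];              // is right for the \\ \) \} \+ used here
    let out = '';
    while (src[i] !== q) {
      if (src[i] === '\\') i++;
      out += src[i++];
    }
    i++;                             // closing quote
    return out;
  };
  const atom = () => {
    ws();
    if (src[i] === '(') { i++; const v = bitwise(); ws(); i++; return v; }
    return literal();
  };
  const concat = () => {
    let v = atom();
    for (;;) { ws(); if (src[i] !== '.') return v; i++; v += atom(); }
  };
  const bitwise = () => {
    let v = concat();
    for (;;) {
      ws();
      const op = src[i];
      if (op !== '|' && op !== '^') return v;
      i++; const r = concat();
      let o = '';
      for (let k = 0; k < Math.max(v.length, r.length); k++) {
        const a = v.charCodeAt(k) || 0, b = r.charCodeAt(k) || 0;
        o += String.fromCharCode(op === '|' ? a | b : a ^ b);
      }
      v = o;
    }
  };
  return bitwise();
}
// Constructed sample: the challenge expression's first two lines, without the
// leading ''=~( and cut after the first ';' it produces.
const SAMPLE = `'('.'?'.'{'.('\`'|'%').('['^'-').('\`'|'!').('\`'|',').'"'.('['^'.').('['^'(').('\`'|'%').('{'^'[')
.('['^'(').('['^'/').('['^')').('\`'|')').('\`'|'#').('['^'/').';'`;
console.log(decodePerlStringExpr(SAMPLE));   // (?{eval"use strict;
```

The decoded prefix `(?{eval"...` shows the mechanism: the `''=~(...)` match builds a regex whose `(?{ })` block runs the recovered Perl source.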

Nullcon HackIM 2013 CTF – Trivia 100/200/400/500 Write ups

Trivia 100
What feature, introduced in DirectX 11, makes in-game textures appear rounder and better defined?

Answer [from http://en.wikipedia.org/wiki/DirectX#DirectX_11]:

Microsoft unveiled DirectX 11 at the Gamefest 08 event in Seattle, with the major scheduled features including GPGPU support (DirectCompute), and Direct3D11 with tessellation support.

So the flag for Trivia 100 was: tessellation

Trivia 200
What socket was used in the first Sandy Bridge chips?