Skip to content

Instantly share code, notes, and snippets.

@theKidOfArcrania

theKidOfArcrania/disasm

Created December 2, 2020 19:25
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save theKidOfArcrania/52e868ec7bac8cf6c089862c14ef7ab6 to your computer and use it in GitHub Desktop.
Save theKidOfArcrania/52e868ec7bac8cf6c089862c14ef7ab6 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
disasm
0000: r0 = 0x217000
0002: SYS_mmap(r0, 0x1, 0x7, 0x22, 0x0, 0x0)
0003: SYS_read(0x0, 0x217000, 0x20)
0004: init_sigstruct()
0024: init_sighand()
0050: r0 = 0x217050
0052: SYS_rt_sigaction(0x1f, r0, 0x0)
0053: SYS_prctl(0x26, 0x1, 0x0, 0x0, PASS)
0054: init_seccomp()
0294: SYS_prctl(0x16, 0x2, 0x217050, PASS, r0)
0295: r2 = 0x69a33fff
0297: r3 = 0x468932dc
0299: r4 = 0x2b0b575b
029b: r5 = 0x1e8b51cc
029d: memcpy(&r6, 0x217000, 0x10)
029f: r0 = 0xffffffff
02a1: r6 = (uint64_t) r0 & r6
02ab: memcpy(&r7, 0x217004, 0x10)
02ad: r0 = 0xffffffff
02af: r7 = (uint64_t) r0 & r7
02b9: r8 = 0x0
02bb: r9 = 0x51fdd41a
02bd: r10 = 0x0
02bf: r8 = r8 + r9
02c7: r11 = shuffle(inp=r7, key1=r2, key2=r3, round=r8)
02ff: r6 = r6 + r11
0307: r11 = shuffle(inp=r6, key1=r4, key2=r5, round=r8)
033f: r7 = r7 + r11
0347: r10 = r10 + 0x1
034f: r11 = r10 >> 0x5
0357: r11 = 0x1 - r11
035f: bne r11, 0x02bf
036a: *(0x217050) = r6
036e: *(0x217054) = r7
0372: r2 = 0x32e57ab6
0374: r3 = 0x7785df55
0376: r4 = 0x688620f9
0378: r5 = 0x8df954f3
037a: memcpy(&r6, 0x217008, 0x10)
037c: r0 = 0xffffffff
037e: r6 = (uint64_t) r0 & r6
0388: memcpy(&r7, 0x21700c, 0x10)
038a: r0 = 0xffffffff
038c: r7 = (uint64_t) r0 & r7
0396: r8 = 0x0
0398: r9 = 0x5c37a6db
039a: r10 = 0x0
039c: r8 = r8 + r9
03a4: r11 = shuffle(inp=r7, key1=r2, key2=r3, round=r8)
03dc: r6 = r6 + r11
03e4: r11 = shuffle(inp=r6, key1=r4, key2=r5, round=r8)
041c: r7 = r7 + r11
0424: r10 = r10 + 0x1
042c: r11 = r10 >> 0x5
0434: r11 = 0x1 - r11
043c: bne r11, 0x039c
0447: *(0x217058) = r6
044b: *(0x21705c) = r7
044f: r2 = 0xaca81571
0451: r3 = 0x2c19574f
0453: r4 = 0x1bd1fc38
0455: r5 = 0x14220605
0457: memcpy(&r6, 0x217010, 0x10)
0459: r0 = 0xffffffff
045b: r6 = (uint64_t) r0 & r6
0465: memcpy(&r7, 0x217014, 0x10)
0467: r0 = 0xffffffff
0469: r7 = (uint64_t) r0 & r7
0473: r8 = 0x0
0475: r9 = 0xb4f0b4fb
0477: r10 = 0x0
0479: r8 = r8 + r9
0481: r11 = shuffle(inp=r7, key1=r2, key2=r3, round=r8)
04b9: r6 = r6 + r11
04c1: r11 = shuffle(inp=r6, key1=r4, key2=r5, round=r8)
04f9: r7 = r7 + r11
0501: r10 = r10 + 0x1
0509: r11 = r10 >> 0x5
0511: r11 = 0x1 - r11
0519: bne r11, 0x0479
0524: *(0x217060) = r6
0528: *(0x217064) = r7
052c: r2 = 0x33f33fe0
052e: r3 = 0xf9de7e36
0530: r4 = 0xe9ab109d
0532: r5 = 0x8d4f04b2
0534: memcpy(&r6, 0x217018, 0x10)
0536: r0 = 0xffffffff
0538: r6 = (uint64_t) r0 & r6
0542: memcpy(&r7, 0x21701c, 0x10)
0544: r0 = 0xffffffff
0546: r7 = (uint64_t) r0 & r7
0550: r8 = 0x0
0552: r9 = 0xd3c45f8c
0554: r10 = 0x0
0556: r8 = r8 + r9
055e: r11 = shuffle(inp=r7, key1=r2, key2=r3, round=r8)
0596: r6 = r6 + r11
059e: r11 = shuffle(inp=r6, key1=r4, key2=r5, round=r8)
05d6: r7 = r7 + r11
05de: r10 = r10 + 0x1
05e6: r11 = r10 >> 0x5
05ee: r11 = 0x1 - r11
05f6: bne r11, 0x0556
0601: *(0x217068) = r6
0605: *(0x21706c) = r7
0609: memcpy(&r9, 0x217050, 0x10)
060b: r2 = 0x0
060d: r3 = r9 ^ 0x152ceed2
0615: r2 = r2 | r3
061d: memcpy(&r9, 0x217054, 0x10)
061f: r2 = 0x0
0621: r3 = r9 ^ 0xd6046dc3
0629: r2 = r2 | r3
0631: memcpy(&r9, 0x217058, 0x10)
0633: r2 = 0x0
0635: r3 = r9 ^ 0x4a9d3ffd
063d: r2 = r2 | r3
0645: memcpy(&r9, 0x21705c, 0x10)
0647: r2 = 0x0
0649: r3 = r9 ^ 0xbb541082
0651: r2 = r2 | r3
0659: memcpy(&r9, 0x217060, 0x10)
065b: r2 = 0x0
065d: r3 = r9 ^ 0x632a4f78
0665: r2 = r2 | r3
066d: memcpy(&r9, 0x217064, 0x10)
066f: r2 = 0x0
0671: r3 = r9 ^ 0xa9cb93d
0679: r2 = r2 | r3
0681: memcpy(&r9, 0x217068, 0x10)
0683: r2 = 0x0
0685: r3 = r9 ^ 0x58aae351
068d: r2 = r2 | r3
0695: memcpy(&r9, 0x21706c, 0x10)
0697: r2 = 0x0
0699: r3 = r9 ^ 0x92012a14
06a1: r2 = r2 | r3
06a9: r3 = 0x0 - r2
06b1: r2 = r2 & r3
06b9: r3 = r2 / 0x3
06c1: r3 = r3 * 0x3
06c9: r2 = r2 - r3
06d1: r2 = 0x2 ^ r2
06d9: r2 = r2 >> 0x1
06e1: *(0x217050) = 0x676e6f43
06e5: *(0x217054) = 0x75746172
06e9: *(0x217058) = 0x6974616c
06ed: *(0x21705c) = 0x21736e6f
06f1: *(0x217060) = 0x72654820
06f5: *(0x217064) = 0x73692065
06f9: *(0x217068) = 0x756f7920
06fd: *(0x21706c) = 0x6c662072
0701: *(0x217070) = 0x203a6761
0705: *(0x217020) = 0xa
0709: SYS_write(r2, 0x217050, 0x24)
070a: SYS_write(r2, 0x217000, 0x21)
Raw
disasm.py
from pwn import constants as cst, context
import struct
import collections
context.arch = 'amd64'
class Matcher:
def _match(self, vals, ctx):
raise ValueError('Abstract method')
def __repr__(self): return str(self)
class FieldsDict(Matcher):
def __init__(self, **fields):
self.fields = fields
def _match(self, val, ctx):
for key, fldPatt in self.fields.items():
fld = val[key]
if not match(fld, fldPatt, ctx): return False
return True
def __str__(self): return 'MI' + str(self.fields)
class Fields(Matcher):
def __init__(self, **fields):
self.fields = fields
def _match(self, val, ctx):
for key, fldPatt in self.fields.items():
fld = getattr(val, key)
if not match(fld, fldPatt, ctx): return False
return True
def __str__(self): return 'M' + str(self.fields)
class List(Matcher):
def __init__(self, *vals):
self.vals = vals
def __len__(self):
return len(self.vals)
def _match(self, vals, ctx):
if len(vals) != len(self.vals):
raise ValueError('Unexhaustable pattern matching')
for v, p in zip(vals, self.vals):
if not match(v, p, ctx): return False
return True
def __str__(self): return 'M' + str(self.vals)
class Wildcard(Matcher):
def __init__(self): pass
def _match(self, val, ctx): return True
def __str__(self): return '_'
class Var(Matcher):
def __init__(self, name):
self.name = name
def _match(self, val, ctx):
if self.name in ctx:
if ctx[self.name] != val:
return False
else:
ctx[self.name] = val
return True
def __str__(self): return 'var_' + self.name
def match(val, pattern, ctx=None):
if ctx == None:
ctx = {'_matched': True}
if isinstance(pattern, Matcher) and val != None:
ret = pattern._match(val, ctx)
else:
ret = (val == pattern)
if ret: return ctx
else: return None
sys_consts = {}
for name in dir(cst):
if name.startswith('SYS_'):
sys_consts[getattr(cst, name)] = name
sys_args = {}
sys_useless = set()
sys_args[cst.SYS_set_tid_address] = 1
sys_args[cst.SYS_prctl] = 5
sys_args[cst.SYS_read] = 3
sys_args[cst.SYS_write] = 3
sys_args[cst.SYS_rt_sigaction] = 3
sys_ops = {
cst.SYS_getpgrp: '*',
cst.SYS_getpid: '+',
cst.SYS_getuid: '>>',
cst.SYS_getegid: '-',
cst.SYS_getgid: '&',
cst.SYS_geteuid: '^',
cst.SYS_gettid: '|',
cst.SYS_getppid: '<<',
cst.SYS_fork: '/',
}
class Bits:
def __init__(self, val):
self.val = val
def get(self, size):
ret = self.val & ((1<<size) - 1)
self.val >>= size
return ret
class Arg:
def __init__(self, pc, bits):
self.mode = bits.get(2)
if self.mode == 0: # REG
self.val = bits.get(4)
if self.val == 15:
self.mode = 2
self.val = pc
self._repr = hex(self.val) + '(pc)'
else:
self._repr = 'r' + str(self.val)
elif self.mode == 1: # REG REF
self.val = bits.get(4)
if self.val == 15:
self._repr = '&pc'
else:
self._repr = f'&r{self.val}'
elif self.mode == 2: # IMM
sz = bits.get(5)
self.val = bits.get(sz + 1)
self._repr = hex(self.val)
else:
self.val = 0
self._repr = 'PASS'
def __eq__(self, other): return type(self) == type(other) and self._repr == other._repr
def __str__(self): return self._repr
def __repr__(self): return self._repr
class Oper:
def __init__(self, op, a1, a2, a3):
self.sysnum = -2
self.op = op
self.a1 = a1
self.a2 = a2
self.a3 = a3
self._repr = f'PUSH {self.a1} {self.op} {self.a2}, SHL {self.a3}'
def __str__(self): return self._repr
def __repr__(self): return self._repr
def lvalOpStr(lval):
if lval.mode == 0:
lval = '*' + str(lval)
elif lval.mode == 1:
lval = str(lval)[1:]
else:
lval = f'*({lval})'
return lval
class Bne(collections.namedtuple('Bne', ['reg', 'target'])):
def __init__(self, *args, **kwargs):
self.sysnum = -6
self._repr = f'bne {self.reg}, 0x{self.target:04x}'
def __str__(self): return self._repr
def __repr__(self): return self._repr
class OperAssign(collections.namedtuple('OperAssign', ['cast', 'op', 'dst', 'src1', 'src2'])):
def __init__(self, *args, **kwargs):
self.sysnum = -3
self._repr = f'{lvalOpStr(self.dst)} = {self.cast}{self.src1} {self.op} {self.src2}'
def __str__(self): return self._repr
def __repr__(self): return self._repr
class Copy(collections.namedtuple('OperAssign', ['lval', 'rval'])):
def __init__(self, *args, **kwargs):
self.sysnum = -4
self._repr = f'memcpy({self.lval}, {self.rval}, 0x10)'
def __str__(self): return self._repr
def __repr__(self): return self._repr
class Assign(collections.namedtuple('Assign', ['lval', 'rval'])):
def __init__(self, *args, **kwargs):
self.sysnum = -1
self._repr = f'{lvalOpStr(self.lval)} = {self.rval}'
def __str__(self): return self._repr
def __repr__(self): return self._repr
class Special():
def __init__(self, _name, *args, **kwargs):
self.sysnum = -5
self.name = _name
self.args = args
self.kwargs = kwargs
lst = list(map(str, self.args)) + [f'{k}={v}' for k, v in kwargs.items()]
lst = ', '.join(lst)
self._repr = f'{self.name}({lst})'
def __str__(self): return self._repr
def __repr__(self): return self._repr
Insn_ = collections.namedtuple('Insn', ['sysnum', 'a1', 'a2', 'a3', 'a4', 'a5', 'a6'])
class Insn(Insn_):
def __str__(self):
sys = sys_consts[self.sysnum]
args = self[1:][:sys_args.get(self.sysnum, 6)]
args = ', '.join(map(str, args))
return f'{sys}({args})'
def fetchInsn(pc, insn):
b = Bits(insn)
return Insn(b.get(8), *[Arg(pc, b) for i in range(6)])
def p_opasgn(dst, src1, op, src2):
return Fields(sysnum=-3, op=op, dst=dst, src1=src1, src2=src2)
def p_asgn(lval, rval): return Fields(sysnum=-1, lval=lval, rval=rval)
def p_reg(r): return Fields(mode=0, val=r)
def p_xreg(r): return Fields(mode=1, val=r)
def p_imm(v): return Fields(mode=2, val=v)
bc = open('./sop_bytecode', 'rb').read()
insns = [fetchInsn(pc, insn) for (pc, (insn,)) in
enumerate(struct.iter_unpack('<Q', bc))]
p_assign2 = List(
Fields(sysnum=cst.SYS_set_tid_address, a1=Var('rval')),
Fields(sysnum=cst.SYS_prctl, a1=Fields(mode=2, val=0x28), a2=Var('lval')))
p_assign4 = List(
Fields(sysnum=-1, lval=Fields(mode=1, val=Var('_reg')), rval=Var('lval')), None,
Fields(sysnum=-1, lval=Fields(mode=0, val=Var('_reg')), rval=Var('rval')), None)
p_copy16 = List(
Fields(sysnum=cst.SYS_prctl, a1=Fields(mode=2, val=0x0f), a2=Var('rval')),
Fields(sysnum=cst.SYS_prctl, a1=Fields(mode=2, val=0x10), a2=Var('lval')))
p_oper32 = List(
Fields(sysnum=-1, lval=Fields(mode=2, val=0x217022),
rval=Var('dst')), None,
Fields(sysnum=-1, lval=Fields(mode=1, val=0), rval=Var('src1')), None,
Fields(sysnum=-1, lval=Fields(mode=1, val=1), rval=Var('src2')), None,
Fields(sysnum=-2, op=Var('op'), a1=Fields(mode=0, val=0),
a2=Fields(mode=0, val=1), a3=Fields(mode=2, val=0)),
Fields(sysnum=-2, op=Var('op'), a1=Fields(mode=0, val=0),
a2=Fields(mode=0, val=1), a3=Fields(mode=2, val=0x10))
)
p_oper32_64 = List(
Fields(sysnum=-1, lval=Fields(mode=2, val=0x217022),
rval=Var('dst')), None,
Fields(sysnum=-1, lval=Fields(mode=1, val=0), rval=Var('src1')), None,
Fields(sysnum=-1, lval=Fields(mode=1, val=1), rval=Var('src2')), None,
Fields(sysnum=-2, op=Var('op'), a1=Fields(mode=0, val=0),
a2=Fields(mode=0, val=1), a3=Fields(mode=2, val=0)),
Fields(sysnum=-2, op=Var('op'), a1=Fields(mode=0, val=0),
a2=Fields(mode=0, val=1), a3=Fields(mode=2, val=0x10)),
Fields(sysnum=-2, op=Wildcard(), a1=Fields(mode=2, val=0),
a2=Fields(mode=2, val=0), a3=Wildcard()),
Fields(sysnum=-2, op=Wildcard(), a1=Fields(mode=2, val=0),
a2=Fields(mode=2, val=0), a3=Wildcard())
)
p_shuffle = List(
p_opasgn(p_xreg(11), Var('inp'), '<<', p_imm(4)), *[None] * 7,
p_opasgn(p_xreg(11), p_reg(11), '+', Var('key1')), *[None] * 7,
p_opasgn(p_xreg(12), Var('inp'), '>>', p_imm(5)), *[None] * 7,
p_opasgn(p_xreg(12), p_reg(12), '+', Var('key2')), *[None] * 7,
p_opasgn(p_xreg(11), p_reg(11), '^', p_reg(12)), *[None] * 7,
p_opasgn(p_xreg(12), Var('inp'), '+', Var('round')), *[None] * 7,
p_opasgn(p_xreg(11), p_reg(11), '^', p_reg(12)), *[None] * 7,
)
p_myst = List(
p_asgn(p_xreg(2), p_imm(Var('key1'))), None,
p_asgn(p_xreg(3), p_imm(Var('key2'))), None,
p_asgn(p_xreg(4), p_imm(Var('key3'))), None,
p_asgn(p_xreg(5), p_imm(Var('key4'))), None,
Fields(sysnum=-4, lval=p_xreg(6), rval=p_imm(Var('inp1'))), None,
p_asgn(p_xreg(0), p_imm(0xffffffff)), None,
p_opasgn(p_xreg(6), p_reg(0), '&', p_reg(6)), *[None] * 9,
Fields(sysnum=-4, lval=p_xreg(7), rval=p_imm(Var('inp2'))), None,
p_asgn(p_xreg(0), p_imm(0xffffffff)), None,
p_opasgn(p_xreg(7), p_reg(0), '&', p_reg(7)), *[None] * 9,
p_asgn(p_xreg(8), p_imm(0)), None,
p_asgn(p_xreg(9), p_imm(Var('x5'))), None,
p_asgn(p_xreg(10), p_imm(0)), None,
p_opasgn(p_xreg(8), p_reg(8), '+', p_reg(9)), *[None] * 7,
Fields(sysnum=-5, name='r11 = shuffle'), *[None] * 55,
p_opasgn(p_xreg(6), p_reg(6), '+', p_reg(11)), *[None] * 7,
Fields(sysnum=-5, name='r11 = shuffle'), *[None] * 55,
p_opasgn(p_xreg(7), p_reg(7), '+', p_reg(11)), *[None] * 7,
p_opasgn(p_xreg(10), p_reg(10), '+', p_imm(1)), *[None] * 7,
p_opasgn(p_xreg(11), p_reg(10), '>>', p_imm(5)), *[None] * 7,
p_opasgn(p_xreg(11), p_imm(1), '-', p_reg(11)), *[None] * 7,
Fields(sysnum=-6), *[None] * 10,
p_asgn(p_imm(Var('oup1')), p_reg(6)), *[None] * 3,
p_asgn(p_imm(Var('oup2')), p_reg(7)))
p_bne = List(
p_opasgn(p_xreg(Var('reg')), p_reg(Var('reg')), '*', p_imm(Var('off'))),
*[None] * 7,
p_asgn(p_imm(0x217022), p_xreg(15)), None,
Fields(sysnum=-2, op='-', a1=p_imm(Var('pc')), a2=p_reg(Var('reg')),
a3=p_imm(0))
)
sigstruct = [0x217020, 0x0, 0x4000004, 0x0, 0x217044, 0x0, 0x0, 0x0]
sighand = [0x342cb948, 0x95f5793a, 0x568b3f84, 0x11896604, 0xeb0d8d48,
0x48ffffff, 0xff4801ff, 0xccccc301, 0xcccccccc, 0xfb0c031, 0xcccc050f]
seccomp = [0x47, None, 0x217060, None, 0x20, 0x0, 0xd0035, 0x40000000, 0xa0015,
0x1, 0x200015, 0x68, 0x150015, 0x66, 0x280015, 0xba, 0xe0015, 0x27,
0x170015, 0x6c, 0x70015, 0x6f, 0x290015, 0x6e, 0x1e0015, 0x6b, 0x2c0015,
0x39, 0x6, 0x7fff0000, 0x20, 0x10, 0x37000015, 0x0, 0x6, 0x0, 0x20,
0x18, 0x7, 0x0, 0x20, 0x10, 0x2c, 0x0, 0x28280015, 0x0, 0x20, 0x18, 0x7,
0x0, 0x20, 0x10, 0xc, 0x0, 0x23230015, 0x0, 0x20, 0x18, 0x7, 0x0, 0x20,
0x10, 0x7c, 0x0, 0x1e1e0015, 0x0, 0x20, 0x18, 0x7, 0x0, 0x20, 0x10,
0x1c, 0x0, 0x19190015, 0x0, 0x20, 0x18, 0x7, 0x0, 0x20, 0x10, 0x5c, 0x0,
0x14140015, 0x0, 0x20, 0x18, 0x7, 0x0, 0x20, 0x10, 0xac, 0x0, 0xf0f0015,
0x0, 0x20, 0x18, 0x7, 0x0, 0x20, 0x10, 0x4c, 0x0, 0xa0a0015, 0x0, 0x20,
0x18, 0x7, 0x0, 0x20, 0x10, 0x6c, 0x0, 0x5050015, 0x0, 0x20, 0x18, 0x7,
0x0, 0x20, 0x10, 0x3c, 0x0, 0x15, 0x0, 0x2, 0x0, 0x20, 0x20, 0x7, 0x0,
0x60, 0x0, 0x7c, 0x0, 0x1, 0x30000, 0x54, 0xffff, 0x4c, 0x0, 0x16, 0x0,
0x6, 0x7fff0000]
def match_write(base, data):
insns = []
for i, word in enumerate(data):
if word == None: continue
insns += [Fields(sysnum=-1, lval=Fields(mode=2, val=base + i * 4),
rval=Fields(mode=2, val=word)), None, None, None]
return List(*insns)
rw_assign = lambda ctx: Assign(**ctx)
rewrites = [
(p_assign2, rw_assign),
(p_assign4, rw_assign),
(p_oper32_64, lambda ctx: OperAssign(cast='(uint64_t) ', **ctx)),
(p_oper32, lambda ctx: OperAssign(cast='', **ctx)),
(p_copy16, lambda ctx: Copy(**ctx)),
(p_shuffle, lambda ctx: Special('r11 = shuffle', **ctx)),
(p_bne, lambda ctx: Bne(reg='r' + str(ctx['reg']),
target=ctx['pc'] - ctx['off'] + 1)),
(p_myst, lambda ctx: Special('full_shuffle', **ctx)),
(match_write(0x217050, sigstruct), lambda ctx: Special('init_sigstruct')),
(match_write(0x217020, sighand), lambda ctx: Special('init_sighand')),
(match_write(0x217050, seccomp), lambda ctx: Special('init_seccomp')),
]
for num, op in sys_ops.items():
def anony(op2):
rewrites.append((List(Fields(sysnum=num, a1=Var('a1'), a2=Var('a2'),
a3=Var('a3'))), lambda ctx: Oper(op=op2, **ctx)))
anony(op)
change = True
while change:
change = False
pc = 0
while pc < len(insns):
for (pattern, rewriter) in rewrites:
if pc + len(pattern) >= len(insns): continue
m = match(insns[pc:pc+len(pattern)], pattern)
if m:
change = True
for key in list(m.keys()):
if key[0] == '_': del m[key]
insns[pc] = rewriter(m)
for i in range(1, len(pattern)):
insns[pc + i] = None
pc += len(pattern)
break
else:
pc += 1
for pc, insn in enumerate(insns):
if insn == None: continue
print(f'{pc:04x}: {insn}')
Raw
solve.py
from Crypto.Util.number import long_to_bytes
def x(**kwargs):
return kwargs
params = [x(key1=1772306431, key2=1183396572, key3=722163547, key4=512446924,
round_incr=1375589402, oup1=0x152ceed2, oup2=0xd6046dc3),
x(key1=853899958, key2=2005262165, key3=1753620729, key4=2381927667,
round_incr=1547151067, oup1=0x4a9d3ffd, oup2=0xbb541082),
x(key1=2896696689, key2=739858255, key3=466746424, key4=337774085,
round_incr=3035673851, oup1=0x632a4f78, oup2=0xa9cb93d),
x(key1=871579616, key2=4192108086, key3=3920302237, key4=2370766002,
round_incr=3552862092, oup1=0x58aae351, oup2=0x92012a14)]
def shuffle(inp, key1, key2, round):
a = ((inp << 0x4) + key1) & 0xffffffff
# b = LShR(inp, 0x5) + key2
b = ((inp >> 0x5) + key2) & 0xffffffff
return (a ^ b) ^ (inp + round)
# r6 r7 r2 r3 r4 r5 r9
def full_shuffle(inp1, inp2, key1, key2, key3, key4, round_incr):
round = 0 # r8
for i in range(32): # r10
round = (round + round_incr) & 0xffffffff
inp1 = (inp1 + shuffle(inp2, key1, key2, round)) & 0xffffffff
inp2 = (inp2 + shuffle(inp1, key3, key4, round)) & 0xffffffff
return inp1, inp2
def full_shuffle_solve(key1, key2, key3, key4, round_incr,
oup1, oup2):
round = 0 # r8
for i in reversed(range(32)): # r10
round = round_incr * (i + 1) & 0xffffffff
oup2 = (oup2 - shuffle(oup1, key3, key4, round)) & 0xffffffff
oup1 = (oup1 - shuffle(oup2, key1, key2, round)) & 0xffffffff
return oup1, oup2
for i in range(4):
print(''.join(long_to_bytes(e).decode()[::-1] for e in full_shuffle_solve(**params[i])), end="")
# hitcon{SysCallOP57289ca4ce57585}
Raw
writeup.md

For this challenge, I worked on trying to simplifying the list of system calls that were made here via a pattern matching on the AST of the syscalls, combining them with higher and higher level code. The code is setting up seccomp rules to compute the arithmetric operations in seccomp and pushing these values to the stack.

It reads the flag, does some shuffling algorithm with it and then accumulates the output values. I believe the actual flag checker is actually broken, but we ended up getting the flag.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment