CTFtime.org

Special Instructions

by terrynini / DoubleSigma

Rating: 3.0

- [murmur](#murmur)
- [Runme](#runme)
- [Special Instructions](#special-instructions)
- [Special Device File](#special-device-file)
- [block](#block)
- [shooter](#shooter)
- [tctkToy](#tctktoy)

# murmur

Thrilling to see the OSASK, I have a copy of 30日でできる! OS自作入門, which teach you to implement a simple OS in 30 days.

# Runme

Compare the result of GetCommandLineA() to `C:\Temp\SECCON2018Online.exe" SECCON{Runn1n6_P47h}`

The flag is `SECCON{Runn1n6_P47h}`

# Special Instructions

The architecture of the elf is `moxie`, can be known by `strings`.

The binary would print :

```sh
This program uses special instructions.

SETRSEED: (Opcode:0x16)
RegA -> SEED

GETRAND: (Opcode:0x17)
xorshift32(SEED) -> SEED
SEED -> RegA
```

Indeed, we can find some weird instructions in binary dump:

```
0000154a <set_random_seed>:
154a: 16 20 bad
154c: 04 00 ret

0000154e <get_random_value>:
154e: 17 20 bad
1550: 04 00 ret

00001552 <decode>:
1552: 06 18 push $sp, $r6
1554: 06 19 push $sp, $r7
1556: 06 1a push $sp, $r8
1558: 06 1b push $sp, $r9
155a: 06 1c push $sp, $r10
155c: 06 1d push $sp, $r11
```

Here, the implement of xorshift32 is differ from [wiki](https://en.wikipedia.org/wiki/Xorshift) ( I'll show you the reason in the next section )

```c
uint32_t xorshift32(uint32_t state[static 1])
{
/* Algorithm "xor" from p. 4 of Marsaglia, "Xorshift RNGs" */
uint32_t x = state[0];
x ^= x << 13;
x ^= x >> 17;
x ^= x << 15; //the original version is << 5
state[0] = x;
return x;
}
```

Xor `flag`, `randval`, `get_random_value` to get the flag.

The flag is `SECCON{MakeSpecialInstructions}`

# Special Device File

This binary should be more easy to understand, because all you need to do is dragging it into IDA.

The key point is how `/dev/xorshift64` work, there are serveral implementation online, it's time comsuming to test everyone.

But, the SECCON is hold by japanese, where a japanese engineer would go for searching the information about things they don't understand ?

Wiki, but in japanese......

```c
x = x ^ (x << 13);
x = x ^ (x >> 7);
return x = x ^ (x << 17);
```

Again, xor `flag`, `randval`, `get_random_value` to get the flag.

The flag is `SECCON{UseTheSpecialDeviceFile}`

# block

My first time to reverse a unity game, it seems not so hard.

Decompress the `.apk`, the `C#` script of game is located at `assets/bin/Data/Managed/Assembly-CSharp.dll`.

There are only two methods ,`Start` and `Update`, obviously, the `Update` keep rotate the flag behind, let's modify them to :

```csharp
#the axis of object seems not parellel or vertical to camera

public void Start()
{
base.transform.position = new Vector3(0f, -4.5f, 2f);
base.transform.Rotate(new Vector3(0f, -90f, 0f));
}

public void Update()
{
}
```

Pack it back and launch it.

![flag](./block.png)

The flag is `SECCON{4R3_Y0U_CH34+3R?}`

# shooter

Again,a unity game.

Basically, it's arcade game, and the players would be ranked **online** with other players.

This one was builded by IL2CPP.

How I found that it was builded by IL2CPP (it's also my first time to reverse such thing):

First, there is no `Assembly-CSharp.dll`.

It may implies the possibility of 2 things (or more) :

- The `dll` was some how being packed or obfuscated
- The game was build in a different way

Second, the layout of diretory seems to be different with last challenge, block.

Then I found that there are lots of keywords in `assets/bin/Data/Managed/Metadata/global-metadata.dat`

After google it, I could dump the pseudo code from `global-metadata.dat` and `libil2cpp.so` ( main logic ) by [Il2CppDumper](https://github.com/Perfare/Il2CppDumper).

But there is nothing valuable in the game logic......

Observing strings, I found there are some weird strings :

```
shooter.pwn.seccon.jp
staging.shooter.pwn.seccon.jp
develop.shooter.pwn.seccon.jp
/admin
/api/v1/score
```

Now, I can get the highest score by sending:

```
POST /api/v1/scores HTTP/1.1
Expect: 100-continue
X-Unity-Version: 2018.2.11f1
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
User-Agent: Dalvik/2.1.0 (Linux; U; Android 8.1.0; Android SDK built for x86 Build/OSM1.180201.007)
Host: shooter.pwn.seccon.jp
Connection: Keep-Alive
Accept-Encoding: gzip

score=2147483647&name=zzzzzzzzzzzzzzzzzzzzzzzz
```

It's useless, server won't send flag back.

And I don't think that the command injection would work.

Then, I found that http://staging.shooter.pwn.seccon.jp/admin will redirect you to http://staging.shooter.pwn.seccon.jp/admin/sessions/new

![admin](./admin.png)

SQL injection works....

We can login as admin by sending `' ))) UNION (SElECT 1)#` as password.

What's more, we can do the time base SQL injection.

This part was done by [kaibro](https://github.com/w181496), my teamate.

1. leak first db : `shooter_staging`

1. leak first table in it : `ar_internal_metadata`

1. leak second table in it : `flags`

1. columns in `flags`:
- `id`
- `value`
- `created_at`
- `updated_a t`

The flag is `SECCON{1NV4L1D_4DM1N_P4G3_4U+H3NT1C4T10N}`
# tctkToy

I overdozed, only left an hour to solve this lol

By a quick glance, I guess the binary would execute an tcl script, and the goal is to build a window similar to the picture ?

Original writeup (https://github.com/terrynini/CTF-writeup/tree/master/SECCON-2018-quals#special-instructions).

Comments