Guild icon
Project Sekai
🔒 UIUCTF 2023 / ❌-rev-pwnykey
Avatar
Sutx BOT 06/30/2023 5:15 PM
pwnykey - 500 points
Category: Rev Description: Can you obtain a valid pwnyOS activation key? Link Files:Tags: No tags.
06/30/2023 5:15 PM
Sutx pinned a message to this channel. 06/30/2023 5:15 PM
Avatar
Sutx BOT 06/30/2023 6:36 PM
@Violin wants to collaborate 🤝
Avatar
Sutx BOT 06/30/2023 11:11 PM
@Rench wants to collaborate 🤝
Avatar
Sutx BOT 07/01/2023 1:14 AM
@Lior 🟣🐑 wants to collaborate 🤝
01:15
@kanon wants to collaborate 🤝
Avatar
Sutx BOT 07/01/2023 6:01 AM
@joezid wants to collaborate 🤝
Avatar
sahuang 07/01/2023 7:50 AM
attachment is updated, old version isnt solvable lol
Avatar
Sutx BOT 07/01/2023 11:27 AM
@Iyed wants to collaborate 🤝
Avatar
sahuang 07/01/2023 11:34 AM
this chal maybe need dynamic analysis
11:34
not too sure
Avatar
Sutx BOT 07/01/2023 5:41 PM
@IceCreamMan wants to collaborate 🤝
Avatar
sahuang 07/01/2023 5:42 PM
@IceCreamMan js god arrived
Avatar
IceCreamMan 07/01/2023 5:55 PM
https://microsoft.github.io/devicescript/
DeviceScript | DeviceScript
TypeScript for Tiny IoT Devices
Avatar
sahuang 07/01/2023 6:02 PM
yeah
18:02
its essentially ts file
18:02
i think we need dynamic debug
18:02
or else need to interpret the .devs to asm
Avatar
IceCreamMan 07/01/2023 6:31 PM
https://microsoft.github.io/devicescript/getting-started/vscode/simulation
Simulation | DeviceScript
DeviceScript provides a rich support for simulating devices and peripherals.
18:32
user@user-virtual-machine:~/Desktop/1_July/pawykey/pwnykey$ ./node_modules/@devicescript/cli/devicescript run -t keychecker.devs using devs: v2.11.6, runtime: v2.11.6, node: v18.16.1 from /home/user/Desktop/1_July/pawykey/pwnykey/node_modules/@devicescript/cli/built WASM> DeviceScript Simulator (WASM) v2.11.6; file v2.11.6 WASM> start: (no name) (null) WASM> start! WASM> connecting to tcp://localhost:80 WASM> socket tcp://localhost:80 open undefined WASM> req: GET /check HTTP/1.1 WASM> user-agent: DeviceScript fetch() WASM> accept: */* WASM> host: localhost WASM> connection: close WASM> WASM> HTTP 200: OK WASM> server: Werkzeug/2.3.3 Python/3.10.6 WASM> date: Sun, 02 Jul 2023 01:32:32 GMT WASM> content-type: text/html; charset=utf-8 WASM> content-length: 29 WASM> connection: close WASM> fetched key: 00000-00000-00000-00000-00001 WASM> key format ok WASM> Unhandled exception WASM> Exception: Error WASM> message: Invalid key WASM> at main_F0 (pc:562) WASM> Unhandled exception PANIC 60005 test failed Error: test failed After starting the server, and running this command standalone, it looks something like this
Avatar
sahuang 07/01/2023 6:36 PM
yeah
18:36
the key command is in python script, the popen thing
18:42
i actually wonder how solver did it statically reversing devs file, since its not actually elf
18:43
the devscript doesnt decompile it to some disassembly too
Avatar
IceCreamMan 07/01/2023 6:58 PM
i cant figure out how to use the vscode extension
Avatar
sahuang 07/01/2023 6:59 PM
does it decompile code?
Avatar
IceCreamMan 07/01/2023 7:05 PM
nope the vscode extension is unresponsive lol
19:05
i will try again later
Avatar
sahuang 07/01/2023 7:06 PM
weird
19:08
a solver statically analysed it and wrote a python solve script
19:08
so i was wondering
19:08
how to decompile that devs file
Avatar
Avatar
IceCreamMan
user@user-virtual-machine:~/Desktop/1_July/pawykey/pwnykey$ ./node_modules/@devicescript/cli/devicescript run -t keychecker.devs using devs: v2.11.6, runtime: v2.11.6, node: v18.16.1 from /home/user/Desktop/1_July/pawykey/pwnykey/node_modules/@devicescript/cli/built WASM> DeviceScript Simulator (WASM) v2.11.6; file v2.11.6 WASM> start: (no name) (null) WASM> start! WASM> connecting to tcp://localhost:80 WASM> socket tcp://localhost:80 open undefined WASM> req: GET /check HTTP/1.1 WASM> user-agent: DeviceScript fetch() WASM> accept: */* WASM> host: localhost WASM> connection: close WASM> WASM> HTTP 200: OK WASM> server: Werkzeug/2.3.3 Python/3.10.6 WASM> date: Sun, 02 Jul 2023 01:32:32 GMT WASM> content-type: text/html; charset=utf-8 WASM> content-length: 29 WASM> connection: close WASM> fetched key: 00000-00000-00000-00000-00001 WASM> key format ok WASM> Unhandled exception WASM> Exception: Error WASM> message: Invalid key WASM> at main_F0 (pc:562) WASM> Unhandled exception PANIC 60005 test failed Error: test failed After starting the server, and running this command standalone, it looks something like this
sahuang 07/01/2023 7:08 PM
since its run as a input to /devicescript which is actually js code, idk how it parses the code
19:08
maybe we need to figure out the inner VM logic
19:09
devicescript is bytecode interpreter
Avatar
IceCreamMan 07/01/2023 7:13 PM
going out now, will try again in a few hours
19:14
i see some strings in the keycheck.devs, maybe i will hook it on debugger and break on read of that strings to see how its used
Avatar
sahuang 07/01/2023 7:30 PM
im still trying to osint tool to decompile it
Avatar
IceCreamMan 07/02/2023 2:14 AM
node --print-wasm-code ./node_modules/@devicescript/cli/devicescript run -t keychecker.devs > wasm_code.txt
Avatar
IceCreamMan 07/02/2023 2:35 AM
i think i extracted the wasm
02:36
download.wasm
245.9 KB
02:39
this is the JS file
02:39
test.js
3.45 MB
02:41
var _jd_em_set_device_id_2x_i32 = Module2["_jd_em_set_device_id_2x_i32"] = createExportWrapper("jd_em_set_device_id_2x_i32"); var _jd_em_set_device_id_string = Module2["_jd_em_set_device_id_string"] = createExportWrapper("jd_em_set_device_id_string");
02:44
oh damn it is actually hosted https://pwnykey-web.chal.uiuc.tf/
02:45
).option("--gc-stress", "stress-test the GC").option("--device-id <string>", "set device ID").option("--devtools", "set when spawned from devtools").option("--stateless", "disable 'flash'").option("--clear-flash", "clear flash before starting").action(startVm); Should be from a cmd line
02:46
oh no
02:46
i think we need to input a right device ID on the hosted website, then it will print the flag
02:46
so there is multiple device id
02:48
message.txt
2.59 KB
02:49
ok i dont think relevant, i will try to RE the wasm...
Avatar
Avatar
IceCreamMan
).option("--gc-stress", "stress-test the GC").option("--device-id <string>", "set device ID").option("--devtools", "set when spawned from devtools").option("--stateless", "disable 'flash'").option("--clear-flash", "clear flash before starting").action(startVm); Should be from a cmd line
IceCreamMan 07/02/2023 3:10 AM
this device-id should be related to devicescript, not the challenge
Avatar
IceCreamMan 07/02/2023 4:15 AM
lol i am terribly wrong, the wasm and javascript is useless (edited)
Avatar
Iyed 07/02/2023 4:26 AM
i guess it got you the wasm of the devicescript itself
04:26
the problem is the disassembler that came with devicescript
04:26
is not really working
04:26
https://github.com/microsoft/devicescript/blob/main/compiler/src/disassemble.ts
devicescript/compiler/src/disassemble.ts at main · microsoft/device...
TypeScript for Tiny IoT Devices (ESP32, RP2040, ...) - devicescript/compiler/src/disassemble.ts at main · microsoft/devicescript
Thumbnail
Avatar
IceCreamMan 07/02/2023 4:57 AM
yeah it seems like the wasm of the devicescript LOL
05:02
node ./node_modules/@devicescript/cli/devicescript disasm keychecker.devs
05:02
this can get the asm
05:02
idk lol but the output looks bad
Avatar
Avatar
Iyed
https://github.com/microsoft/devicescript/blob/main/compiler/src/disassemble.ts
IceCreamMan 07/02/2023 5:15 AM
oh this may be the thing call by disasm
Avatar
Avatar
IceCreamMan
idk lol but the output looks bad
Iyed 07/02/2023 5:39 AM
it gave me some lines with ???oops
05:39
is it clean for you?
Avatar
IceCreamMan 07/02/2023 5:46 AM
nope
05:46
the output is ugly..
05:47
but it does show this
Image attachment
05:47
https://microsoft.github.io/devicescript/language/runtime
Runtime implementation | DeviceScript
DeviceScript compiler takes TypeScript files and generates bytecode files, which are then executed by
Avatar
IceCreamMan 07/02/2023 6:23 AM
this shuld be the only way..
Avatar
sahuang 07/02/2023 6:44 AM
did teams just read asm 🤣
Avatar
IceCreamMan 07/02/2023 7:19 AM
yeah probably just read asm but its another compiler 🥹
Avatar
sahuang 07/02/2023 7:43 AM
crazy
Avatar
Avatar
IceCreamMan
the output is ugly..
sahuang 07/02/2023 9:16 AM
can you paste it?
Avatar
IceCreamMan 07/02/2023 9:25 AM
dump.txt
191.72 KB
Avatar
sahuang 07/02/2023 9:26 AM
oh rip
09:26
all ??'s
09:26
seems not the correct thing
Avatar
IceCreamMan 07/02/2023 9:30 AM
yea thats a problem with the disassembler
Avatar
sahuang 07/02/2023 9:30 AM
is it because node version is wrong?
Avatar
IceCreamMan 07/02/2023 9:35 AM
not too sure, i tried on latest node
Avatar
Avatar
Iyed
the problem is the disassembler that came with devicescript
IceCreamMan 07/02/2023 9:35 AM
@Iyed was mentioning that the disassembler doesnt work
Avatar
Iyed 07/02/2023 11:46 AM
tried some other versions still getting invalid jumps
Avatar
sahuang 07/02/2023 11:48 AM
yeah no idea
11:48
idk how other teams did it, pretty sure we missed sth that can decompile, will check solution
Avatar
Iyed 07/02/2023 12:55 PM
I was trying to extract compiled code based on the file structure there is a definition of it on github
12:56
but not really well explained
12:56
I feel like it's not the right way either
Exported 87 message(s)