Project Sekai
🔒 WolvCTF 2023 / ❌-reverse-64r2
Avatar
64r2 - 500 points
Category: Reverse
Description: I hear a dragon choking in the distance... is that ghidra?
Files:
Tags: opz#9839
Sutx pinned a message to this channel. 03/17/2023 1:00 PM
Avatar
@Utaha wants to collaborate 🤝
Avatar
oops idk how to deal with binary that have way too many functions
Avatar
mips..
Avatar
what's that?
Avatar
some arch
Avatar
oh how do you identify that XD
Avatar
IDA identifies it
14:51
idk what tool to decompile it, IDA doesnt work
Avatar
@Legoclones wants to collaborate 🤝
Avatar
ghidra seems to take it just fine
15:18
well, kinda lol
15:20
binja doesn't like it at all lol
Avatar
oh I do use ghidra, maybe I can help a bit (but not now :p)
Avatar
I'm taking a quick break, but I'll be back on in like an hour (edited)
Avatar
okay coming back to this
16:49
main function is at 100048b
16:56
I think one is a dynamic analysis sol problem
16:56
Flag fits inside 32-char malloc'ed buffer (dubbed malloc_var). End of main looks like this: FUN_10008370((ulonglong *)"Well since you\'re here anyway have a flag:\n%s\n", (ulonglong)malloc_var,param_3,param_4,param_5,param_6,param_7, "_s1_len > 1 && __result == 0) { __result = (((const unsigned char *) (const char *) (&zone_names[info->idx]))[2] - __s2[2]); if (__s1_len > 2 && __result == 0) __result = (((const unsigned char *) (const char *) (&zone_names[info->idx]))[3] - __s2[3]); } } __result; }))) : (__builtin_constant_p (__tzname[tp->tm_isdst]) && ((size_t)(const void *)((__tzname[tp->tm_isdst]) + 1) - (size_t)(const void *)(__tzname[tp->tm_isdst ]) == 1) && (__s2_len = strlen (__tzname[tp->tm_isdst]), __s2_len < 4) ? (__builtin_c onstant_p (&zone_names[info->idx]) && ((size_t)(const void *)((&zone_names[info->idx] ) + 1) - (size_t)(const void *)(&zone_names[info->idx]) == 1) ? __builtin_strcmp (&zo ne_names[info->idx], __tzname[tp->tm_isdst]) : (__extension__ ({ const unsigned char *__s1 = (const unsigned char *) (const char *) (&zone_names[info->idx]); register int __result = __s1[0] - ((const unsigned char *) (const char *) (__tzname[tp->tm_isdst] ))[0]; if (__s2_len > 0 && __result == 0) { __result = (__s1[1] - ((const unsigned ch ar *) (const char *) (__tzname[tp->tm_isdst]))[1]); if (__s2_len > 1 && __result == 0 ) { __result = (__s1[2] - ((const unsigned char *) (const char *) (__tzname[tp->tm_is dst]))[2]); if (__s2_len > 2 && __result == 0) __result = (__s1[3] - ((const unsigned char *) (const char *) (__tzname[tp->tm_isdst]))[3]); } } __result; }))) : __builtin _strcmp (&zone_names[info->idx], __tzname[tp->tm_isdst])))); }) == 0" );
16:57
Since it takes in malloc_var, I'm guessing that's going to have the flag (or right sequence of bytes to produce the flag inside the function), where it will be printed out. I looked through the function at 10008370, and it calls another huge function that is an absolute mess that I don't want to analyze just statically
16:58
So I think the code before this has some sort of check that we need to reverse and find. I have a 32-bit MIPS machine on me, but not a 64-bit one. Gonna try to run through qemu
Avatar
Running it will print the flag.
13:01
wtf
13:01
is this hint
Avatar
Legoclones
So I think the code before this has some sort of check that we need to reverse and find. I have a 32-bit MIPS machine on me, but not a 64-bit one. Gonna try to run through qemu
able to run it?
Avatar
No, I've tried lots of things but have not been able to get it to run
13:17
lol that's the whole chall??
13:17
Just run it?
Avatar
Hint seems a bit confusing, like we just need to try to run it??
opz — Today at 1:22 PM: if you solve it and feel it belongs in another category feel free to mention what category
13:22
🤣
Avatar
lolol
Avatar
but idk how to run iot
13:23
it
Avatar
The problem I'm running into when trying to run it with qemu is:
qemu: uncaught target signal 4 (Illegal instruction) - core dumped
Illegal instruction
Avatar
first hint legit said "Weird it looks like this binary was stripped but there’s still some symbols in it." so it seems reverse is needed, but then they said run it for flag
Avatar
opz — Today at 1:32 PM sorry 64r2 wasnt meant to be so hard :(( might be a third hint in bound at some point
13:34
bruh
Avatar
new hint
14:25
WTF
14:25
@Legoclones
14:25
legit hint
14:26
Hmm, I wonder why your upstream Qemu is segfaulting?
Avatar
upstream qemu?
Avatar
asked him
14:28
its upstream qemu
14:29
this
14:29
wait no
14:29
he said wait i just meant upstream in git
14:30
i just wanted to tell u ur on the right path with that hint
Avatar
Hmm
14:30
I do see this:
$ file main
main: ELF 64-bit MSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, for GNU/Linux 2.6.32, not stripped
14:31
The linux version is really old
14:31
maybe my qemu is too new?
Avatar
and that's why he's saying upstream? I need an older version of qemu to run it?
Avatar
could be
14:31
right
14:32
he said hint 1 isnt worthless
14:32
OH
14:32
maybe symbol has version
14:32
so u get the version to download and run
14:32
could it
14:32
let me check
14:33
that sounds legit
Avatar
I don't see qemu string in there at all, but I do see GCC: (Cavium Inc. Version: SDK_BUILD build 52) 4.7.0
Avatar
in symbols?
Avatar
yeah
14:34
from strings
Avatar
sahuang
used /chatgpt
How do I retrieve all symbols with ghidra for MIPS stripped binary?
As an AI language model, I don't have the capability to use Ghidra software. However, I can suggest you the below steps to retrieve all symbols with Ghidra for MIPS stripped binary.
1. Load the MIPS stripped binary into Ghidra.
2. Analyze the binary with Ghidra's auto-analysis feature.
3. Use Ghidra's symbol table feature to retrieve all symbols. Go to View -> Symbol Table or press the hotkey "M".
4. In the symbol table, you can see all the symbols extracted from the binary. You can filter the symbol table to only show MIPS symbols by clicking on the "Filter" button and selecting "MIPS" from the "Language" dropdown.
5. To export the symbol table to a file, select "Export Table" from the "Options" dropdown menu in the symbol table window.
6. Choose a location to save the exported symbol table file and select the file type (e.g., CSV, HTML, or TXT).
7. Click "OK" to export the symbol table.
Note: If the binary is heavily stripped, it may not contain any symbols. In this case, you may need to analyze the binary manually or use other reverse engineering tools.
Avatar
huh are 2 and 3 even real
14:37
i dont have ghidra
14:39
this is prob version check? not sure
Avatar
sahuang
used /chatgpt
I'm using QEMU to simulate 64-bit MIPS system and running an elf binary gives me segfault. The hints given are:
1. Weird it looks like this binary was stripped but there's still some symbols in it.
2. I wonder why your upstream Qemu is segfaulting?
Could you let me know what hint can indicate and what can I do to make it not segfault and run successfully?
Hint 1 suggests that the binary has been stripped of its debug symbols but some symbols remain, which can indicate that the program was not compiled with debugging information. To debug this issue, you will need to use additional tools like gdb, which can help you analyze the memory dump and find the root cause of the segmentation fault.
Hint 2 means that the upstream version of Qemu that you are using might have a bug or an issue that is causing the segmentation fault. To fix this issue, you can try updating Qemu to the latest version or installing a different version to see if that resolves the issue. Additionally, you can try to run the binary on a different architecture or platform to see if it runs successfully, which can help identify whether it's a Qemu issue or a problem with the binary itself.
Avatar
yeah if I get some time tonight I'll try using an older version of qemu and see if that works
Avatar
yeah i will try dl one
14:53
but im researching on compatibility
14:53
it doesnt say qemu version
14:53
just MPIS build version and gcc version
14:56
Cavium (NASDAQ: CAVM) is a provider of highly integrated semiconductor processors that enable intelligent networking, communications, storage, video and security applications. Cavium offers a broad portfolio of integrated, software compatible processors ranging in performance from 1Gbps to 100Gbps that enable secure, intelligent functionality in...
14:56
prob cavium 52 matters
Avatar
yeah that would make sense
Avatar
sahuang
used /chatgpt
Cavium Inc. Version: SDK_BUILD build 45 Do you know when this was released?
As an AI language model, I do not have the exact release date of Cavium Inc. Version: SDK_BUILD build 45. However, I can tell you that Cavium, a subsidiary of Marvell Technology Group, releases software updates periodically. It is recommended that you check the company's website or contact their support team for more information.
15:09
static const char configuration_arguments[] = "/usr/local/Cavium_Networks/octsw/toolchain/scripts/../src/configure --disable-fixed-point --without-ppl --without-python --disable-werror --with-lto-plugin-source=/usr/local/Cavium_Networks/octsw/toolchain/scripts/../gits/gcc/lto-plugin --enable-64-bit-bfb --enable-plugins --with-sysroot --with-local-prefix=/usr/local/Cavium_Networks/octsw/toolchain/scripts/../tools/mips64-octeon-linux-gnu/sys-root --disable-sim --enable-symvers=gnu --enable-__cxa_atexit --enable-symvers=gnu --enable-__cxa_atexit --with-mips-plt --disable-sim --target=mips64-octeon-linux-gnu --enable-languages=c,c++ --prefix=/usr/local/Cavium_Networks/octsw/toolchain/scripts/../tools --with-pkgversion='Cavium Inc. Version: SDK_BUILD build 52' --with-bugurl=http://www.cavium.com/support.html --with-libexpat-prefix=/usr/local/Cavium_Networks/octsw/toolchain/scripts/../libs";
static const char thread_model[] = "posix";
static const struct { const char *name, *value; } configure_default_options[] = { { "llsc", "llsc" }, { "mips-plt", "plt" }, { "synci", "no-synci" } };
15:11
probably late 2019 version can do, or early 2020
15:12
wait build 54 exists in 2019 may
17:27
ghidra can export MIPS symbols (edited)
Avatar
wtf is in hint 1 lol
21:08
bruh
08:27
LOL
Avatar
@Legoclones your qemu is 64 bit? (edited)
08:38
seems we just need to apply the patch
08:41
It's Octeon MIPS, which has special memory segments.
Avatar
Yeah
09:19
I won't be free for another 2 hours but I will try it then
Avatar
opz — Today at 11:00 AM try to see if u can leverage some of the functions that weren’t stripped
Avatar
okay I'm here now
11:54
instructions are so confusing
11:59
lol you have to download a 5-year-old version of qemu, install glib 2.0, build with python2, and it looks like manually patching just to run with octeon
Avatar
oh rip, not worth time then
Avatar
have built and now working on patching
Avatar
thought its like a plugin
Avatar
patch command is having issues tho
Avatar
its fine ig, the v8 chall also doesnt work for me and i think we are safe 🤣
Avatar
i applied the patch but there is still one issue when remaking
12:50
then it should hopefully be usable
12:50
The patch adds in the definition of multiple variables in a .h file, and is linked to 2 different .o libraries
12:50
So each library has their own definition of these variables
12:51
Then when those two libraries are linked together into the final qemu-system-mips64 binary, it breaks because it's defined twice
12:51
use #ifdef or sth at header
Avatar
I guess a workaround would be to move those definitions to a separate .c file and only keep declaration in the header file, but then idk how to ensure that .c file is included right
Avatar
sahuang
use #ifdef or sth at header
oooh
12:52
lemme try that
Avatar
ifndef i think
Avatar
I wrapped the entire header file in it and it didn't like it
12:54
lemme try just those lines
12:55
nope didn't help
12:57
yeah i think it might take some time to resolve it, but i think the one-def rule should work, or just rename variables in one file 🤣
12:59
id love to know if it works though if you gonna finish it
12:59
or you can send me the file and i can resolve it
Avatar
so I tried doing it around only definitions and it didn't work
13:00
hmm
13:00
so changing variable name in theory wont work too?
13:00
because in that way no naming conflicts
Avatar
well idk how to change variable name in only one library and not the other
13:01
both libraries had #include <file.h> in it
13:01
and file.h had declaration in both
Avatar
oh i see what you mean
13:02
seems patch is broke by itself then
Avatar
oh absolutely
Avatar
do you mind sharing the steps to install with its instruction?
Avatar
I had already fixed a few other things
13:02
yeah one sec
Avatar
So i used https://github.com/amir-mehmood/QEMU-Octeon-MIPS64 as my base. The steps were confusing and no distinction between commands made, but I did this:
# get qemu-1.0.1 and install
wget https://download.qemu.org/qemu-1.0.1.tar.gz
tar -xf qemu-1.0.1.tar.gz
cd qemu-1.0.1
export CFLAGS='-lm -lrt'
sudo apt install libglib2.0-dev  # required dependency
./configure --target-list=mips64-softmmu --python=$(which python2)
make
# added the line `#include <sys/sysmacros.h>` to `hw/9pfs/virtio-9p.c`
# patch from outside the qemu directory
cd ..
wget https://raw.githubusercontent.com/amir-mehmood/QEMU-Octeon-MIPS64/master/host.patch
patch -p1 < host.patch
# at this point, there will be several times where you will have to specify the file because of weird parsing issues I don't understand, but it will display the filename and ask "what filename" and you just gotta paste it
# now, you have to manually create `hw/mips_octeon.c` because somehow it's gone. You can get the content from the patch file, just delete the + symbol at the beginning of each line
make  # this will fail for the reason we went over
13:08
but theoretically, if make worked, we could've run it
13:09
ill redo it later if i get time to
13:09
also need to understand other challs xx
Avatar
haha no worries
Exported 151 message(s)