Skip to content

Latest commit

 

History

History
154 lines (98 loc) · 8.85 KB

bhctf-season2.md

File metadata and controls

154 lines (98 loc) · 8.85 KB
Raw

As the captain of Team U-niverse, I participated to the Block Harbor x VicOne Automotive CTF Season 2 (2024). We couldn't make it to the final rounds. It was, however, a chance for us to learn new things. Personally, I was able to sharpen my reverse engineering skill a little bit. Here under I will place write-ups for the RE challenges that I solved: "Want a password", "Gameboy Game" and "Cargame". As for write-ups of other challenges, please refer to the bottom of this page.

1. "Want a password"

  • Overview: "passgen.zip" and "Encrypted.zip" are provided. "Encrypted.zip", which includes the flag, is locked with a secret password. The secret password is known to be generated by "passgen.zip" at some time between 2024/06/27 11:37:29 and 11:37:45 AM in EST timezone.

  • Solution

    • Unzip passgen.zip and run passgen.exe opened a GUI like below: image

    • Use dnSpy to disassemble passgen.exe file. image

    • The disassembled source code was quite simple. There is a function called button1_Click() that is triggered when we click on the button Generate Password. Modify the function so that it continuously generates random passwords. image

    • Save the changes and then set your local system time to 2024/06/27 11:37:00 for example. Please be careful with the timezone.

    • Start generating passwords until it ends.

    • After getting the list of passwords, I manually try one by one to open the locked .zip file (I can use Hydra or similar tools, but the small number of candidates didn't worth using the tools) and found the correct password.

    • The flag is:

      image

2. "Gameboy Game"

  • Overview: a Gameboy ROM was given. We are asked to score more than 32767 points to get the flag.

  • Solution

    • On a Kali machine, I installed wine, downloaded bgb. Run wine bgb64.exe to start the bgb debugger.

    • Load the provided Gameboy ROM to bgb.

      image

    • The game loaded. Open the "cheat searcher"

      image

    • The challenge asks us to score more than 32767, hence the score should be 16 bits. Set search value type to 16 bits. Click on Start to search for all 16 bits values in the app memory.

      image

    • Score 1 point or 2, then press start (Enter) button to view the score and pause the game.

      image

    • Open the cheat searcher again, set the target value as the score you earned above, and click Search to look for, among the list we got by the initial search, memory addresses of which value is the target value.

      image

    • The known shrinks down a little bit (in the case of the screenshot below, it is 257). Continue this process until the list remains unchanged.

      image

    • The final result looks like this:

      image

    • After this, the goal is to modify the memory where the score is stored so that our score is almost 32767. You can do that by right clicking on the address you want to view, select go here in debugger.

      image

    • The value at 0xCB93 was the score at that time (2). The score turns out to be stored as a 16-bit signed integer at 0xCB93 and 0xCB94

      image

    • Right clicking on the address you want to modify, select Modify code/data:

      image

    • Edit the memory such that 0xCB93 = ff and 0xCB94 = 7f. After that get back to the game, move the car to the arrow on the up left corner, and the flag appeared.

      image

3. "Car game"

  • Overview: a game written in SDL2 framework was provided. There was instructions on how should we run the game on Ubuntu 22.04 and the necessary libraries. We need to score more than 1337 points to get the flag.

  • Solution:

    • I heard after the CTF that we can solve the challenge using a cheat engine to hack the health. I didn't know about that, so I used GDB to debug, and Ghidra to understand the source code and identify the addresses I need to tamper with. It was probably way more tedious than using a cheat engine, but as a pay-off, I learned a little reverse engineering skills.
    • I would skip the reversing steps as you can search elsewhere. The strategy is to modify the source code such that the health is not decreased however we play. After the modification, we just need to wait for less than 20 mins to achieve the necessary points to get the flag.
    • I wrote a Python script that control GDB to achieve the above goal. Basically the script replaces the decreasing process at 0x403e6d and 0x403d63 by a sequence of NOPs (0x90) instructions so that the process does nothing. After collecting enough points, the script reverses back the modifications, continue running the game and get flag.

    ※ Only editing the score didn't work, as inside the game, it added a timestamp to estimate the playing time to detect cheating. The scoreboards, flags, etc. are stored on a server to which the game send requests.

    # --------- crack.py ------------
    import gdb
    import pyautogui
    import time
    import threading

    global score

    TIMEOUT = 1000

    # connect to the local GDB process
    gdb.execute("file cargame")
    gdb.Breakpoint("*0x4030ae")

    def waitUntilDone():
        time.sleep(TIMEOUT)
        gdb.Breakpoint("*0x403e6d")
        gdb.Breakpoint("*0x403d63")

    def bp_handler(event):
        global score

        if event.breakpoint.number == 1:
            gdb.execute("set *(unsigned char*)0x403e6d = 0x90")
            gdb.execute("set *(unsigned char*)0x403e6e = 0x90")
            gdb.execute("set *(unsigned char*)0x403e6f = 0x90")

            gdb.execute("set *(unsigned char*)0x403d63 = 0x90")
            gdb.execute("set *(unsigned char*)0x403d64 = 0x90")
            gdb.execute("set *(unsigned char*)0x403d65 = 0x90")

            t1 = threading.Thread(target=waitUntilDone, args=())
            t1.start()

            gdb.execute("continue")
        if event.breakpoint.number in (2,3):
            gdb.execute("set *(unsigned char*)0x403e6d = 0x89")
            gdb.execute("set *(unsigned char*)0x403e6e = 0x50")
            gdb.execute("set *(unsigned char*)0x403e6f = 0x18")

            gdb.execute("set *(unsigned char*)0x403d63 = 0x89")
            gdb.execute("set *(unsigned char*)0x403d64 = 0x50")
            gdb.execute("set *(unsigned char*)0x403d65 = 0x18")
            gdb.execute("continue")

    gdb.events.stop.connect(bp_handler)
    gdb.execute("set logging on")
    gdb.execute("set confirm off")

    gdb.execute("run -u trung")

The script is run by gdb -x crack.py.

  • The flag is:

    image

    image

Write-ups for other challenges:

  1. Challenge "Power": https://glatcher.ru/2024/09/09/BlockHarbor2024-Power
  2. Challenges "Scanning Plates", "Stego 1", "I know alot about cars", "Web RCE Anomaly", "What is the VIN?": https://github.com/OxT7723/CTFs/blob/main/BlockHarbor_CTF_Season2_2024/README.md
  3. Challenges "Walk in the park", "Can bus anomaly #1", "1 or 2?", "Lost in the echo", "ivi", "Siggy", "Stego 1": https://blog.hamayanhamayan.com/entry/2024/09/10/222143
  4. Challenges "VCAN", "Can bus anomaly #2", "DID Access", "What is the VIN?", "Steering Angle", "When were we driving?", "Radio", "Street Names", "Autosar E2E": https://laysakura.github.io/2024/09/09/automotive-ctf-2024-qual/