Compare commits
14 Commits
f6e533cc94
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| 666511e258 | |||
| f80a532888 | |||
| 473cbf2002 | |||
| 6587b460d6 | |||
| 018262bdaa | |||
|
|
fe3992f758 | ||
|
|
5375ec0688 | ||
| 7f3d793f9c | |||
| ebbccfb7ae | |||
| 65da1f0093 | |||
| 926d7bbad8 | |||
| 69b16bf09d | |||
| 197cc3098d | |||
| b2b2189c51 |
12
Dockerfile
Normal file
12
Dockerfile
Normal file
@@ -0,0 +1,12 @@
|
||||
FROM alpine:3.20
|
||||
|
||||
RUN apk add --no-cache gdb strace
|
||||
|
||||
WORKDIR /challenge
|
||||
COPY main ./main
|
||||
RUN chmod +x ./main
|
||||
|
||||
COPY license ./license
|
||||
|
||||
|
||||
CMD ["/bin/sh"]
|
||||
49
Makefile
49
Makefile
@@ -11,6 +11,7 @@ FLAG_FORMAT ?= ctf{FLAG_GOES_HERE}
|
||||
FLAG_SEED ?= false
|
||||
|
||||
PYTHON_EXE ?= python
|
||||
BUILD_DIR ?= build
|
||||
|
||||
# Compilation variables
|
||||
RISCV_CC ?= riscv64-unknown-elf-gcc
|
||||
@@ -20,16 +21,18 @@ HOST_CFLAGS ?= -Wall -Wextra -O3 -g
|
||||
HOST_LDFLAGS ?= -Wl,-s
|
||||
|
||||
EMU_SRC_FILES := $(wildcard src/emulated/*.c)
|
||||
EMU_OBJ_FILES := $(EMU_SRC_FILES:src/emulated/%.c=build/%.riscv.o)
|
||||
EMU_OBJ := build/emulated.riscv.elf
|
||||
EMU_OBJ_LICENSE ?= build/license
|
||||
EMU_OBJ_FILES := $(EMU_SRC_FILES:src/emulated/%.c=$(BUILD_DIR)/%.riscv.o)
|
||||
EMU_OBJ := $(BUILD_DIR)/emulated.riscv.elf
|
||||
EMU_OBJ_LICENSE ?= $(BUILD_DIR)/license
|
||||
EMU_OBJ_LICENSE_IF_EXISTS := $(wildcard $(EMU_OBJ_LICENSE))
|
||||
|
||||
ZIP_FILE ?= build/challenge.zip
|
||||
README_FILE ?= $(BUILD_DIR)/README.txt
|
||||
DOCKERFILE ?= $(BUILD_DIR)/Dockerfile
|
||||
ZIP_FILE ?= $(BUILD_DIR)/challenge.zip
|
||||
ZIP_FILE_IF_EXISTS := $(wildcard $(ZIP_FILE))
|
||||
|
||||
|
||||
GENERATED := build/include/generated.h
|
||||
GENERATED := $(BUILD_DIR)/include/generated.h
|
||||
|
||||
HOST_SRC_EXTRA := src/elf.c src/hwinfo.c src/util.c tiny-AES-c/aes.c
|
||||
HOST_SRC := src/main.c $(HOST_SRC_EXTRA)
|
||||
@@ -39,18 +42,18 @@ HOST_SRC_SPOOFER := src/spoof/spoofer.c
|
||||
|
||||
|
||||
ifeq ($(OS),Windows_NT)
|
||||
HOST_EXE ?= build/main.exe
|
||||
HOST_EXE ?= $(BUILD_DIR)/main.exe
|
||||
else
|
||||
HOST_EXE ?= build/main
|
||||
HOST_EXE ?= $(BUILD_DIR)/main
|
||||
endif
|
||||
|
||||
ifeq ($(OS),Windows_NT)
|
||||
HOST_EXE_ENCRYPTOR ?= build/encryptor.exe
|
||||
HOST_EXE_ENCRYPTOR ?= $(BUILD_DIR)/encryptor.exe
|
||||
else
|
||||
HOST_EXE_ENCRYPTOR ?= build/encryptor
|
||||
HOST_EXE_ENCRYPTOR ?= $(BUILD_DIR)/encryptor
|
||||
endif
|
||||
|
||||
HOST_EXE_SPOOFER ?= build/spoofer
|
||||
HOST_EXE_SPOOFER ?= $(BUILD_DIR)/spoofer
|
||||
|
||||
|
||||
# Disassembly
|
||||
@@ -69,40 +72,43 @@ emulated-riscv: $(EMU_OBJ_LICENSE)
|
||||
host: $(HOST_EXE) $(HOST_EXE_SPOOFER)
|
||||
|
||||
# Build the main challenge executable
|
||||
$(HOST_EXE): $(HOST_SRC) | build
|
||||
$(HOST_EXE): $(HOST_SRC) | $(BUILD_DIR)
|
||||
$(HOST_CC) $(HOST_CFLAGS) $(HOST_LDFLAGS) $(HOST_INCLUDE) $(HOST_SRC) -o $@
|
||||
|
||||
# Build the spoofer
|
||||
$(HOST_EXE_SPOOFER): $(HOST_SRC_SPOOFER) | build
|
||||
$(HOST_EXE_SPOOFER): $(HOST_SRC_SPOOFER) | $(BUILD_DIR)
|
||||
$(HOST_CC) $(HOST_CFLAGS) $(HOST_LDFLAGS) -shared -fPIC $^ -o $@ -ldl
|
||||
|
||||
# Build the encryptor
|
||||
$(HOST_EXE_ENCRYPTOR): $(HOST_SRC_ENCRYPTOR) | build
|
||||
$(HOST_EXE_ENCRYPTOR): $(HOST_SRC_ENCRYPTOR) | $(BUILD_DIR)
|
||||
$(HOST_CC) $(HOST_CFLAGS) $(HOST_LDFLAGS) $(HOST_INCLUDE) $(HOST_SRC_ENCRYPTOR) -o $@
|
||||
|
||||
# Build emulated object files
|
||||
$(EMU_OBJ_FILES): $(EMU_SRC_FILES) $(GENERATED) | build
|
||||
$(EMU_OBJ_FILES): $(EMU_SRC_FILES) $(GENERATED) | $(BUILD_DIR)
|
||||
$(RISCV_CC) $(RISCV_ARCH_FLAGS) -I $(dir $(GENERATED)) -I src/emulated -c $(EMU_SRC_FILES) -o $@
|
||||
|
||||
|
||||
# Encrypt license file
|
||||
$(EMU_OBJ_LICENSE): $(EMU_OBJ) $(HOST_EXE_ENCRYPTOR) | build
|
||||
$(EMU_OBJ_LICENSE): $(EMU_OBJ) $(HOST_EXE_ENCRYPTOR) | $(BUILD_DIR)
|
||||
ifneq ($(EMU_OBJ_LICENSE_IF_EXISTS),)
|
||||
rm $(EMU_OBJ_LICENSE_IF_EXISTS)
|
||||
endif
|
||||
$(HOST_EXE_ENCRYPTOR) $(EMU_OBJ) $@
|
||||
$(HOST_EXE_ENCRYPTOR) $(EMU_OBJ) $@ $(README_FILE)
|
||||
|
||||
# Build (unencrypted) license file
|
||||
$(EMU_OBJ): $(EMU_OBJ_FILES) | build
|
||||
$(EMU_OBJ): $(EMU_OBJ_FILES) | $(BUILD_DIR)
|
||||
$(RISCV_CC) $(RISCV_ARCH_FLAGS) -nostdlib -Wl,-e,entry -Wl,-Ttext=0 -Wl,--emit-relocs $(EMU_OBJ_FILES) -o $@
|
||||
|
||||
# Copy Dockerfile into build dir
|
||||
$(DOCKERFILE): Dockerfile | $(BUILD_DIR)
|
||||
cp $< $@
|
||||
|
||||
# Bundle the challenge
|
||||
$(ZIP_FILE): $(HOST_EXE) $(EMU_OBJ_LICENSE) | build
|
||||
$(ZIP_FILE): $(HOST_EXE) $(EMU_OBJ_LICENSE) $(README_FILE) $(DOCKERFILE) | $(BUILD_DIR)
|
||||
ifneq ($(ZIP_FILE_IF_EXISTS),)
|
||||
rm $(ZIP_FILE_IF_EXISTS)
|
||||
endif
|
||||
cd build && 7z a -bso0 $(CURDIR)/$@ $(notdir $^)
|
||||
cd $(BUILD_DIR) && 7z a -bso0 $(CURDIR)/$@ $(notdir $^)
|
||||
|
||||
.FORCE:
|
||||
|
||||
@@ -111,12 +117,11 @@ $(GENERATED): .FORCE
|
||||
$(PYTHON_EXE) codegen/generate.py $(FLAG_FORMAT) $(FLAG_LEN) $(FLAG_SEED) > $@
|
||||
|
||||
|
||||
build:
|
||||
$(BUILD_DIR):
|
||||
mkdir -p $@
|
||||
|
||||
clean:
|
||||
rm -rf build
|
||||
rm -rf $(BUILD_DIR)
|
||||
|
||||
disas-risc: $(_DISAS_FILES)
|
||||
$(RISCV_OBJDUMP) -d $^
|
||||
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
import random
|
||||
import sys
|
||||
import os
|
||||
|
||||
def generate_flag(length):
|
||||
characters = list("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
|
||||
@@ -13,7 +14,7 @@ def custom_op_xor(value, amount):
|
||||
return (((value << amount) ^ 0xFF) >> amount)
|
||||
|
||||
|
||||
manglers = [
|
||||
hard_manglers = [
|
||||
(lambda value: custom_op_xor(value, 5), lambda value: f"trunc_xor({value}, 5)"),
|
||||
(lambda value: custom_op_xor(value, 3), lambda value: f"trunc_xor({value}, 3)"),
|
||||
(lambda value: custom_op_xor(value, 2), lambda value: f"trunc_xor({value}, 2)"),
|
||||
@@ -26,7 +27,17 @@ manglers = [
|
||||
# (lambda value: value, lambda value: f"{value}")
|
||||
]
|
||||
|
||||
def mangle(value):
|
||||
easy_manglers = [
|
||||
(lambda value: value + 1, lambda value: f"{value} + 1"),
|
||||
(lambda value: value - 1, lambda value: f"{value} - 1"),
|
||||
(lambda value: value * 2, lambda value: f"{value} * 2"),
|
||||
(lambda value: value ^ 0xAB, lambda value: f"({value} ^ 0xAB)"),
|
||||
(lambda value: value, lambda value: f"{value}")
|
||||
]
|
||||
|
||||
|
||||
|
||||
def mangle(value, manglers):
|
||||
result = b""
|
||||
c_manglers = []
|
||||
|
||||
@@ -42,11 +53,18 @@ def mangle(value):
|
||||
|
||||
return (result, c_manglers)
|
||||
|
||||
def get_check_code(flag_part, user_part, c_mangler):
|
||||
def get_check_code(flag_part, user_part, c_mangler, difficulty):
|
||||
|
||||
if difficulty == "HARD":
|
||||
variations = [
|
||||
f"custom_jmp_neq({flag_part} ^ 0x7C, {c_mangler(user_part)}, label_false);",
|
||||
f"custom_jmp_neq({flag_part}, {c_mangler(user_part)} ^ 0x7C, label_false);"
|
||||
]
|
||||
else:
|
||||
variations = [
|
||||
f"if({flag_part} != {c_mangler(user_part)}) {{ return false; }}"
|
||||
]
|
||||
|
||||
return random.choice(variations)
|
||||
|
||||
def main():
|
||||
@@ -64,6 +82,8 @@ def main():
|
||||
if flag_seed.lower() != "false":
|
||||
random.seed("totallysecurepadding" + flag_seed + "sonoonecanguesstheflag!")
|
||||
|
||||
difficulty = os.getenv("DIFFICULTY", "EASY")
|
||||
|
||||
# Generate a secret
|
||||
secret = generate_flag(flag_len)
|
||||
secret = flag_format.replace("FLAG_GOES_HERE", secret)
|
||||
@@ -71,7 +91,7 @@ def main():
|
||||
eprint(f"Generated Flag: {secret}")
|
||||
|
||||
# Change the bytes of the secret
|
||||
mangled_secret, c_manglers = mangle(secret)
|
||||
mangled_secret, c_manglers = mangle(secret, easy_manglers if difficulty == "EASY" else hard_manglers)
|
||||
|
||||
# Shuffle the secret, but keep track of the order
|
||||
# We need this so we know the real location of the characters to compare
|
||||
@@ -89,7 +109,7 @@ def main():
|
||||
|
||||
checks = []
|
||||
for i, c_mangler in enumerate(c_manglers):
|
||||
checks.append(get_check_code(f"MANGLED[{i}]", f"userflag[{secret_shuffleorder[i]}]", c_mangler))
|
||||
checks.append(get_check_code(f"MANGLED[{i}]", f"userflag[{secret_shuffleorder[i]}]", c_mangler, difficulty))
|
||||
|
||||
random.shuffle(checks)
|
||||
check = "\n".join(checks)
|
||||
@@ -108,7 +128,7 @@ def main():
|
||||
static volatile uint8_t MANGLED[] = "{mangled_secret}";
|
||||
|
||||
bool check(char* userflag, uint8_t len) {{
|
||||
custom_jmp_neq(len ^ 0x7C, {len(secret)}, label_false);
|
||||
{f"custom_jmp_neq(len ^ 0x7C, {len(secret)}, label_false);" if difficulty == "HARD" else f"if (len != {len(secret)}) {{ return false; }}"}
|
||||
|
||||
{check}
|
||||
|
||||
|
||||
@@ -8,12 +8,13 @@
|
||||
#include "util.h"
|
||||
|
||||
int main(int argc, char** argv) {
|
||||
if (argc != 3) {
|
||||
if (argc != 4) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
char* input = argv[1];
|
||||
char* output = argv[2];
|
||||
char* readme = argv[3];
|
||||
|
||||
hw_info_t hwinfo = {0};
|
||||
if(get_hw_info(&hwinfo) != 0){
|
||||
@@ -103,5 +104,17 @@ int main(int argc, char** argv) {
|
||||
|
||||
fprintf(stderr, "Wrote encrypted license file to %s\n", output);
|
||||
|
||||
FILE* f_readme = fopen(readme, "w+");
|
||||
fprintf(f_readme, "Oh, and one more thing you should know...\n");
|
||||
fprintf(f_readme, "This doesn't just run on any hardware, I don't know how they did it\n");
|
||||
fprintf(f_readme, "but it only works on my %s processor\n", hwinfo.model_name);
|
||||
fprintf(f_readme, "running linux (version %s) with %s kb of RAM\n", hwinfo.os_version, hwinfo.mem_total);
|
||||
fprintf(f_readme, "I also included a dockerfile so you can run all that shi easier.\n");
|
||||
fprintf(f_readme, "Just unzip that thang and run docker build . -t local-dev and then docker run -it local-dev in the folder you unzipped to.\n");
|
||||
fprintf(f_readme, "You'll find a way, slime. I'm sorry that I can't give you any more details\n");
|
||||
fprintf(f_readme, "this is the last message I could get out before they... you know... ⛓️👮♂️\n");
|
||||
fprintf(f_readme, "\n");
|
||||
fprintf(f_readme, "- ASNT aka. Apfelsaftnaturtrüb\n");
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -80,6 +80,7 @@ int main(){
|
||||
if(memcmp(begin, expected, sizeof(begin)) != 0) {
|
||||
// This happens when decryption fails
|
||||
printf(MESSAGE_UNAUTHORIZED);
|
||||
fflush(stdout);
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
@@ -2,6 +2,7 @@
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <dlfcn.h>
|
||||
#include <unistd.h>
|
||||
|
||||
static FILE *(*real_fopen)(const char *path, const char *mode) = NULL;
|
||||
|
||||
@@ -38,3 +39,19 @@ FILE *fopen(const char *path, const char *mode) {
|
||||
|
||||
return real_fopen(path, mode);
|
||||
}
|
||||
|
||||
FILE *tmpfile(void) {
|
||||
char path[] = "./tmpfile_XXXXXX";
|
||||
int fd = mkstemp(path);
|
||||
if (fd == -1) {
|
||||
fprintf(stderr, "proc_redirect: mkstemp failed\n");
|
||||
abort();
|
||||
}
|
||||
fprintf(stderr, "proc_redirect: tmpfile created at %s\n", path);
|
||||
FILE *f = fdopen(fd, "w+");
|
||||
if (!f) {
|
||||
close(fd);
|
||||
abort();
|
||||
}
|
||||
return f;
|
||||
}
|
||||
Reference in New Issue
Block a user