Monday, 8 October 2018

mast3r - InCTF 2018

Hope all of you had fun playing InCTF 2018!

We had a variety of challenges this year. I made the challenge mast3r, it's based on unicorn engine, the platform emulation framework. Sometime back I was trying to write a binary analysis tool using unicorn engine and had found the framework to be awesome. So this time I thought of making a challenge using unicorn. You can find the challenge files here.

There are 2 files given in this challenge. The file mast3r is the challenge file, if you dont have unicorn engine installed, you will need to use the second file libunicorn.so.1 to run the challenge, just set the environment variable LD_LIBRARY_PATH to the path of libunicorn.so.1 and after that you will be able to run the challenge.


Briefly speaking, there are 2 stages for this challenge. The checks in the first stage happens in emulated ARM code and the checks in second stage happens in x64 and emulated MIPS code. The user needs to pass both the stages to get the flag.

If you are not familiar with unicorn I suggest you to take a look at this tutorial. Just get a basic idea on how the emulation happens and continue reading.

The main function clearly shows that there are two stages, check1 takes input1 as parameter whereas check2 takes input2 as patameter, if both checks are passed then the printflag function is called, which prints out the flag by wrapping input1 and input2 between inctf{}.

While running the challenge, we saw that the program prints out invalid length. So, lets see what happens inside the first check. Below is the check1 function.



Check1: In this check, first of all, the length of input is checked, if the length is not equal to 20, the program exits by printing invalid length. If the length is correct then an instance of unicorn engine is created using the function uc_open, it takes architecture, mode as first, second arguments respectively. In the compiled binary you can see only the enum constant and not the string. So, you will have to refer the source to find it. You can find all the details related to architecture and mode there.

Now, we know that 1 is for ARM and 0 is for little endian mode. If the uc_open function was successful then memory is mapped and some data is written at addresses 0x10000, 0x11000 and 0x12000. From the arguments of uc_emu_start function we know that code being emulated starts at address 0x10000 and ends at address 0x100044. Your input gets copied to the address 0x11000 and at address 0x12000 a const string "xt=aok}x=~as}a~<<xw}" is written. Then the emulation starts, if it was successful then register r11 (enum const 77) is read and the value is copied to v6. The same value is returned as result and from the main function we know that the return value must not be equal to zero. Let's fire up radare2 and dump the code being emulated.


The offsets in the above image does not start from 0x10000, you can use rasm2 to make the base address 0x10000.


We can write a small python script to pass the above check.



Let's give this input to the program and see what happens.


Yay! We passed the first stage. So the correct input was th3_mast3r_is_r00tus. But we have reached half way only, need to pass the next stage as well to get the flag.

Check2: Diving into check2 we see lot more code. Following the same procedure as check1, we can find that MIPS code is being emulated here. The input must be of length 24. It is divided into several parts and is copied into few registers and other memory locations which are used during code emulation. All details regarding MIPS registers in unicorn can be found here. Emulated code starts at address 0x10000. After emulation some register values are being checked. Try to understand the following pseudocode to get a better idea about the check.


We can see a hook function in the above code. Let's take a look at that as well. We can understand that instructions are getting hooked and a number of registers are being read. At addresses 0x10010, 0x10020, 0x10030, 0x100D0 few more check are happening and we need to pass those as well.


Let's dump the code being emulated and try to understand it. I dumped the code (at address 0x00401758, size 0xf8) using rasm2 and beautified it a bit to view the addresses.

There are different types of checks happening in this stage. Some checks happen before emulation, some during and some after emulation.

Remember the length of input in this stage is 24. The following check happens before emulation. The last 8 characters of the input must be "un1c0rn!", found during the begining of check2, compared using strcmp. Next, two different types of checks happen during emulation. As I said before, few checks happen by instruction hooking see the hook function to find at which addresses these checks happen, other checks happen in the MIPS code itself, some character by character comparisons. The final check, in the MIPS code, some characters of the input are incremented and stored into registers then checked after the emulation. See the final part of check2 function. You can solve all these checks without any scripts.

We need to find an input which will satisfy all these checks and that input is 3r_and_h3_l0v3s_un1c0rn!.

Once we pass this stage the printflag function is called.


Lets run the program and see what happens.


Finally, the flag is printed out:
inctf{th3_mast3r_is_r00tus3r_and_h3_l0v3s_un1c0rn!}


I hope you had fun while reversing it. Please let me know if you have any doubts.

Happy hacking!