{ "version": "https://jsonfeed.org/version/1", "title": "yype.site", "home_page_url": "https://yype.site/", "feed_url": "https://yype.site/feed.json", "description": "hacking & exploring", "icon": "https://yype.site/apple-touch-icon.png", "favicon": "https://yype.site/favicon.ico", "expired": false, "author": "{"twitter"=>nil, "name"=>nil, "avatar"=>nil, "email"=>nil, "url"=>nil}", "items": [ { "id": "https://yype.site/2020/10/23/n1vault", "title": "N1CTF2020 n1vault, Thoughts & Solutions", "summary": null, "content_text": "IntroI designed the RE challenge n1vault in the recent CTF N1CTF2020. In this post, I will talk about details about this chal and offer some possible solutions.The core part of this challenge is to craft a file’s CRC to an arbitrary value(zero) by modifying some specified bytes (of the same bit size as the CRC value) in the file.As for the binary n1vault, it uses SHA256 to digest all the bytes inside the file(credencial.png) except for the even-numbered bytes in the last 25 bytes(some twists were added to the sha256_update function, paving the way for the backdoor). Once the file’s CRC is faked to 0, a secret logic(backdoor) will be triggered by an exception FPE_INTDIV, since the verification inside the function main has an unnecessary comparison 4764888639493207598 / (crc32_result | crc64_result) == 1, which will trigger an FPE_INTDIV when both crc32_result and crc64_result are zero, and will be evaluated to true when given the original file credential.png. Players’ job is to to craft an input to trigger the backdoor, send the crafted bytes to the judging bot and receive the flag.SolutionThe reverse engineering part of the binary program is quite easy. Some junk codes with fixed patterns are inserted into the main logic, which can be bypassed by a simple pattern searching & replacing. Afterward, the program logic is straightforward, and we only have to solve the math problem left.CRC has a property that the final result can be viewed as the linear combination of the influences of each bit in the message and an initial offset, on $GF(2)$. This can be described as follows:\\[f(x)=f(0) + \\sum_{i=0}^{CRC\\_SIZE-1} x_i \\cdot influence_i,\\]where $f(0)$ is the initial offset, specifically for this challenge, is the CRC of the credential with all the even-numbered bytes in the last 25 bytes set to zero. Given this property, if we have enough $x_i$ to control, we can easily construct a matrix and solve each $x_i$ using gaussian elimination. The trick here is we have to ensure that both $f(x)=CRC32(credential)$ and $g(x)=CRC64(credential)$ are equal to zero. In fact, if we let $h(x)=(f(x) < < 64)+g(x)$ and focus on making $h(x)=0$, it has the same effect as making both $f(x)$ and $g(x)$ zero.I wrote a tool based on this interesting property of CRC, allowing us to arbitrarily craft a file’s CRC by specifying certain bits available for modification. It can output all the available solutions and allows for fewer available bits than the bit size of the CRC result. You can check the tool here: https://github.com/yype/crcolliderUsing this tool we can easily solve the problem using the following Python code:from crcollider import collcrcfrom crc_funcs import crc64, crc32def crc96(m): return (crc32(m) << 64) + crc64(m)def solve_chal(): with open('credential.png', 'rb') as f: org_img = f.read() rg = list(range(len(org_img)*8)) available_bits = [] for i in range(12): # even bytes in the last 25 bytes available_bits += rg[len(rg)-16*i-16:len(rg)-16*i-8] sol_num, sols = collcrc(crc96, 96, org_img, available_bits, 0x0) print(f'{sol_num} solution(s) found') for i, each in enumerate(sols): file_out = f'credential_sol{i}.png' print(f'Outputting sol{i} to {file_out}...') with open(file_out, 'wb') as f: f.write(each)if __name__ == '__main__': solve_chal()There are totally 4 solutions available for this challenge. One of them contains only visible characters, which is n1vaultadmin(intentionally crafted), while others are not. It might be better if I put some constraints to ensure that only one solution is available though.solution> python3 .\\main.py4 solution(s) foundOutputting sol0 to credential_sol0.png...Outputting sol1 to credential_sol1.png...Outputting sol2 to credential_sol2.png...Outputting sol3 to credential_sol3.png...The source code of this challenge and a duplicate of this post are uploaded to GitHub. Check them out at: https://github.com/Nu1LCTF/n1ctf-2020/tree/main/RE/n1vault.", "content_html": "

Intro

I designed the RE challenge n1vault in the recent CTF N1CTF2020. In this post, I will talk about details about this chal and offer some possible solutions.

The core part of this challenge is to craft a file’s CRC to an arbitrary value(zero) by modifying some specified bytes (of the same bit size as the CRC value) in the file.

As for the binary n1vault, it uses SHA256 to digest all the bytes inside the file(credencial.png) except for the even-numbered bytes in the last 25 bytes(some twists were added to the sha256_update function, paving the way for the backdoor). Once the file’s CRC is faked to 0, a secret logic(backdoor) will be triggered by an exception FPE_INTDIV, since the verification inside the function main has an unnecessary comparison 4764888639493207598 / (crc32_result | crc64_result) == 1, which will trigger an FPE_INTDIV when both crc32_result and crc64_result are zero, and will be evaluated to true when given the original file credential.png. Players’ job is to to craft an input to trigger the backdoor, send the crafted bytes to the judging bot and receive the flag.

Solution

The reverse engineering part of the binary program is quite easy. Some junk codes with fixed patterns are inserted into the main logic, which can be bypassed by a simple pattern searching & replacing. Afterward, the program logic is straightforward, and we only have to solve the math problem left.

CRC has a property that the final result can be viewed as the linear combination of the influences of each bit in the message and an initial offset, on $GF(2)$. This can be described as follows:

\\[f(x)=f(0) + \\sum_{i=0}^{CRC\\_SIZE-1} x_i \\cdot influence_i,\\]

where $f(0)$ is the initial offset, specifically for this challenge, is the CRC of the credential with all the even-numbered bytes in the last 25 bytes set to zero. Given this property, if we have enough $x_i$ to control, we can easily construct a matrix and solve each $x_i$ using gaussian elimination. The trick here is we have to ensure that both $f(x)=CRC32(credential)$ and $g(x)=CRC64(credential)$ are equal to zero. In fact, if we let $h(x)=(f(x) < < 64)+g(x)$ and focus on making $h(x)=0$, it has the same effect as making both $f(x)$ and $g(x)$ zero.

I wrote a tool based on this interesting property of CRC, allowing us to arbitrarily craft a file’s CRC by specifying certain bits available for modification. It can output all the available solutions and allows for fewer available bits than the bit size of the CRC result. You can check the tool here:

https://github.com/yype/crcollider

Using this tool we can easily solve the problem using the following Python code:

from crcollider import collcrcfrom crc_funcs import crc64, crc32def crc96(m):    return (crc32(m) << 64) + crc64(m)def solve_chal():    with open('credential.png', 'rb') as f:        org_img = f.read()    rg = list(range(len(org_img)*8))    available_bits = []    for i in range(12):        # even bytes in the last 25 bytes        available_bits += rg[len(rg)-16*i-16:len(rg)-16*i-8]    sol_num, sols = collcrc(crc96, 96, org_img, available_bits, 0x0)        print(f'{sol_num} solution(s) found')    for i, each in enumerate(sols):        file_out = f'credential_sol{i}.png'        print(f'Outputting sol{i} to {file_out}...')        with open(file_out, 'wb') as f:            f.write(each)if __name__ == '__main__':    solve_chal()

There are totally 4 solutions available for this challenge. One of them contains only visible characters, which is n1vaultadmin(intentionally crafted), while others are not. It might be better if I put some constraints to ensure that only one solution is available though.

solution> python3 .\\main.py4 solution(s) foundOutputting sol0 to credential_sol0.png...Outputting sol1 to credential_sol1.png...Outputting sol2 to credential_sol2.png...Outputting sol3 to credential_sol3.png...

The source code of this challenge and a duplicate of this post are uploaded to GitHub. Check them out at: https://github.com/Nu1LCTF/n1ctf-2020/tree/main/RE/n1vault.

", "url": "https://yype.site/2020/10/23/n1vault", "tags": ["CTF","Reverse Engineering","N1CTF2020"], "date_published": "2020-10-23T00:00:00+00:00", "date_modified": "2020-10-23T00:00:00+00:00", "author": "{"twitter"=>nil, "name"=>nil, "avatar"=>nil, "email"=>nil, "url"=>nil}" } , { "id": "https://yype.site/2020/04/20/hypercard-over-windows", "title": "PlaidCTF2020 The Watness 2 Write-up", "summary": null, "content_text": " Intro Environment Challenge SolutionIntroRecently in PlaidCTF2020 there was an RE challenge called The Watness 2. This is a game that requires HyperCard to run. Since I did not have a Macbook computer, I had been struggling figuring out ways to run this game over my Windows 10 laptop. Here is how I finally managed to do that.Environment Install StuffitExpander Open the .rc1 file Follow this video tutorial Download StuffitExpander, add it to the volumes’ list, install it inside the VM Download HyperCard 2.4, install it inside the VM as described above Extract the .rc1 file from the .sit file and open it with a simple double-clickChallenge SolutionExtract the stack’s script code: Extract the stack’s script code on openCard Send colorMe to this card pass openCardend openCardon closeCard global prev_card get the id of this cd put it into prev_card lock screen pass closeCardend closeCardon colorMe AddColor colorCard,stamp,0end colorMeon openStack AddColor install setupMenu go to card \"tun-1-n\" pass openStackend openStackon closeStack AddColor remove pass closeStackend closeStackon genPuzzle send \"doMenu New Button\" to Hypercardend genPuzzleon initCard answer prev_cardend initCardon menuReset setupMenu pass menuResetend menuReseton setupMenu if there is not a menu \"Watness\" then create menu \"Watness\" put \"Generate Puzzle\"&return&\"Init Card\"&return&\"Set up Nav\"&return&\"Create Puzzle\" into menu \"Watness\" with menuMsg genPuzzle,initCard,setupNav,constructPuzzle end ifend setupMenuon setupNav ask \"What is the name of this card\" set name of this cd to it ask \"Where should the left go?\" put it into left_loc send \"doMenu New Button\" to Hypercard set height of the last button to 342 set width of the last button to 100 set topleft of the last button to \"0,0\" set style of the last button to \"transparent\" set name of the last button to \"\" put \"on mouseUp\"&return&\"go to card \"&quote&\"\"&left_loc&quote&return&\"end mouseUp\" into left_script set script of last button to left_script ask \"Where should the right go?\" put it into right_loc send \"doMenu New Button\" to Hypercard set height of the last button to 342 set width of the last button to 100 set topleft of the last button to \"412,0\" set style of the last button to \"transparent\" set name of the last button to \"\" put \"on mouseUp\"&return&\"go to card \"&quote&\"\"&right_loc&quote&return&\"end mouseUp\" into right_script set script of last button to right_script ask \"Where should fwd go?\" put it into fwd_loc send \"doMenu New Button\" to Hypercard set height of the last button to 342 set width of the last button to 311 set the top of the last button to 0 set the left of the last button to 100 set style of the last button to \"transparent\" set name of the last button to \"\" put \"on mouseUp\"&return&\"go to card \"&quote&\"\"&fwd_loc&quote&return&\"end mouseUp\" into fwd_script set script of last button to fwd_script get the script of this card put it into cd_script put cd_script&return into cd_script put cd_script&\"on arrowKey key\"&return into cd_script put cd_script&\" if key = \"&quote&\"left\"&quote&\"then\"&return into cd_script put cd_script&\" go to cd \"&quote&left_loc&quote&return into cd_script put cd_script&\" end if\"&return into cd_script put cd_script&\" if key = \"&quote&\"right\"&quote&\"then\"&return into cd_script put cd_script&\" go to cd \"&quote&right_loc&quote&return into cd_script put cd_script&\" end if\"&return into cd_script put cd_script&\" if key = \"&quote&\"up\"&quote&\"then\"&return into cd_script put cd_script&\" go to cd \"&quote&fwd_loc&quote&return into cd_script put cd_script&\" end if\"&return into cd_script put cd_script&\"end arrowKey\"&return into cd_script set the script of this cd to cd_scriptend setupNavon makeNode global node send \"doMenu New Button\" to Hypercard put the id of the last button into nodeend makeNodeon constructPuzzle global node,constraints ask \"What are the constraints\" put it into constraints get the script of this cd put it into cd_script put cd_script&return into cd_script put cd_script&\"on openCard\"&return into cd_script put cd_script&\" global constraints,path,cursor_x,cursor_y,\" into cd_script put 0 into i repeat for 8 put 0 into j repeat for 8 put cd_script&\"active_\"&i&\"_\"&j&\",\" into cd_script put j+1 into j end repeat put i+1 into i end repeat put cd_script&\"dummy\"&return into cd_script put cd_script&\" colorme\"&return into cd_script put cd_script&\" put -1 into cursor_x\"&return into cd_script put cd_script&\" put 0 into cursor_y\"&return into cd_script put cd_script&\" put \"&quote&quote&\" into path\"&return into cd_script put cd_script&\" put \"&quote&constraints&quote&\" into constraints\"&return into cd_script put 1 into c_i put 0 into i repeat for 7 put 0 into j repeat for 7 get char (j*7+i+1) of constraints put it into letter if letter <> \" \" then makeNode set the width of button id node to 10 set the height of button id node to 10 set the top of button id node to (76 + j * 30) set the left of button id node to (161 + i * 30) set the style of button id node to \"opaque\" set showName of button id node to false if letter = \"r\" then put \"65535,0,0\" into node_color end if if letter = \"g\" then put \"0,65535,0\" into node_color end if if letter = \"b\" then put \"0,0,65535\" into node_color end if if letter <> \" \" then addColor colorButton, cd, node, node_color put cd_script&\" addColor colorButton, cd, \"&node&\", \"&quote&node_color&quote&return into cd_script end if end if​ ​ put j+1 into j end repeat put i+1 into i end repeat put 0 into i repeat for 8 put 0 into j repeat for 8 put cd_script&\" put \"&quote&quote&\" into active_\"&i&\"_\"&j&return into cd_script put j+1 into j end repeat put i+1 into i end repeat makeNode set the width of button id node to 10 set the height of button id node to 15 set the left of button id node to 356 set the top of button id node to 276 set the name of button id node to \"path_extension\" set showName of button id node to false set the style of button id node to opaque addcolor colorButton, cd, node, \"37632,30208,12288\" put \"\" into node_script put node_script&\"on checkYoSelf\"&return into node_script put node_script&\" addcolor colorButton, cd, \"&node&\", \"&quote&\"65535,65535,30000\"&quote&return into node_script put node_script&\"end checkYoSelf\"&return into node_script set the script of button id node to node_script put cd_script&\" addcolor colorButton, cd, \"&node&\", \"&quote&\"37632,30208,12288\"&quote&return into cd_script makeNode set the width of button id node to 10 set the height of button id node to 10 set the left of button id node to 356 set the top of button id node to 286 set the name of button id node to \"finale\" set showName of button id node to false set the style of button id node to oval addcolor colorButton, cd, node, \"37632,30208,12288\" put \"\" into node_script put node_script&\"on mouseUp\"&return into node_script put node_script&\" global cursor_x, cursor_y\"&return into node_script put node_script&\" if (cursor_x = 7) and (cursor_y = 7) then\"&return into node_script put node_script&\" addcolor colorButton, cd, \"&node&\", \"&quote&\"65535,65535,30000\"&quote&return into node_script put node_script&\" send \"&quote&\"checkYoSelf\"&quote&\" to button path_extension\"&return into node_script put node_script&\" send \"&quote&\"checkSolution\"&quote&\" to this cd\"&return into node_script put node_script&\" end if\"&return into node_script put node_script&\"end mouseUp\"&return into node_script set the script of button id node to node_script put cd_script&\" addcolor colorButton, cd, \"&node&\", \"&quote&\"37632,30208,12288\"&quote&return into cd_script put 0 into i repeat for 7 put 0 into j repeat for 8 makeNode set the width of button id node to 30 set the height of button id node to 10 set the top of button id node to (61 + 30 * j) set the left of button id node to (151 + 30 * i) set the style of button id node to opaque set the name of button id node to \"h_path_\"&i&\"_\"&j set showName of button id node to false addcolor colorButton, cd, node, \"37632,30208,12288\" put cd_script&\" addcolor colorButton, cd, \"&node&\", \"&quote&\"37632,30208,12288\"&quote&return into cd_script get the script of button id node put it into node_script put \"active_\"&i&\"_\"&j into f_node put \"active_\"&(i+1)&\"_\"&j into s_node put node_script&return into node_script put node_script&\"on checkYoSelf\"&return into node_script put node_script&\" global \"&f_node&\",\"&s_node&return into node_script put node_script&\" if (\"&f_node&\" = true) and (\"&s_node&\" = true) then\"&return into node_script put node_script&\" addcolor colorButton, cd, \"&node&\", \"&quote&\"65535,65535,30000\"&quote&return into node_script put node_script&\" end if\"&return into node_script put node_script&\"end checkYoSelf\"&return into node_script set the script of button id node to node_script put j+1 into j end repeat put i+1 into i end repeat put 0 into i repeat for 8 put 0 into j repeat for 7 makeNode set the width of button id node to 10 set the height of button id node to 30 set the top of button id node to (66 + 30 * j) set the left of button id node to (146 + 30 * i) set the style of button id node to opaque set the name of button id node to \"v_path_\"&i&\"_\"&j set showName of button id node to false addcolor colorButton, cd, node, \"37632,30208,12288\" put cd_script&\" addcolor colorButton, cd, \"&node&\", \"&quote&\"37632,30208,12288\"&quote&return into cd_script get the script of button id node put it into node_script put \"active_\"&i&\"_\"&j into f_node put \"active_\"&i&\"_\"&(j+1) into s_node put node_script&return into node_script put node_script&\"on checkYoSelf\"&return into node_script put node_script&\" global \"&f_node&\",\"&s_node&return into node_script put node_script&\" if (\"&f_node&\" = true) and (\"&s_node&\" = true) then\"&return into node_script put node_script&\" addcolor colorButton, cd, \"&node&\", \"&quote&\"65535,65535,30000\"&quote&return into node_script put node_script&\" end if\"&return into node_script put node_script&\"end checkYoSelf\"&return into node_script set the script of button id node to node_script put j+1 into j end repeat put i+1 into i end repeat put 0 into i repeat for 8 put 0 into j repeat for 8 makeNode set the width of button id node to 10 set the height of button id node to 10 set the top of button id node to (61 + 30 * j) set the left of button id node to (146 + 30 * i) set the style of button id node to oval set the name of button id node to \"button_\"&i&\"_\"&j set showName of button id node to false addcolor colorButton, cd, node, \"37632,30208,12288\" put \"active_\"&i&\"_\"&j into v_name put \"\" into node_script put node_script&\"on mouseUp\"&return into node_script put node_script&\" global \"&v_name&\",cursor_x,cursor_y\"&return into node_script put node_script&\" put cursor_x into prev_x\"&return into node_script put node_script&\" put cursor_y into prev_y\"&return into node_script put node_script&\" put abs(cursor_x-\"&i&\") into dx\"&return into node_script put node_script&\" put abs(cursor_y-\"&j&\") into dy\"&return into node_script put node_script&\" if (\"&v_name&\" = \"&quote&quote&\") and ((dx = 1 and dy = 0) or (dx = 0 and dy = 1)) then\"&return into node_script put node_script&\" put true into \"&v_name&return into node_script put node_script&\" send \"&quote&\"updateState \"&i&\",\"&j&quote&\" to this cd\"&return into node_script put node_script&\" addcolor colorButton, cd, \"&node&\", \"&quote&\"65535,65535,30000\"&quote&return into node_script put node_script&\" end if\"&return into node_script put node_script&\"end mouseUp\"&return into node_script set the script of button id node to node_script put cd_script&\" addcolor colorButton, cd, \"&node&\", \"&quote&\"37632,30208,12288\"&quote&return into cd_script put j+1 into j end repeat put i+1 into i end repeat set the width of button button_0_0 to 30 set the height of button button_0_0 to 30 set the top of button button_0_0 to 51 set the left of button button_0_0 to 136 get the id of button button_0_0 addColor colorButton, cd, it, \"37632,30208,12288\" put cd_script&\"end openCard\"&return into cd_script set the script of this cd to cd_scriptend constructPuzzleon checkSolution global puzzle_id,path,constraints,flag_1,flag_2,flag_3 watnesssolver constraints,path put the result into success if success = \"true\" then if puzzle_id = 1 then decoder path,\"clrtffxpry\" put the result into flag_1 end if if puzzle_id = 2 then decoder path,\"nyghq7xksg\" put the result into flag_2 end if if puzzle_id = 3 then decoder path,\"ppyyvn}1{7\" put the result into flag_3 end if else send opencard to this cd end ifend checkSolutionon updateState i,j global path,cursor_x,cursor_y if (i <> 0) or (j <> 0) then if (cursor_y = j+1) and (cursor_x = i) then put path&\"U\" into path end if if (cursor_y = j) and (cursor_x = i - 1) then put path&\"R\" into path end if if (cursor_y = j-1) and (cursor_x = i) then put path&\"D\" into path end if if (cursor_y = j) and (cursor_x = i + 1) then put path&\"L\" into path end if end if if cursor_x >= 0 and cursor_y >= 0 then put \"h_path_\"&min(cursor_x, i)&\"_\"&min(cursor_y, j) into h_path put \"v_path_\"&min(cursor_x, i)&\"_\"&min(cursor_y, j) into v_path if i = cursor_x then send checkYoSelf to button v_path end if if j = cursor_y then send checkYoSelf to button h_path end if end if put i into cursor_x put j into cursor_yend updateState The card’s script code can also be extracted (puzzle 1): on openCard global puzzle_id,constraints,path,cursor_x,cursor_y,active_0_0,active_0_1,active_0_2,active_0_3,active_0_4,active_0_5,active_0_6,active_0_7,active_1_0,active_1_1,active_1_2,active_1_3,active_1_4,active_1_5,active_1_6,active_1_7,active_2_0,active_2_1,active_2_2,active_2_3,active_2_4,active_2_5,active_2_6,active_2_7,active_3_0,active_3_1,active_3_2,active_3_3,active_3_4,active_3_5,active_3_6,active_3_7,active_4_0,active_4_1,active_4_2,active_4_3,active_4_4,active_4_5,active_4_6,active_4_7,active_5_0,active_5_1,active_5_2,active_5_3,active_5_4,active_5_5,active_5_6,active_5_7,active_6_0,active_6_1,active_6_2,active_6_3,active_6_4,active_6_5,active_6_6,active_6_7,active_7_0,active_7_1,active_7_2,active_7_3,active_7_4,active_7_5,active_7_6,active_7_7,dummy colorme put 1 into puzzle_id put -1 into cursor_x put 0 into cursor_y put \"\" into path put \"rbrr rgb rb r brgrbrgb grrgbbg grg bgrg bbgrbg\" into constraints addColor colorButton, cd, 1, \"65535,0,0\" ...end openCardon arrowKey key if key = \"left\"then go to cd \"entry-3-n\" end if if key = \"right\"then go to cd \"entry-3-n\" end if if key = \"up\"then go to cd \"\" end ifend arrowKey Now we get the constraint string of this puzzle \"rbrr rgb rb r brgrbrgb grrgbbg grg bgrg bbgrbg\", these constraints, along with the path that goes to the lower right corner, are passed into one thing called XCMD which checks the path’s correctness natively (it contains binary instructions that directly run over the 68k CPU). There are 2 XCMD binaries which can be extracted by this tool, which seem can only run under MacOS. So I’m using the extracted binary from this great post for now instead.What’s more, I found that I can set breakpoints in the script and debug the game, I could even watch the variables on the fly:   DebuggingAs for the XCMD part, it’s basically just a few hours’ reverse engineering work. Since there are currently no reliable decompilers for the 68k architecture, I have to read the assembly. It wasn’t too hard, but I did spend several hours learning the basic concepts of 68k’s instruction set.After the reverse engineering work, the watnesssolver’s checking methods can be rewritten in Python as:def build_automaton(constraints: str): trans = str.maketrans(' rgb', '0123') return [int(c) for c in constraints.translate(trans)]def choose_empty(r, g, b): if g == 0 and b == 0: return 0 if b < g: return 2 else: return 3def choose_red(r, g, b): if r != 2 and r != 3: return 0 if b == 0 or g == 0: return 0 return 1def choose_green(r, g, b): if r <= 4: if b <= 4: if r == 2 or r == 3: return 1 else: return 2 else: return 3 else: return 0def choose_blue(r, g, b): if r <= 4: if g <= 4: if r == 2 or r == 3: return 1 else: return 3 else: return 2 else: return 0def is_red(constraints, x, y): if not (x >= 0 and x < 7 and y >= 0 and y < 7): return False return constraints[x+y*7] == 1def get_neighbors(constraints, x, y, color): sum = 0 for bias_y in range(-1, 2): for bias_x in range(-1, 2): if (bias_x != 0 or bias_y != 0) and (y + bias_y >= 0 and y + bias_y < 7) and \\ (x + bias_x >= 0 and x + bias_x < 7) and constraints[(x+bias_x)+(y+bias_y)*7] == color: sum += 1 return sumdef step_automaton(constraints): new_constraints = constraints[:] for y in range(7): for x in range(7): r, g, b = \\ get_neighbors(constraints, x, y, 1), \\ get_neighbors(constraints, x, y, 2), \\ get_neighbors(constraints, x, y, 3) if constraints[x+y*7] == 0: new_constraints[x+y*7] = choose_empty(r, g, b) elif constraints[x+y*7] == 1: new_constraints[x+y*7] = choose_red(r, g, b) elif constraints[x+y*7] == 2: new_constraints[x+y*7] = choose_green(r, g, b) elif constraints[x+y*7] == 3: new_constraints[x+y*7] = choose_blue(r, g, b) return new_constraintsdef perform_move(constraints, mem, x, y, d): bias_x, bias_y = 0, 0 if d == 'U': bias_x, bias_y = 0, -1 elif d == 'D': bias_x, bias_y = 0, 1 elif d == 'L': bias_x, bias_y = -1, 0 elif d == 'R': bias_x, bias_y = 1, 0 if not (x+bias_x >= 0 and x+bias_x < 8 and y+bias_y >= 0 and y+bias_y < 8): return False, x, y min_x = min(x, x+bias_x) min_y = min(y, y+bias_y) if bias_y == 0: if not (is_red(constraints, min_x, y) or is_red(constraints, min_x, y-1)): return False, x, y else: if not (is_red(constraints, x, min_y) or is_red(constraints, x-1, min_y)): return False, x, y if mem[x+bias_x][y+bias_y] == 1: return False, x, y mem[x+bias_x][y+bias_y] = 1 return True, x+bias_x, y+bias_ydef solver(path, constraints): x = y = 0 constraints = build_automaton(constraints) mem = [[0 for i in range(8)] for j in range(8)] # been to or not mem[0][0] = 1 for each in path: yes, new_x, new_y = perform_move(constraints, mem, x, y, each) if yes: if new_x == 7 and new_y == 7: # print(f'Path `{path}` is great ' + '!' * 20) return True, True x, y = new_x, new_y constraints = step_automaton(constraints) else: #print(f'Path `{path}` is bad') return False, False return True, FalseLooking around in the game, we’ll know that there are 3 puzzles we need to solve. So we can simply run 3 DFS searches on these contraints and three unique solutions will be printed out.def dfs(depth, path, constraints): if depth > 24: # figured out after multiple tests return mov, end = solver(path, constraints) if end == True: print(f'Path {path} is ok') if mov == False: return for d in 'LRUD': n_path = path + d dfs(depth+1, n_path, constraints)if __name__ == '__main__': constraints_stage1 = 'rbrr rgb rb r brgrbrgb grrgbbg grg bgrg bbgrbg' constraints_stage2 = 'rbr bbggrgrggb bggbb b b bbrbbgg gbrrbgrbbb g' constraints_stage3 = 'rrbrb rg g bgrbgggr ggrgr gr rg brr b bggrbgbb' print('Stage1 solution:') dfs(0, '', constraints_stage1) print('Stage2 solution:') dfs(0, '', constraints_stage2) print('Stage3 solution:') dfs(0, '', constraints_stage3)Output:Stage1 solution:Path RDDDRURRRDLLDLDRRURRDDDR is okStage2 solution:Path RDDRURDDDRURULURRDDDDDRD is okStage3 solution:Path DRDDDDRUURRRULURRDDDDDDR is okInput these solutions to each puzzle, after that, we could go to the lock-like thing on the white gate to reveal the flag:   flag", "content_html": "

Intro

Recently in PlaidCTF2020 there was an RE challenge called The Watness 2. This is a game that requires HyperCard to run. Since I did not have a Macbook computer, I had been struggling figuring out ways to run this game over my Windows 10 laptop. Here is how I finally managed to do that.

Environment

\"Install Install StuffitExpander

\"Open Open the .rc1 file

Challenge Solution

Extract the stack’s script code:

\"Extract Extract the stack’s script code

on openCard  Send colorMe to this card  pass openCardend openCardon closeCard  global prev_card  get the id of this cd  put it into prev_card  lock screen  pass closeCardend closeCardon colorMe  AddColor colorCard,stamp,0end colorMeon openStack  AddColor install  setupMenu  go to card \"tun-1-n\"  pass openStackend openStackon closeStack  AddColor remove  pass closeStackend closeStackon genPuzzle  send \"doMenu New Button\" to Hypercardend genPuzzleon initCard  answer prev_cardend initCardon menuReset  setupMenu  pass menuResetend menuReseton setupMenu  if there is not a menu \"Watness\" then    create menu \"Watness\"    put \"Generate Puzzle\"&return&\"Init Card\"&return&\"Set up Nav\"&return&\"Create Puzzle\" into menu \"Watness\" with menuMsg genPuzzle,initCard,setupNav,constructPuzzle  end ifend setupMenuon setupNav  ask \"What is the name of this card\"  set name of this cd to it  ask \"Where should the left go?\"  put it into left_loc  send \"doMenu New Button\" to Hypercard  set height of the last button to 342  set width of the last button to 100  set topleft of the last button to \"0,0\"  set style of the last button to \"transparent\"  set name of the last button to \"\"  put \"on mouseUp\"&return&\"go to card \"&quote&\"\"&left_loc&quote&return&\"end mouseUp\" into left_script  set script of last button to left_script  ask \"Where should the right go?\"  put it into right_loc  send \"doMenu New Button\" to Hypercard  set height of the last button to 342  set width of the last button to 100  set topleft of the last button to \"412,0\"  set style of the last button to \"transparent\"  set name of the last button to \"\"  put \"on mouseUp\"&return&\"go to card \"&quote&\"\"&right_loc&quote&return&\"end mouseUp\" into right_script  set script of last button to right_script  ask \"Where should fwd go?\"  put it into fwd_loc  send \"doMenu New Button\" to Hypercard  set height of the last button to 342  set width of the last button to 311  set the top of the last button to 0  set the left of the last button to 100  set style of the last button to \"transparent\"  set name of the last button to \"\"  put \"on mouseUp\"&return&\"go to card \"&quote&\"\"&fwd_loc&quote&return&\"end mouseUp\" into fwd_script  set script of last button to fwd_script  get the script of this card  put it into cd_script  put cd_script&return into cd_script  put cd_script&\"on arrowKey key\"&return into cd_script  put cd_script&\" if key = \"&quote&\"left\"&quote&\"then\"&return into cd_script  put cd_script&\"  go to cd \"&quote&left_loc&quote&return into cd_script  put cd_script&\" end if\"&return into cd_script  put cd_script&\" if key = \"&quote&\"right\"&quote&\"then\"&return into cd_script  put cd_script&\"  go to cd \"&quote&right_loc&quote&return into cd_script  put cd_script&\" end if\"&return into cd_script  put cd_script&\" if key = \"&quote&\"up\"&quote&\"then\"&return into cd_script  put cd_script&\"  go to cd \"&quote&fwd_loc&quote&return into cd_script  put cd_script&\" end if\"&return into cd_script  put cd_script&\"end arrowKey\"&return into cd_script  set the script of this cd to cd_scriptend setupNavon makeNode  global node  send \"doMenu New Button\" to Hypercard  put the id of the last button into nodeend makeNodeon constructPuzzle  global node,constraints  ask \"What are the constraints\"  put it into constraints  get the script of this cd  put it into cd_script  put cd_script&return into cd_script  put cd_script&\"on openCard\"&return into cd_script  put cd_script&\"  global constraints,path,cursor_x,cursor_y,\" into cd_script  put 0 into i  repeat for 8        put 0 into j    repeat for 8      put cd_script&\"active_\"&i&\"_\"&j&\",\" into cd_script            put j+1 into j    end repeat        put i+1 into i  end repeat  put cd_script&\"dummy\"&return into cd_script  put cd_script&\"  colorme\"&return into cd_script  put cd_script&\"  put -1 into cursor_x\"&return into cd_script  put cd_script&\"  put 0 into cursor_y\"&return into cd_script  put cd_script&\"  put \"&quote&quote&\" into path\"&return into cd_script  put cd_script&\"  put \"&quote&constraints&quote&\" into constraints\"&return into cd_script  put 1 into c_i  put 0 into i  repeat for 7        put 0 into j    repeat for 7      get char (j*7+i+1) of constraints      put it into letter            if letter <> \" \" then        makeNode                set the width of button id node to 10        set the height of button id node to 10                set the top of button id node to (76 + j * 30)        set the left of button id node to (161 + i * 30)                set the style of button id node to \"opaque\"        set showName of button id node to false                if letter = \"r\" then          put \"65535,0,0\" into node_color        end if        if letter = \"g\" then          put \"0,65535,0\" into node_color        end if        if letter = \"b\" then          put \"0,0,65535\" into node_color        end if                if letter <> \" \" then          addColor colorButton, cd, node, node_color                    put cd_script&\"  addColor colorButton, cd, \"&node&\", \"&quote&node_color&quote&return into cd_script        end if      end if​      ​            put j+1 into j    end repeat        put i+1 into i  end repeat    put 0 into i  repeat for 8        put 0 into j    repeat for 8      put cd_script&\"  put \"&quote&quote&\" into active_\"&i&\"_\"&j&return into cd_script            put j+1 into j    end repeat        put i+1 into i  end repeat  makeNode  set the width of button id node to 10  set the height of button id node to 15  set the left of button id node to 356  set the top of button id node to 276  set the name of button id node to \"path_extension\"  set showName of button id node to false  set the style of button id node to opaque  addcolor colorButton, cd, node, \"37632,30208,12288\"  put \"\" into node_script  put node_script&\"on checkYoSelf\"&return into node_script  put node_script&\"  addcolor colorButton, cd, \"&node&\", \"&quote&\"65535,65535,30000\"&quote&return into node_script  put node_script&\"end checkYoSelf\"&return into node_script  set the script of button id node to node_script  put cd_script&\"  addcolor colorButton, cd, \"&node&\", \"&quote&\"37632,30208,12288\"&quote&return into cd_script  makeNode  set the width of button id node to 10  set the height of button id node to 10  set the left of button id node to 356  set the top of button id node to 286  set the name of button id node to \"finale\"  set showName of button id node to false  set the style of button id node to oval  addcolor colorButton, cd, node, \"37632,30208,12288\"  put \"\" into node_script  put node_script&\"on mouseUp\"&return into node_script  put node_script&\"  global cursor_x, cursor_y\"&return into node_script  put node_script&\"  if (cursor_x = 7) and (cursor_y = 7) then\"&return into node_script  put node_script&\"    addcolor colorButton, cd, \"&node&\", \"&quote&\"65535,65535,30000\"&quote&return into node_script  put node_script&\"    send \"&quote&\"checkYoSelf\"&quote&\" to button path_extension\"&return into node_script  put node_script&\"    send \"&quote&\"checkSolution\"&quote&\" to this cd\"&return into node_script  put node_script&\"  end if\"&return into node_script  put node_script&\"end mouseUp\"&return into node_script  set the script of button id node to node_script  put cd_script&\"  addcolor colorButton, cd, \"&node&\", \"&quote&\"37632,30208,12288\"&quote&return into cd_script  put 0 into i  repeat for 7        put 0 into j    repeat for 8      makeNode            set the width of button id node to 30      set the height of button id node to 10            set the top of button id node to (61 + 30 * j)      set the left of button id node to (151 + 30 * i)            set the style of button id node to opaque      set the name of button id node to \"h_path_\"&i&\"_\"&j            set showName of button id node to false            addcolor colorButton, cd, node, \"37632,30208,12288\"            put cd_script&\"  addcolor colorButton, cd, \"&node&\", \"&quote&\"37632,30208,12288\"&quote&return into cd_script            get the script of button id node      put it into node_script            put \"active_\"&i&\"_\"&j into f_node      put \"active_\"&(i+1)&\"_\"&j into s_node            put node_script&return into node_script      put node_script&\"on checkYoSelf\"&return into node_script      put node_script&\"  global \"&f_node&\",\"&s_node&return into node_script      put node_script&\"  if (\"&f_node&\" = true) and (\"&s_node&\" = true) then\"&return into node_script      put node_script&\"    addcolor colorButton, cd, \"&node&\", \"&quote&\"65535,65535,30000\"&quote&return into node_script      put node_script&\"  end if\"&return into node_script      put node_script&\"end checkYoSelf\"&return into node_script            set the script of button id node to node_script            put j+1 into j    end repeat        put i+1 into i  end repeat  put 0 into i  repeat for 8        put 0 into j    repeat for 7      makeNode            set the width of button id node to 10      set the height of button id node to 30            set the top of button id node to (66 + 30 * j)      set the left of button id node to (146 + 30 * i)            set the style of button id node to opaque      set the name of button id node to \"v_path_\"&i&\"_\"&j            set showName of button id node to false            addcolor colorButton, cd, node, \"37632,30208,12288\"            put cd_script&\"  addcolor colorButton, cd, \"&node&\", \"&quote&\"37632,30208,12288\"&quote&return into cd_script            get the script of button id node      put it into node_script            put \"active_\"&i&\"_\"&j into f_node      put \"active_\"&i&\"_\"&(j+1) into s_node            put node_script&return into node_script      put node_script&\"on checkYoSelf\"&return into node_script      put node_script&\"  global \"&f_node&\",\"&s_node&return into node_script      put node_script&\"  if (\"&f_node&\" = true) and (\"&s_node&\" = true) then\"&return into node_script      put node_script&\"    addcolor colorButton, cd, \"&node&\", \"&quote&\"65535,65535,30000\"&quote&return into node_script      put node_script&\"  end if\"&return into node_script      put node_script&\"end checkYoSelf\"&return into node_script            set the script of button id node to node_script            put j+1 into j    end repeat        put i+1 into i  end repeat  put 0 into i  repeat for 8        put 0 into j    repeat for 8      makeNode            set the width of button id node to 10      set the height of button id node to 10            set the top of button id node to (61 + 30 * j)      set the left of button id node to (146 + 30 * i)            set the style of button id node to oval      set the name of button id node to \"button_\"&i&\"_\"&j            set showName of button id node to false            addcolor colorButton, cd, node, \"37632,30208,12288\"            put \"active_\"&i&\"_\"&j into v_name            put \"\" into node_script      put node_script&\"on mouseUp\"&return into node_script      put node_script&\"  global \"&v_name&\",cursor_x,cursor_y\"&return into node_script      put node_script&\"  put cursor_x into prev_x\"&return into node_script      put node_script&\"  put cursor_y into prev_y\"&return into node_script      put node_script&\"  put abs(cursor_x-\"&i&\") into dx\"&return into node_script      put node_script&\"  put abs(cursor_y-\"&j&\") into dy\"&return into node_script      put node_script&\"  if (\"&v_name&\" = \"&quote&quote&\") and ((dx = 1 and dy = 0) or (dx = 0 and dy = 1)) then\"&return into node_script      put node_script&\"    put true into \"&v_name&return into node_script      put node_script&\"    send \"&quote&\"updateState \"&i&\",\"&j&quote&\" to this cd\"&return into node_script      put node_script&\"    addcolor colorButton, cd, \"&node&\", \"&quote&\"65535,65535,30000\"&quote&return into node_script      put node_script&\"  end if\"&return into node_script      put node_script&\"end mouseUp\"&return into node_script            set the script of button id node to node_script            put cd_script&\"  addcolor colorButton, cd, \"&node&\", \"&quote&\"37632,30208,12288\"&quote&return into cd_script            put j+1 into j    end repeat        put i+1 into i  end repeat  set the width of button button_0_0 to 30  set the height of button button_0_0 to 30  set the top of button button_0_0 to 51  set the left of button button_0_0 to 136  get the id of button button_0_0  addColor colorButton, cd, it, \"37632,30208,12288\"  put cd_script&\"end openCard\"&return into cd_script  set the script of this cd to cd_scriptend constructPuzzleon checkSolution  global puzzle_id,path,constraints,flag_1,flag_2,flag_3  watnesssolver constraints,path  put the result into success  if success = \"true\" then    if puzzle_id = 1 then      decoder path,\"clrtffxpry\"      put the result into flag_1    end if    if puzzle_id = 2 then      decoder path,\"nyghq7xksg\"      put the result into flag_2    end if    if puzzle_id = 3 then      decoder path,\"ppyyvn}1{7\"      put the result into flag_3    end if  else    send opencard to this cd  end ifend checkSolutionon updateState i,j  global path,cursor_x,cursor_y  if (i <> 0) or (j <> 0) then    if (cursor_y = j+1) and (cursor_x = i) then      put path&\"U\" into path    end if    if (cursor_y = j) and (cursor_x = i - 1) then      put path&\"R\" into path    end if    if (cursor_y = j-1) and (cursor_x = i) then      put path&\"D\" into path    end if    if (cursor_y = j) and (cursor_x = i + 1) then      put path&\"L\" into path    end if  end if  if cursor_x >= 0 and cursor_y >= 0 then    put \"h_path_\"&min(cursor_x, i)&\"_\"&min(cursor_y, j) into h_path    put \"v_path_\"&min(cursor_x, i)&\"_\"&min(cursor_y, j) into v_path        if i = cursor_x then      send checkYoSelf to button v_path    end if        if j = cursor_y then      send checkYoSelf to button h_path    end if  end if  put i into cursor_x  put j into cursor_yend updateState

The card’s script code can also be extracted (puzzle 1):

on openCard  global puzzle_id,constraints,path,cursor_x,cursor_y,active_0_0,active_0_1,active_0_2,active_0_3,active_0_4,active_0_5,active_0_6,active_0_7,active_1_0,active_1_1,active_1_2,active_1_3,active_1_4,active_1_5,active_1_6,active_1_7,active_2_0,active_2_1,active_2_2,active_2_3,active_2_4,active_2_5,active_2_6,active_2_7,active_3_0,active_3_1,active_3_2,active_3_3,active_3_4,active_3_5,active_3_6,active_3_7,active_4_0,active_4_1,active_4_2,active_4_3,active_4_4,active_4_5,active_4_6,active_4_7,active_5_0,active_5_1,active_5_2,active_5_3,active_5_4,active_5_5,active_5_6,active_5_7,active_6_0,active_6_1,active_6_2,active_6_3,active_6_4,active_6_5,active_6_6,active_6_7,active_7_0,active_7_1,active_7_2,active_7_3,active_7_4,active_7_5,active_7_6,active_7_7,dummy  colorme  put 1 into puzzle_id  put -1 into cursor_x  put 0 into cursor_y  put \"\" into path  put \"rbrr rgb rb  r brgrbrgb  grrgbbg grg bgrg  bbgrbg\" into constraints  addColor colorButton, cd, 1, \"65535,0,0\"  ...end openCardon arrowKey key  if key = \"left\"then    go to cd \"entry-3-n\"  end if  if key = \"right\"then    go to cd \"entry-3-n\"  end if  if key = \"up\"then    go to cd \"\"  end ifend arrowKey

Now we get the constraint string of this puzzle \"rbrr rgb rb r brgrbrgb grrgbbg grg bgrg bbgrbg\", these constraints, along with the path that goes to the lower right corner, are passed into one thing called XCMD which checks the path’s correctness natively (it contains binary instructions that directly run over the 68k CPU). There are 2 XCMD binaries which can be extracted by this tool, which seem can only run under MacOS. So I’m using the extracted binary from this great post for now instead.

What’s more, I found that I can set breakpoints in the script and debug the game, I could even watch the variables on the fly:

 

\"Debugging\" Debugging

As for the XCMD part, it’s basically just a few hours’ reverse engineering work. Since there are currently no reliable decompilers for the 68k architecture, I have to read the assembly. It wasn’t too hard, but I did spend several hours learning the basic concepts of 68k’s instruction set.

After the reverse engineering work, the watnesssolver’s checking methods can be rewritten in Python as:

def build_automaton(constraints: str):    trans = str.maketrans(' rgb', '0123')    return [int(c) for c in constraints.translate(trans)]def choose_empty(r, g, b):    if g == 0 and b == 0:        return 0    if b < g:        return 2    else:        return 3def choose_red(r, g, b):    if r != 2 and r != 3:        return 0    if b == 0 or g == 0:        return 0    return 1def choose_green(r, g, b):    if r <= 4:        if b <= 4:            if r == 2 or r == 3:                return 1            else:                return 2        else:            return 3    else:        return 0def choose_blue(r, g, b):    if r <= 4:        if g <= 4:            if r == 2 or r == 3:                return 1            else:                return 3        else:            return 2    else:        return 0def is_red(constraints, x, y):    if not (x >= 0 and x < 7 and y >= 0 and y < 7):        return False    return constraints[x+y*7] == 1def get_neighbors(constraints, x, y, color):    sum = 0    for bias_y in range(-1, 2):        for bias_x in range(-1, 2):            if (bias_x != 0 or bias_y != 0) and (y + bias_y >= 0 and y + bias_y < 7) and \\                    (x + bias_x >= 0 and x + bias_x < 7) and constraints[(x+bias_x)+(y+bias_y)*7] == color:                sum += 1    return sumdef step_automaton(constraints):    new_constraints = constraints[:]    for y in range(7):        for x in range(7):            r, g, b = \\                get_neighbors(constraints, x, y, 1), \\                get_neighbors(constraints, x, y, 2), \\                get_neighbors(constraints, x, y, 3)            if constraints[x+y*7] == 0:                new_constraints[x+y*7] = choose_empty(r, g, b)            elif constraints[x+y*7] == 1:                new_constraints[x+y*7] = choose_red(r, g, b)            elif constraints[x+y*7] == 2:                new_constraints[x+y*7] = choose_green(r, g, b)            elif constraints[x+y*7] == 3:                new_constraints[x+y*7] = choose_blue(r, g, b)    return new_constraintsdef perform_move(constraints, mem, x, y, d):    bias_x, bias_y = 0, 0    if d == 'U':        bias_x, bias_y = 0, -1    elif d == 'D':        bias_x, bias_y = 0, 1    elif d == 'L':        bias_x, bias_y = -1, 0    elif d == 'R':        bias_x, bias_y = 1, 0    if not (x+bias_x >= 0 and x+bias_x < 8 and y+bias_y >= 0 and y+bias_y < 8):        return False, x, y        min_x = min(x, x+bias_x)    min_y = min(y, y+bias_y)        if bias_y == 0:        if not (is_red(constraints, min_x, y) or is_red(constraints, min_x, y-1)):            return False, x, y    else:        if not (is_red(constraints, x, min_y) or is_red(constraints, x-1, min_y)):            return False, x, y        if mem[x+bias_x][y+bias_y] == 1:        return False, x, y        mem[x+bias_x][y+bias_y] = 1        return True, x+bias_x, y+bias_ydef solver(path, constraints):    x = y = 0    constraints = build_automaton(constraints)    mem = [[0 for i in range(8)] for j in range(8)]  # been to or not    mem[0][0] = 1    for each in path:        yes, new_x, new_y = perform_move(constraints, mem, x, y, each)        if yes:            if new_x == 7 and new_y == 7:                # print(f'Path `{path}` is great ' + '!' * 20)                return True, True            x, y = new_x, new_y            constraints = step_automaton(constraints)        else:            #print(f'Path `{path}` is bad')            return False, False    return True, False

Looking around in the game, we’ll know that there are 3 puzzles we need to solve. So we can simply run 3 DFS searches on these contraints and three unique solutions will be printed out.

def dfs(depth, path, constraints):    if depth > 24: # figured out after multiple tests        return    mov, end = solver(path, constraints)    if end == True:        print(f'Path {path} is ok')    if mov == False:        return    for d in 'LRUD':        n_path = path + d        dfs(depth+1, n_path, constraints)if __name__ == '__main__':    constraints_stage1 = 'rbrr rgb rb  r brgrbrgb  grrgbbg grg bgrg  bbgrbg'    constraints_stage2 = 'rbr  bbggrgrggb   bggbb b  b bbrbbgg gbrrbgrbbb g'    constraints_stage3 = 'rrbrb rg g  bgrbgggr ggrgr gr rg brr  b  bggrbgbb'    print('Stage1 solution:')    dfs(0, '', constraints_stage1)    print('Stage2 solution:')    dfs(0, '', constraints_stage2)    print('Stage3 solution:')    dfs(0, '', constraints_stage3)

Output:

Stage1 solution:Path RDDDRURRRDLLDLDRRURRDDDR is okStage2 solution:Path RDDRURDDDRURULURRDDDDDRD is okStage3 solution:Path DRDDDDRUURRRULURRDDDDDDR is ok

Input these solutions to each puzzle, after that, we could go to the lock-like thing on the white gate to reveal the flag:

 

\"flag\" flag

", "url": "https://yype.site/2020/04/20/hypercard-over-windows", "tags": ["Write-up","Reverse Engineering","Hypercard","CTF","PlaidCTF2020"], "date_published": "2020-04-20T00:00:00+00:00", "date_modified": "2020-04-20T00:00:00+00:00", "author": "{"twitter"=>nil, "name"=>nil, "avatar"=>nil, "email"=>nil, "url"=>nil}" } , { "id": "https://yype.site/2020/02/20/ancient-game-v2", "title": "D^3CTF2019 Ancient Game V2, Thoughts & Solutions", "summary": null, "content_text": "IntroI designed the RE challenge Ancient Game V2 in D^3CTF2019. This post talks about some designs behind this challenge along with its solution.ChallengeThe challenge uses a virtual architecture similar to OISC to implement a classic Sudoku verification algorithm. There are four types of instructions: input, output, jcc, and NAND. As a whole, they can be seen as a NAND OISC with two I/O interrupts.All logical operations such as XOR, AND, and OR are implemented through combinations of NAND gates. For example:xor x,y =>xor_tmp[0] = y NAND yxor_tmp[1] = x NAND xor_tmp[0]xor_tmp[2] = x NAND xxor_tmp[3] = y NAND xor_tmp[2]x = xor_tmp[1] NAND xor_tmp[3]This is based on the fact that:Q = A XOR B = [ B NAND ( A NAND A ) ] NAND [ A NAND ( B NAND B ) ]The following is an excerpt of the Sudoku verification algorithm written in a custom DSL:welcome = mkstr(\"**************************\\n** Welcome To D^3CTF **\\n** Ancient Game V2 **\\n**************************\\n\\nInput Flag:\")wrong = mkstr(\"\\nSorry, please try again.\\n\")correct = mkstr(\"\\nCorrect.\\n\")flag = new(50)// distract = new(1000)grid = new(81)// initialize the puzzleset(grid[0],9)set(grid[5],8)set(grid[9],1)set(grid[10],3)set(grid[14],9)set(grid[16],7)...set(grid[71],6)set(grid[75],9)set(grid[80],1)__code_start__// print the welcome messageprint(welcome)// get inputinput(flag[0])input(flag[1])input(flag[2])input(flag[3])input(flag[4])input(flag[5])...input(flag[46])input(flag[47])input(flag[48])input(flag[49])// transfer chars in the flag into the gridslong_transfer(flag[0],grid[1])long_transfer(flag[1],grid[2])...long_transfer(flag[47],grid[77])long_transfer(flag[48],grid[78])long_transfer(flag[49],grid[79])// xor with xor_table, which is introduced // for generating different flags to different teamsgrid[1] = grid[1] ^ xor_table[0]grid[2] = grid[2] ^ xor_table[1]grid[3] = grid[3] ^ xor_table[2]grid[4] = grid[4] ^ xor_table[3]grid[6] = grid[6] ^ xor_table[4]grid[7] = grid[7] ^ xor_table[5]...grid[77] = grid[77] ^ xor_table[47]grid[78] = grid[78] ^ xor_table[48]grid[79] = grid[79] ^ xor_table[49]// verify the sudoku game// rowsjmp _label_wrong if grid[4] == grid[5]jmp _label_wrong if grid[4] == grid[6]jmp _label_wrong if grid[4] == grid[7]...jmp _label_wrong if grid[3] == grid[7]jmp _label_wrong if grid[3] == grid[8]// columnsjmp _label_wrong if grid[0] == grid[9]jmp _label_wrong if grid[0] == grid[18]jmp _label_wrong if grid[0] == grid[27]...jmp _label_wrong if grid[62] == grid[80]jmp _label_wrong if grid[71] == grid[80]// subgridsjmp _label_wrong if grid[0] == grid[1]jmp _label_wrong if grid[0] == grid[2]jmp _label_wrong if grid[0] == grid[9]jmp _label_wrong if grid[0] == grid[10]...jmp _label_wrong if grid[78] == grid[79]jmp _label_wrong if grid[78] == grid[80]jmp _label_wrong if grid[79] == grid[80]// check rangejmp _label_wrong if outofnumbers(grid[1])jmp _label_wrong if outofnumbers(grid[2])jmp _label_wrong if outofnumbers(grid[3])jmp _label_wrong if outofnumbers(grid[4])...jmp _label_wrong if outofnumbers(grid[76])jmp _label_wrong if outofnumbers(grid[77])jmp _label_wrong if outofnumbers(grid[78])jmp _label_wrong if outofnumbers(grid[79])_label_correct:print(correct)return_label_wrong:print(wrong)returnI wrote a compiler for this DSL, which was then used to compile the algorithm into an OISC program executable by the OISC VM. The OISC program is then packed together with the OISC VM as a standalone binary, which is delievered to the players.Multiple Solutions - Behind the ScenesDuring the competition, I was surprised to notice that multiple solutions exist. A quick debugging revealed the cause: the implementation of outofnumbers (var) in the compiler was incorrectly written in a way similar to return var not in range [0...9]. Since the Sudoku map is supposed to only contain 1 ~ 9, the correct implementation should be return var not in range [1...9]. Under such a scenario, multiple solutions exist because we allow the grids to be filled with 0.Sudoku Map Sudoku MapSolutionTo solve this challenge, there is no need to simplify all the logical operations. Since there is no complicated loop in the actual control flow, we can locate the conditions preventing the control flow from jumping to the part which outputs “Sorry” through simple control flow tracing and (manual/automated) symbolic analysis. Along the way, we extract the constraints for the non-Sorry branches. Finally, we can use an SMT solver to solve the constraints. (That’s how ThinerDAS solved this challenge.)Flag: d3ctf{g5lk9t28zz47y3l6m2kosbajd2vk9e2dwghxgfktcki} Referenceable solution script: sol.py by ByaiduThe source code of this challenge (except for the compiler) and a duplicate of this post are uploaded to GitHub, check them out at: https://github.com/yype/D3CTF_Rev/tree/master/AncientGameV2.More..I’ve always found OISC interesting. This challenge is just a demo of one of my ideas. I’m considering doing more interesting works related to OISC in the upcoming future.", "content_html": "

Intro

I designed the RE challenge Ancient Game V2 in D^3CTF2019. This post talks about some designs behind this challenge along with its solution.

Challenge

The challenge uses a virtual architecture similar to OISC to implement a classic Sudoku verification algorithm. There are four types of instructions: input, output, jcc, and NAND. As a whole, they can be seen as a NAND OISC with two I/O interrupts.

All logical operations such as XOR, AND, and OR are implemented through combinations of NAND gates. For example:

xor x,y =>xor_tmp[0] = y NAND yxor_tmp[1] = x NAND xor_tmp[0]xor_tmp[2] = x NAND xxor_tmp[3] = y NAND xor_tmp[2]x = xor_tmp[1] NAND xor_tmp[3]

This is based on the fact that:

Q = A XOR B = [ B NAND ( A NAND A ) ] NAND [ A NAND ( B NAND B ) ]

The following is an excerpt of the Sudoku verification algorithm written in a custom DSL:

welcome = mkstr(\"**************************\\n**  Welcome To D^3CTF   **\\n**   Ancient Game V2    **\\n**************************\\n\\nInput Flag:\")wrong = mkstr(\"\\nSorry, please try again.\\n\")correct = mkstr(\"\\nCorrect.\\n\")flag = new(50)// distract = new(1000)grid = new(81)// initialize the puzzleset(grid[0],9)set(grid[5],8)set(grid[9],1)set(grid[10],3)set(grid[14],9)set(grid[16],7)...set(grid[71],6)set(grid[75],9)set(grid[80],1)__code_start__// print the welcome messageprint(welcome)// get inputinput(flag[0])input(flag[1])input(flag[2])input(flag[3])input(flag[4])input(flag[5])...input(flag[46])input(flag[47])input(flag[48])input(flag[49])// transfer chars in the flag into the gridslong_transfer(flag[0],grid[1])long_transfer(flag[1],grid[2])...long_transfer(flag[47],grid[77])long_transfer(flag[48],grid[78])long_transfer(flag[49],grid[79])// xor with xor_table, which is introduced //   for generating different flags to different teamsgrid[1] = grid[1] ^ xor_table[0]grid[2] = grid[2] ^ xor_table[1]grid[3] = grid[3] ^ xor_table[2]grid[4] = grid[4] ^ xor_table[3]grid[6] = grid[6] ^ xor_table[4]grid[7] = grid[7] ^ xor_table[5]...grid[77] = grid[77] ^ xor_table[47]grid[78] = grid[78] ^ xor_table[48]grid[79] = grid[79] ^ xor_table[49]// verify the sudoku game// rowsjmp _label_wrong if grid[4] == grid[5]jmp _label_wrong if grid[4] == grid[6]jmp _label_wrong if grid[4] == grid[7]...jmp _label_wrong if grid[3] == grid[7]jmp _label_wrong if grid[3] == grid[8]// columnsjmp _label_wrong if grid[0] == grid[9]jmp _label_wrong if grid[0] == grid[18]jmp _label_wrong if grid[0] == grid[27]...jmp _label_wrong if grid[62] == grid[80]jmp _label_wrong if grid[71] == grid[80]// subgridsjmp _label_wrong if grid[0] == grid[1]jmp _label_wrong if grid[0] == grid[2]jmp _label_wrong if grid[0] == grid[9]jmp _label_wrong if grid[0] == grid[10]...jmp _label_wrong if grid[78] == grid[79]jmp _label_wrong if grid[78] == grid[80]jmp _label_wrong if grid[79] == grid[80]// check rangejmp _label_wrong if outofnumbers(grid[1])jmp _label_wrong if outofnumbers(grid[2])jmp _label_wrong if outofnumbers(grid[3])jmp _label_wrong if outofnumbers(grid[4])...jmp _label_wrong if outofnumbers(grid[76])jmp _label_wrong if outofnumbers(grid[77])jmp _label_wrong if outofnumbers(grid[78])jmp _label_wrong if outofnumbers(grid[79])_label_correct:print(correct)return_label_wrong:print(wrong)return

I wrote a compiler for this DSL, which was then used to compile the algorithm into an OISC program executable by the OISC VM. The OISC program is then packed together with the OISC VM as a standalone binary, which is delievered to the players.

Multiple Solutions - Behind the Scenes

During the competition, I was surprised to notice that multiple solutions exist. A quick debugging revealed the cause: the implementation of outofnumbers (var) in the compiler was incorrectly written in a way similar to return var not in range [0...9]. Since the Sudoku map is supposed to only contain 1 ~ 9, the correct implementation should be return var not in range [1...9]. Under such a scenario, multiple solutions exist because we allow the grids to be filled with 0.

Sudoku Map

\"Sudoku Sudoku Map

Solution

To solve this challenge, there is no need to simplify all the logical operations. Since there is no complicated loop in the actual control flow, we can locate the conditions preventing the control flow from jumping to the part which outputs “Sorry” through simple control flow tracing and (manual/automated) symbolic analysis. Along the way, we extract the constraints for the non-Sorry branches. Finally, we can use an SMT solver to solve the constraints. (That’s how ThinerDAS solved this challenge.)

Flag: d3ctf{g5lk9t28zz47y3l6m2kosbajd2vk9e2dwghxgfktcki}

Referenceable solution script: sol.py by Byaidu

The source code of this challenge (except for the compiler) and a duplicate of this post are uploaded to GitHub, check them out at: https://github.com/yype/D3CTF_Rev/tree/master/AncientGameV2.

More..

I’ve always found OISC interesting. This challenge is just a demo of one of my ideas. I’m considering doing more interesting works related to OISC in the upcoming future.

", "url": "https://yype.site/2020/02/20/ancient-game-v2", "tags": ["CTF","Reverse Engineering","D^3CTF2019","OISC"], "date_published": "2020-02-20T00:00:00+00:00", "date_modified": "2020-02-20T00:00:00+00:00", "author": "{"twitter"=>nil, "name"=>nil, "avatar"=>nil, "email"=>nil, "url"=>nil}" } ] }