03 Mar 2014 @ 11:09 PM 

Hypercube is a DOL file, which points us to the GameCube and the Dolphin emulator. Once we have the emulator running, we can see the output. It clearly states that we are in a GameCube and that only a hypercube is fast enough to get the flag. This sounds a lot like the Hypercomputer challenge from PlaidCTF. Now it's time to do some RE.

To get a disassembly we need a specific loader for DOL files. Fortunately some are available, so we can start disassembling right away. We can easily reach the interesting function by looking up strings. Reading PowerPC assembly is not part of my usual job description, but I can do that too during a CTF 😉
[Image: init_ida]
The next thing I did was to debug it in the emulator and see what exactly happens. Once the call at 0x80005c78 was invoked, it went into full-on computation, which eventually crashed the emulator. Now the "Hyper" part made sense 🙂
[Image: init_dbg]
Upon analysis, there are only three functions we have to worry about: 80005B18, 80005A4C and 800059E4.

After converting the PPC to a higher-level language, it was evident that these operations are simple but written in a way that consumes a lot of CPU cycles.

We can rename those functions: 80005B18 is Multiply, 80005A4C is Add and 800059E4 is Increment.

That reduces our code to a minimum, and running it yields our flag. (Don't mind the variable names; that's what happens when you haven't slept for more than 24 hours 😀 )

using System;

// Reduced re-implementation of the Hypercube loop. Multiply (80005B18) is a
// 32-bit multiply followed by a magic-number reduction modulo 0x7FFFFFFF
// (the mulhi-by-3 sequence below is the usual compiler idiom for
// "% 0x7FFFFFFF"), and Increment (800059E4) is just s_14++.
class Hypercube
{
	static void Main()
	{
		UInt32 s_8 = 0xadd;
		UInt32 s_c = 0x5dd11;
		UInt32 s_10 = 0x352463;
		UInt32 s_14 = 0x8008135;
		UInt32 r0, r11, r3, r9, r4;
		for (int i = 0; i <= 31390; i++)
		{
			for (int j = 0; j <= 21; j++)
			{
				// s_8 = Multiply(s_c, s_10)
				r9 = s_c * s_10;                         // 32-bit product (wraps)
				r0 = (UInt32)((((UInt64)r9 * (UInt64)3) & 0xFFFFFFFF00000000) >> 32); // mulhi(r9, 3)
				r11 = r9 - r0;
				r11 = r11 >> 1;
				r0 += r11;
				r11 = r0 >> 30;                          // quotient r9 / 0x7FFFFFFF
				r0 = r11 << 31;
				r0 = r0 - r11;                           // quotient * 0x7FFFFFFF
				r0 = r9 - r0;                            // remainder
				s_8 = r0;

				// s_c = Multiply(s_c, 0x6ddb)
				r3 = s_c;
				r4 = 0x6ddb;
				r9 = r3 * r4;
				r0 = (UInt32)((((UInt64)r9 * (UInt64)3) & 0xFFFFFFFF00000000) >> 32);
				r11 = r9 - r0;
				r11 = r11 >> 1;
				r0 += r11;
				r11 = r0 >> 30;
				r0 = r11 << 31;
				r0 = r0 - r11;
				r0 = r9 - r0;
				s_c = r0;

				s_10 = s_c ^ 0x1BA40000 ^ 0x1c3c;
				s_14++;                                  // Increment(s_14)
			}
		}
		// The original assigned this string to a WinForms rich-text control
		// (richText.Text); a console write does the same job.
		Console.WriteLine("key{1337" + s_8.ToString() + s_c.ToString() + s_10.ToString() + "h4x" + s_14.ToString() + "}");
	}
}
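To show what the Multiply block really does, here is an added Python example (not the post's own C# code): magic_mod_p31 reproduces the decompiled mulhi/shift sequence step by step, and solve runs the reduced loop with either that sequence or a plain % 0x7FFFFFFF, which gives the same key string.

```python
# Added example: the decompiled "Multiply" block is a magic-number remainder
# modulo 0x7FFFFFFF, so the whole solver shrinks to a few lines of modular
# arithmetic. Names (magic_mod_p31, step, solve) are ours, not the binary's.
P31 = 0x7FFFFFFF           # 2**31 - 1, the modulus hidden behind the magic numbers
MASK = 0xFFFFFFFF          # emulate 32-bit register wraparound

def magic_mod_p31(n: int) -> int:
    """The instruction sequence from the writeup: mulhi(n, 3) based division
    by 0x7FFFFFFF, then n - q*0x7FFFFFFF, i.e. the remainder."""
    n &= MASK
    r0 = (n * 3) >> 32                  # mulhi(r9, 3)
    r11 = ((n - r0) & MASK) >> 1        # (n - hi) / 2
    r0 = (r0 + r11) & MASK
    r11 = r0 >> 30                      # quotient q = n // 0x7FFFFFFF
    r0 = ((r11 << 31) - r11) & MASK     # q * 0x7FFFFFFF
    return (n - r0) & MASK              # remainder

def step(s_8, s_c, s_10, s_14, mod=magic_mod_p31):
    """One inner-loop iteration of the reduced challenge logic."""
    s_8 = mod((s_c * s_10) & MASK)      # Multiply(s_c, s_10)
    s_c = mod((s_c * 0x6DDB) & MASK)    # Multiply(s_c, 0x6ddb)
    s_10 = s_c ^ 0x1BA40000 ^ 0x1C3C
    s_14 = (s_14 + 1) & MASK            # Increment(s_14)
    return s_8, s_c, s_10, s_14

def solve(mod=magic_mod_p31) -> str:
    """Run the 31391 x 22 iterations and build the key string."""
    state = (0xADD, 0x5DD11, 0x352463, 0x8008135)
    for _ in range(31391):              # i = 0..31390
        for _ in range(22):             # j = 0..21
            state = step(*state, mod=mod)
    s_8, s_c, s_10, s_14 = state
    return f"key{{1337{s_8}{s_c}{s_10}h4x{s_14}}}"

if __name__ == "__main__":
    print(solve())
```

Passing mod=lambda n: n % P31 to solve gives the identical key, which is the evidence that the magic-number sequence is nothing more than a modulo.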

Posted By: Dan
Last Edit: 03 Mar 2014 @ 11:22 PM
