53cr37 463n7

C47360ry: 3m83dd3d

P01n75: 100

D35cr1p710n:

======================================================================================================
 _______  ______   _______  _______  ______   ______        ___    _______  ______   _       _________
(  ____ \/ ___  \ (  ____ \(  ____ )/ ___  \ / ___  \      /   )  (  ____ \/ ___  \ ( (    /|\__   __/
| (    \/\/   \  \| (    \/| (    )|\/   \  \\/   )  )    / /) |  | (    \/\/   \  \|  \  ( |   ) (   
| (_____    ___) /| |      | (____)|   ___) /    /  /    / (_) (_ | |         ___) /|   \ | |   | |   
(_____  )  (___ ( | |      |     __)  (___ (    /  /    (____   _)| | ____   (___ ( | (\ \) |   | |   
      ) |      ) \| |      | (\ (         ) \  /  /          ) (  | | \_  )      ) \| | \   |   | |   
/\____) |/\___/  /| (____/\| ) \ \__/\___/  / /  /           | |  | (___) |/\___/  /| )  \  |   | |   
\_______)\______/ (_______/|/   \__/\______/  \_/            (_)  (_______)\______/ |/    )_)   )_(   

======================================================================================================

As a special agent serving the ECW faction you must decode an intercepted message on a theater of 
operation between two enemy agents. For this task, your radio specialist delivers the message (which 
seems to be encrypted) as well as the firmware of a cryptographic terminal that is unfortunately 
destroyed.
To you to play agent ECW 007 ...

                             +--^----------,--------,-----,--------^-,
                             | |||||||||   `--------'     |          O
                             `+---------------------------^----------|
                               `\_,---------,---------,--------------'
                                 / XXXXXX /'|       /'
                                / ====== /  `\    /'
                               / ECW007 /`-------'
                              / ====== /
                             / XXXXXX /
                            (________(                
                             `------'    

F1l35: 53cr37.3nc, cryp70m4ch1n3.81n

N073: 7h3 ch4ll3n63 0r64n1z3r5 d0 n07 4ll0w 7h3 50urc35 70 83 m4d3 4v41l48l3.

7L;DR

7h3 3mul4710n 0f 4 f1rmw4r3 w17h Un1c0rn 3n61n3 4ll0w5 u5 70 r3c0v3r 4n 3ncryp73d m355463 w17h 8ru73 f0rc3.

M37h0d0l06y

0ur 08j3c71v3 15 70 f1nd 7h3 3ncryp73d m355463 7h4nk5 70 7h3 f1rmw4r3 0f 4 "cryp706r4ph1c 73rm1n4l" d3l1v3r3d 8y 4 "r4d10 5p3c14l157".

W3 qu1ckly f1nd 0ur53lv35 f4c3d w17h 4 816 pr08l3m 83c4u53 w3 h4v3 n0 1nf0rm4710n 480u7 7h15 f1rmw4r3.

>_ file -k cryptomachine.bin
cryptomachine.bin: data

>_ strings cryptomachine.bin
iyEI8KL
| /h?
,AC`@
d-!4a

57471c 4n4ly515

70 4n4lyz3 7h3 f1rmw4r3 w3 n33d 47 l3457 175 4rch173c7ur3. 8y 534rch1n6 0n 6006l3 f0r ch1p5 d3d1c473d 70 3ncryp710n w3 c0m3 4cr055 DSP wh1ch 533m5 70 c0rr35p0nd 70 7h3 ch4r4c73r1571c5 0f 0ur f1rmw4r3 4cc0rd1n6 70 7h3 d35cr1p710n 0f 7h3 ch4ll3n63.

0n Wikipedia 7h3r3 15 4 l157 0f ch1p5 7h47 c0uld p073n714lly 83 1mpl3m3n73d 1n 0ur "cryp706r4ph1c 73rm1n4l".

7h3 pr08l3m 15 7h47 7h353 ch1p5 d0 n07 4ll run und3r 7h3 54m3 4rch173c7ur3. F0r7un473ly 81nw4lk c4n h3lp u5 0n 7h15 p01n7 w17h 7h3 -4 0p710n.

-4, --0pc0d35 5c4n 74r637 f1l3(5) f0r c0mm0n 3x3cu748l3 0pc0d3 516n47ur35

>_ binwalk -A cryptomachine.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
132           0x84            ARM instructions, function prologue
640           0x280           ARM instructions, function prologue

C00l, n0w w3 kn0w 17'5 4RM 8u7 n07 wh1ch v3r510n. F0r7un473ly, 8y 4n4lyz1n6 17 w17h 1D4 y0u c4n n07 5p3c1fy 7h3 v3r510n 0f 4RM 4nd 17 m4n4635 0n 175 0wn.

IDA_config

4nd d3c0mp1l4710n w0rk5 qu173 w3ll:)

IDA_code_extract

N073 7h47 1n 7h3 l0c_40 1n57ruc710n, 5P 15 537 70 4ddr355 0x10000. 7h15 m34n5 7h47 7h3 m3m0ry 4ll0c473d 70 7h3 pr06r4m 574r75 0r 3nd5 47 7h15 4ddr355. 17 d3p3nd5 0n h0w w3 1mpl3m3n7 7h3 574ck. (533 here f0r m0r3 1nf0rm4710n)

stack

70 d373rm1n3 wh3r3 7h3 m3m0ry 15 l0c473d 1 u53d 7h3 8361nn1n6 0f 7h3 m41n func710n wh3r3 50m3 d474 4r3 l04d3d. 1n v4r_X 4r3 l04d3d d474 fr0m n36471v3 4ddr35535 4nd 1n 7h3 r361573r R1 15 l04d3d d474 fr0m 4ddr355 0x10618 wh1ch c0rr35p0nd5 70 0x618 1n 7h3 d3c0mp1l3d c0d3, 50 70 7h3 v4lu3 0x94.

R0M:00000618 DC8 0x94

W3 d3duc3 7h47 7h3 4ddr355 0x10000 15 7h3 70p 0f 7h3 574ck. 50 7h3 f1rmw4r3 15 l04d3d fr0m 7h15 4ddr355.

entry_point_sub_27C

4n4lyz1n6 7h3 r357 0f 7h3 1n57ruc710n5, w3 n071c3 7h47 7h3 c0d3 0ccur5 1n 2 573p5. F1r57, 17 533m5 7h47 7h3r3 15 4n 1n1714l1z4710n ph453 wh3r3 d474 15 l04d3d fr0m 5p3c1f1c 4ddr35535 0x101F1000 4nd 0x101F1018.

uart_load

7h3 5u173 l00k5 m0r3 l1k3 3ncryp710n wh3n v13w3d fr0m 7h3 57ruc7ur3. W3 n071c3 7h47 7h3r3 4r3 4 d1571nc7 l4r63 8l0ck5.

cipher_blocks

4f73r 4n4ly515, 17 4pp34r5 7h47 7h3 8l0ck5 4r3 u53d f0r 3ncryp710n. W3 4l50 n071c3 7h47 7h3y d0 n07 d3p3nd 0n 34ch 07h3r.

W3 c4n 533 7h47 4f73r 34ch 3ncryp710n 8l0ck 7h3 pr06r4m 4lw4y5 p3rf0rm5 7h3 54m3 0p3r4710n5. 3x4mpl3 w17h 7h3 func710n5 l0c_480 4nd l0c_4C0.

cipher_block_2

N073 7h47 7h3 func710n 5u8_84 15 c4ll3d 4f73r 34ch 3ncryp710n 8l0ck. W3 f1nd 0ur 2 "5p3c14l" 4ddr35535 0x101F1000 4nd 0x101F1018. 4f73r 4 534rch 0n qw4n7 17 7urn5 0u7 7h47 7h353 4ddr35535 c0rr35p0nd 70 UART0 wh3r3 0x101F1000 c0rr35p0nd5 70 7h3 D474 R361573r wh3r3 7h3 r34d/wr173 d474 15 7r4n5m1773d 4nd 0x101F1018 70 7h3 Fl46 R361573r wh1ch 1nd1c4735 wh37h3r 7h3r3 15 4ny d474 l3f7 70 r34d 0r wr173.

sub_84

W3 c4n 7h3r3f0r3 1m461n3 7h47 4f73r 34ch 3ncryp710n 8l0ck 7h3 0u7pu7 15 d15pl4y3d 0n 7h3 3ncryp710n 73rm1n4l.

N0w 7h47 w3 kn0w h0w 7h3 f1rmw4r3 w0rk5 70 3ncryp7, 4ll 7h47 r3m41n5 15 70 1mpl3m3n7 4 d3cryp710n 4l60.

8u7 1'm l4zy...

meme_decryption_algo

3mul4710n

51nc3 7h3 3ncryp710n 8l0ck5 4r3 1nd3p3nd3n7 0f 34ch 07h3r, 4 8ru73 f0rc3 15 p05518l3 w17h1n 4 r3450n48l3 71m3.

70 4v01d 807h3r1n6 70 1mpl3m3n7 7h3 4l60 1n 4n07h3r l4n6u463 1 d3c1d3d 70 u53 Unicorn Engine. 7h15 fr4m3w0rk 15 v3ry u53ful 83c4u53 17 4ll0w5 y0u 70 3mul473 4 81n4ry 0n 4ny 4rch173c7ur3. 1n 4dd1710n 17 h45 4n 4P1 7h47 4ll0w5 17 70 83 u53d w17h py7h0n.

7h3r3'5 ju57 0n3 l177l3 pr08l3m....

meme_no_documentation.jpg

7h3r3 15 ju57 4 5m4ll example script f0r 34ch 4rch173c7ur3.... 4nd 50m3 3x4mpl35 0f 1mpl3m3n74710n5 f0und here 4nd h3r3 v14 y4nd3x.

Un1c0rn 3n61n3

70 u53 Un1c0rn w17h py7h0n y0u mu57 f1r57 1n1714l1z3 7h3 3mul470r.

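# Initialize emulator in ARM mode (ARM instruction set, not Thumb)
mu = Uc(UC_ARCH_ARM, UC_MODE_ARM)

# map memory for this emulation
# - Stack + ROM: one region that holds both the stack (top at 0x10000,
#   the value loaded into SP in loc_40) and the firmware loaded at 0x10000
mu.mem_map(0x0, 0x20000)
# - UART0 registers: data register 0x101F1000 and flag register 0x101F1018
#   both fall inside this 1 KiB region
mu.mem_map(0x101F1000, 1*1024)

# write machine code to be emulated to memory; the context manager closes
# the file handle as soon as the image has been read
with open("cryptomachine.bin", 'rb') as firmware:
    ARM_CODE = firmware.read()
mu.mem_write(0x10000, ARM_CODE)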

7h3n w3 w1ll 1n1714l1z3 4 H00K_C0D3 wh1ch w1ll 4ll0w u5 70 c0n7r0l 7h3 3x3cu710n 0f 7h3 c0d3 4f73r 34ch 1n57ruc710n.

3x4mpl3 w17h 7h3 d15pl4y 0f 7h3 c0n73n75 0f 7h3 r361573r5 4f73r 34ch 1n57ruc710n.

def hook_code(uc, address, size, user_data):
    """Trace callback: print the instruction address/size and a register dump.

    Unicorn calls this for every instruction inside the hooked range.
    Register values are read from the module-level emulator ``mu``.

    uc        -- the emulator instance the hook was registered on (unused here)
    address   -- address of the instruction being traced
    size      -- size in bytes of that instruction
    user_data -- opaque value given to hook_add (unused here)
    """
    print(">>> Tracing instruction at 0x%x, instruction size = 0x%x" %(address, size))
    # Registers to dump, in display order; the output format is "> NAME = 0x..."
    watched = [
        ("R0", UC_ARM_REG_R0),
        ("R1", UC_ARM_REG_R1),
        ("R2", UC_ARM_REG_R2),
        ("R3", UC_ARM_REG_R3),
        ("R4", UC_ARM_REG_R4),
        ("R5", UC_ARM_REG_R5),
        ("LR", UC_ARM_REG_LR),
        ("SP", UC_ARM_REG_SP),
    ]
    for name, reg in watched:
        print("> %s = 0x%x" % (name, mu.reg_read(reg)))

ADDRESS = 0x10000
# Hook every instruction of the loaded firmware: the hooked range runs from
# the load base to the end of the bytes written there
firmware_end = ADDRESS + len(ARM_CODE)
mu.hook_add(UC_HOOK_CODE, hook_code, begin=ADDRESS, end=firmware_end)

N0w w3 w1ll 83 48l3 70 3mul473 0ur f1rmw4r3 w17h 7h15 func710n.

ADDRESS_START = 0x10040  # first instruction executed (inside the firmware image)
ADDRESS_STOP = 0x105E0   # emulation returns when PC reaches this address
# count=100000 caps the run so a firmware that never reaches ADDRESS_STOP
# (infinite loop) still hands control back
mu.emu_start(ADDRESS_START, ADDRESS_STOP, count=100000)

4nd h3r3 15 7h3 c0mpl373 5cr1p7 70 8ru73 f0rc3 7h3 3ncryp73d m355463.

#!/usr/bin/env python2

from unicorn import *
from unicorn.arm_const import *

import struct
import binascii

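# memory address where emulation starts
ADDRESS = 0x10000              # firmware load base (the address SP is set to in loc_40)
ADDRESS_START = 0x10040        # first instruction executed
ADDRESS_STOP = 0x105E0         # emulation returns once PC reaches this address
# Read the firmware image once; the context manager releases the file handle
# instead of leaving it open for the whole brute force
with open("cryptomachine.bin", 'rb') as firmware:
    ARM_CODE = firmware.read()
INPUT_A_STR = 0x101F1000       # UART0 data register: bytes the firmware reads/writes
INPUT_A_CONTINUE = 0x101F1018  # UART0 flag register: tells the firmware whether data is pending

# Firmware addresses at which hook_code marks the UART flag register as ready and
# collects one byte from the data register (one per UART write in the cipher blocks,
# per the author's IDA analysis)
instructions_skip_list = [0x1030C, 0x10334, 0x10374, 0x105E8, 0x103C8, 0x1043C, 0x104B0, 0x10530, 0x105A8, 0x105CC]

OUTPUT = ''         # bytes collected from the UART data register during one emulation
first_loop = True   # cleared by hook_code once the firmware passes 0x102EC the first time

# Intercepted ciphertext, hex-encoded; the brute force matches it byte by byte
secret = "49D29B343820ADFF3DBCFC29392DFCFD3B90FCF7390DAFF9347EFBFF3AA9F8FA38E6FB003A3AFE2B3DBCFB2B37BCFEFB36EAFEFE363AF82D653AF5CD35A9FF046990A8CA81"
flag = ''           # plaintext recovered so far, hex-encoded
string_tested = ''  # candidate plaintext (flag + one more char) handed to the firmware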

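# Right format int: pack a 32-bit value the way the emulated ARM core reads it
def p32(num):
    """Return ``num`` as four little-endian bytes.

    The emulated core runs little-endian (UC_MODE_ARM without the big-endian
    mode flag), so the byte order is pinned with ``<`` rather than taken
    from the host's native order.

    Raises struct.error if ``num`` does not fit in an unsigned 32-bit integer.
    """
    return struct.pack("<I", num)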

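# callback for tracing instructions
def hook_code(uc, address, size, user_data):
    """Steer the emulated firmware through one encryption of ``string_tested``.

    Unicorn invokes this for every instruction in the hooked range. Three
    places are handled specially:
      * 0x102EC: reached once per encryption pass. On the second pass the
        firmware would wait for new input, so PC is redirected to
        ADDRESS_STOP and the emulation ends.
      * 0x1032C: the input instruction. It is skipped and the candidate
        plaintext is written directly to 0xFEE8 (the buffer the firmware
        reads its input from, as used by the original script).
      * any address in ``instructions_skip_list``: the firmware has just
        written to the UART; the flag register is marked with 0x80 and the
        byte in the data register is appended to OUTPUT.

    ``uc`` is the emulator the hook was registered on (the module-level
    ``mu``); it is used instead of the global so the hook always acts on the
    instance that is actually running.
    """
    global OUTPUT
    global first_loop
    global string_tested

    # End the program on the second loop, i.e. before the cipher is redone
    if address == 0x102EC:
        if first_loop:
            first_loop = False
        else:
            # There is an input request here: jump to the stop address instead
            uc.reg_write(UC_ARM_REG_PC, ADDRESS_STOP)

    if address == 0x1032C:
        # Skip the input instruction and plant the candidate string ourselves
        uc.reg_write(UC_ARM_REG_PC, address + size)
        uc.mem_write(0xFEE8, string_tested)

    if address in instructions_skip_list:
        uc.mem_write(INPUT_A_CONTINUE, p32(0x80))
        OUTPUT += uc.mem_read(INPUT_A_STR, 0x1)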

def emule_firmware():
    """Prepare the global emulator ``mu`` and run the firmware once.

    Maps RAM/ROM and the UART0 register region, loads the firmware image at
    ADDRESS, primes the UART flag register, installs ``hook_code`` over the
    whole image and starts execution at ADDRESS_START.
    """
    ram_size = 0x20000
    uart_region = 1 * 1024
    code_size = len(ARM_CODE)

    # Memory layout: stack + ROM in one region, UART registers in another
    mu.mem_map(0x0, ram_size)
    mu.mem_map(INPUT_A_STR, uart_region)

    # Load the firmware image at its base address
    mu.mem_write(ADDRESS, ARM_CODE)

    # Prime the UART flag register before the firmware polls it
    mu.mem_write(INPUT_A_CONTINUE, p32(0x40))

    # Trace every instruction of the image with the custom callback
    mu.hook_add(UC_HOOK_CODE, hook_code, begin=ADDRESS, end=ADDRESS + code_size)

    # Run; the instruction cap keeps an infinite loop from hanging the script
    mu.emu_start(ADDRESS_START, ADDRESS_STOP, count=100000)

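if __name__ == '__main__':
    # Initialize emulator in ARM mode and define mu as a module-level global
    # (hook_code and emule_firmware both use it)
    mu = Uc(UC_ARCH_ARM, UC_MODE_ARM)

    # Candidate alphabet for the plaintext, hex-encoded (two hex digits per char)
    CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_{}"
    chr_hex = binascii.hexlify(CHARS).upper()

    # The cipher blocks were found to be independent of each other, so each
    # ciphertext byte is fixed by the plaintext byte at the same position:
    # the message can be recovered one character at a time, len(CHARS)
    # emulations per position instead of an exponential search.
    flag = ''
    for i in xrange(0, len(secret), 2):
        for c in xrange(0, len(chr_hex), 2):
            # Fresh emulator and fresh per-run state for every candidate
            mu = Uc(UC_ARCH_ARM, UC_MODE_ARM)
            first_loop = True
            OUTPUT = ''
            string_tested = flag + chr_hex[c:c+2]
            emule_firmware()
            out = OUTPUT.split("C:")[1].strip()

            if secret[i:i+2] in out[i:i+2]:
                flag += chr_hex[c:c+2]
                print("flag = %s" % binascii.unhexlify(flag))
                break
        else:
            # No candidate reproduced this ciphertext byte. Going on would test
            # every later position against a wrong prefix, so stop here.
            print("no candidate matched ciphertext byte %d, giving up" % (i // 2))
            break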

W3 run 7h3 5cr1p7 4nd 1n 5 m1n w3 637 7h3 fl46:)

>_ ./secret_brute.py
flag = E
flag = EC
flag = ECW
flag = ECW{
flag = ECW{4
flag = ECW{48
flag = ECW{48a
flag = ECW{48a5
flag = ECW{48a59
flag = ECW{48a59c
flag = ECW{48a59c0
flag = ECW{48a59c0d
flag = ECW{48a59c0d5
flag = ECW{48a59c0d57
flag = ECW{48a59c0d570
flag = ECW{48a59c0d5704
flag = ECW{48a59c0d57047
flag = ECW{48a59c0d570475
flag = ECW{48a59c0d5704750
flag = ECW{48a59c0d57047500
flag = ECW{48a59c0d570475005
flag = ECW{48a59c0d5704750050
flag = ECW{48a59c0d5704750050c
flag = ECW{48a59c0d5704750050c0
flag = ECW{48a59c0d5704750050c00
flag = ECW{48a59c0d5704750050c006
flag = ECW{48a59c0d5704750050c0067
flag = ECW{48a59c0d5704750050c00671
flag = ECW{48a59c0d5704750050c006716
flag = ECW{48a59c0d5704750050c006716e
flag = ECW{48a59c0d5704750050c006716e4
flag = ECW{48a59c0d5704750050c006716e42
flag = ECW{48a59c0d5704750050c006716e424
flag = ECW{48a59c0d5704750050c006716e424a
flag = ECW{48a59c0d5704750050c006716e424a7
flag = ECW{48a59c0d5704750050c006716e424a76
flag = ECW{48a59c0d5704750050c006716e424a766
flag = ECW{48a59c0d5704750050c006716e424a7662
flag = ECW{48a59c0d5704750050c006716e424a76622
flag = ECW{48a59c0d5704750050c006716e424a76622c
flag = ECW{48a59c0d5704750050c006716e424a76622c9
flag = ECW{48a59c0d5704750050c006716e424a76622c9c
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c2
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c20
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c202
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c202b
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c202b2
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c202b22
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c202b222
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c202b2222
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c202b22224
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c202b22224a
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c202b22224aa
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c202b22224aa2
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c202b22224aa29
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c202b22224aa290
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c202b22224aa2901
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c202b22224aa2901e
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c202b22224aa2901e3
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c202b22224aa2901e37
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c202b22224aa2901e37e
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c202b22224aa2901e37e5
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c202b22224aa2901e37e5d
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c202b22224aa2901e37e5d1
flag = ECW{48a59c0d5704750050c006716e424a76622c9c7f3c202b22224aa2901e37e5d1}

FL46_15:

3CW{48459c0d5704750050c0067163424476622c9c7f3c20282222444290133735d1}