Pwnium CTF 2014 — Reverse 150 [ Kernel Land ]

Hey Pwners, this is the second writeup of the day …

Now let's get to this MotherF***er 😉

Reverse 150 [ Kernel Land ] is a simple reversing challenge. All it requires is a bit of CTF thinking.
I don't know why this challenge is allotted 150 points while Rev100 gets only 100; only the organizers can tell us.
So let's start. We are given a 32-bit binary file, which the file command confirms.
But when I tried to run it, I got a segmentation fault.
What the hell? Then I got curious: I was expecting a good challenge compared to REV100, and I thought maybe I was running it on the wrong processor.
I tried the strings command to see what's up with this binary. Generally you see library strings (like libc.so.6, GLIBC_2.0), but this binary had nothing.
So, the next move is well known: "RELEASE THE IDA". As you know it's a 32-bit binary, so I just decompiled it using the IDA Hex-Rays decompiler plugin (and it turned out to be a really, really small kernel).
So let's move to the main function.
As you can see, main has a couple of function calls. Let's start with monitor_clear().
Eww... looks messy. If you look closely, it's very simple (the compiler is the culprit here). Cleaned up from the decompiler output, with the missing declarations added:

/* kernel routine the loop calls: assumed prototype, (column, row, character) */
void monitor_put_char_at(int x, int y, int ch);

void monitor_clear()
{
    int a, b, c;
    for (a = 0; a < 80; a++)
    {
        b = a % 256;
        for (c = b; c < 25; c++)
        {
            /* 32 is the ASCII space character */
            monitor_put_char_at(a, c, 32);
        }
    }
}

Okay, now look at monitor_put_char_at().
It's some address calculation (v1) and some value calculation (v2) to be stored at v1. Doesn't look like string creation, so moving on...
Next, we will look at dump_mboot().
Well, looks like some memory calculation and some dumping. Doesn't look interesting. Moving on...
Next stop is gdt_init() [Global Descriptor Table initialisation]...
Well, at first look I think this function is completely useless to me... moving on...
Next stop is idt_init() [Interrupt Descriptor Table initialisation]...
Useless…moving on…
Next step is irq_init().
Interrupt request initialisation... hmm... moving on...
Next, and last, interesting function is timer_init()... let's jump in...
It calls another function, irq_install_handler, to install an interrupt handler, i.e. timer_trick [the main culprit].
Hmm... interesting function. Looks like it's XORing some value in the .bss section (i.e. memory) with the tick count. IDA made it look a little confusing, but it's very simple. It takes a string from memory location 0x103060, XORs it with the tick variable and stores it back at the same position. Looks easy, right? But there is one trick: each time we enter this handler we increase the value of tick by one. So we can't figure out the flag until we know which value of tick gives us the flag. The good thing about this tick variable is that only its value from 0 to 255 [0xff] matters, as we are doing a mod operation with 256.
So, let's fuck it,
I wrote a very simple C program to brute force the tick value and compute the output string for each tick value. Note that encoded_flag is rewritten in place, so every iteration applies the handler's step on top of the previous one, just as the real handler keeps rewriting the same bytes in memory on every tick.
#include <stdio.h>

int main()
{
    /* the 0x28 (40) bytes read from 0x103060 */
    char encoded_flag[] = "Itofrjxb2`..c.2.6031]g6b1gg0^)b11cb^^-]z";
    int tick, x, i;

    for (tick = 1; tick < 256; tick++)
    {
        /* label printed for this pass is tick - 1 */
        printf("tick:%d\n", tick - 1);
        /* one firing of timer_trick: xor each byte with tick, then add one */
        for (i = 0; i < 0x28; i++)
        {
            x = encoded_flag[i] ^ tick;
            x++;
            encoded_flag[i] = (char)x;
        }
        puts(encoded_flag);
    }
    return 0;
}

And for tick = 2 we got our flag.

Flag –> Pwnium{e5c11b1519328df9e8ff3a0e88beaa4d}
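Rather than eyeballing 255 candidate strings, the same replay can be stopped automatically at the first pass whose bytes start with the known flag format Pwnium{. This is an added example, not the original post's code; it keeps the writeup's cumulative XOR-then-add-one step and its 40-byte encoded string, and counts handler firings from 1, so the flag appears on firing 3 (the loop above labels that pass tick:2 because it prints tick - 1).

```c
#include <stdio.h>
#include <string.h>

#define FLAG_LEN 0x28  /* 40 bytes, the length the writeup's loop walks */

/* The encoded bytes the writeup pulled out of .bss at 0x103060. */
static const char ENCODED[FLAG_LEN + 1] = "Itofrjxb2`..c.2.6031]g6b1gg0^)b11cb^^-]z";

/* Result of the last search, readable through decoded_flag(). */
static char g_decoded[FLAG_LEN + 1];

/* One firing of the handler as modelled by the writeup's loop body:
   XOR every byte with the current tick, then add one, in place. */
static void timer_fire(unsigned char *buf, unsigned char tick)
{
    for (int i = 0; i < FLAG_LEN; i++)
        buf[i] = (unsigned char)((buf[i] ^ tick) + 1);
}

/* Replay firings with tick = 1, 2, 3, ... on top of each other and stop at
   the first state whose bytes start with prefix.  Returns that firing count
   (1-based) or -1 if no tick in 1..255 ever produces the prefix. */
int find_flag_tick(const char *prefix)
{
    unsigned char buf[FLAG_LEN + 1];
    size_t plen = strlen(prefix);
    g_decoded[0] = '\0';
    if (plen > FLAG_LEN)
        return -1;
    memcpy(buf, ENCODED, FLAG_LEN + 1);
    for (int tick = 1; tick < 256; tick++) {
        timer_fire(buf, (unsigned char)tick);
        if (memcmp(buf, prefix, plen) == 0) {
            memcpy(g_decoded, buf, FLAG_LEN + 1);
            return tick;
        }
    }
    return -1;
}

/* Flag recovered by the last successful find_flag_tick() call ("" if none). */
const char *decoded_flag(void) { return g_decoded; }

int main(void)
{
    int fired = find_flag_tick("Pwnium{");
    printf("after %d handler firings: %s\n", fired, decoded_flag());
    return fired < 0;
}
```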
