GDB Remote Debugging - Writeup by Maxima

Challenge

Decode the key

Solution

We have two files:

  • putskey, a 32-bit executable
  • log.txt, a text file

We first reverse putskey. It's pretty straightforward. Here is the pseudocode:

memset(0x80d7300, 0, 0x10)   # message buffer
memset(0x80d7340, 0, 0x10)   # key buffer
memset(0x80d7380, 0, 0x10)   # output buffer
n = readstr(0x80d7300, 0x40)
readrandom(0x80d7340, n)
encrypt(n)
printenc(n)

def readstr(buf, max_len):
    # read up to max_len bytes, stop at EOF or newline; returns the count read
    for i in range(1, max_len + 1):
        *buf = getc(stdin)
        if *buf == -1 or *buf == '\n':
            return i
        buf += 1

    return max_len

def readrandom(buf, len):
    # read exactly len bytes (the key), stop early on EOF
    for i in range(1, len + 1):
        *buf = getc(stdin)
        if *buf == -1:
            return
        buf += 1

def encrypt(len):
    # output[i] = key[i] ^ message[i]
    for i in range(len):
        *(0x80d7380 + i) = *(0x80d7340 + i) ^ *(0x80d7300 + i)

def printenc(len):
    for i in range(len):
        putc(*(0x80d7380 + i), stdout)

In short, it reads a message of up to 64 bytes, then a key of the same length, computes message XOR key and prints the result.

Then we look at log.txt. It looks like a GDB remote protocol session: someone debugged putskey remotely. We guess that we have to find the message and the key to get the flag. Thus, our goal is to recover the message at 0x80d7300 and the key at 0x80d7340.

The GDB remote protocol allows dumping part of the memory with the m command: m addr,s returns the s bytes at address addr. We check:

$ grep 80d7 log.txt
Sending packet: $m80d7340,1#64...Packet received: 65
Sending packet: $m80d7341,1#65...Packet received: 6f
Sending packet: $m80d7342,1#66...Packet received: 26
Sending packet: $m80d7343,1#67...Packet received: 02
Sending packet: $m80d7344,1#68...Packet received: 13
Sending packet: $m80d7345,1#69...Packet received: 06
...

Here is our key! Unfortunately, the message is never printed. We have to look further.

We then notice the following pattern in log.txt:

Sending packet: $g#67...Packet received: ...
Sending packet: $G...#a3...Packet received: OK
Sending packet: $z0,80482c1,1#cd...Packet received: OK
Sending packet: $z0,80482fa,1#00...Packet received: OK
Sending packet: $z0,8048350,1#9f...Packet received: OK
Sending packet: $z0,8048397,1#aa...Packet received: OK
Sending packet: $z0,80483e3,1#d2...Packet received: OK
Sending packet: $z0,807ea00,1#f8...Packet received: OK
Sending packet: $m80482fa,1#97...Packet received: a1
Sending packet: $vCont;s:82c#bf...Packet received: T0505:68f6c7bf;04:50f6c7bf;08:ff820408;thread:82c;core:0;
Sending packet: $Z0,80482c1,1#ad...Packet received: OK
Sending packet: $Z0,80482fa,1#e0...Packet received: OK
Sending packet: $Z0,8048350,1#7f...Packet received: OK
Sending packet: $Z0,8048397,1#8a...Packet received: OK
Sending packet: $Z0,80483e3,1#b2...Packet received: OK
Sending packet: $Z0,807ea00,1#d8...Packet received: OK
Sending packet: $vCont;c#a8...Packet received: T0505:68f6c7bf;04:50f6c7bf;08:fb820408;thread:82c;core:0;

From the documentation:

  • $g# : read the values of the registers
  • $G<values># : set the values of the registers
  • $z0,addr,1# : insert a memory breakpoint on addr
  • $Z0,addr,1# : remove a memory breakpoint on addr

If we look closely, the only thing that changes between iterations is the values of the registers. I guessed that the first value (here 0x36) is the first byte of the message. It's pretty clear when you know that 0x36 ^ 0x65 = 0x53 = 'S'.
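The packet format seen in the log, as an added example that is not part of the original writeup: every packet is $payload#cs, where cs is the payload's byte sum modulo 256, and both the G payload and the T05 stop replies carry registers in GDB's i386 numbering (eax, ecx, edx, ebx, esp, ebp, esi, edi, eip, eflags, ...; the T05 replies above confirm it with 04 = esp, 05 = ebp, 08 = eip). The script verifies the checksums of two lines quoted above and decodes the first 16 registers of one of the G packets, which shows that the "first value" is eax.

```python
"""Added example (not the writeup's script): parse RSP lines from a gdb log,
verify the #xx checksum and decode i386 registers from G packets and T05 replies."""
import re
import struct

# GDB's i386 register numbering: G packets list them in this order and
# T05 stop replies reference them by number (04 = esp, 05 = ebp, 08 = eip).
I386_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi",
             "eip", "eflags", "cs", "ss", "ds", "es", "fs", "gs"]

LOG_RE = re.compile(r"Sending packet: \$(?P<payload>[^#]*)#(?P<cs>[0-9a-f]{2})"
                    r"\.\.\.Packet received: (?P<reply>\S*)")

# Two lines copied from the log excerpt above, plus the first 16 registers of
# one of its G packets (the real packet is much longer).
SAMPLE_LINES = [
    "Sending packet: $m80d7340,1#64...Packet received: 65",
    "Sending packet: $vCont;c#a8...Packet received: "
    "T0505:68f6c7bf;04:50f6c7bf;08:fb820408;thread:82c;core:0;",
]
SAMPLE_G_PREFIX = ("65000000021070b7907c0d080200000050f6c7bf68f6c7bf80730d0818000000"
                   "fa82040886020000730000007b0000007b0000007b0000000000000033000000")

def rsp_checksum(payload: str) -> int:
    """RSP checksum: sum of the payload's bytes modulo 256."""
    return sum(payload.encode()) & 0xff

def parse_log_line(line: str):
    """Return (payload, checksum_ok, reply), or None for non-packet lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return m["payload"], rsp_checksum(m["payload"]) == int(m["cs"], 16), m["reply"]

def decode_g_packet(hexregs: str) -> dict:
    """Decode the leading 16 little-endian 32-bit registers of a G payload."""
    raw = bytes.fromhex(hexregs[:8 * len(I386_REGS)])
    return dict(zip(I386_REGS, struct.unpack("<16I", raw)))

def decode_stop_reply(reply: str) -> dict:
    """Decode 'T05nn:hex;...' into {register: value}; thread/core fields are skipped."""
    regs = {}
    for field in reply[3:].split(";"):
        num, _, val = field.partition(":")
        if re.fullmatch(r"[0-9a-f]{2}", num):
            regs[I386_REGS[int(num, 16)]] = struct.unpack("<I", bytes.fromhex(val))[0]
    return regs
```

Calling parse_log_line on the two sample lines reports both checksums as valid, and decode_g_packet(SAMPLE_G_PREFIX) gives eax = 0x65, ebx = 2, esi = 0x080d7380 (the output buffer) and eip = 0x080482fa (one of the breakpoint addresses).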

$ grep '$G' log.txt
Sending packet: $G...#07...Packet received: OK
Sending packet: $G000000000000000080730d08000000008cf6c7bf98f6c7bf508d0408c0730d089783040886020000730000007b0000007b0000007b000000000000003300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007f03000000000000ffff0000730000006a4d23007b00000090ce2d00d80500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000801f0000ffffffff#fb...Packet received: OK
Sending packet: $G180000000a000000847c0d08180000008cf6c7bf98f6c7bf508d0408c0730d085083040882020000730000007b0000007b0000007b000000000000003300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007f03000000000000ffff0000730000006a4d23007b00000090ce2d00d80500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000801f0000ffffffff#63...Packet received: OK
Sending packet: $G0000000036000000847c0d081800000090f6c7bf98f6c7bf508d0408c0730d08c182040882020000730000007b0000007b0000007b000000000000003300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007f03000000000000ffff0000730000006a4d23007b00000090ce2d00d80500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000801f0000ffffffff#2e...Packet received: OK
Sending packet: $G...#a3...Packet received: OK
Sending packet: $G...#50...Packet received: OK
Sending packet: $G65000000021070b7907c0d080200000050f6c7bf68f6c7bf80730d0818000000fa82040886020000730000007b0000007b0000007b000000000000003300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007f03000000000000ffff0000730000006a4d23007b00000090ce2d00d80500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000801f0000ffffffff#2a...Packet received: OK
Sending packet: $G41000000031070b7907c0d080300000050f6c7bf68f6c7bf80730d0818000000fa82040886020000730000007b0000007b0000007b000000000000003300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007f03000000000000ffff0000730000006a4d23007b00000090ce2d00d80500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000801f0000ffffffff#26...Packet received: OK
Sending packet: $G5c000000041070b7907c0d080400000050f6c7bf68f6c7bf80730d0818000000fa82040886020000730000007b0000007b0000007b000000000000003300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007f03000000000000ffff0000730000006a4d23007b00000090ce2d00d80500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000801f0000ffffffff#5b...Packet received: OK
...

If we ignore the first four lines, the first byte of each remaining packet gives the message. I wrote a Python script to extract the message and the key, and xor them:

#!/usr/bin/env python3
import re

# one key byte per m80d73xx,1 memory read
KEY_RE = re.compile(r'\$m80d7[0-9a-f]{3},1#[0-9a-f]{2}\.\.\.Packet received: ([0-9a-f]{2})')
# first register byte of every G (set registers) packet
MSG_RE = re.compile(r'\$G([0-9a-f]{2})[0-9a-f]+#[0-9a-f]{2}\.\.\.Packet received: OK')

key = ''
message = ''

with open('log.txt') as f:
    for line in f:
        r = KEY_RE.search(line)
        if r:
            key += r.group(1)

        r = MSG_RE.search(line)
        if r:
            message += r.group(1)

key = bytes.fromhex(key)
message = bytes.fromhex(message)[4:]  # skip the first four G packets

print(''.join(chr(k ^ m) for k, m in zip(key, message)))

We get the flag: SECCON{HelloGDBProtocol}

Author

Maxime Arthaud 2015/12/07 13:20

ctf/public/seccon/gdb-remote-debugging.txt · Last modified: 2016/10/15 20:19 by arthaum