I think something is hidden here, something that may seem useless. GPG key: yaxceburkaukvefinneuvUvjueknykfa
» file trollface
trollface: ELF 32-bit MSB executable, OpenRISC, version 1 (SYSV), statically linked, not stripped
OpenRISC, cool! It's for an open source CPU! Let's see where the flag is hidden...
I had no success running the binary using qemu, although it has support for the or32 arch:
% qemu-or32 ./trollface
PC=00025d2c
R00=00000000 R01=007fe000 R02=007fe000 R03=00002000
R04=007fc000 R05=000292ac R06=00000000 R07=00000000
R08=00000000 R09=000020e4 R10=00000000 R11=00000000
R12=00000000 R13=00000000 R14=00000000 R15=00000000
R16=00000000 R17=00000000 R18=00000000 R19=00000000
R20=00000000 R21=00000000 R22=00000000 R23=00000000
R24=00000000 R25=00000000 R26=00000000 R27=00000000
R28=00000000 R29=00000000 R30=00000000 R31=00000000
Time to download a toolchain - conveniently available in binary form as gcc-or1k-elf-4.8.1-x86_64.tar.bz2 somewhere on the web.
Looking at the disassembly using gdb or objdump, we see a huuuge main function, over 32000 instructions long! However, even without knowing much about the architecture, we can see that most instructions don't have any effect:
[...]
0x00002738 <+32>: l.addi r16,r16,0
0x0000273c <+36>: l.nop 0x4141
0x00002740 <+40>: l.ori r19,r19,0x0
0x00002744 <+44>: l.addi r2,r0,32
0x00002748 <+48>: l.sb 0(r1),r2
0x0000274c <+52>: l.nop 0x4141
0x00002750 <+56>: l.muli r5,r5,1
0x00002754 <+60>: l.nop 0x4141
0x00002758 <+64>: l.ori r2,r2,0x0
[...]
I tried filtering them using grep (grep -Ev "nop|(addi?|subi?|ori?) (r[0-9]+),\\2,(0|r0|0x0)|(muli?) (r[0-9]+),\\5,1"), however over 5800 mostly 'proper' instructions remained, likely autogenerated.
The toolchain comes with an emulator, so we can just run the binary:
» gcc-or1k-elf-4.8.1-x86_64/bin/or1k-elf-run ./trollface
WARNING: l.nop with unsupported code 0x00003066
WARNING: l.nop with unsupported code 0x00004d56
WARNING: l.nop with unsupported code 0x00006752
WARNING: l.nop with unsupported code 0x00004345
WARNING: l.nop with unsupported code 0x00005141
[...]
WARNING: l.nop with unsupported code 0x00004141
WARNING: l.nop with unsupported code 0x00004141
WARNING: l.nop with unsupported code 0x00004141
[... ASCII-art troll face printed by the binary ...]
I had to shorten the output; we get lots of lines complaining about an invalid nop operand. Looks like data! Playing around with it, we find that it is little-endian words that make up a large base64 string.
% gcc-or1k-elf-4.8.1-x86_64/bin/or1k-elf-run ./trollface 1>/dev/null 2> >(
cut -d " " -f 6|sed 's/0x0000//g' |
perl -pe's/(..)(..)\n/chr(hex($2)).chr(hex($1))/e'|
base64 -d > hidden)
% file hidden
hidden: ERROR: ELF 32-bit MSB executable, OpenRISC, version 1 (SYSV), statically linkederror reading (Invalid argument)
% gcc-or1k-elf-4.8.1-x86_64/bin/or1k-elf-run ./hidden
flag{Have you ever heard something about OpenRISC?}
Yes, we have!
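The same decoding as the shell pipeline above, as an added Python example (not part of the original write-up): it parses the emulator's warning lines, emits each l.nop immediate low byte first, base64-decodes the result and reads the ELF identification bytes. The sample input is the first five warnings shown above plus one constructed 0x4141 line; the function names are illustrative.

```python
import base64
import re

# First five warnings as printed above, plus one constructed 0x4141 line
# ("AA") so that the sample is a whole number of 4-character base64 groups.
SAMPLE_STDERR = """\
WARNING: l.nop with unsupported code 0x00003066
WARNING: l.nop with unsupported code 0x00004d56
WARNING: l.nop with unsupported code 0x00006752
WARNING: l.nop with unsupported code 0x00004345
WARNING: l.nop with unsupported code 0x00005141
WARNING: l.nop with unsupported code 0x00004141
"""

WARN_RE = re.compile(r"l\.nop with unsupported code 0x([0-9a-fA-F]{8})$")

def nop_codes(stderr_text):
    """Yield the 16-bit l.nop immediates in the order the emulator reported them."""
    for line in stderr_text.splitlines():
        m = WARN_RE.search(line.strip())
        if m:  # skip anything that is not a warning line
            yield int(m.group(1), 16) & 0xFFFF

def codes_to_base64(codes):
    """Each immediate carries two base64 characters, low byte first."""
    return b"".join(c.to_bytes(2, "little") for c in codes)

def decode_payload(stderr_text):
    """Rebuild the base64 text and decode it, dropping an incomplete last group."""
    b64 = codes_to_base64(nop_codes(stderr_text))
    b64 = b64[: len(b64) - len(b64) % 4]
    return base64.b64decode(b64, validate=True)

def describe_elf_ident(blob):
    """Read the e_ident bytes that `file` reports: class, byte order, version."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("decoded data does not start with the ELF magic")
    ei_class = {1: "32-bit", 2: "64-bit"}.get(blob[4], "unknown class")
    ei_data = {1: "LSB", 2: "MSB"}.get(blob[5], "unknown byte order")
    return f"ELF {ei_class} {ei_data}, version {blob[6]}"

if __name__ == "__main__":
    payload = decode_payload(SAMPLE_STDERR)
    print(codes_to_base64(nop_codes(SAMPLE_STDERR)).decode())
    print(payload.hex(), "->", describe_elf_ident(payload))
```

The first warnings alone already decode to the ELF magic and the 32-bit MSB identification that `file` reports for the hidden binary.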