mh's blog

PoliCTF 2015 'Trollface' Writeup


I think something is hidden here, something that may seem useless.
GPG key: yaxceburkaukvefinneuvUvjueknykfa

» file trollface
trollface: ELF 32-bit MSB executable, OpenRISC, version 1 (SYSV), statically linked, not stripped

OpenRISC, cool! That's an open-source CPU architecture, and the MSB in the file output tells us the binary is big-endian. Let's see where the flag is hidden…

I had no success running the binary using qemu, although it has support for the or32 arch:

% qemu-or32 ./trollface
PC=00025d2c
R00=00000000 R01=007fe000 R02=007fe000 R03=00002000
R04=007fc000 R05=000292ac R06=00000000 R07=00000000
R08=00000000 R09=000020e4 R10=00000000 R11=00000000
R12=00000000 R13=00000000 R14=00000000 R15=00000000
R16=00000000 R17=00000000 R18=00000000 R19=00000000
R20=00000000 R21=00000000 R22=00000000 R23=00000000
R24=00000000 R25=00000000 R26=00000000 R27=00000000
R28=00000000 R29=00000000 R30=00000000 R31=00000000

Time to download a toolchain – conveniently available in binary form as gcc-or1k-elf-4.8.1-x86_64.tar.bz2 somewhere on the web.

Looking at the disassembly using gdb or objdump, we see a huge main function, over 32000 instructions long! However, even without knowing much about the architecture, we can see that most instructions don't have any effect (adding 0, or-ing with 0, multiplying by 1, or l.nop with an odd-looking immediate):

[...]
   0x00002738 <+32>:    l.addi r16,r16,0
   0x0000273c <+36>:    l.nop 0x4141
   0x00002740 <+40>:    l.ori r19,r19,0x0
   0x00002744 <+44>:    l.addi r2,r0,32
   0x00002748 <+48>:    l.sb 0(r1),r2
   0x0000274c <+52>:    l.nop 0x4141
   0x00002750 <+56>:    l.muli r5,r5,1
   0x00002754 <+60>:    l.nop 0x4141
   0x00002758 <+64>:    l.ori r2,r2,0x0
[...]

I tried filtering them using grep (grep -Ev "nop|(addi?|subi?|ori?) (r[0-9]+),\\2,(0|r0|0x0)|(muli?) (r[0-9]+),\\5,1"); however, over 5800 mostly 'proper' instructions remained, likely autogenerated.

The toolchain comes with a simulator (or1k-elf-run), so we can just run the binary there:

» gcc-or1k-elf-4.8.1-x86_64/bin/or1k-elf-run ./trollface
WARNING: l.nop with unsupported code 0x00003066
WARNING: l.nop with unsupported code 0x00004d56
WARNING: l.nop with unsupported code 0x00006752
WARNING: l.nop with unsupported code 0x00004345
WARNING: l.nop with unsupported code 0x00005141
[...]
WARNING: l.nop with unsupported code 0x00004141
WARNING: l.nop with unsupported code 0x00004141
WARNING: l.nop with unsupported code 0x00004141
                                       .....' ,;;::cccllllllllllllcccc:::;;,,,  ...  ,, ..
                            .. ;cldkO00KXNNNNXX KK000OOkkkkkxxxxxddoooddddddxxxxkkkkOO0  Kx:.
                      . :ok0K   N K0kxolc:;;,,,,;;;;;;;;;;;;       ;;  ..              . lOXKd 
                 . lx00Oxl:x ............      ...................    ....;. .             .oKXd.
              .ckKKkc ...  .:::.. .........  ...::::.. ..........  ..... .. .    .            kNKc.
           .:kXXk .    ..       ..................          .............. c  ...;  .         .dNNx.
           0NKd,          .....   ,,,,  ..                ,........... ,,,  ,,  ,...,,.        .dNNx.
         . Xd.         .:;'..         ..,'             . ,.               ...,,''  '. ...       .oNNo
         .0K.         .;.              ;'              ';                      .'...'.           . XX:
        .oNO.         .                 ,.              .     ..' ::ccc:; ..     ..                lXX:
       .dNd:               ......       ;.                'cxOKK0OXWWWWWWWNX0kc.                    :KXd.
     .l N ;             ;d KKKKKXK ko:...              .l   xc,...l WWW     KO Kx'                   ,ONKo.
   .lKNKl... ...... . .dXWN0kkk0N     N0o.            :KN0;.  .,cokX  NNNN NKkxONK: .,:c:.      .';;;;:lk0XXx;
  :KN0 ';  :'.         .,:lodxxkO00KXNWWWX000k.       oXNx;:okKX0kdl:::;'' ;coxkkd  ...'. ...'''.......' :lxKO:.
 oNNk ;c '' .                      ...;xNNOc .          d0X0xc .     .dOd            ..;dOKXK     Ox:.   ..''dKO 
'KW' : . :.. oxkkkdl;'.                'KK'              ..           .dXX0o:'....,:oOXNN0d;.'. ..,lOKd.   .. ;KXl.
;XNd,;  ;. l00kxoooxKXKx:..ld:         ;  '                             .:dkO000000Okxl;.   c0;      :  ;   .  ;XXc
'XXdc.  :. ..    '' 'kNNNKKKk,      .,dKNO.                                   ....       . c0NO       :X0.  ,.  xN0.
.kNOc   ,.      .00. ..  ...      .l0X0d;.              dOkxo;...                    .;okK K0KN x;.   .0 :  ,.  lN '
 ,KKdl  .c,    .dN ,            .;x W c.                .;:coO O,,'.......       .,lx0  Oo;...oNWN  k:.'  ;  '   dN .
  :  kc'....  .dNW l        .';l0N NKl.          ,lxkkkxo  .cK0.          ..;lx0 N 0xc.     ,0Nx . , .k o  .,  ,KNx.
   c  d,,;:, .  WNNK      . ..  . . dKk;        .c   ll x;.x  l     ..,cdOK   00N c.        KWK      ;k:  .l. ,0Nk.
    cXNx.  . ,KWX0NNNXOl .           .o0Ooldk;            . c;.  lxOKKK0xo ,.. ;XX    .,lOXW Xd.      . . :,.lKXd.
     lXNo    cX   XooN NXKko; ..       .lk0x;       ...,:ldk0KXNNOo:,..       ,O NOxO0KXXNWNO,        ....'l0 k,
     .dNK.   oNWWNo.c K;;oO NN K0kxdolllllooooddxk00KKKK0kdoc:c0No        .'ck WWWN kc,;kNKl.          ., XX ,
      'KXc  .dNWWX;.xN .  . NO::lodx OXWN0O xdlcxNKl,..        oN0'..,:ox0XNWWNNWXo.  ,ONO'           .o0X ;
      .ONo    oNWWN0xXWK, .oNKc       .ONx.      ;X0.          .:XNKKNN    NK l; N . .cKXo.           .ON0;
      .x d   c WWWWWWWWKO K Xxl:,'...;0Xo'.....'lXK;...',:lx 0K WWWW  KOd:..   lXKclO 0:            .xNk.
       dXd   ;XWWWWWWWWWWWWWWWWWWNNNNNWWNNNNNNNNNWWNNNNNNWWWWWNXKNNk;           dNWWXd              cXO 
       xXo    ONWNWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWNNK0ko:'  OXo          'l0NXx,              :KK,
       OXc    : Nk0NW KNWWWWWWWWWWWWWWWWWWWWWNNN 00NNx:'         l Kc      'lONN0l                o K:
       K ;     dNKoON0;l Nkcld0N o::cd0NNO:;,,'    0 c            l  o  'l0NNKd,                c0Nk,
      : K       xNX0 Kc cXXl  ;KXl     d 0         0 o             x XOK XOo,                 l0Xk; 
      dXk        lKW 0d::OWK;  lXXc     OX:        O x         ,cdk0X XOd;     '''    ;c:'  ;xKXx,
      0 o          :dOK   W KOxkXWXo:,,;O k;,,,,,;c0 XOxxkO0XX XKOdc,.  ..;::,...;lol;..:x XOl.
     ,XX:             ..';cldxkOO0'''XXXXXXXXXX'''''00Okxdol:;'..   .';::,..':llc,..'lkKXkc.
     :NX'    .     ''            ..................             .,;:;,',;ccc;'..'lkKX0d;.
     lNK.   .;      ,lc,.         ................        ..,,;;;;;;:::,....,lkKX0d:.
    .oN0.    .'.      .;ccc;, ....              ....  ,;;;;;;;;;; ..   .;oOXX0d:.
    . N0.      .;;,..       ....                ..''''''''....     .: OKKko;.
     lNK'         .., ::  ,'.........................           .  0X0kc'.
     .xXO                                                  .;oOK0x:.
      .cKKo.                                    .,:oxkkkxk0K0xc'.
        .oKKkc,.                         .';cok XNNNX Oxoc,.
          .;d XXdkdlc:;,,,',,,;;:clodkO0KK0Oldl:,'..
              .,coxO0KX      KK0OOxdoc:,..
                        ...

I had to shorten the output; we get lots of lines complaining about an invalid nop operand. Looks like data! Playing around with it, we find that each 16-bit nop immediate holds two base64 characters, low byte first: 0x3066 is "f0", 0x4d56 is "VM", 0x6752 is "Rg", and "f0VMRg" is exactly the base64 encoding of the ELF magic \x7fELF. The countless 0x4141 nops are "AA", i.e. runs of zero bytes. Concatenating all the pairs gives one large base64 string. The ASCII art goes to stdout, the warnings to stderr, so we throw away stdout and feed stderr into a process substitution that keeps the immediate (field 6), strips the 0x0000 prefix, swaps the two bytes and base64-decodes the result:

% gcc-or1k-elf-4.8.1-x86_64/bin/or1k-elf-run ./trollface 1>/dev/null 2> >(
    cut -d " " -f 6 | sed 's/0x0000//g' |
    perl -pe 's/(..)(..)\n/chr(hex($2)).chr(hex($1))/e' |
    base64 -d > hidden)

% file hidden
hidden: ERROR: ELF 32-bit MSB executable, OpenRISC, version 1 (SYSV), statically linkederror reading (Invalid argument)

% gcc-or1k-elf-4.8.1-x86_64/bin/or1k-elf-run ./hidden
flag{Have you ever heard something about OpenRISC?}

Yes, we have!
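The same extraction as a standalone script, added here as an example and not part of the original writeup: it pulls the l.nop immediates out of either the simulator's warning lines or an objdump listing, turns each one into its two base64 characters (low byte first), decodes the result and sanity-checks the ELF identification bytes. SAMPLE_WARNINGS is constructed from the six warning values visible above; the page elides the lines between 0x5141 and the first 0x4141, so treating them as contiguous is an assumption made only so the sample decodes cleanly. All function names are my own.

```python
import base64
import re

# Constructed sample: the first five "unsupported code" warnings the simulator
# printed for ./trollface, followed by one of the many 0x4141 warnings. The page
# elides what lies in between, so contiguity here is an assumption made only to
# get a base64 string whose length is a multiple of 4.
SAMPLE_WARNINGS = """\
WARNING: l.nop with unsupported code 0x00003066
WARNING: l.nop with unsupported code 0x00004d56
WARNING: l.nop with unsupported code 0x00006752
WARNING: l.nop with unsupported code 0x00004345
WARNING: l.nop with unsupported code 0x00005141
WARNING: l.nop with unsupported code 0x00004141
"""

# Matches the simulator's "unsupported code 0x00004141" as well as objdump's
# "l.nop 0x4141", so the same parser works on a disassembly listing.
NOP_IMM_RE = re.compile(r"(?:unsupported code|l\.nop)\s+0x([0-9a-fA-F]+)")
B64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)


def nop_immediates(text):
    """Return the 16-bit l.nop immediates found in simulator or objdump output."""
    return [int(m.group(1), 16) & 0xFFFF for m in NOP_IMM_RE.finditer(text)]


def imm_to_chars(imm):
    """One immediate carries two base64 characters, low byte first: 0x3066 -> 'f0'.

    Raises ValueError for immediates that are not a base64 pair (e.g. the real
    l.nop 0x0 in startup code), instead of silently corrupting the stream.
    """
    pair = chr(imm & 0xFF) + chr(imm >> 8)
    if not set(pair) <= B64_ALPHABET:
        raise ValueError(f"0x{imm:04x} is not a base64 pair; not payload data")
    return pair


def extract_hidden(text, strict=True):
    """Rebuild the base64 string from the nop immediates and decode it.

    With strict=False, immediates that are not base64 pairs are skipped, which
    is what you want when feeding a whole objdump listing rather than only the
    simulator warnings.
    """
    chars = []
    for imm in nop_immediates(text):
        try:
            chars.append(imm_to_chars(imm))
        except ValueError:
            if strict:
                raise
    return base64.b64decode("".join(chars), validate=True)


def elf_ident(data):
    """Sanity-check the recovered bytes against the ELF identification header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    cls = {1: "ELF32", 2: "ELF64"}.get(data[4], "unknown")
    endian = {1: "little-endian", 2: "big-endian"}.get(data[5], "unknown")
    return {"class": cls, "data": endian}


if __name__ == "__main__":
    blob = extract_hidden(SAMPLE_WARNINGS)
    print(blob)            # starts with the ELF magic
    print(elf_ident(blob)) # ELF32, big-endian, matching "ELF 32-bit MSB"
```

On the constructed sample this yields the first nine bytes of the hidden ELF header; on the real simulator output (2>&1 into a file, then passed to extract_hidden) it reproduces the hidden binary from the writeup. The strict check matters because objdump listings also contain genuine l.nop 0x0 instructions from the C runtime, and two stray NUL characters would make the base64 decoder reject the whole stream.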
