Participate in DEF CON CTF 2022 Quals

Author: Qwaz

DEFCON/2022 Quals/bios/bios-nautilus.bin

@@ -0,0 +1,5 @@
+APERTURE IMAGE FORMAT (c) 1985
+
+42
+
+~ ~ ~ ~ ~ ~ ~ ~ ~ &'~ 6&~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ]'~ 5'~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ]'~ 5'~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ]'~ 5'~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ]'~ 5'~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ !*)()3(:#8'1~ ~ ~ .'~ 5'~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ !*()(5':#8&3~ 67'8&1.-(8#*)+*'H)$*T'~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ !*'*'7&:#7&5~ 58&8%3,/'8#*(,*'H)$*T'3***$87'1:$B$6:*&1~ ~ ~ ~ ~ ~ ~ ~ **&+&:$:#6&6~ 58&7%5*1&7$*'-*'H)$*T'3***$87'1:$B#89*%3~ ~ ~ ~ ~ ~ ~ ~ )*%,%<#9$5'6~ 59%6%6)3%6%*&.*'N#$#['3***$78'1:$B":8*$5~ ~ ~ ~ ~ ~ ~ ~ (:%=#8%4(6~ 5:$5&6(5$5&*%/*'N#$#['3***$69'1:$B":8*#6~ ~ ~ ~ ~ ~ ~ ~ (9&=#7&3)6~ 5;#4'6'7#4'*$0*'N#$#['3***$5:'19&A":8*#6%'~ ~ ~ ~ ~ ~ ~ z9&=#7&'56~ 5;#3(6&8#3(*#1*'N#$#['3***$4;'18(@":8*#6%'~ ~ ~ ~ ~ ~ ~ z:%=#6''56~ 5;#'46%9#'4*"2*'N#$#['3***$3<'17*?":8*#6%'~ ~ ~ ~ ~ ~ ~ z;$*',#5('=.~ 5;#'46%9#'4*!3*'N#$#['3***$'H'17+>":8*#6%'~ ~ ~ ~ ~ ~ ~ z;$*(+#*3'=-~ 6;#'<.%9#'4>*'N#$#['3***$'H'16-++'"*((8*#6%'~ ~ ~ ~ ~ ~ ~ z;$*)*#*3'<-~ 7'**#'<-&+1'4>*'N#$#['3>$'H'15/+*'")()8*+.%'~ ~ ~ ~ ~ ~ ~ z;$*)*#*35--~ 8')+#';-'*2'43!**'N#$#['3>$'H5#*;,('"((*8*+-&'~ ~ ~ ~ ~ ~ ~ z*'*$*)*#*35,-~ 9'(,#5,-()35&2"**'N#$#['3>$'H5#*<,''"&%/8**-''~ ~ ~ ~ ~ ~ ~ z*'*$*)*#*34,-~ :'',$5+-)(45&1#**'N#$#['3>$5:4$*=,&'"&%.9*)-('~ ~ ~ ~ ~ ~ ~ z*'*$*)*#*3'8-~ ;'&,%4+-*(44'0$**'N#$#['3>$5:3%*>,%'"&%.9*(-~ ~ ~ ~ ~ ~ ~ ~ ,*&+$*)*#*3'7-~ <'%,&'7-+(4'4/%**'N#$#['3>$4;2&*?,$'"&%-:*'-~ ~ ~ ~ ~ ~ ~ ~ -*%,$*)*#*3'6.~ <'$,''6-,)3'4.&**'N#$#['3>$'H'1*@,#'"&L*&-~ ~ ~ ~ ~ ~ ~ ~ .*$-$*)*#*3'5.~ ='#,('5.,*2'4-'**'N#$#['3***$'H'1*A,"'"'K*%-~ ~ ~ ~ ~ ~ ~ ~ /*#.$*)*#*35'-~ >'",)'4.-,0'4,(**'N#$#['3***$'H'1*B,!'"(J*$.,'~ ~ ~ ~ ~ ~ ~ z;$*)*#*35'6~ 5'!,*5&-.8$5&+)**'N#$#['3***$'H'1*C3"*H*#.-'~ ~ ~ ~ ~ ~ ~ z:%)**#*35'6~ 53+5&6%8$5&***$=>#$#['3***$5:5#*D2"99*#-.'~ ~ ~ ~ ~ ~ ~ z9&(+)$)45'6~ 52,5&6%7%5&)+*$=>#$#U=#***$5:5#*E1"99*#6%'~ ~ ~ ~ ~ ~ ~ z8'',(%(54(6~ 51-5&6&5&5&(,)%=>#$#U=#)+)%5:5#*F0"8:*#6%'~ ~ ~ ~ ~ ~ ~ z7(','&'63*4~ 60.4'6'3'4''-(&<?#$#U=#(,(&5:5#)G0"7;)$6%'~ ~ ~ ~ ~ ~ ~ z6)&-&'&72,2~ 7//3)4)1(3('-'':A#$#U<$'-''4;4$(I/"6<(%6%'~ ~ ~ ~ ~ ~ ~ z5*%.%(%82-0~ 8.02+2+/)2)&.&(9B#$#U:&&.&(3<3%'K."5=''4&'~ ~ ~ ~ ~ ~ ~ z4+$/$)$91/.~ 9-12,0--*2)%/%)8=)$*N9'%/%)2=2&&M-#3>&)2''~ ~ ~ ~ T3,#0#*#:01,~ :,21../,*1*$0$*7>)$*N8(%/%)2=2&%O,$1?%+0~ ~ ~ ~ ~ ~ ~ J+300,1*+0+#1#+6?)$*N7)$0$*1>1'$Q+%/@$-.~ ~ ~ ~ ~ ~ ~ ~ ~ ~ X6*#1#+0?0(#S*&-A#/,~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ \"~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ W#~ :"~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ :$~ 9#~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 9%~ 8$~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 8&~ 7%~ ~ ~ ~ ~ ~ X

DEFCON/2022 Quals/bios/bios-nautilus.bin.idb

@@ -0,0 +1,3 @@
+[ZoneTransfer]
+ZoneId=3
+HostUrl=https://cdn.discordapp.com/attachments/979897359943213087/979963118090342410/flag.lzma

DEFCON/2022 Quals/bios/extracted/bootsplash.bmp.lzma

@@ -0,0 +1,19 @@
+import lzma
+
+with open("extracted/flag.lzma.enc", "rb") as enc:
+    enc_data = enc.read()
+
+for key in range(0, 100000):
+    start_key = key
+
+    try_data = bytearray(enc_data)
+    for i in range(len(try_data)):
+        key = (((key >> 3) ^ (key >> 8) ^ (key >> 10) ^ (key >> 15)) & 1 | (2 * key)) & 0xffff
+        try_data[i] ^= key & 0xff
+
+    try:
+        if try_data[:4] == b"\x5d\x00\x00\x80":
+            print(start_key)
+            print(try_data)
+    except Exception as e:
+        pass

DEFCON/2022 Quals/bios/extracted/fire.pal

@@ -0,0 +1,146 @@
+from abc import ABC
+from collections import defaultdict
+from enum import Enum
+from multiprocessing import Pool
+from capstone import *
+from pwn import *
+from z3 import *
+
+import archinfo
+import angr
+import subprocess
+import logging
+
+
+class Arch(Enum):
+    PE32 = 1
+    POWER32 = 2
+    POWER64 = 3
+    ALPHA64 = 4
+    EXE_86_64 = 5
+    LIB_86_64 = 6
+    M68K = 7
+    MIPS64 = 8
+    MIPS32_LE = 9
+    MIPS32_BE = 10
+    SPARC = 11
+    RENESAS = 12
+    ARM64 = 13
+    ARM32 = 14
+    S390 = 15
+    HP_PA = 16
+    RISCV64 = 17
+
+
+name_to_arch = {
+    "ELF 32-bit MSB executable, PowerPC or cisco 4500": Arch.POWER32,
+    "ELF 64-bit MSB executable, 64-bit PowerPC or cisco 7500": Arch.POWER64,
+    "ELF 64-bit LSB executable, Alpha (unofficial)": Arch.ALPHA64,
+    "ELF 64-bit LSB executable, x86-64": Arch.EXE_86_64,
+    "ELF 64-bit LSB shared object, x86-64": Arch.LIB_86_64,
+    "ELF 32-bit MSB executable, Motorola m68k": Arch.M68K,
+    "ELF 64-bit MSB executable, MIPS": Arch.MIPS64,
+    "ELF 32-bit LSB executable, MIPS": Arch.MIPS32_LE,
+    "ELF 32-bit MSB executable, MIPS": Arch.MIPS32_BE,
+    "ELF 64-bit MSB executable, SPARC V9": Arch.SPARC,
+    "ELF 32-bit LSB executable, Renesas SH": Arch.RENESAS,
+    "ELF 64-bit LSB executable, ARM aarch64": Arch.ARM64,
+    "ELF 32-bit LSB executable, ARM": Arch.ARM32,
+    "ELF 64-bit MSB executable, IBM S/390": Arch.S390,
+    "ELF 32-bit MSB executable, PA-RISC": Arch.HP_PA,
+    "ELF 64-bit LSB executable, UCB RISC-V": Arch.RISCV64,
+}
+
+
+def get_arch(filename):
+    out = subprocess.check_output(["file", "-b", filename]).decode()
+    if out.startswith("PE32+ executable (console) x86-64"):
+        return Arch.PE32
+    else:
+        arch = ", ".join(out.split(", ")[:2])
+        return name_to_arch[arch]
+
+
+class Family(ABC):
+    pass
+
+
+FILE_LEN = 24315
+
+
+def file_name(id):
+    return f"ncuts/{id}"
+
+
+def parse_imm(s):
+    if s[0] == "#":
+        s = s[1:]
+    if s[:2] == "0x":
+        return int(s[2:], 16)
+    return int(s)
+
+
+def check_answer(qemu, id, num):
+    output = subprocess.check_output(f"echo {num} | {qemu} {file_name(id)}", shell=True)
+    return b"Congrats!" in output
+
+
+with Pool() as p:
+    arch_list = p.map(get_arch, map(file_name, range(FILE_LEN)))
+
+arch_map = defaultdict(list)
+for (i, arch) in enumerate(arch_list):
+    arch_map[arch].append(i)
+
+context.arch = "aarch64"
+context.log_level = "error"
+logging.getLogger("pwnlib.elf.elf").setLevel("ERROR")
+
+# for bin_id in [64]:
+for bin_id in arch_map[Arch.ARM64]:
+    e = ELF(file_name(bin_id))
+    func_bytes = e.read(0x400540, 400)
+
+    md = Cs(CS_ARCH_ARM64, CS_MODE_ARM)
+
+    inst_list = list(md.disasm(func_bytes, 0x400540))
+    inst_map = {}
+    for inst in inst_list:
+        inst_map[inst.address] = inst
+
+    # for inst in inst_list:
+    #     print("0x%x:\t%s\t%s" % (inst.address, inst.mnemonic, inst.op_str))
+
+    if (
+        inst_map[0x400580].mnemonic != "mov"
+        or inst_map[0x400584].mnemonic != "bl"
+        or inst_map[0x400588].mnemonic != "cbnz"
+    ):
+        continue
+
+    find = parse_imm(inst_map[0x400588].op_str.split(", ")[1])
+    avoid = [0x40058c]
+
+    SP_BASE = 0x7F000000
+
+    proj = angr.Project(file_name(bin_id))
+    state = proj.factory.blank_state(
+        addr=0x400580, add_options={angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS}
+    )
+
+    x = state.solver.BVS("x", 64)
+
+    state.memory.store(SP_BASE + 0x20, x)
+    state.regs.sp = SP_BASE
+    state.regs.x20 = SP_BASE + 0x20
+
+    sm = proj.factory.simulation_manager(state)
+    sm.explore(find=find, avoid=avoid)
+
+    s = sm.found[0]
+    ans = s.solver.eval(s.memory.load(SP_BASE + 0x20, 8, endness=archinfo.Endness.LE))
+
+    if check_answer("qemu-aarch64", bin_id, ans):
+        print(f"{bin_id}: {ans}")
+    else:
+        print(f"{bin_id}: {ans} (WRONG!)")