Rating:
<!-- TOC -->
<!-- /TOC -->
Thrilling to see the OSASK, I have a copy of 30日でできる! OS自作入門, which teach you to implement a simple OS in 30 days.
Compare the result of GetCommandLineA() to C:\Temp\SECCON2018Online.exe" SECCON{Runn1n6_P47h}
The flag is SECCON{Runn1n6_P47h}
The architecture of the elf is moxie, can be known by strings.
The binary would print :
This program uses special instructions.
SETRSEED: (Opcode:0x16)
RegA -> SEED
GETRAND: (Opcode:0x17)
xorshift32(SEED) -> SEED
SEED -> RegA
Indeed, we can find some weird instructions in binary dump:
0000154a <set_random_seed>:
154a: 16 20 bad
154c: 04 00 ret
0000154e <get_random_value>:
154e: 17 20 bad
1550: 04 00 ret
00001552 <decode>:
1552: 06 18 push $sp, $r6
1554: 06 19 push $sp, $r7
1556: 06 1a push $sp, $r8
1558: 06 1b push $sp, $r9
155a: 06 1c push $sp, $r10
155c: 06 1d push $sp, $r11
Here, the implement of xorshift32 is differ from wiki ( I'll show you the reason in the next section )
uint32_t xorshift32(uint32_t state[static 1])
{
/* Algorithm "xor" from p. 4 of Marsaglia, "Xorshift RNGs" */
uint32_t x = state[0];
x ^= x << 13;
x ^= x >> 17;
x ^= x << 15; //the original version is << 5
state[0] = x;
return x;
}
Xor flag, randval, get_random_value to get the flag.
The flag is SECCON{MakeSpecialInstructions}
This binary should be more easy to understand, because all you need to do is dragging it into IDA.
The key point is how /dev/xorshift64 work, there are serveral implementation online, it's time comsuming to test everyone.
But, the SECCON is hold by japanese, where a japanese engineer would go for searching the information about things they don't understand ?
Wiki, but in japanese......
x = x ^ (x << 13);
x = x ^ (x >> 7);
return x = x ^ (x << 17);
Again, xor flag, randval, get_random_value to get the flag.
The flag is SECCON{UseTheSpecialDeviceFile}
My first time to reverse a unity game, it seems not so hard.
Decompress the .apk, the C# script of game is located at assets/bin/Data/Managed/Assembly-CSharp.dll.
There are only two methods ,Start and Update, obviously, the Update keep rotate the flag behind, let's modify them to :
#the axis of object seems not parellel or vertical to camera
public void Start()
{
base.transform.position = new Vector3(0f, -4.5f, 2f);
base.transform.Rotate(new Vector3(0f, -90f, 0f));
}
public void Update()
{
}
Pack it back and launch it.
The flag is SECCON{4R3_Y0U_CH34+3R?}
Again,a unity game.
Basically, it's arcade game, and the players would be ranked online with other players.
This one was builded by IL2CPP.
How I found that it was builded by IL2CPP (it's also my first time to reverse such thing):
First, there is no Assembly-CSharp.dll.
It may implies the possibility of 2 things (or more) :
dll was some how being packed or obfuscatedSecond, the layout of diretory seems to be different with last challenge, block.
Then I found that there are lots of keywords in assets/bin/Data/Managed/Metadata/global-metadata.dat
After google it, I could dump the pseudo code from global-metadata.dat and libil2cpp.so ( main logic ) by Il2CppDumper.
But there is nothing valuable in the game logic......
Observing strings, I found there are some weird strings :
shooter.pwn.seccon.jp
staging.shooter.pwn.seccon.jp
develop.shooter.pwn.seccon.jp
/admin
/api/v1/score
Now, I can get the highest score by sending:
POST /api/v1/scores HTTP/1.1
Expect: 100-continue
X-Unity-Version: 2018.2.11f1
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
User-Agent: Dalvik/2.1.0 (Linux; U; Android 8.1.0; Android SDK built for x86 Build/OSM1.180201.007)
Host: shooter.pwn.seccon.jp
Connection: Keep-Alive
Accept-Encoding: gzip
score=2147483647&name=zzzzzzzzzzzzzzzzzzzzzzzz
It's useless, server won't send flag back.
And I don't think that the command injection would work.
Then, I found that http://staging.shooter.pwn.seccon.jp/admin will redirect you to http://staging.shooter.pwn.seccon.jp/admin/sessions/new
SQL injection works....
We can login as admin by sending ' ))) UNION (SElECT 1)# as password.
What's more, we can do the time base SQL injection.
This part was done by kaibro, my teamate.
leak first db : shooter_staging
leak first table in it : ar_internal_metadata
leak second table in it : flags
columns in flags:
idvaluecreated_atupdated_a tThe flag is SECCON{1NV4L1D_4DM1N_P4G3_4U+H3NT1C4T10N}
I overdozed, only left an hour to solve this lol
By a quick glance, I guess the binary would execute an tcl script, and the goal is to build a window similar to the picture ?
