Tags: reverse ghidra arm engineering 

Rating:

A few words about the Ph0wn CTF which took place on the 12/13/2019.

A few days ago, some friends invited me to join their team for the 2019
edition of the [Ph0wn](https://ph0wn.org/) CTF. It was really interesting even
though IoT are as far as possible of being my forte.

Against all odds, I managed to solve a challenge with the help of "Mathias",
a smoke break encounter.

Before we start off, I just wanted to aknowledge the fact that a real RE expert would have just "read" the ASM code to understand the logic.
I'm not a RE expert.
This is just one way to solve that challenge.

## Break my ARM

### 1 - Reco
In this challenge we find one binary "break".

Let's avoid any surprise and check the file.
```bash
file break
break: ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=4175e617ac346c7d70eeda7fb1560c80f8daf541, not stripped
```

First of all, determine what we are looking for.
According to the challenge description and other solved challenges, we are looking for a flag
in one of two formats :

```bash
ph{...}
ph0wn{...}
```

Having no Rpi or emulator at my disposal (for a IoT CTF I know how unprepared it sounds),
I decided to run the usual commands :

```bash
strings | grep 'ph{\|ph0wn{'
```

With no luck.

### 2 - The big guns

So far all we know is that it's an ARM binary file and we assume that the flag is not hard-coded or at least, not
as its final form.

As a perfect n00b in RE, I fired up the last soft I read about the infamous [Ghidra](https://ghidra-sre.org/).

Press "i" to open and add the binary to your project then double click on "break".
![Ghidra project](https://cristalcorp.github.io/assets/img/ph0wn/ghidra_project.png)
It seems that Ghidra recognized the correct format on its own, then when the message pops up
"break has not been analyzed. Would you like to analyze it now?", click yes > select all > analyze.

Then I'm looking for an entry point, as there is no main function clearly available, I just type "main"
in the search bar of the symbol tree window... Lazy yep... But it's working !
![Main function search](https://cristalcorp.github.io/assets/img/ph0wn/search_symbol_tree.png)

Once I've got my main function, I'll look at the pseudo code in the "decompile" window and
slowly rename as many variables as I can to make it more readable (using the "l" key).
At the end it looked like this :
![Decompile renamed](https://cristalcorp.github.io/assets/img/ph0wn/decompile_renamed.png)
Let's be clear, my names are not even always correct and a someone competent would have just read the ASM.
But it gets the job done !
Line 37 gives us a good idea of the logic.
The program takes every character of the user input, substract 4 from it (ASCII wise) and compare it
to the flag.
Once we know that, a little python can help...

```python
flag = "ph0wn{"
output=""
for letter in flag:
good = ord(letter) - 4
output += chr(good)
print(output)
```
line 1 is our supposed flag format
line 4 we remove 4 to each character of the string
line 6 the flag, as supposedly stored in the binary

```bash
ld,sjw
```

Knowing that, we just have to rerun the "strings" command with our supposed flag.

```bash
strings break | grep 'ld,sjw'
ld,sjwkq_d[ukq[^nkga[iu[]niy
```

### 3 - Your happy place

Last thing we need now is "add" 4 to each character to reveal the flag.

```python
output=""
good_flag = "ld,sjwkq_d[ukq[^nkga[iu[]niy"
for letter in good_flag:
output += chr(ord(letter) + 4)
print(output)
```

And solve !
```bash
ph0wn{ouch_you_broke_my_arm}
```

A big thanks to ph0wn and umpa lumpa for this opportunity to learn more.

CristalCorp.

Original writeup (https://cristalcorp.github.io/2019/12/24/Ph0wn.html).