Tags: rev ebpf 

## Baby-ebpf

We were given an [eBPF](https://en.wikipedia.org/wiki/EBPF) ELF [file](https://gr007.tech/writeups/2023/backdoor/rev/babyebpf/babyebpf.o). The intended solve was to load the eBPF program into the kernel and read its output from the kernel trace. But I just old-school reversed it with objdump.

```sh
backdoor/rev/babyebpf on  master [!?]
❯ objdump -d babyebpf.o

babyebpf.o: file format elf64-bpfle

Disassembly of section tp/syscalls/sys_enter_execve:

0000000000000000 <detect_execve>:
0: b7 01 00 00 44 04 05 1c mov %r1,0x1c050444
8: 63 1a f8 ff 00 00 00 00 stxw [%fp+-8],%r1
10: 18 01 00 00 19 08 34 01 lddw %r1,0x954094701340819
18: 00 00 00 00 47 09 54 09
20: 7b 1a f0 ff 00 00 00 00 stxdw [%fp+-16],%r1
28: 18 01 00 00 13 57 3e 40 lddw %r1,0x10523251403e5713
30: 00 00 00 00 51 32 52 10
38: 7b 1a e8 ff 00 00 00 00 stxdw [%fp+-24],%r1
40: 18 01 00 00 0b 0d 13 0e lddw %r1,0x43075a150e130d0b
48: 00 00 00 00 15 5a 07 43
50: 7b 1a e0 ff 00 00 00 00 stxdw [%fp+-32],%r1
58: b7 01 00 00 00 00 00 00 mov %r1,0

0000000000000060 <LBB0_1>:
60: 18 02 00 00 00 00 00 00 lddw %r2,0
68: 00 00 00 00 00 00 00 00
70: 0f 12 00 00 00 00 00 00 add %r2,%r1
78: 71 22 00 00 00 00 00 00 ldxb %r2,[%r2+0]
80: bf a3 00 00 00 00 00 00 mov %r3,%fp
88: 07 03 00 00 e0 ff ff ff add %r3,-32
90: 0f 13 00 00 00 00 00 00 add %r3,%r1
98: 71 34 00 00 00 00 00 00 ldxb %r4,[%r3+0]
a0: af 42 00 00 00 00 00 00 xor %r2,%r4
a8: 73 23 00 00 00 00 00 00 stxb [%r3+0],%r2
b0: 07 01 00 00 01 00 00 00 add %r1,1
b8: 15 01 01 00 1c 00 00 00 jeq %r1,0x1c,1
c0: 05 00 f3 ff 00 00 00 00 ja -13

00000000000000c8 <LBB0_2>:
c8: bf a3 00 00 00 00 00 00 mov %r3,%fp
d0: 07 03 00 00 e0 ff ff ff add %r3,-32
d8: 18 01 00 00 1c 00 00 00 lddw %r1,0x1c
e0: 00 00 00 00 00 00 00 00
e8: b7 02 00 00 04 00 00 00 mov %r2,4
f0: 85 00 00 00 06 00 00 00 call 6
f8: b7 00 00 00 01 00 00 00 mov %r0,1
100: 95 00 00 00 00 00 00 00 exit
```

`detect_execve` stores 28 (0x1c) bytes of constants on the stack at `%fp-32`: one 4-byte store (`stxw`) at `%fp-8` and three 8-byte stores (`stxdw`) at `%fp-16`, `%fp-24` and `%fp-32`, so the bytes land in memory in the little-endian order of each immediate. The `LBB0_1` loop walks those 0x1c bytes and XORs each one with the byte at the same index of a string elsewhere in the object; the `lddw %r2,0` is that string's address, most likely patched by a relocation, which is why `objdump -d` (without `-r`) shows the immediate as zero. `LBB0_2` then calls helper 6, `bpf_trace_printk`, with the decoded buffer as the `%s` argument, which is what prints the flag into the kernel trace. I rewrote the algorithm in C.

```c
#include <stdio.h>

int main(void) {
    /* XOR key found with `strings`; only the first 28 bytes are used */
    const char *key = "marinkitagawamarinkitagawama";
    /* stack buffer at %fp-32, in memory order (little-endian bytes of each immediate) */
    unsigned char arr[] = {0x0b, 0x0d, 0x13, 0x0e, 0x15, 0x5a, 0x07, 0x43, 0x13, 0x57,
                           0x3e, 0x40, 0x51, 0x32, 0x52, 0x10, 0x19, 0x08, 0x34, 0x01,
                           0x47, 0x09, 0x54, 0x09, 0x44, 0x04, 0x05, 0x1c};
    int len = sizeof(arr) / sizeof(arr[0]); /* 0x1c, the loop bound in LBB0_1 */
    for (int i = 0; i < len; i++) {
        putchar(arr[i] ^ key[i]);
    }
    putchar('\n');
    return 0;
}
```

The key string was obtained after I did `strings` on the eBPF file. That looked sus and it worked out. I am sure it won't be this easy next time, so gotta learn about eBPF.
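Transcribing `arr[]` by hand from the `lddw` immediates is where the byte order is easy to get wrong. As an added example (not part of the original writeup), the following script replays the `mov`/`lddw` and `stxw`/`stxdw` instructions of the `detect_execve` prologue to rebuild the stack buffer byte by byte, then applies the XOR; the disassembly sample and the key are copied from above, and the buffer base (`%fp-32`) and length (0x1c) come from the `LBB0_1` loop.

```python
import re

# Sample input, copied from the objdump output of <detect_execve> above.
DISASM = """\
0: b7 01 00 00 44 04 05 1c mov %r1,0x1c050444
8: 63 1a f8 ff 00 00 00 00 stxw [%fp+-8],%r1
10: 18 01 00 00 19 08 34 01 lddw %r1,0x954094701340819
18: 00 00 00 00 47 09 54 09
20: 7b 1a f0 ff 00 00 00 00 stxdw [%fp+-16],%r1
28: 18 01 00 00 13 57 3e 40 lddw %r1,0x10523251403e5713
30: 00 00 00 00 51 32 52 10
38: 7b 1a e8 ff 00 00 00 00 stxdw [%fp+-24],%r1
40: 18 01 00 00 0b 0d 13 0e lddw %r1,0x43075a150e130d0b
48: 00 00 00 00 15 5a 07 43
50: 7b 1a e0 ff 00 00 00 00 stxdw [%fp+-32],%r1
"""

KEY = b"marinkitagawamarinkitagawama"  # the string found with `strings`
BUF_BASE, BUF_LEN = -32, 0x1c            # %fp-32 and the loop bound in <LBB0_1>

MOV_RE = re.compile(r"\b(mov|lddw) %r(\d+),(-?0x[0-9a-f]+|-?\d+)$")
STX_RE = re.compile(r"\bstx(w|dw) \[%fp\+(-?\d+)\],%r(\d+)$")

def recover_stack(disasm):
    """Replay register loads and stack stores; returns {fp_offset: byte}."""
    regs, stack = {}, {}
    for line in disasm.splitlines():
        m = MOV_RE.search(line)
        if m:                         # mov/lddw: register <- immediate
            regs[int(m.group(2))] = int(m.group(3), 0)
            continue
        m = STX_RE.search(line)
        if m:                         # stxw/stxdw: 4 or 8 little-endian bytes to [%fp+off]
            width = 4 if m.group(1) == "w" else 8
            off = int(m.group(2))
            val = regs[int(m.group(3))] & ((1 << (8 * width)) - 1)
            for i, b in enumerate(val.to_bytes(width, "little")):
                stack[off + i] = b
    return stack

def decrypt(disasm, key=KEY):
    """Rebuild the 0x1c-byte buffer at %fp-32 and XOR it with the key, as LBB0_1 does."""
    stack = recover_stack(disasm)
    buf = bytes(stack[BUF_BASE + i] for i in range(BUF_LEN))
    return bytes(b ^ key[i] for i, b in enumerate(buf)).decode()

if __name__ == "__main__":
    print(decrypt(DISASM))
```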

flag: `flag{1n7r0_70_3bpf_h3h3h3eh}`

Original writeup (https://gr007.tech/writeups/2023/backdoor/index.html#baby-ebpf).