CTFtime.org / CSAW CTF Qualification Round 2017 / bananaScript / Writeup

# bananaScript
## Reversing 450

#### shareef12

Not too sure how to Interpret this, the lab member who wrote this "forgot" to
write any documentation. This shit, and him, is bananas. B, A-N-A-N-A-S.

We were initially given two files for this challenge; an ELF binary `monkeyDo`
and a text file `banana.script`. At some point on Saturday the organizers
released two additional script files: `test1.script` and `test2.script`.

user@reversing:~/csaw/bananascript$ file *
banana.script: ASCII text, with very long lines, with CRLF line terminators
monkeyDo: ELF 64-bit LSB executable, x86-64, version 1 (SYSV),
dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux
2.6.32, BuildID[sha1]=4e3e2b95c29bcb0f0da9761171d309ce92564cb2, stripped
test1.script: ASCII text, with CRLF line terminators
test2.script: ASCII text, with CRLF line terminators

Based on the description, `monkeyDo` is probably an interpreter for each of the script files. Running banana.script gives us the following results.

user@reversing:~/csaw/bananascript$ ./monkeyDo banana.script
Hello! And welcome to the Flying Monkeys' Fantastic Falling Fan Trivia Game.

Here, the council of monkeys will ask you questions, which will determine whether they choose to lift you away save you from your plummeting fate.

"WRITE DOWN YOUR AGE," speaks the elder monkey.

...Only now do you notice the immense amount of banananasPiled around you on this falling stone platform.. The bananananasSeem to be used for everything, from the obvious food source to building materials to tooth brushes to toys to even glasses, but you can't imagine how well one could see through a pair of K-Vision goggles.

One such monkey wearing these goggles hobbles up to you now, carrying a pile of limp banananananasSkins and a bananananananaPointPen. As this monkey hands you these materials, the black ends of the banananananananas(Where eyes might ought to go?) seem to peer into your soul, as though they know everything and more that there is to know about you, and they are very, very deeply conflicted about you due to a familial disagreement back in the chain... "Disgrace to our fine culture," you think you hear, but so soft that it could have just been the wind. The monkey moves in closer and closer, so close that it could, and actually does bump into you, obviously unaware of where you are due to some odd oblong fruit obscuring its vision.

test_input_1

~How can monkeys talk? And why am I following you their commands?~

"WRITE DOWN YOUR SSN/CVV's/privatekeys- err I mean favorite food!," speaks the elder monkey.
test_input_2

"GASP!" All the monkeys are dreadfully appaled, some of them even start to cry. "How could you?" spits one monkey, covering the eyes of their child. The conglomerate of monkeys take off from the platform, leaving you to fall to your death.

At this point we need to find a way to determine what inputs are valid for these
questions. To do this, I started static analysis of `monkeyDo` in order to build
a simple disassembler for the scripts. Opening it up in IDA, we see one of the
ugliest control flow graphs for `main()`. Due to the lack of other functions, we
can assume the bulk of the disassembler is implemented in this function.

![main() Control Flow Graph](img/cfg.png)

To name some of the c++ functions correctly, I created a test program with some
c++ std types, compiled, and disassembled in order to compare functionality.
Many of the top-level vector functions seemed to be exactly the same.

After verifying the correct argument count, we encounter the following basic
block, which calls two functions. The first, `read_lines` reads each line from
the input script file, and splits each line by whitespace, returning a vector of
lines, where each line is a vector of words.

![Read lines](img/read_lines.png)

The second function seems to initialize some form of hashmap mapping a "banana
string" to an ascii character. This hashmap will probably be used to translate
"banana strings" to ascii strings.

![Character Encoding map](img/build_char_encoding_map.png)

Following this, we initialize 16 `std::basic_string` objects on the stack, which
happen to be the "registers" for this interpreter. In the picture below, the
first 8 registers are named r0-r8, and the next 8 a0-a8.

![Initializing Registers](img/initialize_registers.png)

Initially I didn't make the connection that these were the registers of the
interpreter until I started looking at some of the instructions. What gave it
away was for many instructions there was a cascading sequence of comparisons for
a specific "banana string" and moving the address of one of these registers into
a specific location. Essentially this was the machine choosing a register to
operate on given a specific instruction operand.

In the below images, we see that the fourth word in the line (index 3) is an
operand. Based on the capitalization of the word "banANANS", we choose a
corresponding register to operate on. It seems all registers started with
"banA", and the remaining text corresponds to the binary value of the register
index, with uppercase being a 1 and lowercase being a 0.

banANAS = r7 or a7
banANAs = r6 or a6
banANaS = r5 or a5
...
banAnas = r0 or a0

![Choosing Operands](img/operand_choose_1.png)
![Choosing Operands](img/operand_choose_2.png)

After reversing a few of the opcodes and making extremely slow progress, I
decided to move to a more dynamic analysis. The interpreter loops through each
line, with the start of loop at `0x4074d7`. If we set a breakpoint at this
address and dump the machine registers, we can step through a script file
manually. To automate this process, I created a [gdb init script](.gdbinit) that
defined some useful functions, automatically set a breakpoint, and loaded
`banana.script`.

To help decode some of the runtime banana strings, I also wrote a simple
[python script](convert.py) to decode them.

user@reversing:~/csaw/bananascript$ gdb monkeyDo
Reading symbols from monkeyDo...(no debugging symbols found)...done.
Breakpoint 1 at 0x4074d7