
[Knight CTF] Fix It Felix! writeup

by blackcon 2022. 1. 23.

Problem

Binary Analysis (ELF)

  • INFO user@bk-mac:~/ctf $ file atme.elf
    atme.elf: ELF 32-bit LSB executable, Atmel AVR 8-bit, version 1 (SYSV), statically linked, with debug_info, not stripped

  • Analyzing main()

    user@bk-mac:~/ctf $ cat dump.asm
    ; Setup: 0xFF is written to I/O addresses 26, 20 and 17. The PORT_A/PORT_B/PORT_C
    ; names are the writeup's own labels and differ from the lower-case PORT_a/PORT_c/PORT_d
    ; (27/21/18) used below. Presumably this configures pins as outputs - confirm
    ; against the device's I/O map, which the listing does not show.
    0x00000092 <+0>:    ldi    r24, 0xFF    ; 255
    0x00000094 <+2>:    out    PORT_A, r24    ; 26
    0x00000096 <+4>:    out    PORT_B, r24    ; 20
    0x00000098 <+6>:    out    PORT_C, r24    ; 17
    
    ; Frame (re)start: scan = 1 and i = 0 (r1 is avr-gcc's zero register), then jump
    ; to the loop test at 0x158.
    0x0000009a <+8>:    ldi    r24, 0x01    ; 1
    0x0000009c <+10>:    sts    0x0060, r24    ;  0x800060 <scan>
    0x000000a0 <+14>:    sts    0x00A2, r1    ;  0x8000a2 <i>
    0x000000a4 <+18>:    rjmp    .+178        ;  0x158 <main+198>
    
    ; Loop body: the current scan value goes to PORT_c (I/O address 21).
    0x000000a6 <+20>:    lds    r24, 0x0060    ;  0x800060 <scan>
    0x000000aa <+24>:    out    PORT_c, r24    ; 21
    
    ; Slot 0: PORT_a = 0x01, then Z = i + 0x0061. The subi/sbci pair subtracts 0xFF9F
    ; from the 16-bit Z register, which is the same as adding 0x61. The byte at Z is
    ; written to PORT_d (18). The seven groups that follow repeat this with
    ; PORT_a = 0x02 .. 0x80 and Z = i + 0x62 .. i + 0x68.
    0x000000ac <+26>:    ldi    r24, 0x01    ; 1
    0x000000ae <+28>:    out    PORT_a, r24    ; 27
    0x000000b0 <+30>:    lds    r30, 0x00A2    ;  0x8000a2 <i>
    0x000000b4 <+34>:    ldi    r31, 0x00    ; 0
    0x000000b6 <+36>:    subi    r30, 0x9F    ; 159
    0x000000b8 <+38>:    sbci    r31, 0xFF    ; 255
    0x000000ba <+40>:    ld    r24, Z
    0x000000bc <+42>:    out    PORT_d, r24    ; 18
    
    0x000000be <+44>:    ldi    r24, 0x02    ; 2
    0x000000c0 <+46>:    out    PORT_a, r24    ; 27
    0x000000c2 <+48>:    lds    r30, 0x00A2    ;  0x8000a2 <i>
    0x000000c6 <+52>:    ldi    r31, 0x00    ; 0
    0x000000c8 <+54>:    subi    r30, 0x9E    ; 158
    0x000000ca <+56>:    sbci    r31, 0xFF    ; 255
    0x000000cc <+58>:    ld    r24, Z
    0x000000ce <+60>:    out    PORT_d, r24    ; 18
    
    ; NOTE(review): no instruction is listed at 0xde (0xdc is followed directly by 0xe0).
    ; Every other group has `ld r24, Z` in that slot, so as printed r24 still holds 0x04
    ; when it is written to PORT_d. Check the binary to see what sits at 0xde.
    0x000000d0 <+62>:    ldi    r24, 0x04    ; 4
    0x000000d2 <+64>:    out    PORT_a, r24    ; 27
    0x000000d4 <+66>:    lds    r30, 0x00A2    ;  0x8000a2 <i>
    0x000000d8 <+70>:    ldi    r31, 0x00    ; 0
    0x000000da <+72>:    subi    r30, 0x9D    ; 157
    0x000000dc <+74>:    sbci    r31, 0xFF    ; 255
    0x000000e0 <+78>:    out    PORT_d, r24    ; 18
    
    0x000000e2 <+80>:    ldi    r24, 0x08    ; 8
    0x000000e4 <+82>:    out    PORT_a, r24    ; 27
    0x000000e6 <+84>:    lds    r30, 0x00A2    ;  0x8000a2 <i>
    0x000000ea <+88>:    ldi    r31, 0x00    ; 0
    0x000000ec <+90>:    subi    r30, 0x9C    ; 156
    0x000000ee <+92>:    sbci    r31, 0xFF    ; 255
    0x000000f0 <+94>:    ld    r24, Z
    0x000000f2 <+96>:    out    PORT_d, r24    ; 18
    
    0x000000f4 <+98>:    ldi    r24, 0x10    ; 16
    0x000000f6 <+100>:    out    PORT_a, r24    ; 27
    0x000000f8 <+102>:    lds    r30, 0x00A2    ;  0x8000a2 <i>
    0x000000fc <+106>:    ldi    r31, 0x00    ; 0
    0x000000fe <+108>:    subi    r30, 0x9B    ; 155
    0x00000100 <+110>:    sbci    r31, 0xFF    ; 255
    0x00000102 <+112>:    ld    r24, Z
    0x00000104 <+114>:    out    PORT_d, r24    ; 18
    
    0x00000106 <+116>:    ldi    r24, 0x20    ; 32
    0x00000108 <+118>:    out    PORT_a, r24    ; 27
    0x0000010a <+120>:    lds    r30, 0x00A2    ;  0x8000a2 <i>
    0x0000010e <+124>:    ldi    r31, 0x00    ; 0
    0x00000110 <+126>:    subi    r30, 0x9A    ; 154
    0x00000112 <+128>:    sbci    r31, 0xFF    ; 255
    0x00000114 <+130>:    ld    r24, Z
    0x00000116 <+132>:    out    PORT_d, r24    ; 18
    
    0x00000118 <+134>:    ldi    r24, 0x40    ; 64
    0x0000011a <+136>:    out    PORT_a, r24    ; 27
    0x0000011c <+138>:    lds    r30, 0x00A2    ;  0x8000a2 <i>
    0x00000120 <+142>:    ldi    r31, 0x00    ; 0
    0x00000122 <+144>:    subi    r30, 0x99    ; 153
    0x00000124 <+146>:    sbci    r31, 0xFF    ; 255
    0x00000126 <+148>:    ld    r24, Z
    0x00000128 <+150>:    out    PORT_d, r24    ; 18
    
    0x0000012a <+152>:    ldi    r24, 0x80    ; 128
    0x0000012c <+154>:    out    PORT_a, r24    ; 27
    0x0000012e <+156>:    lds    r30, 0x00A2    ;  0x8000a2 <i>
    0x00000132 <+160>:    ldi    r31, 0x00    ; 0
    0x00000134 <+162>:    subi    r30, 0x98    ; 152
    0x00000136 <+164>:    sbci    r31, 0xFF    ; 255
    0x00000138 <+166>:    ld    r24, Z
    0x0000013a <+168>:    out    PORT_d, r24    ; 18
    
    ; Short busy-wait: r24 counts down from 0x21 to zero.
    0x0000013c <+170>:    ldi    r24, 0x21    ; 33
    0x0000013e <+172>:    dec    r24
    0x00000140 <+174>:    brne    .-4          ;  0x13e <main+172>
    0x00000142 <+176>:    nop
    
    ; Advance: scan = scan + scan (left shift by one bit), and
    ; i = i - 0xF8, which is i + 8 modulo 256.
    0x00000144 <+178>:    lds    r24, 0x0060    ;  0x800060 <scan>
    0x00000148 <+182>:    add    r24, r24
    0x0000014a <+184>:    sts    0x0060, r24    ;  0x800060 <scan>
    0x0000014e <+188>:    lds    r24, 0x00A2    ;  0x8000a2 <i>
    0x00000152 <+192>:    subi    r24, 0xF8    ; 248
    0x00000154 <+194>:    sts    0x00A2, r24    ;  0x8000a2 <i>
    
    ; Loop test: brcc is taken when i >= 0x41 (unsigned compare) and leads to 0x9a,
    ; which resets scan and i. Otherwise the body at 0xa6 runs again.
    0x00000158 <+198>:    lds    r24, 0x00A2    ;  0x8000a2 <i>
    0x0000015c <+202>:    cpi    r24, 0x41    ; 65
    0x0000015e <+204>:    brcc    .+2          ;  0x162 <main+208>
    
    0x00000160 <+206>:    rjmp    .-188        ;  0xa6 <main+20>
    0x00000162 <+208>:    rjmp    .-202        ;  0x9a <main+8>
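  • Find the column data drawn on the 8x8 matrix: each pass of the loop sends the eight bytes at 0x0061 + i … 0x0068 + i to PORT_d, then adds 8 to i.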

Solution Code

    user@bk-mac:~/ctf $ cat solv.c
    #include <stdio.h>

    /*
     * Frame data rendered by main(): 65 bytes in total.
     * Each run of eight bytes is one pixel row across eight 8x8 glyphs; a set
     * bit is a lit pixel. The final byte is an extra zero after the eighth row.
     * Presumably copied from the table the firmware reads at 0x0061 + i (the
     * 65-byte gap between scan at 0x60 and i at 0xa2) - confirm against the ELF.
     */
    unsigned char column[] = {
        /* row 0 */ 0xC6, 0x3C, 0x18, 0x00, 0x7C, 0x1C, 0x3C, 0x7E,
        /* row 1 */ 0xC6, 0x66, 0x38, 0x00, 0xC6, 0x0C, 0x18, 0x7E,
        /* row 2 */ 0xC6, 0x60, 0x18, 0xC6, 0x06, 0x7C, 0x18, 0x5A,
        /* row 3 */ 0xC6, 0xF8, 0x18, 0x6C, 0x3C, 0xCC, 0x18, 0x18,
        /* row 4 */ 0xC6, 0x60, 0x18, 0x38, 0x06, 0xCC, 0x18, 0x18,
        /* row 5 */ 0xC6, 0x60, 0x18, 0x6C, 0xC6, 0xCC, 0x18, 0x18,
        /* row 6 */ 0x7C, 0xF0, 0x7E, 0xC6, 0x7C, 0x76, 0x3C, 0x3C,
        /* row 7 */ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        /* tail  */ 0x00
    };

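    /*
     * Print the eight bits of target to stdout, most significant bit first,
     * as the characters '0' and '1'. No newline is written.
     */
    void print_bin( char target )
    {
        /*
         * Work on an unsigned copy: plain char may be signed, and
         * right-shifting a negative value is implementation-defined.
         */
        const unsigned char bits = (unsigned char)target;

        for (int shift = 7; shift >= 0; shift--) {
            putchar(((bits >> shift) & 1u) ? '1' : '0');
        }
    }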
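    /*
     * Render the frame stored in column[] as text, one pixel row per line.
     *
     * Each line is the binary form of eight consecutive bytes, so the 1 bits
     * draw the glyphs side by side. A "=========" line marks the end of the
     * frame. The frame is printed once; the firmware's scan mask does not
     * affect the text output and is not modelled here.
     *
     * Returns 0.
     */
    int main( void )
    {
        enum { ROW_BYTES = 8 };
        /* Only whole rows are printed, so every index stays inside column[]. */
        const size_t rows = sizeof column / ROW_BYTES;

        for (size_t row = 0; row < rows; row++) {
            /* Index forward from the row start; never read before column[0]. */
            const unsigned char *line = &column[row * ROW_BYTES];

            for (size_t k = 0; k < ROW_BYTES; k++) {
                print_bin((char)line[k]);
            }
            printf("\n");
        }
        printf("=========\n");

        return 0;
    }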

Flag

  • KCTF{Uf1x3dIT}
  • Obtained by running solv.c: the 1 bits in its output draw the flag characters.