HITCON 2020: dual writeup

Author: braindead

2020/HITCON/runrunrun/README.md

@@ -0,0 +1,49 @@
+1. Use [https://github.com/pzl/ciqdb](https://github.com/pzl/ciqdb) to dump symbol and code sections from hitcon.prg
+2. Download Garmin's ConnectIQ SDK
+3. Decompile their compiler (written in Java)
+4. Learn MonkeyC's opcodes and their encoding from com.garmin.monkeybrains.asm.Opcode
+5. Disassemble the code
+6. Dump the encrypted flag and decryption algorithm
+6. Write an assymptotically faster flag decryption algorithm
+7. ???
+8. Profit
+
+Flag Decryption Algorithm
+-------------------------
+
+	def solve(cnt):
+		a = 1
+		b = 1
+		c = 1
+
+		for _ in range(cnt):
+			d = (a*2 + b + c*7)%31337
+			c = b
+			b = a
+			a = d
+		
+		return a
+
+	enc = [98, 32, 84, 253, 217, 18, 92, 22, 112, 138, 147, 46, 168, 229, 31, 149, 72, 94, 191, 124, 21, 176, 10, 104, 154, 213, 235, 25, 237, 61, 18, 15]
+	keys = [1, 3, 9, 27, 81, 243, 729, 2187, 6561, 19683, 59049, 177147, 531441, 1594323, 4782969, 14348907, 43046721, 129140163, 387420489, 1162261467, 3486784401, 10460353203, 31381059609, 94143178827, 282429536481, 847288609443, 2541865828329, 7625597484987, 22876792454961, 68630377364883, 205891132094649, 617673396283947]
+
+	flag = bytearray()
+	for e, k in zip(enc, keys):
+		flag.append(e ^^ (solve(k)&0xff))
+		print(flag)
+
+Faster Version (in SageMath)
+----------------------------
+
+	K = GF(31337)
+
+	update = Matrix([
+		[2, 1, 7],
+		[1, 0, 0],
+		[0, 1, 0],
+	], ring=K)
+
+	col = Matrix([[1], [1], [1]], ring=K)
+
+	def solve(n):
+		return int(((update^n) * col)[0,0])

2020/HITCON/runrunrun/code.bin

@@ -0,0 +1,34 @@
+enc = [98, 32, 84, 253, 217, 18, 92, 22, 112, 138, 147, 46, 168, 229, 31, 149, 72, 94, 191, 124, 21, 176, 10, 104, 154, 213, 235, 25, 237, 61, 18, 15]
+keys = [1, 3, 9, 27, 81, 243, 729, 2187, 6561, 19683, 59049, 177147, 531441, 1594323, 4782969, 14348907, 43046721, 129140163, 387420489, 1162261467, 3486784401, 10460353203, 31381059609, 94143178827, 282429536481, 847288609443, 2541865828329, 7625597484987, 22876792454961, 68630377364883, 205891132094649, 617673396283947]
+
+K = GF(31337)
+
+update = Matrix([
+	[2, 1, 7],
+	[1, 0, 0],
+	[0, 1, 0],
+], ring=K)
+
+col = Matrix([[1], [1], [1]], ring=K)
+
+def solve(cnt):
+	a = 1
+	b = 1
+	c = 1
+
+	for _ in range(cnt):
+		d = (a*2 + b + c*7)%31337
+		c = b
+		b = a
+		a = d
+	
+	return a
+
+def fast_solve(n):
+	return int(((update^n) * col)[0,0])
+
+flag = bytearray()
+
+for e, k in zip(enc, keys):
+	flag.append(e ^^ (fast_solve(k)&0xff))
+	print(flag)

2020/HITCON/runrunrun/decrypt.sage

@@ -0,0 +1,62 @@
+from braindead import *
+from opcodes import OP_BY_ID, OPSIZE
+
+args = Args()
+args.add('LOAD', help='Dumped code section')
+args.add('META', help='Dumped metadata')
+args.parse()
+
+pc2ln = {}
+syms = {}
+
+with open(args.META) as f:
+	for line in f:
+		if line.startswith('c0de7ab1'):
+			for line in f:
+				line = line.strip()
+				if len(line) == 0:
+					break
+				filename, symbol, _, pc = line.split()
+				pc = int(pc[:-1])
+				pc2ln[pc] = (filename, symbol)
+		elif line.startswith('5717b015'):
+			for line in f:
+				line = line.strip()
+				if len(line) == 0:
+					break
+				symid, symname = line.split(': ')
+				syms[int(symid)] = symname
+
+prg = util.slurp(args.LOAD)
+base = 0x10000000
+
+pc = base
+
+while pc-base < len(prg):
+	op = prg[pc-base]
+	if op not in OPSIZE:
+		print(f'{pc:08}  {op:02x} .. .. .. ..  invalid')
+	ops = OPSIZE[op]
+	hx = []
+	for i in range(min(9, ops)):
+		hx.append(f'{prg[pc+i-base]:02x}')
+	while len(hx) < 9:
+		hx.append('..')
+
+	if op not in OP_BY_ID:
+		print('wtf')
+		break
+	opn = OP_BY_ID[op]
+
+
+	arg_len = ops-1
+	arg_val = int.from_bytes(prg[pc+1-base:pc+1-base+arg_len], 'big')
+	if opn == 'SPUSH':
+		arg_fmt = syms[arg_val]
+	else:
+		arg_fmt = f'0x{arg_val:x}'
+
+	if pc in pc2ln:
+		print(';', *pc2ln[pc])
+	print(f'{pc:08x}  {" ".join(hx)}  {opn} {arg_fmt}')
+	pc += ops