pseudo

Hawkeye16 - you are on good track - now try to find other loops in the arm code where user input is used.

btw few people wrote me for hints on PM, and I’m glad to help out, but I honestly expected a “respect” at least. I’m not being salty for a game but it’s just I’m a bit disappointed since it’s not that fair to ask for an hint and do not give something back. Please consider this before writing me :slight_smile:

Hi all, I need some help with the challenge. I can share in PM my approach and what I have tried so far. Thanks!

based on questions I’ve received, the generic hint I can give is to track down the input first (both user and password), watch what’s happening with it and then move on the logic of the program: ask yourself “do I really need to reverse this bunch of no-sense assembly?” (by “no-sense” I’m refering to a certain part of the program). go for abstraction sometimes and try to assume that a piece of code is doing some sort of operations (you need to verify it by reversing or by observing te behaviour), don’t be stuck just with bytes and instructions.
For the rest of the code, it’s “standard” assembly: no matter if you are experience only on x86/64, you can read this architecture too :slight_smile:
and, most important, take your time: for some is faster then for others to dig into asm! don’t get frustrated and just keep read and try to understand what’s going on: the time you’re spending on this will improve your approach on reversing too, because at some point you’ll focus on answering the correct questions you’re making yourself :slight_smile:
If I was able to resolved it, trust me, you can really solve it youself ! :smiley:

I made some progress, I think. I can distinguish library code from binary code. I know how the binary was compiled. I have identified the function that asks for some input. I have somehow reconstructed the first steps of the program.
Now I am stuck in what seems to be a very long loop. Letting the loop evolve until the end probably leads to an infinite loop. I don’t understand how to force divertion to a more interesting location (that I might have found). Could someone shed some light on this aspect?

.

.

I’ve reached the point in which I too see the similarities with another esoteric language with the bytes for all but 3 of the bytes. However, I’m mainly zooming on this one byte as I know this is the one where some checking occurs… I know what operations are performed on my input and know what happens when this check fails. However, I’m having some difficulty getting past this part as I am not sure about the length. Anyone can help me out a little?

On a sidenote (this might be my lack of experience with remote debugging with gdb), who else had issues finding what they typed in the memory of the program?

Alright got it! Very tough challenge. Tip for the last step… don’t be like me and assume anything about lengths.

Just managed to solve it with radare2 and qemu (eventhough i felt like radare was very reluctant to work with this binary, it fought me wherever it could), by far the best challenge i have seen so far. As a beginner, I appreciate having to deal with reading assembly instructions other than X86 and IKEA, and the thing had a twist to it which was (in my opinion) pretty original. All in all very fun and educational (also, looking at the difficulty ratings makes me chuckle now because i feel like i’m part of an inside joke for both obvious and non-obvious reasons).

I am intrigued however, several people here mention they solved it with a python script. I tried so too, but i ran into the same problem as with the binary itself, so in the end i solved it without (except for the usual calculations/conversions). If someone is willing to share his scripting-approach via PM (the rough idea should be sufficient), i would be grateful, because the comments here make me feel like i missed something.

Done. IDA + remote gdbserver on qemu + python script (+small patch to avoid register modifications). Python script - just alternative to patching of elf file. Most time spent on: getting running elf %) (due to it was my first arm64 binary) + learning how to debug it + arm64 asm. Rest is just as usually - reading, thinking, patching %)))

PS: was fun

Done!
Excellent challenge, really enjoyed it!

Done.

For those who are still struggling with this one:

  1. It is ARM code, yes, but it’s not that difficult to read once you get used to it. My suggestion for those who are at a lost with ARM code: write some hello world program and compile it with buildroot or anything like it and then reverse it to see what it looks like and then try to compare the code to Pseudo.

  2. I finally solved it by writing a Python interpreter of my own that, as someone has said, skips certain something. This is not necessary, you can also solve it without writing your own bytecode interpreter, but if you happen to write your own script, then you will probably catch the “twist” this has right before knowing there’s a twist XD.

  3. Follow the input (password and username) and how it is transformed. Try to identify all the opcodes the VM uses and what they do. For those two certain paths full of no-sense ARM code related to maths, don’t be a fool: think it like a black-box: identify the parameters that get in and the output that gets out and be done with it.

4 I have used: r2 + qemu-aarch64-static -g 1234 + gdb-multiarch to run, debug and reverse Pseudo.

  1. Try harder.

For the record: I’m not a RE expert. This has been my first ARM challenge so far, and my second VM. The first VM-like CTF I solved I did it with angr, so you can imagine my skills. And yet, as someone has already said, it’s doable.

Enjoy!

Guys I need help. I am trying to run this binary via qemu static and it shows error “What is this? A terminal for ants?”
Is this a valid error (appears to be some screen sizing error) and I have to bypass or something wrong with the setup?

@shani said:
Guys I need help. I am trying to run this binary via qemu static and it shows error “What is this? A terminal for ants?”
Is this a valid error (appears to be some screen sizing error) and I have to bypass or something wrong with the setup?

You have to bypass it, and the way to do it is rather obvious (think about the context in which this quote is usually used)

Type your comment> @Gordin said:

@shani said:
Guys I need help. I am trying to run this binary via qemu static and it shows error “What is this? A terminal for ants?”
Is this a valid error (appears to be some screen sizing error) and I have to bypass or something wrong with the setup?

You have to bypass it, and the way to do it is rather obvious (think about the context in which this quote is usually used)

Thanks, i was just wondering as i see everyone talking about user and password etc. I am not aware of the saying though, is it a Meme?
The binary is now making sense, that i am reading this https://jumpnowtek.com/shellcode/linux-arm-shellcode-part1.html and seeing how the syscalls are happening to write to the screen etc. This is the last one in this cat that i need resolve, hopefully this weekend !

ok figure out the terminal message and it’s asking for password which then goes into a loop, only never to come out. So will be looking Into that and reading the suggestion in this thread. Thanks again.

I didn’t go the esoteric language route because I don’t know that many esoteric languages. I, however did manage to decipher three of the “bytecode” instructions. In one of them, I got the “encoded” password and then wrote a simple script to decode it. The decoding mechanism is way simpler than I previously thought. The real challenge was setting up the appropriate architecture and environment in my already virtualized Kali Linux. :wink:

Type your comment> @limbernie said:

I didn’t go the esoteric language route because I don’t know that many esoteric languages. I, however did manage to decipher three of the “bytecode” instructions. In one of them, I got the “encoded” password and then wrote a simple script to decode it. The decoding mechanism is way simpler than I previously thought. The real challenge was setting up the appropriate architecture and environment in my already virtualized Kali Linux. :wink:

that’s the point of this challenge imho: setting up the proper environment and track the input, avoiding esoteric assembly :slight_smile: