Ph0wn 2023 - Light weight but heavy duty
This is the solution of the challenge “Light weight but heavy duty” from the Ph0wn 2023 CTF, which we solved together with @FdLSifu. It was an ARM reverse-engineering challenge built around the block cipher PRESENT.
Details
Category: reverse
Author: Cryptopathe
Points: 500
Description
Pico le Croco, in need of securing his luxurious jacuzzi installation, enlisted the services of a renowned cryptographer, who goes by the name Lars Bogdanov, or something along those lines. Can you crack the algorithm designed to protect the jacuzzi’s remote control?
Bonus for 1st solve: 50
Solution
Ghidra was not able to find the main function directly, but fortunately radare2 does:
Now let’s open it in Ghidra:
The first two checks verify the number of arguments and the length of the second argument. For the second if, the decompiled condition is sVar1 * 0x7477 - 0x6569 == 0x97ef % 0x10001, so we can recover the value of sVar1 with Sage:
Meaning that the parameter needs to be 40 bytes long.
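The same recovery without Sage, as an added example that is not part of the original writeup: the decompiled condition is treated as an affine check (a*x + b) mod m == c with a = 0x7477, c = 0x97ef and m = 0x10001, solved with a modular inverse and cross-checked by brute force over every value a 16-bit length could take. Taking the 0x6569 term with a plus sign is an assumption about how the decompiler rendered that constant; it is the reading under which the 40-byte length reported above satisfies the check. The function names are mine.

```python
# Added example (not the writeup's Sage code): solve the decompiled length
# check as an affine congruence a*x + b == c (mod m) for a 16-bit x.
# Constants come from the writeup; the sign of B is an assumption.

A, B, C, M = 0x7477, 0x6569, 0x97EF, 0x10001


def solve_affine_congruence(a: int, b: int, c: int, m: int) -> int:
    """Return x in [0, m) with (a*x + b) % m == c, using a modular inverse.
    Raises ValueError when a has no inverse modulo m (gcd(a, m) != 1)."""
    try:
        a_inv = pow(a, -1, m)  # modular inverse (Python 3.8+)
    except ValueError:
        raise ValueError("a is not invertible modulo m") from None
    return ((c - b) * a_inv) % m


def candidate_lengths(a: int = A, b: int = B, c: int = C, m: int = M) -> list[int]:
    """Cross-check: brute force over all values a 16-bit length could take.
    Because m is prime and larger than 2**16, at most one value can match."""
    return [x for x in range(1 << 16) if (a * x + b) % m == c]


if __name__ == "__main__":
    print(solve_affine_congruence(A, B, C, M))  # 40
    print(candidate_lengths())                  # [40]
```

The brute-force pass is cheap (65536 evaluations) and is the check worth keeping when the modulus is not prime: if gcd(a, m) != 1 the inverse does not exist and the congruence may have several solutions or none, which the brute force reports directly.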
Then the loop performs an operation with the function FUN_000105f8 on blocks of 8 bytes until it reaches the end of the input. Looking at the function, it appears to be a cryptographic operation. Going back to the challenge description, a search for “Bogdanov, Lars cipher” quickly leads to the block cipher PRESENT. We confirmed that the function implements PRESENT by noting that it runs 31 rounds, uses the PRESENT S-box and loads a 10-byte key.
At the end of the block encryption the result is compared with a value in the code at address 0x113b4. The value can be recovered in radare2:
If it matches, the program displays the string "\nWell done!\n\n".
The key is passed as the third parameter of the function and is a pointer to the function main itself. This is a nice anti-debug trick: a software breakpoint on main patches the first instructions of the function, so the key bytes read from there change and the decryption is wrong. We can easily recover the key:
Since we have the encrypted value and the key, we can decrypt everything in Sage:
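A compact PRESENT-80 implementation, added here as an example and not the challenge's own routine or the writeup's Sage code, serves both steps above: it checks a suspected PRESENT function against the known-answer vectors from the PRESENT specification (31 rounds, the S-box C56B90AD3EF84712, an 80-bit key), and it decrypts a sequence of independent 8-byte blocks with a 10-byte key, which is how the writeup describes the binary processing its 40-byte input. The big-endian packing of each block into a 64-bit word and the sample key and message are assumptions; the function names are mine.

```python
# Added example: PRESENT-80 (31 rounds, 64-bit block, 80-bit key) in pure Python.
# Not the challenge binary's code; block byte order is an assumption (big-endian).

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(16)]
# pLayer: bit i of the state moves to bit (16*i) mod 63; bit 63 stays in place.
PBOX = [(16 * i) % 63 if i != 63 else 63 for i in range(64)]
PBOX_INV = [PBOX.index(v) for v in range(64)]
MASK64 = (1 << 64) - 1
MASK80 = (1 << 80) - 1
ROUNDS = 31


def round_keys(key80: int) -> list[int]:
    """PRESENT-80 key schedule: 32 round keys (31 rounds plus final whitening)."""
    keys = []
    k = key80 & MASK80
    for i in range(1, ROUNDS + 1):
        keys.append(k >> 16)                               # leftmost 64 bits
        k = ((k << 61) | (k >> 19)) & MASK80               # rotate left by 61
        k = (SBOX[k >> 76] << 76) | (k & ((1 << 76) - 1))  # S-box on top nibble
        k ^= i << 15                                       # counter into bits 19..15
    keys.append(k >> 16)
    return keys


def sbox_layer(state: int, box: list[int]) -> int:
    """Apply a 4-bit S-box to each of the 16 nibbles of the state."""
    out = 0
    for i in range(16):
        out |= box[(state >> (4 * i)) & 0xF] << (4 * i)
    return out


def p_layer(state: int, perm: list[int]) -> int:
    """Bit permutation: bit i of the input lands on bit perm[i] of the output."""
    out = 0
    for i in range(64):
        if (state >> i) & 1:
            out |= 1 << perm[i]
    return out


def present_encrypt(block: int, key80: int) -> int:
    rk = round_keys(key80)
    s = block & MASK64
    for i in range(ROUNDS):
        s ^= rk[i]
        s = sbox_layer(s, SBOX)
        s = p_layer(s, PBOX)
    return s ^ rk[ROUNDS]


def present_decrypt(block: int, key80: int) -> int:
    rk = round_keys(key80)
    s = (block & MASK64) ^ rk[ROUNDS]
    for i in range(ROUNDS - 1, -1, -1):  # undo the rounds in reverse order
        s = p_layer(s, PBOX_INV)
        s = sbox_layer(s, SBOX_INV)
        s ^= rk[i]
    return s


def _check_sizes(data: bytes, key: bytes) -> None:
    if len(key) != 10 or len(data) % 8:
        raise ValueError("need a 10-byte key and a multiple of 8 bytes of data")


def encrypt_blocks(plaintext: bytes, key: bytes) -> bytes:
    """Encrypt independent 8-byte blocks (ECB) with a 10-byte key."""
    _check_sizes(plaintext, key)
    key80 = int.from_bytes(key, "big")
    out = bytearray()
    for off in range(0, len(plaintext), 8):
        block = int.from_bytes(plaintext[off:off + 8], "big")
        out += present_encrypt(block, key80).to_bytes(8, "big")
    return bytes(out)


def decrypt_blocks(ciphertext: bytes, key: bytes) -> bytes:
    """Decrypt independent 8-byte blocks (ECB) with a 10-byte key."""
    _check_sizes(ciphertext, key)
    key80 = int.from_bytes(key, "big")
    out = bytearray()
    for off in range(0, len(ciphertext), 8):
        block = int.from_bytes(ciphertext[off:off + 8], "big")
        out += present_decrypt(block, key80).to_bytes(8, "big")
    return bytes(out)


if __name__ == "__main__":
    # Known-answer vector from the PRESENT specification: all-zero key and block.
    assert present_encrypt(0, 0) == 0x5579C1387B228445
    # Constructed sample: a 10-byte key and a 40-byte (5-block) message.
    key = bytes(range(10))
    msg = b"ph0wn{constructed-sample-flag-40bytes!!}"
    assert decrypt_blocks(encrypt_blocks(msg, key), key) == msg
    print("PRESENT-80 known-answer and round-trip checks passed")
```

The known-answer vectors are the practical test: once a recovered key, ciphertext and plaintext line up against the specification's values, the identification of the routine as PRESENT no longer rests on counting rounds and spotting the S-box table. If the binary packs blocks little-endian instead, only the two int.from_bytes / to_bytes byte orders need to change.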
Then we got the flag.
Another description and solution of this challenge are available in Ph0wn Mag Issue #1.