EDIT: After a few misfortunes with jwplayer (constant breaks), I switched to the promising videojs. Post updated accordingly.

libssl-dev
pibpcre++-dev

wget http://nginx.org/download/nginx-1.8.0.tar.gz
tar xf nginx-1.8.0.tar.gz
cd nginx-1.8.0
wget https://github.com/arut/nginx-rtmp-module/archive/master.zip
unzip master.zip
./configure --with-http_ssl_module --add-module=./nginx-rtmp-module-master
make
sudo make install

listen 8000; # Or whatever port suits you

unzip video-js-5.10.4.zip
cp -R videojs-5.10.4 /var/www/ # or whatever folder suits you

1. <html>
2. <head>
3. </head>
4. <body>
5. <link href=“videojs/video-js.min.css” rel=“stylesheet”>
6. <script src=“videojs/video.min.js”></script>
7. <script>
8.   videojs.options.flash.swf = “videojs/video-js.swf”
9.   </script>
10. <video id=“example_video_1” class=“video-js vjs-default-skin vjs-big-play-centered”
11.        controls preload=“auto” width=“640” height=“360”
12.        poster=“pony.jpg”
13.        data-setup=‘{“example_option”:true}’>
14.   <source src=“rtmp://192.X.X.X/live/test” type=“rtmp/mp4” />
15.   <p class=“vjs-no-js”>To view this video please enable JavaScript, and consider upgrading to a web browser that <a href=“http://videojs.com/html5-video-support/” target=“_blank”>supports HTML5 video</a></p>
16.   </video>
17. </body>
18. </html>

Streaming Service : Custom
Server : rtmp://192.X.X.X/live
Play Path/Stream Key : test

One of the many fantastic things about the Nuit Du Hack security Convention is the annual special challenge that comes with the badge.
The first person who’ll solve it will win the “Black Badge“, a life pass to all upcoming Nuit du Hack events !
This year, the challenge was a bit particular : it was a limited edition (200 pieces), and it was not free. But God it was fun.

The badge was an Arduino compatible board inspired from a famous project called Usnoobie. It’s basically an ATMega328p with a mini-usb port that can flash itself by simulating an USBAsp programmer. More details on the Flash memory structure later.

Last but not least, the badge comes with a handy set of tools and instructions that you could find on the creator’s online repository (@virtualabs)

Step 0 : Summoning the soldering iron

I’ll rapidly pass on the soldering part : about 15 to 20 components to solder on the board, it’s pretty strayforward. Unless you’re diagnosed with Parkinson, it should not take more than two hours to get the thing working.

Since I started soldering using a two-handed sword and mittens, it was not that easy, but well… It works. I’ll let you see for yourself and move on to the fun part.

NdH2k14 Collector badge

Step 1 : Tu quoque mi fili

Once plugged, the board is recognized as a USB device; Virtualabs gave us a cute console written in Python to talk to the monster. The board’s product and vendor’s ids are respectively 0x05dc and 0x16c0, which are shared IDs for use with libusb.

1. # python console.py 
2. *** Ndh2k14 serial console ***
3.  – waiting for device …
4.  – device detected, spawning console
5. Welcome to Ndh2k14 Secure Chip.
6.  
7. New here ? type access code ‘HelpPlz!’.
8.  
9. Access code: HelpPlz!
10. === Security level 1 ===
11.  Decrypt this and use it as an access code to enter level 2: 
12.  
13.     DyHmXoHv
14.  
15. Access code:

Anyone a bit familiar with security challenges will recognize a Caesar cipher. And what’s the most historical elegant way to defeat Julius ? Bruting it like his son, of course.

1. code = “DyHmXoHv”
2. def bruteforce():
3.     charset = “0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ”
4.     for i in range(len(charset)):
5.         nc = ”
6.         for c in code:
7.             j = charset.index(c)
8.             nc += charset[(j + i) % len(charset)]
9.         yield(nc)
10. for attempt in bruteforce():
11.     self.badge.send(attempt)

After a few tries, the code unlocking the next level comes up :

1. Access code: AvEjUlEs
2. === Security level 2 ===

On to the next part.

Step 2 : Good old WEP basic encryption

The security level 2 gives us a nice looking RC4 challenge :

1. === Security level 2 ===
2.  – Hope you have your RSA token …
3.  
4. Enter OTP (number, KEY and IV are 4 bytes long):
5.  
6. IV: 5748524f
7. RC4(RANDOM, IV+KEY): 9937c0cf5244188d
8.  
9.  
10. ANSWER: 
11. Timeout reached.
12.  
13. Access code:

After a few tries, one would notice that the IV’s and ciphered texts change over time. But not that much, since the same IV’s would come up every third or fourth try. Here is a list of IV’s and associated ciphered texts that would come up from the board :

1.     (“e7ea483d5d68ab54”,“TlYk”),
2.     (“55c1ab1aa03129c5”,“u8J7”),
3.     (“cf473fbe817ca98b”,“0zt6”),
4.     (“904a4d1afdb1bff7”,“aDHv”),
5.     (“d9cebc9e6a0da621”,“qkZu”),
6.     (“06937a2ab43edef8”,“cNcc”),
7.     (“3f05b477b874e824”,“Nv3H”),
8.     (“8c1aeabcde6adbaf”,“7LGM”),
9.     (“5617b6bcaadbad26”,“Qfvk”),
10.     (‘d662e9854ec7b192’,“fUYM”),
11.     (‘5d4f5d59a3e6d4bb’,“k8D6”),
12.     (‘1faeaf3384eb70fb’,‘w5mt’),
13.     (‘2b9abbb3af1929b5’,‘zLaF’),
14.     (“5963ae9f728cb753”,“5BRO”),
15.     (“b89a660d907bacc6”,“n2Ai”),
16.     (“9faabe2ceebb24bc”,“0M1K”),
17.     (“e653f5ccab6dd730”,“mKqb”),

I first tried the smart way : since RC4 is a stream cipher, I could try sniffing as many IV’s as I could in order to find the key, attacking the RC4’s KSA as in the popular FMS attack.

I did not succeed using this method. So I decided to take the most recurring IV and ciphered text couple (the first one in the list above), and brute the 4 bytes long key. I would only feed the “printable” deciphered texts to the badge. The resulting list of printable passcodes was about 380 long, which took around 5 minutes to get me to the next level.

Generating the list :

1. charset = “0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ”
2. def RC4(data, key):
3.     x = 0
4.     s = range(256)
5.     for i in range(256):
6.         x = (x + s[i] + ord(key[i % len(key)])) % 256
7.         s[i], s[x] = s[x], s[i]
8.     x = y = 0
9.     out = “”
10.     for c in data:
11.         x = (x + 1) % 256
12.         y = (y + s[x]) % 256
13.         s[x], s[y] = s[y], s[x]
14.         out += chr(ord(c) ^ s[(s[x] + s[y]) % 256])
15.     return out
16.  
17. def brute():
18.     return (”.join(candidate)
19.         for candidate in itertools.chain.from_iterable(itertools.product(charset, repeat=i)
20.         for i in range(4,5)))
21.  
22. encrypted = (“e7ea483d5d68ab54”,“TlYk”)
23.  
24. for key in brute():
25.     (encoded,iv) = encrypted
26.     encoded = encoded.decode(‘hex’)
27.     decoded = RC4(encoded, “%s%s” % (iv, key))
28.     if all(e in charset for e in decoded):
29.         print “%s %s” % (key,a)

The access code for the next level was ‘Pu1lD0wn’.

Step 3 : the Extra-Terrestrial

This is what you could read on the next level :

1. Access code: Pu1lD0wn
2. === Security level 3 ===
3.  – Badge phone home, obviously.
4.  
5. Access code:

Well, thank you sir.

One of the first things I tried with the badge was to identify the request types (IN and OUT) and request fields that were used to communicate with the board via control transfers. I wanted to see if the badge was “speaking” using different codes from the python console that came with the badge. And thankfully it did.

1. for bRequest in range(256):
2.     try:
3.         ret = dev.ctrl_transfer(0xC0, bRequest, 0, 0, 1)
4.         print “bRequest “,bRequest
5.         print ret
6.         sleep(0.02)
7.     except:
8.         pass

0xC0 is the request type IN. Here is the trimmed output :

1. bRequest  0
2. array(‘B’)
3. […]
4. bRequest  97
5. array(‘B’, [111])
6. bRequest  98
7. array(‘B’, [80])
8. bRequest  99
9. array(‘B’, [78])
10. bRequest  100
11. array(‘B’)
12. […]
13. bRequest  255
14. array(‘B’)

Seems like the board is talking through 97-99. I then tried printing what was sent :

1. for bRequest in range(97,100):
2.     try:
3.         ret = dev.ctrl_transfer(0xC1, bRequest, 0, 0, 4000)
4.         print “bRequest “,bRequest
5.         print ”.join(chr(x) for x in ret)
6.         sleep(0.02)
7.     except:
8.         pass

Here is the output :

1. bRequest  97
2. ZK
3. –
4.  |
   ��a�:�i�
   ‘%}���1]>N���S@�k������x[��B}5��6jy��E�
5. /�Gb���{���bH�}�]��b�/>>���:
   �����    �����M����I5�>
6. bRequest  98
7. Pu1lD0wn
8. k�����>wl�Z��A5Q�.�<�_ardware much electroni��8_�榌����)�������K��v�f*9i�>qe���[�/�”��
9.      J
10. bRequest  99
11. N

The 98 and 99 requests were not moving (except the 99 wich would either send ‘Y’ or ‘N’, which I did not find interesting for this step), but the 97 request field would send me different data each time. I started guessing that the board would gloriously send me it’s internal RAM after a few tries. I then started reading more and more from the badge on the same request field:

1. for i in range(200):
2.         d = device.ctrl_transfer(0xC1, 97, 0, 0, 4000)
3.         ret = ”.join(chr(x) for x in d)
4.         print ret

From what I was seeing, I was confirming that it was indeed the RAM :

1. # python fuzz.py | strings
2. 1]>N
3. <“$[
4. wIfT}
5. Pu1lD0wn
6. SASSEMBLE ME ?
7. ode: s c hardware much electroni
8. bIJ2+
9. 1s`I
10. MJ$<
11.     x7X
12. f:ErH
13. 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ%02x%02x%02x%02x%02x%02x%02x%02x
14. IV: 
15. RC4(RANDOM, IV+KEY): 
16. ANSWER: 
17. Timeout reached.
18. =so1
19. %02X%02X%02X%02X%02X%02X%02X%02X
20. Access code: 
21. d@l4
22. Welcome to Ndh2k14 Secure Chip.
23. […]

What if I sent the last code I just obtained ? Would the next access code be decrypted in RAM ? Guess what 🙂

1. device.ctrl_transfer(bmRequestTypeOut, 0x61, 0, 0, “Pu1lD0wn”)
2.     for i in range(200):
3.         d = device.ctrl_transfer(0xC1, 97, 0, 0, 4000)
4.         ret = ”.join(chr(x) for x in d)
5.         print ret

1. # python fuzz.py | strings
2. 1lD0wn
3. 1]>N
4. <“$[
5. === Se
6. curity level 3 ===
7.  – Badge phone home, obviously.
8. Next access code is: B1p!8lP!
9. Pu1lD0wn
10. Z(Pu1lD0wn
11. SASSEMBLE ME ?
12. === Secu h
13. ardware much electroni
14. bIJ2+
15. 1s`I
16. MJ$<
17.     x7X
18. f:ErH
19. 3456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ%02x%02x%02x%02x%02x%02x%02x%02x
20. IV: 
21. RC4(RANDOM, IV+KEY):

What a lucky m*therf*cker am I. On to the next level.

Step 4 : This is the end

This one is the one that took away my sleep, my soul and my sanity. Here is the output of the Security level 4 :

1. Access code: B1p!8lP!
2. === Security Level 4 ===
3.  
4. Last auth code:

wat

This is were the fun begins.

I forgot to mention that you could obtain the microcontroller’s flash memory via avrdude, since the board is capable of flashing itself by emulating a USBAsp programmer. Booting the board in “flash mode” using the RESET button :

1. avrdude –p atmega328p –c usbasp –U flash:r:atmega328p.flash.hex:i

This command gave you the whole flash memory of the board’s microcontroller, which was later added to the board’s Github repository.

With the code in hand, and the serious look of the “Last auth code” displayed by the board, there was no other choice but to reverse it using a debugger or a simulator.

I first tried a few projects, like simavr, which would have allowed me to attach a gdb to the simulator, but I faced a few problems when came the USB communication emulation part. After a few days trying to patch the project, my kernel and my brain, I decided to use more user-friendly tools and give Atmel Studio a try. Turns out the version 6 of the tool does not allow to live-debug a simulator running a raw hex dump, but the version 4 does. Using some documentation and a lot of coffee, I started executing the program step by step. I also gave IDA a try, which allowed me to get a clear graphical view of the functions I was running into.

IDA samples

Here’s an overall diagram of the whole flash program:

ndh2k14 flash memory

The board starts up at 0x7000, and the bootloader either jumps to 0x3800 if the RESET button is pressed, or to 0x0000 on default behavior.

So we need to start at 0x0. After a few lines of initialization, we end up in a loop that looks like a part of a receive function (0x070B).

1. +0000081F:   E184        LDI       R24,0x14       Load immediate
2. +00000820:   B199        IN        R25,0x09       In from I/O location
3. +00000821:   7194        ANDI      R25,0x14       Logical AND with immediate
4. +00000822:   F431        BRNE      PC+0x07        Branch if not equal
5. +00000823:   5081        SUBI      R24,0x01       Subtract immediate
6. +00000824:   F7D9        BRNE      PC–0x04        Branch if not equal
7. +00000825:   92100580    STS       0x0580,R1      Store direct to data space
8. +00000827:   9210057A    STS       0x057A,R1      Store direct to data space
9. +00000829:   91DF        POP       R29            Pop register from stack
10. +0000082A:   91CF        POP       R28            Pop register from stack
11. +0000082B:   9508        RET                      Subroutine return

After 20 loops, we RET into the function I called “DidIReceivedSomething”, a.k.a 0x082C :

1. +0000082C:   930F        PUSH      R16            Push register on stack
2. +0000082D:   931F        PUSH      R17            Push register on stack
3. +0000082E:   93CF        PUSH      R28            Push register on stack
4. +0000082F:   93DF        PUSH      R29            Push register on stack
5. +00000830:   D000        RCALL     PC+0x0001      Relative call subroutine
6. +00000831:   D000        RCALL     PC+0x0001      Relative call subroutine
7. +00000832:   B7CD        IN        R28,0x3D       In from I/O location
8. +00000833:   B7DE        IN        R29,0x3E       In from I/O location
9. +00000834:   C00A        RJMP      PC+0x000B      Relative jump
10. +00000835:   836B        STD       Y+3,R22        Store indirect with displacement
11. +00000836:   837C        STD       Y+4,R23        Store indirect with displacement
12. +00000837:   8389        STD       Y+1,R24        Store indirect with displacement
13. +00000838:   839A        STD       Y+2,R25        Store indirect with displacement
14. +00000839:   940E070B    CALL      0x0000070B     Call subroutine
15. +0000083B:   819A        LDD       R25,Y+2        Load indirect with displacement
16. +0000083C:   8189        LDD       R24,Y+1        Load indirect with displacement
17. +0000083D:   817C        LDD       R23,Y+4        Load indirect with displacement
18. +0000083E:   816B        LDD       R22,Y+3        Load indirect with displacement
19. +0000083F:   9120055A    LDS       R18,0x055A     Load direct from data space
20. +00000841:   9130055B    LDS       R19,0x055B     Load direct from data space
21. +00000843:   2B23        OR        R18,R19        Logical OR
22. +00000844:   F781        BRNE      PC–0x0F        Branch if not equal
23. +00000845:   018B        MOVW      R16,R22        Copy register pair
24. +00000846:   3069        CPI       R22,0x09       Compare with immediate
25. +00000847:   0571        CPC       R23,R1         Compare with carry
26. +00000848:   F010        BRCS      PC+0x03        Branch if carry set
27. +00000849:   E008        LDI       R16,0x08       Load immediate
28. +0000084A:   E010        LDI       R17,0x00       Load immediate
29. +0000084B:   E021        LDI       R18,0x01       Load immediate
30. +0000084C:   E030        LDI       R19,0x00       Load immediate
31. +0000084D:   9330055B    STS       0x055B,R19     Store direct to data space
32. +0000084F:   9320055A    STS       0x055A,R18     Store direct to data space
33. +00000851:   E222        LDI       R18,0x22       Load immediate
34. +00000852:   E031        LDI       R19,0x01       Load immediate
35. +00000853:   01A8        MOVW      R20,R16        Copy register pair
36. +00000854:   01BC        MOVW      R22,R24        Copy register pair
37. +00000855:   01C9        MOVW      R24,R18        Copy register pair
38. +00000856:   940E0E6D    CALL      0x00000E6D     Call subroutine
39. +00000858:   9300055C    STS       0x055C,R16     Store direct to data space
40. +0000085A:   C002        RJMP      PC+0x0003      Relative jump
41. +0000085B:   940E070B    CALL      0x0000070B     Call subroutine
42. +0000085D:   9180055A    LDS       R24,0x055A     Load direct from data space
43. +0000085F:   9190055B    LDS       R25,0x055B     Load direct from data space
44. +00000861:   9702        SBIW      R24,0x02       Subtract immediate from word
45. +00000862:   F7C1        BRNE      PC–0x07        Branch if not equal
46. +00000863:   C002        RJMP      PC+0x0003      Relative jump
47. +00000864:   940E070B    CALL      0x0000070B     Call subroutine
48. +00000866:   9180056E    LDS       R24,0x056E     Load direct from data space
49. +00000868:   FF84        SBRS      R24,4          Skip if bit in register set
50. +00000869:   CFFA        RJMP      PC–0x0005      Relative jump
51. +0000086A:   9210055B    STS       0x055B,R1      Store direct to data space
52. +0000086C:   9210055A    STS       0x055A,R1      Store direct to data space
53. +0000086E:   E081        LDI       R24,0x01       Load immediate
54. +0000086F:   E090        LDI       R25,0x00       Load immediate
55. +00000870:   900F        POP       R0             Pop register from stack
56. +00000871:   900F        POP       R0             Pop register from stack
57. +00000872:   900F        POP       R0             Pop register from stack
58. +00000873:   900F        POP       R0             Pop register from stack
59. +00000874:   91DF        POP       R29            Pop register from stack
60. +00000875:   91CF        POP       R28            Pop register from stack
61. +00000876:   911F        POP       R17            Pop register from stack
62. +00000877:   910F        POP       R16            Pop register from stack
63. +00000878:   9508        RET                      Subroutine return

We land on line 42 (coincidence? I think not), and compare the result of the previous function with 0x02. In order to “get out” of the 0x082c, we need to fill r24 with 0x02. We then RET (line 63) into 0x0879 on line 24.

1. +00000879:   92EF        PUSH      R14            Push register on stack
2. +0000087A:   92FF        PUSH      R15            Push register on stack
3. +0000087B:   930F        PUSH      R16            Push register on stack
4. +0000087C:   931F        PUSH      R17            Push register on stack
5. +0000087D:   93CF        PUSH      R28            Push register on stack
6. +0000087E:   93DF        PUSH      R29            Push register on stack
7. +0000087F:   018C        MOVW      R16,R24        Copy register pair
8. +00000880:   01EB        MOVW      R28,R22        Copy register pair
9. +00000881:   C011        RJMP      PC+0x0012      Relative jump
10. +00000882:   30C8        CPI       R28,0x08       Compare with immediate
11. +00000883:   05D1        CPC       R29,R1         Compare with carry
12. +00000884:   F028        BRCS      PC+0x06        Branch if carry set
13. +00000885:   9728        SBIW      R28,0x08       Subtract immediate from word
14. +00000886:   E088        LDI       R24,0x08       Load immediate
15. +00000887:   2EE8        MOV       R14,R24        Copy register
16. +00000888:   2CF1        MOV       R15,R1         Copy register
17. +00000889:   C003        RJMP      PC+0x0004      Relative jump
18. +0000088A:   017E        MOVW      R14,R28        Copy register pair
19. +0000088B:   E0C0        LDI       R28,0x00       Load immediate
20. +0000088C:   E0D0        LDI       R29,0x00       Load immediate
21. +0000088D:   01B7        MOVW      R22,R14        Copy register pair
22. +0000088E:   01C8        MOVW      R24,R16        Copy register pair
23. +0000088F:   940E082C    CALL      0x0000082C     Call subroutine
24. +00000891:   0D0E        ADD       R16,R14        Add without carry
25. +00000892:   1D1F        ADC       R17,R15        Add with carry
26. +00000893:   9720        SBIW      R28,0x00       Subtract immediate from word
27. +00000894:   F769        BRNE      PC–0x12        Branch if not equal
28. +00000895:   E081        LDI       R24,0x01       Load immediate
29. +00000896:   E090        LDI       R25,0x00       Load immediate
30. +00000897:   91DF        POP       R29            Pop register from stack
31. +00000898:   91CF        POP       R28            Pop register from stack
32. +00000899:   911F        POP       R17            Pop register from stack
33. +0000089A:   910F        POP       R16            Pop register from stack
34. +0000089B:   90FF        POP       R15            Pop register from stack
35. +0000089C:   90EF        POP       R14            Pop register from stack
36. +0000089D:   9508        RET                      Subroutine return

This function is the “DidWeSendSomethingViaUSB” function. In order to simulate the successful behavior of the badge, we need to jump to the “return 1” of this function on line 28. We then RET into the main function, which :

• Polls the USB for requests
• Sends the “Access code: ” string when receiving an IN request (0x08E9)
• Sends the “New here ? type access code HelpPlz!” string when it’s the first time you fire up the badge (0x08E9)
• Waits for an OUT request (receiving of a passcode) in 0x0DBD

1. +00000E1B:   E28F        LDI       R24,0x2F       Load immediate
2. +00000E1C:   E795        LDI       R25,0x75       Load immediate
3. +00000E1D:   9701        SBIW      R24,0x01       Subtract immediate from word
4. +00000E1E:   F7F1        BRNE      PC–0x01        Branch if not equal
5. +00000E1F:   C000        RJMP      PC+0x0001      Relative jump
6. +00000E20:   0000        NOP                      No operation
7. +00000E21:   9A25        SBI       0x04,5         Set bit in I/O register
8. +00000E22:   E088        LDI       R24,0x08       Load immediate
9. +00000E23:   B983        OUT       0x03,R24       Out to I/O location
10. +00000E24:   940E0937    CALL      0x00000937     Call subroutine
11. +00000E26:   E08B        LDI       R24,0x0B       Load immediate
12. +00000E27:   E095        LDI       R25,0x05       Load immediate
13. +00000E28:   940E089E    CALL      0x0000089E     Call subroutine
14. +00000E2A:   E28D        LDI       R24,0x2D       Load immediate
15. +00000E2B:   E095        LDI       R25,0x05       Load immediate
16. +00000E2C:   940E089E    CALL      0x0000089E     Call subroutine
17. +00000E2E:   940E0DBD    CALL      0x00000DBD     Call subroutine
18. +00000E30:   940E0947    CALL      0x00000947     Call subroutine
19. +00000E32:   CFFB        RJMP      PC–0x0004      Relative jump
20. +00000E33:   1B99        SUB       R25,R25        Subtract without carry
21. +00000E34:   E079        LDI       R23,0x09       Load immediate
22. +00000E35:   C004        RJMP      PC+0x0005      Relative jump
23. +00000E36:   1F99        ROL       R25            Rotate Left Through Carry
24. +00000E37:   1796        CP        R25,R22        Compare
25. +00000E38:   F008        BRCS      PC+0x02        Branch if carry set
26. +00000E39:   1B96        SUB       R25,R22        Subtract without carry
27. +00000E3A:   1F88        ROL       R24            Rotate Left Through Carry
28. +00000E3B:   957A        DEC       R23            Decrement
29. +00000E3C:   F7C9        BRNE      PC–0x06        Branch if not equal
30. +00000E3D:   9580        COM       R24            One‘s complement
31. +00000E3E:   9508        RET                      Subroutine return

We obviously want to go into line 17. Let’s squeeze out the calls of 0x089E and go directly into 0x0DBD. This one is the “IsTheCodeIReceivedALevelCode” function, the function comparing the received password in order to determine which level has been reached.

1. +00000DBD:   930F        PUSH      R16            Push register on stack
2. +00000DBE:   931F        PUSH      R17            Push register on stack
3. +00000DBF:   93CF        PUSH      R28            Push register on stack
4. +00000DC0:   93DF        PUSH      R29            Push register on stack
5. +00000DC1:   B7CD        IN        R28,0x3D       In from I/O location
6. +00000DC2:   B7DE        IN        R29,0x3E       In from I/O location
7. +00000DC3:   9761        SBIW      R28,0x11       Subtract immediate from word
8. +00000DC4:   B60F        IN        R0,0x3F        In from I/O location
9. +00000DC5:   94F8        CLI                      Global Interrupt Disable
10. +00000DC6:   BFDE        OUT       0x3E,R29       Out to I/O location
11. +00000DC7:   BE0F        OUT       0x3F,R0        Out to I/O location
12. +00000DC8:   BFCD        OUT       0x3D,R28       Out to I/O location
13. +00000DC9:   ED89        LDI       R24,0xD9       Load immediate
14. +00000DCA:   E094        LDI       R25,0x04       Load immediate
15. +00000DCB:   940E089E    CALL      0x0000089E     Call subroutine
16. +00000DCD:   018E        MOVW      R16,R28        Copy register pair
17. +00000DCE:   5F0F        SUBI      R16,0xFF       Subtract immediate
18. +00000DCF:   4F1F        SBCI      R17,0xFF       Subtract immediate with carry
19. +00000DD0:   E089        LDI       R24,0x09       Load immediate
20. +00000DD1:   01F8        MOVW      R30,R16        Copy register pair
21. +00000DD2:   9211        ST        Z+,R1          Store indirect and postincrement
22. +00000DD3:   958A        DEC       R24            Decrement
23. +00000DD4:   F7E9        BRNE      PC–0x02        Branch if not equal
24. +00000DD5:   E069        LDI       R22,0x09       Load immediate
25. +00000DD6:   E070        LDI       R23,0x00       Load immediate
26. +00000DD7:   01C8        MOVW      R24,R16        Copy register pair
27. +00000DD8:   940E08A9    CALL      0x000008A9     Call subroutine
28. +00000DDA:   E048        LDI       R20,0x08       Load immediate
29. +00000DDB:   E050        LDI       R21,0x00       Load immediate
30. +00000DDC:   01B8        MOVW      R22,R16        Copy register pair
31. +00000DDD:   01CE        MOVW      R24,R28        Copy register pair
32. +00000DDE:   960A        ADIW      R24,0x0A       Add immediate to word
33. +00000DDF:   940E09DE    CALL      0x000009DE     Call subroutine
34. +00000DE1:   EE67        LDI       R22,0xE7       Load immediate
35. +00000DE2:   E074        LDI       R23,0x04       Load immediate
36. +00000DE3:   01CE        MOVW      R24,R28        Copy register pair
37. +00000DE4:   960A        ADIW      R24,0x0A       Add immediate to word
38. +00000DE5:   940E0A1C    CALL      0x00000A1C     Call subroutine
39. +00000DE7:   2B89        OR        R24,R25        Logical OR
40. +00000DE8:   F021        BREQ      PC+0x05        Branch if equal
41. +00000DE9:   01C8        MOVW      R24,R16        Copy register pair
42. +00000DEA:   940E0226    CALL      0x00000226     Call subroutine
43. +00000DEC:   C023        RJMP      PC+0x0024      Relative jump
44. +00000DED:   EF60        LDI       R22,0xF0       Load immediate
45. +00000DEE:   E074        LDI       R23,0x04       Load immediate
46. +00000DEF:   01CE        MOVW      R24,R28        Copy register pair
47. +00000DF0:   960A        ADIW      R24,0x0A       Add immediate to word
48. +00000DF1:   940E0A1C    CALL      0x00000A1C     Call subroutine
49. +00000DF3:   2B89        OR        R24,R25        Logical OR
50. +00000DF4:   F021        BREQ      PC+0x05        Branch if equal
51. +00000DF5:   01C8        MOVW      R24,R16        Copy register pair
52. +00000DF6:   940E043D    CALL      0x0000043D     Call subroutine
53. +00000DF8:   C017        RJMP      PC+0x0018      Relative jump
54. +00000DF9:   EF69        LDI       R22,0xF9       Load immediate
55. +00000DFA:   E074        LDI       R23,0x04       Load immediate
56. +00000DFB:   01CE        MOVW      R24,R28        Copy register pair
57. +00000DFC:   960A        ADIW      R24,0x0A       Add immediate to word
58. +00000DFD:   940E0A1C    CALL      0x00000A1C     Call subroutine
59. +00000DFF:   2B89        OR        R24,R25        Logical OR
60. +00000E00:   F021        BREQ      PC+0x05        Branch if equal
61. +00000E01:   01C8        MOVW      R24,R16        Copy register pair
62. +00000E02:   940E02F7    CALL      0x000002F7     Call subroutine
63. +00000E04:   C00B        RJMP      PC+0x000C      Relative jump
64. +00000E05:   E062        LDI       R22,0x02       Load immediate
65. +00000E06:   E075        LDI       R23,0x05       Load immediate
66. +00000E07:   01CE        MOVW      R24,R28        Copy register pair
67. +00000E08:   960A        ADIW      R24,0x0A       Add immediate to word
68. +00000E09:   940E0A1C    CALL      0x00000A1C     Call subroutine
69. +00000E0B:   2B89        OR        R24,R25        Logical OR
70. +00000E0C:   F019        BREQ      PC+0x04        Branch if equal
71. +00000E0D:   01C8        MOVW      R24,R16        Copy register pair
72. +00000E0E:   940E05CE    CALL      0x000005CE     Call subroutine
73. +00000E10:   9661        ADIW      R28,0x11       Add immediate to word
74. +00000E11:   B60F        IN        R0,0x3F        In from I/O location
75. +00000E12:   94F8        CLI                      Global Interrupt Disable
76. +00000E13:   BFDE        OUT       0x3E,R29       Out to I/O location
77. +00000E14:   BE0F        OUT       0x3F,R0        Out to I/O location
78. +00000E15:   BFCD        OUT       0x3D,R28       Out to I/O location
79. +00000E16:   91DF        POP       R29            Pop register from stack
80. +00000E17:   91CF        POP       R28            Pop register from stack
81. +00000E18:   911F        POP       R17            Pop register from stack
82. +00000E19:   910F        POP       R16            Pop register from stack
83. +00000E1A:   9508        RET                      Subroutine return

We need to squeeze out the call on line 15 and go directly 0x08A9 on line 27, the “recv” function. I won’t post the content of this one since it’s just copying what has been received into memory, but we certainly need to simulate the board’s behavior by filling out a few registers. By going into the “recv” function, we notice that it stores the received code at address 0x08E7 into data memory (SRAM). So after returning into 0x0DBD, we need to fill out the RAM by hand using our last passcode, “B1p!8lP!”, and continue the execution.

0x0DBD memory

Then, the function 0x09DE is called : this one looks like the initialization of the permutations used to encrypt the received password into memory. The received password is encrypted by the function 0x09A9 and stored at address 0x08F0 into RAM.

We then see 4 differents calls to 0x0A1C, each one preceded by an address loading in r22-r23, and each one followed by a comparaison of r24 and r25 (the OR instruction) and a call to a function depending on the result. Here is the pseudo code :

1. encrypted_received_password_address = 0x08F0
2. encrypted_lvl1_password_address = 0x04E7
3. encrypted_lvl2_password_address = 0x04F0
4. encrypted_lvl3_password_address = 0x04f9
5. encrypted_lvl4_password_address = 0x0502
6.  
7. if (strcmp(encrypted_received_password_address,encrypted_lvl1_password_address)) {
8.     0x0226()
9. } else if (strcmp(encrypted_received_password_address,encrypted_lvl2_password_address)) {
10.     0x043D()
11. } else if (strcmp(encrypted_received_password_address,encrypted_lvl3_password_address)) {
12.     0x02F7()
13. } else if (strcmp(encrypted_received_password_address,encrypted_lvl4_password_address)) {
14.     0x05CE()
15. } else {
16.     return
17. }

We obviously want to call the 0x05CE function, which is the function handling the last level. As a matter of fact, one could just have bypassed the 3 previous levels by copying the encrypted string at 0x0502 at address 0x08F0. Let’s jump into 0x05CE.

1. +000005CE:   931F        PUSH      R17            Push register on stack
2. +000005CF:   93CF        PUSH      R28            Push register on stack
3. +000005D0:   93DF        PUSH      R29            Push register on stack
4. +000005D1:   B7CD        IN        R28,0x3D       In from I/O location
5. +000005D2:   B7DE        IN        R29,0x3E       In from I/O location
6. +000005D3:   5AC1        SUBI      R28,0xA1       Subtract immediate
7. +000005D4:   40D3        SBCI      R29,0x03       Subtract immediate with carry
8. +000005D5:   B60F        IN        R0,0x3F        In from I/O location
9. +000005D6:   94F8        CLI                      Global Interrupt Disable
10. +000005D7:   BFDE        OUT       0x3E,R29       Out to I/O location
11. +000005D8:   BE0F        OUT       0x3F,R0        Out to I/O location
12. +000005D9:   BFCD        OUT       0x3D,R28       Out to I/O location
13. +000005DA:   E223        LDI       R18,0x23       Load immediate
14. +000005DB:   E8E6        LDI       R30,0x86       Load immediate
15. +000005DC:   E0F3        LDI       R31,0x03       Load immediate
16. +000005DD:   01DE        MOVW      R26,R28        Copy register pair
17. +000005DE:   58A1        SUBI      R26,0x81       Subtract immediate
18. +000005DF:   4FBC        SBCI      R27,0xFC       Subtract immediate with carry
19. +000005E0:   9001        LD        R0,Z+          Load indirect and postincrement
20. +000005E1:   920D        ST        X+,R0          Store indirect and postincrement
21. +000005E2:   952A        DEC       R18            Decrement
22. +000005E3:   F7E1        BRNE      PC–0x03        Branch if not equal
23. +000005E4:   E727        LDI       R18,0x77       Load immediate
24. +000005E5:   E4E1        LDI       R30,0x41       Load immediate
25. +000005E6:   E0F4        LDI       R31,0x04       Load immediate
26. +000005E7:   01DE        MOVW      R26,R28        Copy register pair
27. +000005E8:   5FA8        SUBI      R26,0xF8       Subtract immediate
28. +000005E9:   4FBC        SBCI      R27,0xFC       Subtract immediate with carry
29. +000005EA:   9001        LD        R0,Z+          Load indirect and postincrement
30. +000005EB:   920D        ST        X+,R0          Store indirect and postincrement
31. +000005EC:   952A        DEC       R18            Decrement
32. +000005ED:   F7E1        BRNE      PC–0x03        Branch if not equal
33. +000005EE:   E048        LDI       R20,0x08       Load immediate
34. +000005EF:   E050        LDI       R21,0x00       Load immediate
35. +000005F0:   01BC        MOVW      R22,R24        Copy register pair
36. +000005F1:   01CE        MOVW      R24,R28        Copy register pair
37. +000005F2:   5F88        SUBI      R24,0xF8       Subtract immediate
38. +000005F3:   4F9D        SBCI      R25,0xFD       Subtract immediate with carry
39. +000005F4:   940E094E    CALL      0x0000094E     Call subroutine
40. +000005F6:   E746        LDI       R20,0x76       Load immediate
41. +000005F7:   E050        LDI       R21,0x00       Load immediate
42. +000005F8:   01BE        MOVW      R22,R28        Copy register pair
43. +000005F9:   5F68        SUBI      R22,0xF8       Subtract immediate
44. +000005FA:   4F7C        SBCI      R23,0xFC       Subtract immediate with carry
45. +000005FB:   01CE        MOVW      R24,R28        Copy register pair
46. +000005FC:   5F88        SUBI      R24,0xF8       Subtract immediate
47. +000005FD:   4F9D        SBCI      R25,0xFD       Subtract immediate with carry
48. +000005FE:   940E09A9    CALL      0x000009A9     Call subroutine
49. +00000600:   01BE        MOVW      R22,R28        Copy register pair
50. +00000601:   5F68        SUBI      R22,0xF8       Subtract immediate
51. +00000602:   4F7C        SBCI      R23,0xFC       Subtract immediate with carry
52. +00000603:   01CE        MOVW      R24,R28        Copy register pair
53. +00000604:   9601        ADIW      R24,0x01       Add immediate to word
54. +00000605:   940E0D1D    CALL      0x00000D1D     Call subroutine
55. +00000607:   01CE        MOVW      R24,R28        Copy register pair
56. +00000608:   9601        ADIW      R24,0x01       Add immediate to word
57. +00000609:   940E0D32    CALL      0x00000D32     Call subroutine
58. +0000060B:   9700        SBIW      R24,0x00       Subtract immediate from word
59. +0000060C:   F159        BREQ      PC+0x2C        Branch if equal
60. +0000060D:   E044        LDI       R20,0x04       Load immediate
61. +0000060E:   E050        LDI       R21,0x00       Load immediate
62. +0000060F:   01BC        MOVW      R22,R24        Copy register pair
63. +00000610:   01CE        MOVW      R24,R28        Copy register pair
64. +00000611:   5F88        SUBI      R24,0xF8       Subtract immediate
65. +00000612:   4F9D        SBCI      R25,0xFD       Subtract immediate with carry
66. +00000613:   940E094E    CALL      0x0000094E     Call subroutine
67. +00000615:   E242        LDI       R20,0x22       Load immediate
68. +00000616:   E050        LDI       R21,0x00       Load immediate
69. +00000617:   01BE        MOVW      R22,R28        Copy register pair
70. +00000618:   5861        SUBI      R22,0x81       Subtract immediate
71. +00000619:   4F7C        SBCI      R23,0xFC       Subtract immediate with carry
72. +0000061A:   01CE        MOVW      R24,R28        Copy register pair
73. +0000061B:   5F88        SUBI      R24,0xF8       Subtract immediate
74. +0000061C:   4F9D        SBCI      R25,0xFD       Subtract immediate with carry
75. +0000061D:   940E09A9    CALL      0x000009A9     Call subroutine
76. +0000061F:   01CE        MOVW      R24,R28        Copy register pair
77. +00000620:   5881        SUBI      R24,0x81       Subtract immediate
78. +00000621:   4F9C        SBCI      R25,0xFC       Subtract immediate with carry
79. +00000622:   940E089E    CALL      0x0000089E     Call subroutine
80. +00000624:   E585        LDI       R24,0x55       Load immediate
81. +00000625:   E095        LDI       R25,0x05       Load immediate
82. +00000626:   940E089E    CALL      0x0000089E     Call subroutine
83. +00000628:   E210        LDI       R17,0x20       Load immediate
84. +00000629:   B185        IN        R24,0x05       In from I/O location
85. +0000062A:   2781        EOR       R24,R17        Exclusive OR
86. +0000062B:   B985        OUT       0x05,R24       Out to I/O location
87. +0000062C:   EB2F        LDI       R18,0xBF       Load immediate
88. +0000062D:   E287        LDI       R24,0x27       Load immediate
89. +0000062E:   E099        LDI       R25,0x09       Load immediate
90. +0000062F:   5021        SUBI      R18,0x01       Subtract immediate
91. +00000630:   4080        SBCI      R24,0x00       Subtract immediate with carry
92. +00000631:   4090        SBCI      R25,0x00       Subtract immediate with carry
93. +00000632:   F7E1        BRNE      PC–0x03        Branch if not equal
94. +00000633:   C000        RJMP      PC+0x0001      Relative jump
95. +00000634:   0000        NOP                      No operation
96. +00000635:   940E0947    CALL      0x00000947     Call subroutine
97. +00000637:   CFF1        RJMP      PC–0x000E      Relative jump
98. +00000638:   55CF        SUBI      R28,0x5F       Subtract immediate
99. +00000639:   4FDC        SBCI      R29,0xFC       Subtract immediate with carry
100. +0000063A:   B60F        IN        R0,0x3F        In from I/O location
101. +0000063B:   94F8        CLI                      Global Interrupt Disable
102. +0000063C:   BFDE        OUT       0x3E,R29       Out to I/O location
103. +0000063D:   BE0F        OUT       0x3F,R0        Out to I/O location
104. +0000063E:   BFCD        OUT       0x3D,R28       Out to I/O location
105. +0000063F:   91DF        POP       R29            Pop register from stack
106. +00000640:   91CF        POP       R28            Pop register from stack
107. +00000641:   911F        POP       R17            Pop register from stack
108. +00000642:   9508        RET                      Subroutine return

This function stores an encrypted content located at 0x0386 (our final answer to all our suffering) into 0x08BF, another one located at 0x0441 into 0x084E, and decrypts the content of 0x0441 using our encrypted level 4 password. This text is the one displayed when reaching the security level 4.

The function then calls out the 0x0D32 function, decrypts our final answer at 0x08BF using whatever has been done into 0x0D32, and prints out the result to the user via USB using the 0x089E function. 0x0D32 is a living nigthmare, responsible for the whole world’s misery, but it’s the last function we have to reverse in order to get our answer. Here is how it looks :

1. +00000D32:   92EF        PUSH      R14            Push register on stack
2. +00000D33:   92FF        PUSH      R15            Push register on stack
3. +00000D34:   930F        PUSH      R16            Push register on stack
4. +00000D35:   931F        PUSH      R17            Push register on stack
5. +00000D36:   93CF        PUSH      R28            Push register on stack
6. +00000D37:   93DF        PUSH      R29            Push register on stack
7. +00000D38:   01EC        MOVW      R28,R24        Copy register pair
8. +00000D39:   018C        MOVW      R16,R24        Copy register pair
9. +00000D3A:   5F1E        SUBI      R17,0xFE       Subtract immediate
10. +00000D3B:   017C        MOVW      R14,R24        Copy register pair
11. +00000D3C:   EF8A        LDI       R24,0xFA       Load immediate
12. +00000D3D:   1AE8        SUB       R14,R24        Subtract without carry
13. +00000D3E:   EF8D        LDI       R24,0xFD       Load immediate
14. +00000D3F:   0AF8        SBC       R15,R24        Subtract with carry
15. +00000D40:   C066        RJMP      PC+0x0067      Relative jump
16. +00000D41:   2755        CLR       R21            Clear Register
17. +00000D42:   FD47        SBRC      R20,7          Skip if bit in register cleared
18. +00000D43:   9550        COM       R21            One‘s complement
19. +00000D44:   2F65        MOV       R22,R21        Copy register
20. +00000D45:   2F75        MOV       R23,R21        Copy register
21. +00000D46:   01FA        MOVW      R30,R20        Copy register pair
22. +00000D47:   97F0        SBIW      R30,0x30       Subtract immediate from word
23. +00000D48:   33E0        CPI       R30,0x30       Compare with immediate
24. +00000D49:   05F1        CPC       R31,R1         Compare with carry
25. +00000D4A:   F008        BRCS      PC+0x02        Branch if carry set
26. +00000D4B:   C05B        RJMP      PC+0x005C      Relative jump
27. +00000D4C:   5CEC        SUBI      R30,0xCC       Subtract immediate
28. +00000D4D:   4FFF        SBCI      R31,0xFF       Subtract immediate with carry
29. +00000D4E:   940C0E67    JMP       0x00000E67     Jump
30. +00000D50:   01CE        MOVW      R24,R28        Copy register pair
31. +00000D51:   940E0B42    CALL      0x00000B42     Call subroutine
32. +00000D53:   C053        RJMP      PC+0x0054      Relative jump
33. +00000D54:   01CE        MOVW      R24,R28        Copy register pair
34. +00000D55:   940E0B62    CALL      0x00000B62     Call subroutine
35. +00000D57:   C04F        RJMP      PC+0x0050      Relative jump
36. +00000D58:   01CE        MOVW      R24,R28        Copy register pair
37. +00000D59:   940E0B82    CALL      0x00000B82     Call subroutine
38. +00000D5B:   C04B        RJMP      PC+0x004C      Relative jump
39. +00000D5C:   01CE        MOVW      R24,R28        Copy register pair
40. +00000D5D:   940E0BA2    CALL      0x00000BA2     Call subroutine
41. +00000D5F:   C047        RJMP      PC+0x0048      Relative jump
42. +00000D60:   01CE        MOVW      R24,R28        Copy register pair
43. +00000D61:   940E0BC6    CALL      0x00000BC6     Call subroutine
44. +00000D63:   C043        RJMP      PC+0x0044      Relative jump
45. +00000D64:   01CE        MOVW      R24,R28        Copy register pair
46. +00000D65:   940E0BE6    CALL      0x00000BE6     Call subroutine
47. +00000D67:   C03F        RJMP      PC+0x0040      Relative jump
48. +00000D68:   01CE        MOVW      R24,R28        Copy register pair
49. +00000D69:   940E0C06    CALL      0x00000C06     Call subroutine
50. +00000D6B:   C03B        RJMP      PC+0x003C      Relative jump
51. +00000D6C:   01CE        MOVW      R24,R28        Copy register pair
52. +00000D6D:   940E0C26    CALL      0x00000C26     Call subroutine
53. +00000D6F:   C037        RJMP      PC+0x0038      Relative jump
54. +00000D70:   01CE        MOVW      R24,R28        Copy register pair
55. +00000D71:   940E0C33    CALL      0x00000C33     Call subroutine
56. +00000D73:   C033        RJMP      PC+0x0034      Relative jump
57. +00000D74:   01CE        MOVW      R24,R28        Copy register pair
58. +00000D75:   940E0C60    CALL      0x00000C60     Call subroutine
59. +00000D77:   C02F        RJMP      PC+0x0030      Relative jump
60. +00000D78:   01CE        MOVW      R24,R28        Copy register pair
61. +00000D79:   940E0C84    CALL      0x00000C84     Call subroutine
62. +00000D7B:   C02B        RJMP      PC+0x002C      Relative jump
63. +00000D7C:   01CE        MOVW      R24,R28        Copy register pair
64. +00000D7D:   940E0C8A    CALL      0x00000C8A     Call subroutine
65. +00000D7F:   C027        RJMP      PC+0x0028      Relative jump
66. +00000D80:   01CE        MOVW      R24,R28        Copy register pair
67. +00000D81:   940E0CB1    CALL      0x00000CB1     Call subroutine
68. +00000D83:   C023        RJMP      PC+0x0024      Relative jump
69. +00000D84:   01CE        MOVW      R24,R28        Copy register pair
70. +00000D85:   940E0C98    CALL      0x00000C98     Call subroutine
71. +00000D87:   C01F        RJMP      PC+0x0020      Relative jump
72. +00000D88:   01CE        MOVW      R24,R28        Copy register pair
73. +00000D89:   940E0CCA    CALL      0x00000CCA     Call subroutine
74. +00000D8B:   C01B        RJMP      PC+0x001C      Relative jump
75. +00000D8C:   01CE        MOVW      R24,R28        Copy register pair
76. +00000D8D:   940E0CE3    CALL      0x00000CE3     Call subroutine
77. +00000D8F:   C017        RJMP      PC+0x0018      Relative jump
78. +00000D90:   01CE        MOVW      R24,R28        Copy register pair
79. +00000D91:   940E0CFC    CALL      0x00000CFC     Call subroutine
80. +00000D93:   C013        RJMP      PC+0x0014      Relative jump
81. +00000D94:   01CE        MOVW      R24,R28        Copy register pair
82. +00000D95:   940E0AFF    CALL      0x00000AFF     Call subroutine
83. +00000D97:   C00F        RJMP      PC+0x0010      Relative jump
84. +00000D98:   01CE        MOVW      R24,R28        Copy register pair
85. +00000D99:   940E0B0A    CALL      0x00000B0A     Call subroutine
86. +00000D9B:   C00B        RJMP      PC+0x000C      Relative jump
87. +00000D9C:   01CE        MOVW      R24,R28        Copy register pair
88. +00000D9D:   940E0B1C    CALL      0x00000B1C     Call subroutine
89. +00000D9F:   C007        RJMP      PC+0x0008      Relative jump
90. +00000DA0:   01CE        MOVW      R24,R28        Copy register pair
91. +00000DA1:   940E0B29    CALL      0x00000B29     Call subroutine
92. +00000DA3:   C003        RJMP      PC+0x0004      Relative jump
93. +00000DA4:   01CE        MOVW      R24,R28        Copy register pair
94. +00000DA5:   940E0AC6    CALL      0x00000AC6     Call subroutine
95. +00000DA7:   01D8        MOVW      R26,R16        Copy register pair
96. +00000DA8:   91ED        LD        R30,X+         Load indirect and postincrement
97. +00000DA9:   91FC        LD        R31,X          Load indirect
98. +00000DAA:   9711        SBIW      R26,0x01       Subtract immediate from word
99. +00000DAB:   9141        LD        R20,Z+         Load indirect and postincrement
100. +00000DAC:   93ED        ST        X+,R30         Store indirect and postincrement
101. +00000DAD:   93FC        ST        X,R31          Store indirect
102. +00000DAE:   3342        CPI       R20,0x32       Compare with immediate
103. +00000DAF:   F021        BREQ      PC+0x05        Branch if equal
104. +00000DB0:   01F7        MOVW      R30,R14        Copy register pair
105. +00000DB1:   8180        LDD       R24,Z+0        Load indirect with displacement
106. +00000DB2:   FF82        SBRS      R24,2          Skip if bit in register set
107. +00000DB3:   CF8D        RJMP      PC–0x0072      Relative jump
108. +00000DB4:   01CE        MOVW      R24,R28        Copy register pair
109. +00000DB5:   91DF        POP       R29            Pop register from stack
110. +00000DB6:   91CF        POP       R28            Pop register from stack
111. +00000DB7:   911F        POP       R17            Pop register from stack
112. +00000DB8:   910F        POP       R16            Pop register from stack
113. +00000DB9:   90FF        POP       R15            Pop register from stack
114. +00000DBA:   90EF        POP       R14            Pop register from stack
115. +00000DBB:   940C0AC6    JMP       0x00000AC6     Jump

Yes, 22 freaking subfunctions. Without going into too much details that would make some brains explode, this function basically looks over the string located at 0x0848 until it reaches the “2” at address 0x0882, and calls out functions according to the values stored into this string (and values stored at the beginning of the program below address 0x100).

(For those who like details) Turns out this subfunction seems to implement a tiny stack-based VM (stack location is around 0x0543), parsing instructions represented by the weird string I mentionned earlier (stored at 0x0848). It seems to handles ‘syscalls’ (like the 0x0CFC function, handling the I/O’s of the tiny VM), calling send/recv functions according to the instructions stored at 0x0848. Some bytes are incremented/decremented as values are poped/pushed on the stack (bytes at 0x0745, a stack pointer if you will), and the address of the PC is stored at 0x741. Long story short, the mini-stack is located around 0x0543, the VM’s internal registers are stored at 0x0741.

Here is the order of the different functions called by 0x0D32 :

• 0x0B0A (line 85) : Stores address of string “Security level 4…” into a specific address into RAM (on the mini-stack, at 0x0545).
• 0x0AFF (line 82) : Stores the letter “W” into RAM at address 0x0543 (comes from the instructions located at 0x0848, pushed on the mini-stack).
• 0x0CFC (line 79) : Compares the letter at address 0x0547 : If “W”, writes the content of the specific address to USB. If “R”, reads a password from USB. In our case, the first call to this function writes “Security level 4” to the user.
• 0x0AFF: Stores ‘0x04’ into RAM at address 0x0543.
• 0x0B0A : Stores address ‘0x08B2’ into 0x0545; this address is where the received “Last auth code” will be written.
• 0x0AFF : Stores the letter “R” into RAM at address 0x0547 (still coming from the instructions located at 0x0848).
• 0x0CFC : Compares the letter at address 0x0547; this time it’s “R”, so the function reads 0x04 (stored into the stack at 0x0543 by the 0x0AFF call) bytes from USB and stores them to 0x08B2. It also stores the length of the received password into 0x0543 (mini-stack). That’s where we intervene in memory, storing 04 (length of password) into 0x0543 and 0xDEADBEEF into 0x08B2.
• 0x0AFF : Stores 0x04 at address 0x0545.
• 0x0C33 (line 55) : Stores 0x01, 0x08 or 0x10 depending on the result of the comparaison of the bytes at 0x0543 and 0x0545 into 0x0747. At this stage, this means “is the password’s length we received is 4 ?”. In other words, the VM updates its internal register at 0x0747.
• 0x0CB1 (line 67) : Checks the result of C33, the function responsible for the comparaisons. If 0x01 is stored at 0x0747, then C33 returned true.
• 0x0B0A : Stores address ‘0x08B2’ into 0x0543 (address of the received auth code)
• 0x0B1C (line 88) : Stores the 2 first letters of the received password into 0x0543 (in our case, 0xDEAD).
• 0x0AFF : Stores 0x5337 (the string ‘S7‘) into 0x0545. Do you smell it ? Do you smell the 2 first letters of the passcode we’re looking for ?
• 0x0C33 : Again, this is the function doing the comparaison. Are the two first letters of the passcode we received equal to ‘S7’ ? Stores 0x01 into 0x0747 if it’s the case. We modify the memory accordingly during debug time in order to continue our course.
• 0x0CB1 : Checking the result of C33. If the two first letters of the received passcode are ‘S7’, you shall pass.
• 0x0B0A : Stores address ‘0x08B2’ into 0x0543.
• 0x0B1C : Stores 0x5337 into 0x0543.
• 0x0B0A : Stores address ‘0x08B2’ into 0x0545.
• 0x0AFF : Stores 0x02 at address 0x0547.
• 0x0B42 (line 31) : Stores address ‘0x08B4’ into 0x0545. This is the address of the two last letters of our passcode. The end should be near.
• 0x0B1C : Stores the two last letters of our passcode at 0x0545. This function used the address previously stored by B42, of course.
• 0x0C06 (line 49) : This is the function I should have considered useful from the beginning. It stores 0xEDD8 into 0x0543 in our case. I discovered later that it stores 2_first_bytes_of_passcode XOR 2_last_bytes_of_passcode… (0x5337 XOR 0xBEEF is 0xEDD8)
• 0x0AFF : Stores ‘0x3B03‘ into 0x0545. Those bytes come from the string located at 0x0848.
• 0x0C33 : Comparaison time. This is were I realized “shit, what did I miss ?”. I missed C06. 0x0EDD8 is obviously not equal to 0x3B03, the result we should have obtained in case of a good passcode. I went back and had a look at C06, and realized that I had to find two bytes that, when xored with the two first letters ‘0x5337’, gave me 0x3B03. 0x5337 XOR 0x3b03 is 0x6834, which corresponds to ‘h4‘ in the ASCII table. Adjusting the memory accordingly, preparing for a call to CB1… And praying.
• 0x0CB1 : Bingo ! 0x01 is stored in 0x0747, so CB1 lets us pass.
• 0x0B0A : Stores address ‘0x08B2’ into 0x0543.

Aaaaaaand we’re out D32. We wait for 94E and 9A9 to decrypt the encrypted content using our beautiful passcode ‘S7h4‘…

Lvl4 after completion

Testing it live…

1. Access code: B1p!8lP!
2. === Security Level 4 ===
3.  
4. Last auth code: S7h4
5. >> GG! Go to http://bit.ly/1ijlXpZ

The board blinks.

The URL redirects to a page on virtualab’s website.

And I discover that I’m not the first.

:'(

After a minute of denial, comes the minute of anger. And then the one of depression.

And then the one of acceptance.

This challenge has been especially fun to resolve, since it required a lot of various skills that I didn’t particularly possess a month ago (reading AVR assembler instructions was not part of my previous hobbies). It ripped away a part of my soul, but I would like to thank its creator for it.

Many thanks for the two weeks of hell fun I had on this challenge, and I hope you’ll keep them coming for next year 😉

In this article I’ll present how I managed to validate the second Reverse Challenge of the prequals of the “Nuit du Hack 2011” that took place on the 2nd/3rd of april. You’ll find the Android application attached here.

Let’s have a look at the application. A simple “Enter Password” button opens a new window, prompting for a vocal password.

ndh2k11 App

I first used dex2jar to convert the Dalvik Executable bytecode into java Bytecode, and jd-gui to navigate through the java disassembled code.

ndh2k11 app code

The ReverseMe class is the main activity; the b class implements an OnClick Listener; the a class seems to encode/decode a given string; the c class contains methods to encrypt static arrays of bytes. Those arrays are interesting:

private static byte[] a = { 90, 5, 88, 88, 13, 13, 90, 90, 10, 4, 9, 11, 93, 90, 11, 15, 93, 95, 5, 93, 5, 8, 8, 88, 90, 95, 9, 14, 90, 8, 13, 94 };
private static byte[] b = { 91, 83, 83, 91, 80, 89, 99, 79, 88, 87 };
private static byte[] c = { 113, 120, 9 };
private static byte[] d = { 93, 82, 88, 78, 83, 85, 88, 18, 79, 76, 89, 89, 95, 84, 18, 93, 95, 72, 85, 83, 82, 18, 110, 121, 127, 115, 123, 114, 117, 102, 121, 99, 111, 108, 121, 121, 127, 116 };
private static byte[] e = { 111, 116, 125, 17, 13 };

When looking deeper in the Listener, a new Intent is created with the argument c.d(). The d() method calls the c.a() method on the static array of byte d. The a() method is used to xor the content of the given array of bytes:

private static String a(byte[] paramArrayOfByte)
{
byte[] arrayOfByte = new byte[paramArrayOfByte.length];
int i = 0;
while (true)
{
int j = paramArrayOfByte.length;
if (i >= j)
return new String(arrayOfByte);
int k = (byte)(paramArrayOfByte[i] ^ 0x3C);
arrayOfByte[i] = k;
i += 1;
}
}

We now want to modify the code of the application; unfortunately, jd-gui won’t allow you to do that. We will now use apktool to convert the dex bytecode into smali (pseudo-assembly source code), modify it, and repackage the application.

The following code in the Listener is used to create the speech recognition Intent; notice the prompt setting with the static string “Enter password”. We will use this prompt to print some information (like the content of the static arrays of bytes 😉 ):

ReverseMe localReverseMe = this.a;
if (paramView.getId() == 2131034114)
{
String str = c.d();
Intent localIntent1 = new Intent(str);
Intent localIntent2 = localIntent1.putExtra("android.speech.extra.LANGUAGE_MODEL", "free_form");
Intent localIntent3 = localIntent1.putExtra("android.speech.extra.PROMPT", "Enter password");
localReverseMe.startActivityForResult(localIntent1, 1234);
}

This code, in smali, looks like the following:

.locals 4
iget-object v0, p0, Lndh/prequals/rce/b;->a:Lndh/prequals/rce/ReverseMe;
invoke-virtual {p1}, Landroid/view/View;->getId()I
move-result v1
const v2, 0x7f050002
if-ne v1, v2, :cond_0
new-instance v1, Landroid/content/Intent;
invoke-static {}, Lndh/prequals/rce/c;->d()Ljava/lang/String;
move-result-object v2
invoke-direct {v1, v2}, Landroid/content/Intent;-><init>(Ljava/lang/String;)V
const-string v2, "android.speech.extra.LANGUAGE_MODEL"
const-string v3, "free_form"
invoke-virtual {v1, v2, v3}, Landroid/content/Intent;->putExtra(Ljava/lang/String;Ljava/lang/String;)Landroid/content/Intent;
const-string v2, "android.speech.extra.PROMPT"
const-string v3, "Enter password"
invoke-virtual {v1, v2, v3}, Landroid/content/Intent;->putExtra(Ljava/lang/String;Ljava/lang/String;)Landroid/content/Intent;
const/16 v2, 0x4d2
invoke-virtual {v0, v1, v2}, Lndh/prequals/rce/ReverseMe;->startActivityForResult(Landroid/content/Intent;I)V
:cond_0
return-void

We will replace the highlighted line with a call to a(), b(), c(), d() and e() methods to see the content of the arrays:

invoke-static {}, Lndh/prequals/rce/c;->a()Ljava/lang/String;
move-result-object v3

Still using apktool, we repack the patched application into a new apk file. Our new application needs to be signed before installing; we’ll use keystore to create a new keystore, keytool to create a new key, and jarsigner to sign the application. Here is what the a array contains:

ndh2k11 android app screen

This looks like a md5… The b array contains “google_sdk”, c contains “MD5”, d contains “android.speech.action.RECOGNIZE_SPEECH” (used to initialize the Intent object), and e contains “SHA-1”. The c.a() method (returning the md5 hash) is called in the a class (in the b() method). This last method (a.b()) is called in the onActivityResult() method of the ReverseMe class, called after the speech recognition. Here is the code:

if ((paramInt1 == 1234) && (paramInt2 == -1))
{
ArrayList localArrayList = paramIntent.getStringArrayListExtra("android.speech.extra.RESULTS");
if ((!localArrayList.isEmpty()) && (a.b((String)localArrayList.get(0))))
{
TextView localTextView = this.b;
String str = a.a((String)localArrayList.get(0));
localTextView.setText(str);
}
}
super.onActivityResult(paramInt1, paramInt2, paramIntent);

This code seeks the results from the speech recognition; if the a.b() method succeeds with the given recognized word, the result of a.a(word) is written in the TextView. So basically, we just have to revert the md5 hash we’ve found, say it to the phone, and it will give us the string we’re looking for. Luckily, there are loads of reverse md5 databases on the world wide web; f9dd11ff6857af73ac9a944dfc52f41b just corresponds to “salope” (bitch, in french). Let’s insult our phone!

Unfortunately, the speech recognition doesn’t work on my phone; after 10 minutes shouting at my phone, I didn’t get any result. So I just patched the ReverseMe class, replacing calls to a.b(localArrayList.get(0)) and a.a(localArrayList.get(0)) with a.b(“salope”) and a.a(“salope”) (in smali, that’s just 2 lines ‘const-string v0, “salope”‘ to add).

here is the result, which is a simple sha1 of “salope”. Could have guessed that by reading the a.a() method…

ndh2k11 reversed android app

Hope this will be useful to someone. Many thanks to Hackerzvoice for their work on the prequals!

The Hackerzvoice slides “Reversing Android” were very useful: http://www.hackerzvoice.net/repo_hzv/meetings/diordna-hzv.pdf