ARM Crackme - Data Processing

Leeky · May 14, 2018, 8:40pm

ARM Crackme - Data Processing

@Wunkolo and I have decided that there aren’t enough ARM crackmes on the forum and that we should add a few for people that are interested in learning how the architecture works and for those that just want to show their skills

We will start very easy with some challenges that don’t require any kind of setup or reading up specific processor manuals but that will change when the challenges get harder.
This challenge will most likely be the last one to contain formated extracted assembly so if you prefer trying it out through dynamic analysis as a warm up a binary is provided as well.

Rules and Goals

In this challenge the goal is to deduct the original password from the assembly/binary.
Post it in spoiler tags under the challenge if you got it so we can see who solved it!

Challenge

After seeing how easy the last password has been recovered I thought that this might be not ideal to secure all my data that way.
Which is why I’ve written this new super secure program that doesn’t sole base on exclusive and processes the password in multiple ways!
Although I’m pretty confident in my new method I would like you to confirm that it’s not possible to recover the secret password anymore.

Dump of the relevant assembly

08460 main      STMFD   SP!, {R11,LR}
08464           ADD     R11, SP, #4
08468           LDR     R3, =var_8638 ; "%s"
0846C           MOV     R0, R3
08470           LDR     R1, =input
08474           BL      __isoc99_scanf
08478           LDR     R0, =input
0847C           BL      strlen
08480           MOV     R3, R0
08484           CMP     R3, #0x14
08488           BEQ     loc_8494
0848C           MOV     R3, #1
08490           B       loc_8570
08494 loc_8494  LDR     R3, =input_10798
08498           LDR     R2, [R3]
0849C           LDR     R3, =0x12345678
084A0           EOR     R3, R2, R3
084A4           LDR     R2, =0x69790439
084A8           LDR     R2, [R2]
084AC           CMP     R3, R2
084B0           BEQ     loc_84BC
084B4           MOV     R3, #1
084B8           B       loc_8570
084BC loc_84BC  LDR     R3, =input_1079C
084C0           LDR     R2, [R3]
084C4           LDR     R3, =input
084C8           LDR     R3, [R3]
084CC           ADD     R2, R2, R3
084D0           LDR     R3, =0xC2819E87
084D4           CMP     R2, R3
084D8           BEQ     loc_84E4
084DC           MOV     R3, #1
084E0           B       loc_8570
084E4 loc_84E4  LDR     R3, =input_107A0
084E8           LDR     R2, [R3]
084EC           LDR     R3, =input_1079C
084F0           LDR     R3, [R3]
084F4           RSB     R2, R3, R2
084F8           LDR     R3, =0xE91E0419
084FC           CMP     R2, R3
08500           BEQ     loc_850C
08504           MOV     R3, #1
08508           B       loc_8570
0850C loc_850C  LDR     R3, =input_107A0
08510           LDR     R2, [R3]
08514           LDR     R3, =input_107A4
08518           LDR     R3, [R3]
0851C           RSB     R2, R3, R2
08520           LDR     R3, =0xDD1F1D1C
08524           CMP     R2, R3
08528           BEQ     loc_8534
0852C           MOV     R3, #1
08530           B       loc_8570
08534 loc_8534  LDR     R3, =input_107A8
08538           LDR     R2, [R3]
0853C           LDR     R3, =input_107A4
08540           LDR     R3, [R3]
08544           ADD     R2, R2, R3
08548           LDR     R3, =0xD07A8174
0854C           CMP     R2, R3
08550           BEQ     loc_855C
08554           MOV     R3, #1
08558           B       loc_8570
0855C loc_855C  LDR     R3, =aCorrectTheFlag ; "Correct! The flag is: %s\n"
08560           MOV     R0, R3
08564           LDR     R1, =input
08568           BL      printf
0856C           MOV     R3, #0
08570 loc_8570  MOV     R0, R3
08574           SUB     SP, R11, #4
08578           LDMFD   SP!, {R11,LR}
0857C           BX      LR

(Optional) Binary in base64 format

Extract with:

cat base64below.txt | base64 -d | gunzip > binary.elf

File type:

ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, not stripped

Base64 encoded gzip archive:

H4sIAEph+VoAA5VYb2wUxxV/u16fD8fAGZtgBxcuKaimwecjXCAgp7IxxjYxf2JcZCTUvfXd2nfJ
+e50u45sShWMTeCDI2hAFapofFKjig/9QNuoQgqtaEtTqWrVqOFDPiTSHeZKIFQybUqrquH63sz+
mVscVV3p3czv3m/evHkz83Z2Xu8Z2CNJEtiPDK1A6PIMQARLZRn9B9URCIIfdeuhhfTZYR/A8Btc
/MBFsQRVrG3kBBdmEKXa0leRDnFkmksDcFFcKn9OcIn7uFRb/5Ge/ycxCeMfAxLvl/ToL2R9JBKT
RcSLll+2j33I75vmshu42LqXS2Yclnjs9u2p5Eh7Kt6WSqYnJkNGJrSV/x+wfO/d/00rlrzNU1a7
RmvspB+887dww0+/0b839/PvXdw4/6/v3ld+SLoai0Ntqz1923FRrNLmSRY3kJC3yMIcXHrvfMub
kUf3rj776urv/LV+Zfv+Fx96xyQJ9SDKNpTZGY5XWb6fE3A7SlTAm6gfAb+IkhIwqOrYeCatGqaW
M1UVMHQxCtk2VCSNTGzHDtWIaelR0EYyOROyuWTaHAXDzKX0NFKIbrUd15Jp6B3o39WtPhfa7tQi
YMW6CkW24iGzuQhY41qTTC6naB2w/mtkWIYjln62RoLVGIgUlk9i8LJUYgBNKvH/SSrR8HEqMegn
qMSABzrb7n4N4LNA5y8+XVduLyqFtpJSmC+tKJwt+Bd/WVJm0fj7Z2/5fz93S/n8Wsmu/+fvbv1z
oX5fqN8W6h9T/Up+AQr5BSXwg9vLg/miEsS+oK0UuD5fUq63lepgvlQXni+VyuXPFlHePYXzhP1f
xbIF/28JzpeqwmcLcvD8HYDBBfL9k3J5re07zdkGig9yIfhhiThSMF8Fwd9Uk/4CjnkD9uHHdhA+
h/pDCxiK2kbiY31lIV/fUG6v99v2fNbK6mu7q1x581ZgC/YP+WJd/Xzpt+ifIs2XrmMJ4XyxEdsj
u1YK5xdw/d37lPlwvnQ7TD4/UygECb9VkuFQ0eZtRt4fLN5VKsPnS1XBk4Vr1AYGHd4zyPuxxbtk
8eRgrHDJw2tC3qzFmxV4xz28FchLWbyjQr9HPTxcRvcGwnzMTYH50nE+1gXCygcv3YI+HqcXMH9e
xNhOHo6sOoflJZTTb0//Oo9ls7Lu7jtYtnxl/SeXsTSnj33QgXxqt9jbdnc4P18aPog+RPNFKZsv
yifyxSPYTx/2W33wlQLNd8/LV4q1+ZkCpvFa6Mwv+LD/mkC+6Kc19Kvv38F5K7agPalz9lY1DBUf
lss7F3ut9Vwul/0ox6f5WrfXCu2vjQZAdyaX02Pm08GhhB4cTWljwaSxM7jRqMVpP/hF+XU7t2zG
dRiYdfMN7cE6lA5cc7gRoRXH1Aw8n6+18hflnQTiFnDz8hz68Y9H5cy1aZ7void5nlucpsEBxFCe
sOyvFnJktEZieSEMPAfXU04gH2Z4XZnhuYreYQ1W+ahcztxE+zj8DPmMeypz46Q3e/7vJ+tzM+zA
zNIiPjuUqWRvd/fOYOtufSSppYOR0LbQ1rYtkU28Bh5lJLS97blNvAJdlI01XRtJgrQe6K09BD7Z
Ly2TVimN0mppTVWT1Cw9JW+WIGRMjZvaCJZmjpcJu4YZWM9lIZTOmHqoa1d/m6mNWWgsPREamUji
uy8ZB4YSmpGAUHwqjfZ4aea45jU9ZyQz6Qqgoi6np4jHK9mUSR0m8dfUJ/F3FAGqMnHN1CDUNbgv
pE8m45MQ0hPqaE4b1zld1XI5bYrT7forsRzzQBtPxrDXDFrjVkYMA0KxzPi4nja5Tc00c8mRCVM3
/p+5pLVJs0lriZ1dJL5e7Mee6a8Cf48Tj50xJP5utR/7/b1F4CWQl5B4Dvby+oCvd+LRHpiT+Fr2
CTwSOsPg/s0Qj/bINYmfw7y8/cD3CfFo7yzSgc7yRQL3LHMY3DMG7bWozPeYd7zfAr5PiEd75AZW
Vgj9ypa8CnxfUZ321k2Zj0Psl55jKMusNrQ3lSq+J8VxEJ4ReLSX66rcuCwXeHOWffqfck5HlXs2
EON8WuCxvYm8ox4eyVsCj87Jl+lMID9u76LAoxzX6uN5z8t7G4R1hbyIb+l18CPOy1IaYmdvHx/f
Cg/vJ4K9KPKiPlcn8t6z2tIc87P00rzfoay0eJSTE1/C+9Dql3j0/k99Ce8jKybE42d0fj6vEXg0
rqJgj3J4FAmtHnskfxF4Z5B3pmbpON+37BKPzjMXkNeyBO+BZS9sYeLtEHj2N8q/ua2s/f8fkfd1
D4+eeqtP+/lnDR0SHufZc2Y/H+MiPoixWYf1l8Ddl8s89jbjS21UaCie6b0P5S1g7Tmrz8HcQMLB
vIc5B/PoXHMw/zpZdDDfndGTNuazecPBflbedPAyViozNq5lZZ2Dn2Blh4P5jA44eDkrLzuY7wLa
Zxyv5ON1MN/xww6u5/46mH2tsH3AMc/sCQc3sjLlYH7CyDr4SW6vxsZrWHnGwU2svODgZhCfKnbi
EfFaNkP2/NDKUITx0s6VhPHQKiP8kUcfcfQBhm1/AP0he7cFfo2AZau9f9bVE7/D4dcx3OrYX8nf
QR79ZkG/RhifAg/KeDZ34olfYKy/OY9/AaH/dgHb/rUK+h7g8eX7s5mVCef81QhDApYQM/+E9t8W
sG1/WNDzewfbXgN7X8Qdew1Mf8Hxv5nla3G8pDknjI9qLwjzQ/5EPf2dOOVi0r97qlLf8oaLvfEl
fdTRr4KrApYQk975TsP4vw+V8/Hnivg1wAK46x2/gFk+FeNRBnf9S+gN+eueb5ez/o4KmI1XwPQN
TuNTmLcrYKPEv41op9VjPJ+V3PUbxPhtkyrvIuicZcc/gOM/jNUrAtY8ejpv2et3Fa7PtId/TOgv
gP2dlirvNt4REm0Q5WeSu37r5Sa4LvH9pzD/A/AnqfJuhT4W6fs8a433gaf/h5K730n/hcTXD7fX
BH65kh+QK8fXIvP1NCTx9k8L7wjy93m58m7ngFx5l0PnvQ4HY/7dEIcNGsS0VEq41IFYzjTMidHR
UAxUdW/3oDrQf2hIVRHEM+pYKjOipdS4mckZqjYxCXgOz6Z0U4+Hnt+2dfvSJNU91qt4Zs9NATv6
q/GJ8fEpbCIg1f0asKh05lezuUxMN4xkeox5tWewa1+P2rN/N3OLfLTrFc3joO4+sr9rX393pYaP
U+0dOLCra0A9sGfPoZ4hdahr10CPat9RxYwJ5jUk09kJkzvBm/Errc5O98JKVfGLxLkRYwD7pqrO
Pli4IVVUqILBx27FKm1XXLdhQyOjJrR0PKWD2n8AFfFkWp0w9Lh1yVbZ2BkL+ybjIeG9TmZyak43
JlLkgO2VMw5gt3Pq3tfUQX0saeAHZHdKMwz8vqq85nN7285v/Cq6Z53+FxSTC6+SFgAA

References

As these challenges are meant for learning this section will contain some resources to look into that will help solving this challenge.

https://azeria-labs.com/arm-instruction-set-part-3/
https://developer.arm.com/products/architecture/a-profile/docs/100898/latest/data-processing-instructions
https://www.mtholyoke.edu/courses/dstrahma/cs221/olr/olr7.htm

neolex · May 15, 2018, 2:58am

Thank you for the crackme !
It’s really fun to learn ARM with these !
Here is the key : ARM{FL4G_PR0C33S1NG}
my script : https://pastebin.com/6L59dLhL

panic_monster · May 21, 2018, 11:52am

Great challenge.

Flag:

ARM{FL4G_PR0C33S1NG}

Python 2.7 solver:

from __future__ import print_function
import binascii

part1 = 0x12345678 ^ 0x69790439
part2 = 0xC2819E87 - part1
part3 = (part2 + 0xE91E0419) & 0xffffffff
part4 = (part3 - 0xDD1F1D1C) & 0xffffffff
part5 = (0xD07A8174 - part4) & 0xffffffff

print(binascii.unhexlify(format(part1, 'x'))[::-1], end='')
print(binascii.unhexlify(format(part2, 'x'))[::-1], end='')
print(binascii.unhexlify(format(part3, 'x'))[::-1], end='')
print(binascii.unhexlify(format(part4, 'x'))[::-1], end='')
print(binascii.unhexlify(format(part5, 'x'))[::-1])

n0t0x10 · November 30, 2018, 7:34pm

Here’s a solution with boolector smt: https://pastebin.com/gydzJAJ2
Fun challenge!

Leeky · December 1, 2018, 12:22am

That’s an interesting solution! Haven’t heard about Boolector before.

pry0cc · December 3, 2018, 6:00pm

This topic was automatically closed after 2 days. New replies are no longer allowed.