ARM Crackme - Starting with EOR

challenge
reverseengineering

#1

ARM Crackme - Starting with EOR

@Wunkolo and I have decided that there aren’t enough ARM crackmes on the forum and that we should add a few for people that are interested in learning how the architecture works and for those that just want to show their skills :smiley:

We will start very easy with some challenges that don’t require any kind of setup or reading up specific processor manuals but that will change when the challenges get harder.
A binary is still provided in case static analysis is not your thing, anyways let’s start:

Rules and Goals

In this challenge the goal is to decrypt the password in ever way you want.
Post it in spoiler tags under the challenge so we can see who solved it! :smiley:

Challenge

I’ve written myself this tool to encrypt all my passwords a few month ago but apparently I forgot to implement a decryption function.
I can’t find the source either so I’m left with this useless encrypted password. Maybe you can help me decrypt it?

Encrypted Password

1D 0E 11 27 0F 6D 11 0C 10 6F 03 6F  6C 0E 21

Dump of the relevant assembly

0845C main      STMFD   SP!, {R11,LR}
08460           ADD     R11, SP, #4
08464           SUB     SP, SP, #8
08468           LDR     R3, =var_856C  ; "%s"
0846C           MOV     R0, R3
08470           LDR     R1, =input
08474           BL      __isoc99_scanf
08478           MOV     R3, #0
0847C           STR     R3, [R11,#-8]
08480           B       loc_84B8
08484 loc_8484  LDR     R2, =var_8570  ; "%02X "
08488           LDR     R1, =input
0848C           LDR     R3, [R11,#-8]
08490           ADD     R3, R1, R3
08494           LDRB    R3, [R3]
08498           EOR     R3, R3, #0x5C
0849C           AND     R3, R3, #0xFF
084A0           MOV     R0, R2
084A4           MOV     R1, R3
084A8           BL      printf
084AC           LDR     R3, [R11,#-8]
084B0           ADD     R3, R3, #1
084B4           STR     R3, [R11,#-8]
084B8 loc_84B8  LDR     R3, [R11,#-8]
084BC           CMP     R3, #0xE
084C0           BLS     loc_8484
084C4           LDR     R0, =var_8578  ; ""
084C8           BL      puts
084CC           SUB     SP, R11, #4
084D0           LDMFD   SP!, {R11,LR}
084D4           BX      LR

(Optional) Binary in base64 format

Extract with:

cat base64below.txt | base64 -d | gunzip > binary.elf

File type:

ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, not stripped

Base64 encoded gzip archive:

H4sIAErs31oAA5VYb2xUxxGfvT/mABvO2IR/Frk0jmIafD7A5U+qNDbG2KbmT8BtaIXyePaduUvO
d6e7d5FpQImxo0atKahFKorS+j6gqGpRRSU+UJVWKa1S1E9ItFL67c7uJUAS1ahKpKYV15mdfe/t
vZAPeae53Xnz29mZ2Z3dfftq//BeIQTYjw86gLhL0wDdWLaH6B0EuyECIZQ9Cm0kz50KApx6nQkh
kgKKGoDbdr/GJBUiBZXcTzLku6eYWoAp4EL5eY3pjSBTUL0jOb8Tkjbjix7B/ZIc7YULQSIhaRH5
RWWXbeMg4genmPYAky17rmrF4SGP3b4rnRrtSsc706lMcTJayEa38fuwsn3gwLdULLnNetWuVflO
8vd/YP23+tMfnf5u5clnn1n/7FPFz0o3SbZEYahd0NO/HZeA0u1XpVDYcNL3mE8bg/Arb5062/3g
3rWnXlp9+uPmlV0HnvnU65PQ6hGkTUjJaeZXKdtnNZ7G9ZjGR5EuavzXkSyNB8M4MZHNGAXLzFuG
ARi6MQrZdhSkCtmxXbuMwpiZGYdc0SqAOZrNW5DLpzLWOAIIrFpOmKkMDAwP7e4ztkZ3OLVuUJH2
I9FPIIXVWNCzJpVqokjtV+9aJe+D55X8Fw0CVmMQzmP5CAbuApUYxItUYhDfohLlJSox4JeoxGCH
ezrvPgnwYbjn93c21roqgXJnNVCeq64onyuHFv9Q3UwxePfcfOivs/Ob/329atfbtXqbVm/V6o1a
PUD1K6UFKJcWAuGf/bMpUqoEItgXdFbD78xVA+90VhthrtoYm6veqdU+XES6M4NjhPQRUhu+b4vM
Vf2xc2Vf5CcfABxeINvLtdoG2/YLZzDPKT6IhcjtKmFEpOSHyJ+CJL+KPrdjHyFsB7HzKD+ygKFY
1kp4rK8sl5pbal3NIaXvfFDNqsHOu4ErZ+dDt/bPJxHrh1IlHp6r/hlthFhpIRRbjrbDvRG0bxjf
h2Ib0M6pMsRuV4/FHp+vxfzzPmzjD5cqv8I2JBex6XlqR/UV2Pe/arU316Jtb6M8cOub8zDINqRx
XbqGduewnESid4sDnXePluaqRw+h3cdLFZErVXyvlSo/xLaDaF/w0ItlilP/c1cqy0rT5aXoI/SU
FhrQhiVoQ4hi/8c3P0B/K22oT/TMzAdhpPJprfb04oCaB7VaLYSUnuI5YseY5uUTBYAnYluPRtTc
63hQe9XOvw4cq8YZNydprmJsYCfOoybKOfRhHfCat0HluMxN5NvAXbtmsd9PHtSy16d4TTh+hteC
xSlyBsBEWq70r1Z90zoy0yDkWhIDXqeaKXeQQtNch2nOZ1rnW1T5oFbL3kL96G6WbMa5l71xBr70
cyHorkKD0w8n/Rno63s60rEnMZoyM5Hu6Pbots4t3Zu45hV2R3d0bt3EFeil1c1MmKMpEI8C7Woj
0OALiaViVaBVrBZr/GvFOrHehxtKtHBywjJHsbTyXCbtGi5OiXwOopmslYj27h7qtMwTijuRKUZH
iyncG1JxkFzSLCQhGj+ZQX1cWnmWvJzIF1LZTB1joCyfSBOOK7m0RR2m8N9KTOL/ODIoysZNy4Ro
7+H90cRkKj4J0UTSGM+bEwmGG2Y+b55kuF1/cSwvLTAnUmPYaxa1sZbRQgGiY9mJiUTGYp2mZeVT
o0UrUfgy40jzkkaS5pHc2wXPFfuxR/lx4H2OcHIPFrz32E9AlVs0XBJxScHrlBc3CDzXCUfzf1bw
PG7QcES0x2OuZglH+XFd8H7mxR0AzhHCUd4s0oFH2SLA3eu/De4eTHl23Mf55fX3BeAcIRzlxw2s
rND69Sl6CTinqE55dcvHfuj90vM9pKWqDeUlGRHy+BFSIhtHeRzyu3Fp0nCzSj+9p/Vmp9/dP/U4
f1/DybxE3DEPjujHGo7OkZcQd018Xt9FDUfr27Egr3le3M/BnVdJxCWDvEZ5cW8zLkdLkDybBtm/
FR7cbzR9M4ibCboyHfc71ZbGmM+aD8f9BWmlwtF6PPsFuNuqX8LRHnn+C3DvqZgQjs+wfH5douHI
r4qmj9bvGWzU4dFH9L6Gu4y4yw3c3tvvR0ov4WjPv9rw8DjfV/piiifcLg1nn+E/Y105+/3HiPuq
B0dPs+rTftago8vE53H2mNnP/3CyxFDnRqzvAzcvl3r0bcZF6KDWUD/zeh9at0C2Z9Sgw7OCpMNz
D7MOz9G57vB8el90eM7O42dsnkfzhsPziNxy+KVcmbb5ZbIMOfxyWe50eM6cQYdvkuUlh+csoDxj
fiX74/Cc8accXu76Mj+Yl6d5mQfM88o+6/A8U847PJ8uLjj8I6yvwebXyPKyw6+V5VWHXwf645en
HZ3fIEfIHh+aGQHNX8pcoflDs4z4v3nkSUcelrxtD6A9pK+s4ZdovE+1D8y4csLvdPCNkj/m6F8p
+R6P/LgmX6P5F4D7ta+AG0/8SpH9XfHY16j136Xxtn3tmrwfOL6cn+tkOeucvVphROMF8qS/Q2v/
isbb+kc0OX+X2/pa5H7xhqOvRcqvOvavk+u17i9J0tp4yPh59L/nifcdj/zQ6y7vjSfJZxz5Kvi1
xgvkSe58u2C8r0N9/G/WxasF/gHu/MavQpj3+P8JuPNdoDXy3sEZ/ybZ31GNl/5q/HLB/gWktStg
g+BvGsrcZozfY8KdrxGcD3QPon+bf0O48Q6j/8NYvanxz3vkLwh3vq7CXuIefE7rL4z9nRb1dwVn
Rf23/y+1hTaC9Fvhzt9m31p4V3D+BaQ/Yfi74G/WnPK36un/nnDzm+T3PfL/ePwJ+nj+zCr8Ml+9
PRt99XcbO331dxlDPjefV9H62h6HdhPGzHRau9SAsbxVsIrj49ExMIx9fYeN4aEjI4aBTDxrnEhn
R820Ebey+YJhFicBz9m5dMJKxKNf275tx8NBhntsN/BMnj8J8mhvxIsTEyexicYZ7mlfQSezeWOL
tGXv4d79/Ub/gT3SGLLMrtc1ioOx5zsHevcP9dVL2DtjYPjg7t5h4+DevUf6R4yR3t3D/YZ9NzNW
KEpbIZXJFS2gzwnVjO9wenrcixrDwO8M5x5IMtg3VRPyM4QVGbrA0BUWrUK9Os/tUL2w7tIJFRWy
RtLMxNMJMIYOoiCeyhjFQiKueyK/szggynfHEMd0kBdRxr6XjcOJE6kCfgn2pc1CAT+U6u+zXGt2
8K1WnXmyp/8DjmgtOHsVAAA=

References

As these challenges are meant for learning this section will contain some resources to look into that will help solving this challenge.


#2

Thank you for the challenge, pretty cool !

I did it without the binary and get the password :

ARM{S1MPL3_30R}

with the following script :

import sys

encrypted_password = “1D 0E 11 27 0F 6D 11 0C 10 6F 03 6F 6C 0E 21”
decrypted_password = [int(x,16)^0x5c for x in encrypted_password.split()[:15]]

for i in decrypted_password:
sys.stdout.write("%c"%(i))

print “”


(Root) #3

I love the fact that this has to do with processor arch. Give us more :smiley:


(decart) #4

yes, please do more of these :slight_smile: binaries welcome too…


#5

Good challenge. A great way to learn foreign archs. A one-liner python solution.

'"".join(map(lambda x: chr(int(x, 16)^0x5c), “1D 0E 11 27 0F 6D 11 0C 10 6F 03 6F 6C 0E 21”.split()))