[Write-up] Jet Logger - Midnight CTF 2023
Apr 16, 2023
Jet Logger was a linux reverse engineering challenge from MidNightCTF 2023.
We are given an archive with the following content :
jet_logger
encrypted_frames.txt.enc
Given the files, we can guess that we will be needing to find a way to decrypt the encrypted frames.
jet_logger is a classic x64 ELF binary we can open in IDA.
Main function is rather simple:
int __cdecl main(int argc, const char **argv, const char **envp)
{
puts(
" ------------- JetLogger v1.19.3 -------------\n"
"| |\n"
"| The solution to keep your ADS-B frames safe |\n"
"| by HellCorp |\n"
"| |\n"
" ---------------------------------------------\n");
__printf_chk(1LL, "Please input your password : ");
if ( !fgets(s, 17, _bss_start) )
{
puts("An error occured when reading input...");
result = 1;
goto LABEL_7;
}
if ( !(unsigned __int8)check_password((FILE *)s) )
{
puts("Wrong password !");
goto LABEL_7;
}
puts("Success ! Decrypting your frames...");
v3 = fopen("./frames.txt.enc", "r");
while(1){
LOBYTE(v17) = fgetc(v3);
[some computation in a loop, using our input "s"]
algo_encrypt(&v17, (__m128i *)&v15[(16 * v12) & 0xFF0]);
[some more computation in a loop]
}
LABEL_17:
__printf_chk(1LL, "Here they are : \n%s\n", v15);
}
Parts of the decompilation has been redacted for brevity.
Two things to note :
- algo_encrypt is probably symmetrical, otherwise it could not be used to decrypt
frames.txt.enc - we have to input a password that will probably be used as a key to decrypt frames
check_password function seems rather simple too:
v3 = __readfsqword(0x28u);
result = 0;
if ( trigger_data == 34740228 )
{
puts("Password verification...");
trigger_data = 0x25120496uLL / (unsigned __int8)valid_ciphertext;
algo_encrypt(a1, &v2);
result = valid_ciphertext == v2;
}
if ( v3 != __readfsqword(0x28u) )
return on_breakpoint();
return result;
We have to find an input that result in valid_ciphertext’s value once encrypted.
Let’s take a lok at algo_encrypt :
.text:0000000000001984 mov edx, [rdi+8]
.text:0000000000001987 mov r8, rsi
.text:000000000000198A xor edx, cs:dword_4078
.text:0000000000001990 mov esi, [rdi]
.text:0000000000001992 xor esi, cs:key
.text:0000000000001998 ror edx, 0Dh
.text:000000000000199B rol esi, 7
.text:000000000000199E mov ecx, [rdi+4]
.text:00000000000019A1 mov eax, [rdi+0Ch]
.text:00000000000019A4 xor ecx, cs:dword_4074
.text:00000000000019AA xor eax, cs:dword_407C
.text:00000000000019B0 xor edx, esi
.text:00000000000019B2 mov r9d, esi
.text:00000000000019B5 xor eax, esi
.text:00000000000019B7 mov esi, ecx
.text:00000000000019B9 not r9d
.text:00000000000019BC ror ecx, 9
.text:00000000000019BF ror esi, 2
.text:00000000000019C2 xor ecx, r9d
.text:00000000000019C5 movd xmm1, r9d
.text:00000000000019CA xor eax, esi
.text:00000000000019CC movd xmm2, ecx
.text:00000000000019D0 xor eax, edx
.text:00000000000019D2 not edx
.text:00000000000019D4 punpckldq xmm1, xmm2
.text:00000000000019D8 movd xmm0, eax
.text:00000000000019DC movd xmm3, edx
.text:00000000000019E0 punpckldq xmm0, xmm3
.text:00000000000019E4 punpcklqdq xmm0, xmm1
.text:00000000000019E8 movups xmmword ptr [r8], xmm0
.text:00000000000019EC retn
The algorithm is simple enough. A constraint solver tool such as z3 should be able to provide a solution easily. Problem is, we cannot simply emulate this function to get our constraints, since it requieres knowing values of variables key, qword_4074, qword_4078, qword_407C, which are in .bss section :
.bss:0000000000004070 key dd ? ; DATA XREF: algo_encrypt+12↑r
.bss:0000000000004070 ; on_breakpoint:loc_1C09↑w ...
.bss:0000000000004074 dword_4074 dd ? ; DATA XREF: algo_encrypt+24↑r
.bss:0000000000004074 ; on_breakpoint:loc_1B09↑w ...
.bss:0000000000004078 dword_4078 dd ? ; DATA XREF: algo_encrypt+A↑r
.bss:0000000000004078 ; on_breakpoint:loc_1C79↑w ...
.bss:000000000000407C dword_407C dd ? ; DATA XREF: algo_encrypt+2A↑r
I assume that those values will be filled at runtime. We can check where by looking at Xrefs. It seems to be used in a on_breakpoint function, which is quite large, and I do not want to reverse engineer this function. A better approach would be to recover this value dynamically.
Back on check_password, checking valid_ciphertext’s reveals something fishy :
v3 = __readfsqword(0x28u);
result = 0;
if ( trigger_data == 34740228 )
{
puts("Password verification...");
trigger_data = 0x25120496uLL / (unsigned __int8)valid_ciphertext;
algo_encrypt(a1, &v2);
result = valid_ciphertext == v2;
}
if ( v3 != __readfsqword(0x28u) )
return on_breakpoint();
return result;
.data:0000000000004040 valid_ciphertext xmmword 3C2E4CAC1BC19A84684145B626570D00h
This value ends with a 0, which should trigger a zero divide exception.
Something must be editing this value. Taking a look at Xrefs, we can discover premain function:
v0 = sys_clone(0x1200011uLL, 0LL, 0LL, (void *)(__readfsqword(0x10u) + 720));
child_pid = v0;
if ( (_DWORD)v0 )
{
waitpid(v0, 0LL, v1);
v2 = (unsigned int)child_pid;
v3 = v29;
for ( i = 54LL; i; --i )
{
*(_DWORD *)v3 = 0;
v3 += 4;
}
ptrace(PTRACE_GETREGS, v2, 0LL, v29);
child_load_addr = (__int64 (__fastcall *)(int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, __int64))(v31 - (_QWORD)child_load_addr);
install_hardware_breakpoint(12, v2, v5, v6, v7, v8, v21 & 0xFC, (__int64)main, v22 & 0xF0);
install_hardware_breakpoint(12, v2, v9, v10, v11, v12, v23 & 0xFC | 1, (__int64)check_password, v24 & 0xF0);
install_hardware_breakpoint(12, v2, v13, v14, v15, v16, v25 & 0xFC | 2, (__int64)&trigger_data, v26 & 0xF0 | 9);
install_hardware_breakpoint(12, v2, v17, v18, v19, v20, v27 | 3, (__int64)&trigger_data, v28 & 0xF0 | 0xB);
while ( 1 )
{
ptrace(PTRACE_CONT, (unsigned int)child_pid, 0LL, 0LL);
if ( (unsigned __int8)bp_index > 3u )
break;
waitpid(child_pid, 0LL, 0);
on_breakpoint();
}
bp_index = 0;
waitpid(child_pid, 0LL, 0);
ptrace(PTRACE_GETREGS, (unsigned int)child_pid, 0LL, v29);
v30 = 1LL;
LOBYTE(valid_ciphertext) = valid_ciphertext_start;
ptrace(PTRACE_POKEDATA, (unsigned int)child_pid, &valid_ciphertext, (_QWORD)valid_ciphertext);
ptrace(PTRACE_SETREGS, (unsigned int)child_pid, 0LL, v29);
ptrace(PTRACE_CONT, (unsigned int)child_pid, 0LL, 0LL);
exit(0);
}
ptrace(PTRACE_TRACEME, 0LL, 0LL, 0LL);
A lot of mess here, this looks like a classic nanomite or father/child ptrace stuff I do not want to reverse engineer myself.
Sadly, PTRACE will probably prevent us from debugging this binary and recovering the values we need to recover to find a valid input (key, qword_4074, qword_4078 and qword_407C).
Luckily, I created a tool at Flare-On CTF 2020 to help me reverse engineer ptraced binaries. It’s called tick, and all it does is preloading 99% of libc functions to log them to the terminal.
Running this tool outputs a rather long trace :
[ 5486] [waitpid]
[ 5486] [ptrace] ptrace(PTRACE_GETREGS, 5487)
rax : 0
rcx : 7FADF516D19E
rdx : 0
rsi : 0
rdi : 0
rbx : 0
r8 : FFFFFFFF
r9 : F
r10 : 0
r11 : 286
r12 : 7FFF2904A5D8
r14 : 55AB8F3611C0
r13 : 55AB8F363D68
r15 : 7FADF5334040
rbp : 1
rsp : 7FFF2904A3F0
orax : FFFFFFFFFFFFFFFF (origin RAX)
rip : 55AB8F36163F
[ 5486] [ptrace] ptrace | 3 is not implemented by the tool.
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x350) | data : 55AB8F3611C0
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x388) | data : 401
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x380) | data : 0
[ 5486] [ptrace] ptrace | 3 is not implemented by the tool.
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x358) | data : 55AB8F3619F0
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x388) | data : 405
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x380) | data : 0
[ 5486] [ptrace] ptrace | 3 is not implemented by the tool.
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x360) | data : 55AB8F364028
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x388) | data : 9000415
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x380) | data : 0
[ 5486] [ptrace] ptrace | 3 is not implemented by the tool.
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x368) | data : 55AB8F364028
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x388) | data : B9000455
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x380) | data : 0
[ 5486] [ptrace] ptrace(PTRACE_CONT, 5487) | [Delivered signal]: [Unknown signal 0]
[ 5486] [waitpid]
[long list of PTRACE PEEKTEXT here]
[ 5486] [ptrace] ptrace(PTRACE_POKEDATA, pid 5487, @ 0x55ab8f364070) | data : C4A34DA6
[ 5486] [ptrace] ptrace | 3 is not implemented by the tool.
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x350) | data : 0
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x388) | data : B9000454
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x380) | data : 0
[ 5486] [ptrace] ptrace(PTRACE_CONT, 5487) | [Delivered signal]: [Unknown signal 0]
[ 5486] [waitpid]
[long list of PTRACE PEEKTEXT here]
[ 5486] [ptrace] ptrace(PTRACE_POKEDATA, pid 5487, @ 0x55ab8f364074) | data : B7D80F2B
[ 5486] [ptrace] ptrace | 3 is not implemented by the tool.
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x358) | data : 0
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x388) | data : B9000450
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x380) | data : 0
[ 5486] [ptrace] ptrace(PTRACE_CONT, 5487) | [Delivered signal]: [Unknown signal 0]
[ 5486] [waitpid]
[long list of PTRACE PEEKTEXT here]
[ 5486] [ptrace] ptrace(PTRACE_POKEDATA, pid 5487, @ 0x55ab8f364078) | data : 77871143
[ 5486] [ptrace] ptrace | 3 is not implemented by the tool.
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x360) | data : 0
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x388) | data : B9000440
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x380) | data : 0
[ 5486] [ptrace] ptrace(PTRACE_CONT, 5487) | [Delivered signal]: [Unknown signal 0]
[ 5486] [waitpid]
[long list of PTRACE PEEKTEXT here]
[ 5486] [ptrace] ptrace(PTRACE_POKEDATA, pid 5487, @ 0x55ab8f36407c) | data : 9D63F669
[ 5486] [ptrace] ptrace | 3 is not implemented by the tool.
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x368) | data : 0
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x388) | data : B8000400
[ 5486] [ptrace] ptrace(PTRACE_POKEUSER, pid 5487, @ 0x380) | data : 0
[ 5486] [ptrace] ptrace(PTRACE_CONT, 5487) | [Delivered signal]: [Unknown signal 0]
[ 5486] [waitpid]
[ 5486] [ptrace] ptrace(PTRACE_GETREGS, 5487)
rax : 25120496
rcx : 0
rdx : 0
rsi : 7FFF2904A420
rdi : 7FFF2904A470
rbx : 0
r8 : 7FADF526CA70
r9 : 55AB8FF658A0
r10 : 7FADF526B2E0
r11 : 246
r12 : 7FFF2904A470
r14 : 55AB8F3611C0
r13 : 55AB8F363D68
r15 : 7FADF5334040
rbp : 7FFF2904A470
rsp : 7FFF2904A420
orax : FFFFFFFFFFFFFFFF (origin RAX)
rip : 55AB8F361A53
[ 5486] [ptrace] ptrace(PTRACE_POKEDATA, pid 5487, @ 0x55ab8f364040) | data : 684145B626570D2F
[ 5486] [ptrace] ptrace(PTRACE_SETREGS, 5487)
rax : 25120496
rcx : 1
rdx : 0
rsi : 7FFF2904A420
rdi : 7FFF2904A470
rbx : 0
r8 : 7FADF526CA70
r9 : 55AB8FF658A0
r10 : 7FADF526B2E0
r11 : 246
r12 : 7FFF2904A470
r14 : 55AB8F3611C0
r13 : 55AB8F363D68
r15 : 7FADF5334040
rbp : 7FFF2904A470
rsp : 7FFF2904A420
orax : FFFFFFFFFFFFFFFF (origin RAX)
rip : 55AB8F361A53
[ 5486] [ptrace] ptrace(PTRACE_CONT, 5487) | [Delivered signal]: [Unknown signal 0]
[ 5486] [exit]
[ 5487] [ptrace] ptrace(PTRACE_TRACEME, 0)
------------- JetLogger v1.19.3 -------------
| |
| The solution to keep your ADS-B frames safe |
| by HellCorp |
| |
---------------------------------------------
Please input your password : [ 5487] [fgets]
Password verification...
Wrong password !
Interresting values came out of PTRACE_POKEDATA:
[ 5567] [ptrace] ptrace(PTRACE_POKEDATA, pid 5568, @ 0x55ccbecf4070 (base+0x4070)) | data : C4A34DA6
[ 5567] [ptrace] ptrace(PTRACE_POKEDATA, pid 5568, @ 0x55ccbecf4074 (base+0x4074)) | data : B7D80F2B
[ 5567] [ptrace] ptrace(PTRACE_POKEDATA, pid 5568, @ 0x55ccbecf4078 (base+0x4078)) | data : 77871143
[ 5567] [ptrace] ptrace(PTRACE_POKEDATA, pid 5568, @ 0x55ccbecf407c (base+0x407c)) | data : 9D63F669
[ 5567] [ptrace] ptrace(PTRACE_POKEDATA, pid 5568, @ 0x55ccbecf4040 (base+0x4040)) | data : 684145B626570D2F
Those are the values of key (qword_4070), qword_4074, qword_4078 and qword_407C. It also modifies valid_ciphertext’s value, replacing the 0 with 0x2F.
All we have to do now is use them in a symbolic execution to gather our constraints and solve them using z3 :
from miasm.analysis.machine import Machine
from miasm.core.locationdb import LocationDB
from miasm.analysis.binary import Container
from miasm.jitter.csts import *
from miasm.expression.expression import *
from miasm.ir.symbexec import SymbolicExecutionEngine
from miasm.ir.translators.z3_ir import TranslatorZ3
from miasm.arch.x86.lifter_model_call import LifterModelCall_x86_64
import z3
import sys
if len(sys.argv) != 2:
print(f'Usage : {sys.argv[0]} <filename>')
exit(1)
filename = sys.argv[1] #'jet_logger.bak'
loc_db = LocationDB()
data = open(filename, 'rb').read()
container = Container.from_stream(open(filename, 'rb'), loc_db)
machine = Machine(container.arch)
ira = machine.lifter(loc_db)
dis_engine = machine.dis_engine(container.bin_stream, loc_db=loc_db)
# we want to start emulation right inside encrypt func, here:
# .text:0000000000001984 mov edx, [rdi+8]
# .text:0000000000001987 mov r8, rsi
# .text:000000000000198A xor edx, cs:dword_4078
# .text:0000000000001990 mov esi, [rdi]
# .text:0000000000001992 xor esi, cs:key
# .text:0000000000001998 ror edx, 0Dh
start_address = 0x1984
# Disassemble fn
asm_cfg = dis_engine.dis_multiblock(start_address)
ira_cfg = ira.new_ircfg_from_asmcfg(asm_cfg)
# Now we need to prepare the state for symexec
# This function takes two parameters :
# - a pointer to a 16 bytes argument in RDI,
# - a pointer to a 16 bytes result in RSI
init_state = {}
# RDI will point to our arguments @0xDEAD0000, RSI to the result @0xC0FEC0FE
init_state[ExprId('RDI', 64)] = ExprInt(0xDEAD0000, 64)
init_state[ExprId('RSI', 64)] = ExprInt(0xC0FEC0FE, 64)
# Symbolize each byte of input
for i in range(16):
init_state[ExprMem(ExprInt(0xDEAD0000+i, 64), 8)] = ExprId(f'ARG{i}', 8)
# We add relevant information produced by ptrace child/father mechanism
init_state[ExprMem(ExprInt(0x4070, 64), 32)] = ExprInt(0xC4A34DA6, 32)
init_state[ExprMem(ExprInt(0x4074, 64), 32)] = ExprInt(0xB7D80F2B, 32)
init_state[ExprMem(ExprInt(0x4078, 64), 32)] = ExprInt(0x77871143, 32)
init_state[ExprMem(ExprInt(0x407C, 64), 32)] = ExprInt(0x9D63F669, 32)
# Execution of the encrypt function
sb = SymbolicExecutionEngine(LifterModelCall_x86_64(loc_db) , state=init_state)
sb.run_block_at(ira_cfg, addr=start_address, step=False)
# At this point symex is over, we translate result to z3 expression
trans = TranslatorZ3(loc_db=loc_db)
# We want to find an input that result in this key we retrieved from ptrace child/father mechanism
values = [0x2F, 0x0D, 0x57, 0x26, 0xB6, 0x45, 0x41, 0x68,
0x84, 0x9A, 0xC1, 0x1B, 0xAC, 0x4C, 0x2E, 0x3C]
s = z3.Solver()
for i in range(16):
s.add(trans.from_expr(ExprId(f'ARG{i}', 8)) >= trans.from_expr(ExprInt(0x20, 8) ))
s.add(trans.from_expr(ExprId(f'ARG{i}', 8)) <= trans.from_expr(ExprInt(0x7F, 8) ))
expr = sb.eval_expr(ExprMem(ExprInt(0xC0FEC0FE+i, 64), 8))
cmp = ExprInt(values[i], 8)
cmp = trans.from_expr(cmp)
expr = trans.from_expr(expr)
s.add(expr == cmp)
assert (s.check() == z3.sat)
## Extract values from model
model = s.model()
r = {}
for model_index, _ in enumerate(model):
index = int(_.name().split("ARG")[1])
r[index] = _
password = ''.join([chr(int(str(model[r[i]]))) for i in range(16)])
print(f'Password is : {password}')
$ python3 ./src/solve.py ../../jet_logger
Password is : l1k3d_th3_alg0_?