HTB ARMs Race

1 minute read

Published:

HTB ARMs Race

We are given a remote ip. After connecting to the ip, we are given 50 challenges. The challenges contain some hex values. From the name of the challenge, we get a hint that the hex values are ARM instructions. Also, we see that, we need to calculate the value of register r0 after the instructions are executed. We also have a very short time limit to provide the answer. So, we use unicorn python library to emulate the instructions and find out the value of register r0. The following python script does the trick:

from pwn import *
from unicorn import *
from unicorn.arm_const import *

p = remote("94.237.49.212", 59717)

for i in range(50):

    s = p.recvuntil("\n").decode()
    code = s.split(":")[1].strip()
    code = bytes.fromhex(code)

    mu = Uc(UC_ARCH_ARM, UC_MODE_ARM)
    ADDRESS = 0x10000
    mu.mem_map(ADDRESS, 2 * 1024 * 1024)
    ARM_CODE = code  # Hex for ADD r3, r0, #1
    mu.mem_write(ADDRESS, ARM_CODE)
    mu.emu_start(ADDRESS, ADDRESS + len(ARM_CODE))

    q = p.recvuntil(":").decode()
    q = q.split(":")[0].split()[1].strip()
    r0_value = mu.reg_read(UC_ARM_REG_R0)
    p.sendline(str(r0_value))

p.interactive()

Here we read the instructions, emulate it and send the value of register r0. We repeat it 50 times as we can see that there are 50 levels. After this, we get the flag.

Flag: HTB{un1c0Rn_0R_C4p5T0nE_0R_qeMU_5ubPR0cE55_0r_F0r90TTen_0Ld_R45berry_4NyTH1N9_BUt_n0_M4nu4LLy}