In this challenge, we have to connect to a service running on port 4004:
$ nc inmemory.final2012.ghostintheshellcode.com 4004
Written in memory of a great microprocessor.
Waiting for program...
Too slow!
Great microprocessor... port 4004... waiting for program... Could this be an Intel 4004 emulator?
Checking the documentation for the Intel 4004, we see it had a 4096-byte PROM, so we send 4096 bytes to the service, and indeed:
Written in memory of a great microprocessor
Waiting for program...
Loading program onto PROM...
Executing program...
Cycle limit reached!
Exiting...
In-memory... so it probably means the key is in the memory of the emulator. We used http://e4004.szyc.org/ a lot to design some code that scans all the memory and sends it to the ROM port.
Intel 4004 code:
init
LDM 0
DCL
FIM R0R1, 0 ; initialize R0=R1=0
FIM R2R3, 0 ; initialize R2=R3=0
LDM 12 ; load 12 to accumulator
XCH R2 ; initialize R2=12
loop1
SRC R0R1 ; select register & address
RDM ; load accumulator from RAM
WRR ; write accumulator to ROM port
ISZ R1, loop1 ; loop 16 times
ISZ R0, loop1
ISZ R2, loop1 ; loop 4 times
We use the assembler on the website to get the object code and we send it using a simple Python program:
#!/usr/bin/env python
# aXs ^ Big-Daddy
# Python 2 script: sends the assembled 4004 program, padded to the 4096-byte PROM size.
import socket
import sys

if len(sys.argv) != 3:
    print '\nUsage:\t./inmemory.py [host] [port]'
    sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # Creating socket
s.connect((host, port))  # Connecting to the service

# Read the two banner lines
data = s.recv(65536)
print 'Received', repr(data)
data = s.recv(65536)
print 'Received', repr(data)

# Object code of the memory scan program, padded with NOPs (0x00) to 4096 bytes
crash = '\xD0\xFD\x20\x00\x22\x00\xDC\xB2\x21\xE9\xE2\x71\x08\x70\x08\x72\x08'
crash += '\x00' * (4096 - len(crash))
s.sendall(crash)  # sendall makes sure the whole PROM image goes out

# Print everything the emulator writes back until it closes the connection
while 1:
    line = s.recv(4096)
    if not line:
        break
    print 'Received', repr(line)
s.close()
The emulator was *very* unreliable on the challenge service and you needed to run your program like 20 times.
Result:
$ python inmemory.py inmemory.final2012.ghostintheshellcode.com 4004
Received 'Written in memory of a great microprocessor.\n'
Received 'Waiting for program...\n'
Received 'Loading program onto PROM...\n'
Received 'Executing program...\n
500000000000000040000000000000006000000000000000f0000000000000006000000000000000
c0000000000000006000000000000000400000000000000050000000000000009000000000000000
6000000000000000f000000000000000700000000000000050000000000000004000000000000000
9000000000000000500000000000000040000000000000006000000000000000f000000000000000
6000000000000000c000000000000000600000000000000040000000000000005000000000000000
90000000000000006000000000000000f00000000000000070000000000000005000000000000000
40000000000000009000000000000000500000000000000040000000000000006000000000000000
f0000000000000006000000000000000c00000000000000060000000000000004000000000000000
500000000000000090000000000000006000000000000000f0000000000000007000000000000000
50000000000000004000000000000000900000000000000050000000000000004000000000000000
6000000000000000f0000000000000006000000000000000c0000000000000006000000000000000
4000000000000000500000000000000090000000000000006000000000000000f000000000000000
70000000000000005000000000000000400000000000000090000000000000005000000000000000
40000000000000006000000000000000f0000000000000006000000000000000c000000000000000
60000000000000004000000000000000500000000000000090000000000000006000000000000000
f0000000000000007000000000000000500000000000000040000000000000009000000000000000
500000000000000040000000000000006000000000000000f0000000000000006000000000000000
c0000000000000006000000000000000400000000000000050000000000000009000000000000000
6000000000000000f000000000000000700000000000000050000000000000004000000000000000
9000000000000000500000000000000040000000000000006000000000000000f000000000000000
6000000000000000c000000000000000600000000000000040000000000000005000000000000000
90000000000000006000000000000000f00000000000000070000000000000005000000000000000
40000000000000009000000000000000500000000000000040000000000000006000000000000000
f0000000000000006000000000000000c00000000000000060000000000000004000000000000000
500000000000000090000000000000006000000000000000f0000000000000007000000000000000
500000000000000040000000000000009000000000000000
Cycle limit reached!
Exiting...
You need to rerun it with the top LDM changed to 1 to switch to another RAM bank.
The pattern is repeated several times: 546f6c64596f7549546f6c64596f7 = ToldYouI
You keep converting until you have the full key assembled from all the RAM memory regions.
Key: ToldYouItWasInMemory
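The whole procedure, reproduced offline as an added example (not part of the original write-up and not the challenge's emulator): a Python 3 model of the 4004 opcodes the payload uses, run against a constructed RAM, followed by the nibble-to-ASCII decoding of each bank's dump. Assumptions: the key sits in 8-byte chunks per bank at character 0 of each register (the page only shows this for bank 0), DCL is modelled as a plain bank index, execution stops at the end of the 17 program bytes instead of at the service's cycle limit, and all function names are this example's own.

```python
# Added example: minimal Intel 4004 subset plus dump decoder; RAM contents are constructed.
PAYLOAD = bytes.fromhex("d0fd20002200dcb221e9e2710870087208")  # object code from the script

def run(prog, ram):
    """Execute prog until PC runs past it; return the nibbles written by WRR as hex."""
    acc = pc = sel = src = 0
    r, out = [0] * 16, []
    while pc < len(prog):
        op, pc = prog[pc], pc + 1
        hi, lo = op >> 4, op & 0xF
        if hi == 0xD:                      # LDM n: load immediate nibble
            acc = lo
        elif op == 0xFD:                   # DCL: select RAM bank from accumulator
            sel = acc & 7
        elif hi == 0x2 and lo % 2 == 0:    # FIM: load register pair from next byte
            r[lo], r[lo + 1] = prog[pc] >> 4, prog[pc] & 0xF
            pc += 1
        elif hi == 0x2:                    # SRC: pair becomes chip/register/char address
            src = r[lo - 1] << 4 | r[lo]
        elif hi == 0xB:                    # XCH: swap accumulator and register
            acc, r[lo] = r[lo], acc
        elif op == 0xE9:                   # RDM: read selected RAM character
            acc = ram[sel][src]
        elif op == 0xE2:                   # WRR: write accumulator to the ROM port
            out.append(acc)
        elif hi == 0x7:                    # ISZ: increment, jump unless it wrapped to 0
            r[lo] = (r[lo] + 1) & 0xF
            pc = prog[pc] if r[lo] else pc + 1
        else:
            raise ValueError("opcode %02x not modelled" % op)
    return "".join("%x" % n for n in out)

def make_ram(chunks):
    """Constructed RAM: each chunk's hex nibbles at character 0 of registers 0..15."""
    ram = [[0] * 256 for _ in chunks]
    for bank, chunk in zip(ram, chunks):
        for i, n in enumerate(chunk.encode().hex()):
            bank[i << 4] = int(n, 16)
    return ram

def decode(dump):
    """Keep character 0 of each 16-nibble register for one pass, pair nibbles into bytes."""
    return bytes.fromhex(dump[::16][:16]).rstrip(b"\0").decode()

def recover_key(ram):  # byte 0 becomes LDM <bank>, as in the write-up's rerun
    dumps = (run(bytes([0xD0 | b]) + PAYLOAD[1:], ram) for b in range(len(ram)))
    return "".join(decode(d) for d in dumps)

if __name__ == "__main__":
    print(recover_key(make_ram(["ToldYouI", "tWasInMe", "mory"])))
```

With "ToldYouI" placed in bank 0 this way, the first 80 characters the model emits match the first dump line shown above, which supports reading each 16-character group as one RAM register.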