okasokasokasokas
SECCON CTF 2017 - z80 - 300 points 본문
Problem provides arduino source(.ino) and some pictures that connected between arduino mega and Toshiba TMPZ84C00AP.
There are some variables that define the pin number on the top of the source code.
unsigned D0=22;
unsigned D1=23;
unsigned D2=24;
unsigned D3=25;
unsigned D4=26;
unsigned D5=27;
unsigned D6=28;
unsigned D7=29;
unsigned AD0=30;
unsigned AD1=31;
unsigned AD2=32;
unsigned AD3=33;
unsigned AD4=34;
unsigned AD5=35;
unsigned AD6=36;
unsigned AD7=37;
unsigned AD8=38;
unsigned AD9=39;
unsigned AD10=40;
unsigned AD11=41;
unsigned AD12=42;
unsigned AD13=43;
unsigned AD14=44;
unsigned AD15=45;
unsigned WR=46;
unsigned RD=47;
unsigned BUSRQ=48;
unsigned BUSACK=49;
unsigned CLK=50;
unsigned RESET=51;
unsigned MREQ=52;
unsigned IORQ=53;
unsigned HALT=A13;
unsigned RFSH=A14;
unsigned M1=A15;
unsigned DATA[]={D0,D1,D2,D3,D4,D5,D6,D7};
unsigned ADDR[]={AD0,AD1,AD2,AD3,AD4,AD5,AD6,AD7,AD8,AD9,AD10,AD11,AD12,AD13,AD14,AD15};
unsigned long clocks = 0;
#define memsize 0x1000
static unsigned char mem[memsize] = {
0x22, 0x47, 0x00, 0x3d, 0x53, 0x77, 0x23, 0x3d, 0x45, 0x77, 0x23, 0x3d, 0x43,
0x77, 0x23, 0x77, 0x23, 0xc5, 0x0c, 0x77, 0x23, 0xc5, 0xfd, 0x77, 0x23, 0x3d,
0x7b, 0x77, 0x23, 0x39, 0x44, 0x00, 0x47, 0xc5, 0x46, 0x31, 0x44, 0x00, 0x78,
0x31, 0x46, 0x00, 0xfd, 0x22, 0xf9, 0x1e, 0x00, 0xfd, 0x7b, 0xf1, 0x1e, 0x00,
0x77, 0x23, 0x39, 0x45, 0x00, 0x3e, 0x31, 0x45, 0x00, 0xc1, 0x1e, 0x00, 0x3d,
0x7d, 0x77, 0x75, 0x03, 0x0b, 0x09,
};
// ...
D0 should connect to 22 and D1 to 23 and D2 to 24 and so on.
But there is a problem according to these two pictures.
Pins in the green circle connects to the ports in yellow circle where port number is 22 to 28.(Look at the sample of Arduino MEGA above)
By tracing the line, we can know that the lines are connected like this.
Line Color |
Pin on z80 |
port on Arduino MEGA |
Brown |
D0 |
23 |
White, Brown line |
D1 |
22 |
Blue |
D2 |
24 |
White, Blue line |
D3 |
25 |
Orange |
D4 |
26 |
White, Orange line |
D5 |
27 |
Green |
D6 |
28 |
White, Green line |
D7 |
29 |
D0 must be connected to 22 but connected to 23 and D1 must be connected to 23 but in 22
Rest of the lines are correct.
As a result, all of the data which pass the D_ pins need to swap 1st bit and 2nd bit.
All of the instruction was swapped. So, recover it.
a = [ 0x22, 0x47, 0x00, 0x3d, 0x53, 0x77, 0x23, 0x3d, 0x45, 0x77, 0x23, 0x3d, 0x43, 0x77, 0x23, 0x77,
0x23, 0xc5, 0x0c, 0x77, 0x23, 0xc5, 0xfd, 0x77, 0x23, 0x3d, 0x7b, 0x77, 0x23, 0x39, 0x44, 0x00,
0x47, 0xc5, 0x46, 0x31, 0x44, 0x00, 0x78, 0x31, 0x46, 0x00, 0xfd, 0x22, 0xf9, 0x1e, 0x00, 0xfd,
0x7b, 0xf1, 0x1e, 0x00, 0x77, 0x23, 0x39, 0x45, 0x00, 0x3e, 0x31, 0x45, 0x00, 0xc1, 0x1e, 0x00,
0x3d, 0x7d, 0x77, 0x75, 0x03, 0x0b, 0x09]
b = []
for i in a:
upper = (i >> 2) << 2
i2 = (i >> 1) & 1
i1 = i & 1
b.append(upper | i2 | (i1 << 1))
print "".join(["%02x"%(i)for i in b])
# 2147003e5377233e4677233e4377237723c60c7723c6fe77233e7b77233a440047c64532440078324500fe21fa1d00fe7bf21d0077233a46003d324600c21d003e7e7776030b0a
By running that bytecode with emulator, we can get the datas written in address 0x47~ (disassemble it yourself)
SFCCOM{H\\+p?S\"g6J~
We need to do bit swap to this data, too.
a = "SFCCOM{H\\+p?S\"g6J~"
b = []
for i in a:
i = ord(i)
upper = (i >> 2) << 2
i2 = (i >> 1) & 1
i1 = i & 1
b.append(chr(upper | i2 | (i1 << 1)))
print "".join(b)
# SECCON{H\+p?S!g5I}
SECCON{H\+p?S!g5I}'Hacking > Write-up' 카테고리의 다른 글
| Midnight Sun CTF 2020 Qual - pysonIVY (0) | 2020.04.06 |
|---|---|
| Codegate 2018 Final - G0Crack(Rev) (0) | 2018.04.09 |
