picoCTF: Some Assembly Required 2
I wrote this CTF writeup a while ago and put it on my main webpage. It works better on my blog instead, so I decided to post it here.
picoCTF: Some Assembly Required 2
This challenge is a cross between Web and Binary Exploitation. It deals with obfuscated JavaScript code that interacts with WebAssembly.
We are presented with a fairly simple website. It has a single textbox and a submit button where we can verify the correctness of our flag. Looking at the source code, clicking the submit button leads to a method called onButtonPress()
.
<button onclick="onButtonPress()">Submit</button>
However, the attached JavaScript file that has onButtonPress()
is obfuscated:
function onButtonPress() {
const _0x50ea62 = _0x5c00;
let _0x5f4170 = document[_0x50ea62(0xd8)](_0x50ea62(0xda))[_0x50ea62(0xc5)];
for (let _0x19d3ca = 0x0; _0x19d3ca < _0x5f4170['length']; _0x19d3ca++) {
exports[_0x50ea62(0xc4)](_0x5f4170[_0x50ea62(0xd1)](_0x19d3ca), _0x19d3ca);
}
exports['copy_char'](0x0, _0x5f4170[_0x50ea62(0xd7)]),
exports[_0x50ea62(0xca)]() == 0x1 ? document['getElementById'](_0x50ea62(0xd3))[_0x50ea62(0xd0)] = _0x50ea62(0xce) : document[_0x50ea62(0xd8)](_0x50ea62(0xd3))['innerHTML'] = _0x50ea62(0xd5);
}
However, it’s evident that this code is iterating through each character in the textbox (reference to getElementById
and length
) and passing it into some function called copy_char
.
Looking at the WASM code, we are presented with the function copy_char
(func $copy_char (;3;) (export "copy_char") (param $var0 i32) (param $var1 i32)
(local $var2 i32)
(local $var3 i32)
(local $var4 i32)
(local $var5 i32)
(local $var6 i32)
(local $var7 i32)
(local $var8 i32)
(local $var9 i32)
(local $var10 i32)
global.get $global0
local.set $var2
i32.const 16
local.set $var3
local.get $var2
local.get $var3
i32.sub
local.set $var4
local.get $var4
local.get $var0
i32.store offset=12
local.get $var4
local.get $var1
i32.store offset=8
local.get $var4
i32.load offset=12
local.set $var5
block $label0
local.get $var5
i32.eqz
br_if $label0
local.get $var4
i32.load offset=12
local.set $var6
i32.const 8
local.set $var7
local.get $var6
local.get $var7
i32.xor
local.set $var8
local.get $var4
local.get $var8
i32.store offset=12
end $label0
local.get $var4
i32.load offset=12
local.set $var9
local.get $var4
i32.load offset=8
local.set $var10
local.get $var10
local.get $var9
i32.store8 offset=1072
return
)
and a random string variable:
(data (i32.const 1024) "xakgK\5cNs>n;jl90;9:mjn9m<0n9::0::881<00?>u\00\00")
Going step-by-step in the copy_char
function, we see that it takes the character in $var0
, XOR
’s it with 8
, and puts it in $var1
:
i32.const 8
local.set $var7
local.get $var6
local.get $var7
i32.xor
XOR
ing the string "xakgK\5cNs>n;jl90;9:mjn9m<0n9::0::881<00?>u\00\00"
with 8
yields:
picoC\rkF{6f3bd18312ebf1e48f12282200948876}\x08\x08
which is our flag!