- Author: ZERO-A-ONE
- Date: 2021-08-08
0x1 Challenge Intent
This challenge is positioned as a basic reverse-engineering problem. Its purpose is to get solvers familiar with the OpenHarmony operating-system environment, with the RISC-V environment of the Hi3861V100 development board under OpenHarmony, and with the musl libc environment commonly used on IoT devices.
0x2 Challenge Construction
2.1 Building the system firmware
riscv32_virt/
This subdirectory contains the code for validating the OpenHarmony kernel_liteos_m kernel on the QEMU RISC-V virtualization platform; the directory is named riscv32_virt. The RISC-V virtualization platform is a qemu-system-riscv32 target (the generic virt machine) used to emulate a generic RISC-V-based single board.
The emulated configuration is: RISC-V architecture, 1 CPU, 128 MB of RAM.
Note: the system memory size is hard-coded to 128 MB.
We use OpenHarmony OS 2.2.0 LTS, because this release was the first to ship a mature path for running the Hi3861V100 firmware under QEMU, so I first looked into how to write a custom program for the Hi3861V100 on 2.2.0 LTS.
On 2.2.0 LTS, when the Hi3861V100 firmware is run inside QEMU, the main application logic lives in
/device/qemu/riscv32_virt/test/test_demo.c
To keep the analysis easy, I again chose a simple Caesar cipher. The final source is as follows:
/*
* Copyright (c) 2013-2019 Huawei Technologies Co., Ltd. All rights reserved.
* Copyright (c) 2020-2021 Huawei Device Co., Ltd. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this list of
* conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright notice, this list
* of conditions and the following disclaimer in the documentation and/or other materials
* provided with the distribution.
*
* 3. Neither the name of the copyright holder nor the names of its contributors may be used
* to endorse or promote products derived from this software without specific prior written
* permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
* OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "los_task.h"
#include "los_debug.h"

/* Low-priority task: prints a banner once a second so the console shows
 * that the system is alive. */
static void TaskSampleEntry2(void)
{
    while (1) {
        printf("OpenHarmony OS LTS 2.2.0 Beta 2\n\r");
        LOS_TaskDelay(1000);
    }
}

/* Challenge task: prints the plaintext, then Caesar-shifts it in place by
 * k = 3. The ciphertext is deliberately never printed; the solver has to
 * recover the logic from the firmware or read the buffer out under GDB. */
static void TaskSampleEntry1(void)
{
    while (1) {
        printf("Welcome to RCTF 2021...\n\r");
        printf("You Get a gift: HARMONYDREAMITPOSSIBLE\n\r");
        printf("What is the result of encryption?\n\r");
        char flag[] = "HARMONYDREAMITPOSSIBLE";
        int k = 3;
        char l[26] = { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
                       'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z' };
        for (int i = 0; i < 22; i++) {
            if ((flag[i] + k) <= 'Z') {
                /* No wrap-around needed. */
                flag[i] = flag[i] + k;
            } else {
                /* Wrap past 'Z': for k = 3, j is 1..3, so l[j-1] is 'A'..'C'. */
                int j = (flag[i] + k - 'Z') % 26;
                flag[i] = l[j - 1];
            }
        }
        //printf("The result of encryption: %s\n\r", flag);
        LOS_TaskDelay(1000);
    }
}

/* Application entry point called by the LiteOS-M kernel after init:
 * creates the two tasks above. The same TSK_INIT_PARAM_S is reused for
 * the second task, only entry, name and priority change. */
unsigned int LosAppInit(VOID)
{
    unsigned int ret;
    unsigned int taskID1, taskID2;
    TSK_INIT_PARAM_S task1 = { 0 };

    task1.pfnTaskEntry = (TSK_ENTRY_FUNC)TaskSampleEntry1;
    task1.uwStackSize = 0x1000;
    task1.pcName = "TaskSampleEntry1";
    task1.usTaskPrio = 6;
    ret = LOS_TaskCreate(&taskID1, &task1);
    if (ret != LOS_OK) {
        printf("Create Task failed! ERROR: 0x%x\n", ret);
        return ret;
    }

    task1.pfnTaskEntry = (TSK_ENTRY_FUNC)TaskSampleEntry2;
    task1.uwStackSize = 0x1000;
    task1.pcName = "TaskSampleEntry2";
    task1.usTaskPrio = 7;
    ret = LOS_TaskCreate(&taskID2, &task1);
    if (ret != LOS_OK) {
        printf("Create Task failed! ERROR: 0x%x\n", ret);
    }
    return ret;
}
Then build it:
$ cd device/qemu/riscv32_virt
$ hb build -f
This command produces the liteos image file.
After the build finishes, the image is located at (relative to device/qemu/riscv32_virt):
../../../out/riscv32_virt/bin/liteos
2.2 Running the image in QEMU
qemu-system-riscv32 must be installed.
The recommended way to run the image is the qemu_run.sh script that the build generates:
./qemu_run.sh ./liteos
2.3 GDB debugging
The firmware has to be built with debug information. Edit the board configuration:
$ cd device/qemu/riscv32_virt
$ vim liteos_m/config.gni
and change the board_opt_flags compiler options from
board_opt_flags = [ "-O2" ]
to:
board_opt_flags = [
    "-g",
    "-O0",
]
Save, exit, and rebuild:
$ hb build -f
Then edit the generated qemu_run.sh script to add the options that start QEMU's GDB server: -s listens for GDB on tcp::1234, and -S halts the CPU at reset until GDB issues continue.
set -e
EXEFILE=$1
if [ "$EXEFILE" == "" ]; then
    echo "Specify the path to the executable file"
    echo "For example:"
    echo "./qemu_sifive_run.sh out/OHOS_Image"
    exit
fi
qemu-system-riscv32 -s -S \
    -m 128M \
    -bios none \
    -machine virt \
    -kernel $EXEFILE \
    -nographic \
    -append "root=/dev/vda or console=ttyS0"
In one terminal run
./qemu_run.sh ./liteos
and in another terminal
$ riscv32-unknown-elf-gdb ./liteos
(gdb) target remote localhost:1234
(gdb) b main
Because QEMU was started with -S, the target sits halted at reset; issue continue once the breakpoints are in place.
Note: when debugging with GDB, the executable handed to GDB must be the one under out/riscv32_virt/unstripped/bin, since the image in bin/ has been stripped of symbols.
0x3 Challenge Description
Chinese (translated):
Hello, hackers! Have you heard of the myth of Pangu, who split heaven from earth to create the world in Chinese mythology?
English:
Hello, hackers! Have you ever heard of pangu, the creator of the world in Chinese mythology?
0x4 Solution
The key encryption routine can be located either by stepping through the firmware under GDB or by loading the image into IDA with the RISC-V 32-bit processor plugin. It is easy to see that the routine is a plain Caesar cipher with a shift of 3. The plaintext HARMONYDREAMITPOSSIBLE is printed in the banner, so the ciphertext is KDUPRQBGUHDPLWSRVVLEOH and the final flag is RCTF{KDUPRQBGUHDPLWSRVVLEOH}.
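To check the answer without booting the firmware, here is an added example (my own code, not part of the challenge firmware or the OpenHarmony tree). It reimplements the shift generically for any key, reproduces the firmware's exact table-lookup branch to show that the two agree for every uppercase letter and every key 1..25 (so the `l[j-1]` construction is just `(x + k) mod 26`), and recovers the key from the known plaintext/ciphertext pair. The function names `caesar_shift`, `firmware_step`, `firmware_matches_generic`, `recover_key` and `shift_equals` are my own.

```c
#include <stdio.h>
#include <string.h>

/* Generic Caesar shift over 'A'..'Z'; other bytes pass through unchanged.
 * k may be negative (decryption) or exceed 25. out must hold strlen(in)+1
 * bytes; the function returns out. */
char *caesar_shift(const char *in, int k, char *out)
{
    int kk = ((k % 26) + 26) % 26;      /* normalise the key to 0..25 */
    size_t i;
    for (i = 0; in[i] != '\0'; i++) {
        char c = in[i];
        out[i] = (c >= 'A' && c <= 'Z') ? (char)('A' + (c - 'A' + kk) % 26) : c;
    }
    out[i] = '\0';
    return out;
}

/* The exact per-character transform from the firmware's TaskSampleEntry1,
 * valid for uppercase c and 1 <= k <= 25 (for k = 3, j is always 1..3). */
char firmware_step(char c, int k)
{
    static const char l[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    if (c + k <= 'Z')
        return (char)(c + k);
    int j = (c + k - 'Z') % 26;
    return l[j - 1];
}

/* Returns 1 iff firmware_step and caesar_shift agree on every uppercase
 * letter for every key 1..25, i.e. the table lookup is just (x + k) mod 26. */
int firmware_matches_generic(void)
{
    for (int k = 1; k < 26; k++) {
        for (int c = 'A'; c <= 'Z'; c++) {
            char in[2] = { (char)c, '\0' }, out[2];
            if (caesar_shift(in, k, out)[0] != firmware_step((char)c, k))
                return 0;
        }
    }
    return 1;
}

/* Known-plaintext key recovery: returns the shift 0..25 that maps plain to
 * cipher, or -1 if no single shift explains every character. */
int recover_key(const char *plain, const char *cipher)
{
    char buf[128];
    if (strlen(plain) != strlen(cipher) || strlen(plain) >= sizeof buf)
        return -1;
    for (int k = 0; k < 26; k++)
        if (strcmp(caesar_shift(plain, k, buf), cipher) == 0)
            return k;
    return -1;
}

/* Convenience predicate: does shifting in by k give expected? */
int shift_equals(const char *in, int k, const char *expected)
{
    char buf[128];
    if (strlen(in) >= sizeof buf)
        return 0;
    return strcmp(caesar_shift(in, k, buf), expected) == 0;
}

int main(void)
{
    const char *gift = "HARMONYDREAMITPOSSIBLE";   /* plaintext the firmware prints */
    char enc[64], dec[64];

    caesar_shift(gift, 3, enc);
    printf("ciphertext : %s\n", enc);
    printf("recovered k: %d\n", recover_key(gift, enc));
    printf("decrypted  : %s\n", caesar_shift(enc, -3, dec));
    printf("firmware branch == generic shift: %s\n",
           firmware_matches_generic() ? "yes" : "no");
    printf("flag: RCTF{%s}\n", enc);
    return 0;
}
```

Compile with any C99 compiler (`cc caesar.c -o caesar && ./caesar`); the same loop, with `recover_key` replaced by a frequency or dictionary check, is what you would use when the plaintext is not handed to you in the banner.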