SECCON 2014 - Let's Disassemble

We are given a service that returns hex bytes that are assembly instructions. Our job is to create a client to respond with the correct instruction cooresponding to the given assembly.

What language do we disassemble to, you might ask? Let’s ask radare!

Finding the given language

I used radare for this task. Radare is a multi-architecture and multi-platform command line reverse engineering toolkit. One tool in the tool box is rasm2 which can take hex digits and convert them into the cooresponding assembly instruction.

I looked at the supported languages via rasm2 -L

$ rasm2 -L
_dA_  8          8051        PD      8051 Intel CPU
_dA_  16 32      arc         GPL3    Argonaut RISC Core
_dAe  16 32 64   arm         BSD     Capstone ARM disassembler
adA_  16 32 64   arm.gnu     GPL3    Acorn RISC Machine CPU
_d__  16 32      arm.winedbg LGPL2   WineDBG's ARM disassembler
_dA_  16 32      avr         GPL     AVR Atmel
adAe  16 32      bf          LGPL3   Brainfuck
_dA_  16         cr16        LGPL3   cr16 disassembly plugin
_dA_  16         csr         PD      Cambridge Silicon Radio (CSR)
adA_  32 64      dalvik      LGPL3   AndroidVM Dalvik
ad__  16         dcpu16      PD      Mojang's DCPU-16
_dA_  32 64      ebc         LGPL3   EFI Bytecode
_dAe  8          gb          LGPL3   GameBoy(TM) (z80-like)
_dA_  16         h8300       LGPL3   H8/300 disassembly plugin
_d__             i4004       LGPL3   Intel 4004 microprocessor
_dA_  8          i8080       BSD     Intel 8080 CPU
adA_  32         java        Apache  Java bytecode
_dA_  16 32      m68k        BSD     Motorola 68000
_dA_  32         malbolge    LGPL3   Malbolge Ternary VM
adAe  16 32 64   mips        BSD     Capstone MIPS disassembler
adAe  32 64      mips.gnu    GPL3    MIPS CPU
_d__  16 32 64   msil        PD      .NET Microsoft Intermediate Language
_dA_  16         msp430      LGPL3   msp430 disassembly plugin
_dAe  32         nios2       GPL3    NIOS II Embedded Processor
_dA_  32 64      ppc         BSD     Capstone PowerPC disassembler
_dA_  32 64      ppc.gnu     GPL3    PowerPC
ad__             rar         LGPL3   RAR VM
_dA_  32         sh          GPL3    SuperH-4 CPU
_dAe  32 64      sparc       BSD     Capstone SPARC disassembler
_dA_  32 64      sparc.gnu   GPL3    Scalable Processor Architecture
_d__  16         spc700      LGPL3   spc700, snes' sound-chip
_d__  32         sysz        BSD     SystemZ CPU disassembler
_dA_  32         tms320      LGPLv3  TMS320 DSP family
_dA_  32         v850        LGPL3   v850 disassembly plugin
_dA_  32         ws          LGPL3   Whitespace esotheric VM
_dAe  16 32 64   x86         BSD     Capstone X86 disassembler
a___  32 64      LGPL3   x86 handmade assembler
ad__  32         x86.olly    GPL2    OllyDBG X86 disassembler
_dAe  16 32 64   x86.udis    BSD     udis86 x86-16,32,64
_dAe  32         xcore       BSD     Capstone XCore disassembler
adA_  8          z80         NC-GPL2 Zilog Z80
ad__  8 16       psosvm      BSD     Smartcard PSOS Virtual Machine
_d__  32         propeller   LGPL3   propeller disassembly plugin
_d__  8 16       6502        LGPL3   6502/NES/C64/T-1000 CPU
a___  16 32 64   x86.nasm    LGPL3   X86 nasm assembler
_d__  8 16       snes        LGPL3   SuperNES CPU
a___  16 32 64      LGPL3   Intel X86 GNU Assembler

By simply looped through this list sending back a response to the server until I received a second question. My initial assumption was that the server is single architecture, so once I found one successful answer, the rest should be easy-peasy.

for curr_arch in archs:
    with remote(addr, port) as r:
        arch = curr_arch
        # Grab problem
        msg = r.recv(timeout=3)
        print msg

        # Recv only the assembly from problem
        asm = msg.split('\n')[0].split(':')[1].replace(' ','')

        # Call rasm2 with the assembly and correct architecture
        res = subprocess.check_output('rasm2 -d "{}" -a {}'.format(asm, arch), shell=True)
            print '{0} {1} {0}'.format('-'*20, arch)
  "In: {} Out: {}".format(asm, res))
            if '#2' in r.recv(timeout=2):
                print "FOUND IT"
        except Exception as e:
            print str(e)

The script stopped at language z80.

$ rasm2 -d AC -a z80
xor h

Using this language moving forward, there was one more small bug to iron out before getting the golden flag.

rasm2 spit out a few commands where the offset arithmetic was adding a negative number instead of simply subtracting the correct value. The server wasn’t too happy about this. The solution was to simply calculate the negative value and replace the offset with the correct subtraction.

After solving 100 problems:

[*] In: CB23 Out: sla e
[*] In: 85 Out: add a, l
[*] In: EDA9 Out: cpd
[*] In: DDCBAF7E Out: bit 7, (ix-81)
The flag is SECCON{I love Z80. How about you?}

Final Exploit

from pwn import *
import subprocess
import re
import string

addr = ''
port = 23168

archs = [

for curr_arch in archs:
    with remote(addr, port) as r:
        while True:
            arch = 'z80'
            # Grab problem
            msg = r.recv(timeout=3)
            if 'Congra' in msg:
                print r.recv(timeout=3)

            # Get only the assembly from problem
            asm = msg.split('\n')[0].split(':')[1].replace(' ','')
            # Call rasm2 with the assembly and correct architecture
            res = subprocess.check_output('rasm2 -d "{}" -a {}'.format(asm, arch), shell=True)

            There was a problem with signed offsets in rasm that the servers didn't enjoy.
            The solution was to get the cooresponding negative number and subtract that
            instead of adding a positive numher
            m ='\+(0x[89abcdefABCDEF].)', res)
            if m:
                # res = subprocess.check_output('rasm2 -d "{}" -a {}'.format(asm, arch), shell=True)
                offset = int(, 16)
                signed_offset = str(~(offset-257))
                offset = '0x{}'.format(str(hex(offset))[2:4].upper())
                # signed_offset = '0x{}'.format(str(hex(signed_offset))[2:4].upper()).replace('X','')
                res = res.replace('+' + offset, '-' + signed_offset)
                res = re.sub(r'a, ','',res)
                res = re.sub(r', ([{}])'.format(string.letters),r',\1',res)
      "In: {} Out: {}".format(asm, res))
            except Exception as e:
                print str(e)
For relevant code for this writeup:
git clone