Tags: misc, free, medium

ARMs Race

HackTheBox


Techniques: arm_emulation, multi_round_automation, cpu_emulation



Description

The famous hacker Script K. Iddie has finally been caught after many years of cybercrime. Before he was caught, he released a server sending mysterious data, and promised his 0-days to anyone who could solve his multi-level hacking challenge. Now everyone is in an ARMs race to get his exploits. Can you be the one to solve Iddie's puzzle?

Target: TCP service sending 50 levels of ARM machine code to emulate.

Analysis

Interaction Protocol

  • Connect to TCP service
  • Server sends 50 levels
  • Each level format: Level X/50: <hex_encoded_ARM_machine_code>\nRegister r0:
  • Must respond with the value of register r0 after code execution
  • Timeout on each response — manual solving is impossible

Machine Code Analysis

  • ARM32 little-endian machine code
  • Disassembly via Capstone shows:
    • movw/movt — loading 32-bit immediate values into registers r1, r2
    • Arithmetic/logical operations on r0: add, sub, mul, eor (xor), and, orr, rsb (reverse subtract), adc (add with carry), sbc (subtract with carry)
  • Code size grows progressively:
    • Levels 1-10: ~468 bytes
    • Levels 11-20: ~932 bytes
    • Levels 21-30: ~1400 bytes
    • Levels 31-40: ~1880 bytes
    • Levels 41-50: ~2340 bytes
  • All operations on 32-bit unsigned values

Solution Approach

Use Unicorn Engine to emulate each level's ARM code:

  1. Receive hex code from server
  2. Decode to bytes
  3. Emulate via Unicorn (ARM32 LE)
  4. Read r0 value
  5. Send response in hex

Solution

#!/usr/bin/env python3
from pwn import *
from unicorn import *
from unicorn.arm_const import *
import binascii
import re

HOST = '94.237.63.176'
PORT = 36131
ADDRESS = 0x10000
STACK_ADDR = 0x800000
...
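The writeup's script is cut off above and depends on Unicorn and pwntools. As an added example that is not the writeup's own code, the following is a dependency-free emulator for exactly the instruction subset the analysis lists (movw/movt, mul, and add/sub/adc/sbc/rsb/and/orr/eor with unshifted register or rotated-immediate operands), plus a parser for the "Level X/50: <hex>" prompt. It assumes each level starts from an all-zero register file and clear flags, which is also what a fresh Unicorn context gives; it tracks the N/Z/C flags set by the S bit, because a solver that ignores carry answers adc/sbc levels wrongly, and it raises on anything outside the subset (conditional execution, shifted operands) rather than guessing. The sample level, the names `emulate`, `parse_level` and `solve_level`, and the hex layout of the sample are constructed for this example, not captured from the challenge server.

```python
#!/usr/bin/env python3
"""Dependency-free emulator for the A32 little-endian subset the levels use: movw/movt,
mul and the plain data-processing ops. Anything else raises instead of being guessed."""
import re
import struct

MASK = 0xFFFFFFFF

class UnsupportedInstruction(Exception):
    """Raised for any encoding outside the supported subset."""

# Arithmetic opcodes (bits 24..21) as (x, y, carry_in): result = x + y + carry_in and
# carry_out = bit 32, which is how the ARM ALU derives C for SUB/RSB/SBC as well.
ARITH = {
    0x2: lambda a, b, c: (a, ~b & MASK, 1),   # SUB  a - b
    0x3: lambda a, b, c: (~a & MASK, b, 1),   # RSB  b - a
    0x4: lambda a, b, c: (a, b, 0),           # ADD
    0x5: lambda a, b, c: (a, b, c),           # ADC  a + b + C
    0x6: lambda a, b, c: (a, ~b & MASK, c),   # SBC  a - b - !C
    0x7: lambda a, b, c: (~a & MASK, b, c),   # RSC  b - a - !C
}
LOGIC = {
    0x0: lambda a, b: a & b,   # AND
    0x1: lambda a, b: a ^ b,   # EOR
    0xC: lambda a, b: a | b,   # ORR
    0xD: lambda a, b: b,       # MOV
}

def emulate(code):
    """Run raw A32 LE code from a zeroed register file; return registers and N/Z/C flags."""
    r, fl = [0] * 16, {"N": 0, "Z": 0, "C": 0}
    for (insn,) in struct.iter_unpack("<I", code):
        if insn >> 28 != 0xE:                          # only the AL (always) condition
            raise UnsupportedInstruction(f"conditional encoding {insn:#010x}")
        rn, rd = (insn >> 16) & 0xF, (insn >> 12) & 0xF
        top = (insn >> 20) & 0xFF                      # bits 27..20
        if top in (0x30, 0x34):                        # MOVW (0x30) / MOVT (0x34)
            imm16 = ((insn >> 4) & 0xF000) | (insn & 0xFFF)
            r[rd] = imm16 if top == 0x30 else (r[rd] & 0xFFFF) | (imm16 << 16)
            continue
        if (insn & 0x0FC000F0) == 0x90:                # MUL Rd, Rn, Rm; Rd sits in bits 19..16
            r[rn] = res = (r[insn & 0xF] * r[(insn >> 8) & 0xF]) & MASK
            if insn & (1 << 20):                       # MULS updates N and Z only
                fl["N"], fl["Z"] = res >> 31, int(res == 0)
            continue
        opcode, s = (insn >> 21) & 0xF, (insn >> 20) & 1
        if (insn >> 26) & 3 or (opcode not in ARITH and opcode not in LOGIC):
            raise UnsupportedInstruction(f"unhandled encoding {insn:#010x}")
        if insn & (1 << 25):                           # modified immediate: imm8 ROR (2*rot)
            rot, imm8 = ((insn >> 8) & 0xF) * 2, insn & 0xFF
            op2 = ((imm8 >> rot) | (imm8 << (32 - rot))) & MASK
            shifter_c = op2 >> 31 if rot else fl["C"]  # rotation's carry-out, used by logic ops
        elif insn & 0xFF0:                             # shifted register operand: not in the subset
            raise UnsupportedInstruction(f"shifted register operand {insn:#010x}")
        else:
            op2, shifter_c = r[insn & 0xF], fl["C"]
        if opcode in ARITH:
            x, y, cin = ARITH[opcode](r[rn], op2, fl["C"])
            full = x + y + cin
            res, carry = full & MASK, (full >> 32) & 1
        else:
            res, carry = LOGIC[opcode](r[rn], op2), shifter_c
        if s:                                          # S bit set (adds, subs, ...): write flags
            fl["N"], fl["Z"], fl["C"] = res >> 31, int(res == 0), carry
        r[rd] = res
    return {"r": r, "flags": fl}

LEVEL_RE = re.compile(r"Level (\d+)/(\d+): ([0-9a-fA-F]+)")

def parse_level(prompt):
    """Split a 'Level X/50: <hex>' prompt into (level, total, code_bytes)."""
    m = LEVEL_RE.search(prompt)
    if not m:
        raise ValueError("prompt does not match the level format")
    return int(m.group(1)), int(m.group(2)), bytes.fromhex(m.group(3))

def solve_level(hex_code):
    """Value of r0 after the level's code runs, which is what the service asks for."""
    return emulate(bytes.fromhex(hex_code))["r"][0]

# Constructed sample level, hand-assembled for this example (not captured from the server).
SAMPLE_WORDS = [
    0xE30F1FFF,  # movw r1, #0xffff
    0xE34F1FFF,  # movt r1, #0xffff      r1 = 0xffffffff
    0xE3002003,  # movw r2, #3
    0xE0900001,  # adds r0, r0, r1       r0 = 0xffffffff, C = 0
    0xE0900002,  # adds r0, r0, r2       r0 = 2, C = 1 (wrapped past 2^32)
    0xE0A00002,  # adc  r0, r0, r2       r0 = 2 + 3 + C = 6
    0xE0600001,  # rsb  r0, r0, r1       r0 = 0xffffffff - 6 = 0xfffffff9
    0xE0000290,  # mul  r0, r0, r2       r0 = 0xffffffeb
    0xE0000001,  # and  r0, r0, r1       unchanged
    0xE0C00002,  # sbc  r0, r0, r2       r0 = 0xffffffeb - 3 - !C = 0xffffffe8
    0xE1800002,  # orr  r0, r0, r2       r0 = 0xffffffeb
    0xE2400010,  # sub  r0, r0, #0x10    r0 = 0xffffffdb
]
SAMPLE_HEX = b"".join(struct.pack("<I", w) for w in SAMPLE_WORDS).hex()
SAMPLE_PROMPT = f"Level 7/50: {SAMPLE_HEX}\nRegister r0: "
```

In a real solver loop, `parse_level` would be fed each prompt the service sends and `solve_level` would produce the number to send back, in whatever hex format the service expects (the preview only says "in hex"). The sample deliberately wraps past 2^32 on the second `adds` so that the later `adc` and `sbc` depend on the carry flag; comparing this emulator's r0 with Unicorn's on the same bytes is the quickest way to catch a flag-handling mistake before burning a timed level on it.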
