ARMs Race — HackTheBox

Description

The famous hacker Script K. Iddie has finally been caught after many years of cybercrime. Before he was caught, he released a server sending mysterious data, and promised his 0-days to anyone who could solve his multi-level hacking challenge. Now everyone is in an ARMs race to get his exploits. Can you be the one to solve Iddie's puzzle?

Target: TCP service sending 50 levels of ARM machine code to emulate.

Analysis

Interaction Protocol

• Connect to TCP service
• Server sends 50 levels
• Each level format: Level X/50: <hex_encoded_ARM_machine_code>\nRegister r0:
• Must respond with the value of register r0 after code execution
• Timeout on each response — manual solving is impossible

Machine Code Analysis

• ARM32 little-endian machine code
• Disassembly via Capstone shows:
  • movw/movt — loading 32-bit immediate values into registers r1, r2
  • Arithmetic/logical operations on r0: add, sub, mul, eor (xor), and, orr, rsb (reverse subtract), adc (add with carry), sbc (subtract with carry)
• Code size grows progressively:
  • Levels 1-10: ~468 bytes
  • Levels 11-20: ~932 bytes
  • Levels 21-30: ~1400 bytes
  • Levels 31-40: ~1880 bytes
  • Levels 41-50: ~2340 bytes
• All operations on 32-bit unsigned values

Solution Approach

Using Unicorn Engine to emulate ARM code on each level:

1. Receive hex code from server
2. Decode to bytes
3. Emulate via Unicorn (ARM32 LE)
4. Read r0 value
5. Send response in hex

Solution

#!/usr/bin/env python3
from pwn import *
from unicorn import *
from unicorn.arm_const import *
import binascii
import re

HOST = '94.237.63.176'
PORT = 36131
ADDRESS = 0x10000
STACK_ADDR = 0x800000

def emulate_arm(code_bytes):
    """Emulates ARM32 LE code and returns r0 value."""
    mu = Uc(UC_ARCH_ARM, UC_MODE_ARM | UC_MODE_LITTLE_ENDIAN)
    mu.mem_map(ADDRESS, 2 * 1024 * 1024)
    mu.mem_map(STACK_ADDR, 2 * 1024 * 1024)
    mu.mem_write(ADDRESS, code_bytes)
    mu.reg_write(UC_ARM_REG_SP, STACK_ADDR + 1024 * 1024)
    
    # Initialize all registers to zero
    for reg in [UC_ARM_REG_R0, UC_ARM_REG_R1, UC_ARM_REG_R2, UC_ARM_REG_R3,
                UC_ARM_REG_R4, UC_ARM_REG_R5, UC_ARM_REG_R6, UC_ARM_REG_R7,
                UC_ARM_REG_R8, UC_ARM_REG_R9, UC_ARM_REG_R10, UC_ARM_REG_R11,
                UC_ARM_REG_R12, UC_ARM_REG_LR]:
        mu.reg_write(reg, 0)
    
    try:
        mu.emu_start(ADDRESS, ADDRESS + len(code_bytes))
    except UcError as e:
        pass  # Code may terminate abnormally
    
    return mu.reg_read(UC_ARM_REG_R0)

def main():
    io = remote(HOST, PORT)
    
    for level in range(50):
        data = io.recvuntil(b'Register r0:')
        data_str = data.decode(errors='replace')
        
        match = re.search(r'Level\s+(\d+)/50:\s*([0-9a-fA-F]+)', data_str)
        hex_code = match.group(2)
        code_bytes = binascii.unhexlify(hex_code)
        
        r0 = emulate_arm(code_bytes)
        answer = hex(r0 & 0xFFFFFFFF)
        io.sendline(answer.encode())
    
    remaining = io.recvall(timeout=10)
    print(remaining.decode(errors='replace'))
    io.close()

if __name__ == '__main__':
    main()

Notes

• The flag itself lists all valid approaches: Unicorn, Capstone, QEMU subprocess, Raspberry Pi — "anything but manually"
• Unicorn Engine is the optimal choice: lightweight CPU emulator without needing a full OS or QEMU
• Important to initialize all registers to zero and allocate stack for correct emulation
• Response must be sent in hex format with & 0xFFFFFFFF mask for 32-bit value