RCTF 2021 HarmonyOS Challenge Writeup

  • Author: ZERO-A-ONE
  • Date: 2021-08-08

0x1 Intent of the Challenge

This challenge is positioned as a basic reverse-engineering problem. Its purpose is to get players familiar with the OpenHarmony OS environment, with the RISC-V environment of the OpenHarmony Hi3861V100 development board, and with the musl libc environment that is common on IoT targets.

0x2 How the Challenge Was Built

2.1 Building the System Firmware

The riscv32_virt/ subdirectory contains the part of the OpenHarmony kernel_liteos_m code that is validated on the QEMU RISC-V virt platform; the directory is named riscv32_virt. The RISC-V virt platform is a target machine of qemu-system-riscv32 that emulates a generic single board based on the RISC-V architecture.

The emulated configuration used here is: RISC-V architecture, 1 CPU, 128M of memory.

Note: the system memory is hard-coded to 128MB.

We use the OpenHarmony OS 2.2.0 LTS release, because it is the first release to ship a mature QEMU setup for the Hi3861V100 line (the riscv32_virt target: QEMU's generic virt machine standing in for the RISC-V board, sharing its toolchain and LiteOS-M kernel, rather than a model of the Hi3861 SoC itself). So I first studied how to write a program of our own for Hi3861V100 under 2.2.0 LTS.

For 2.2.0 LTS on Hi3861V100, when the firmware runs under QEMU, the main application logic lives in

/device/qemu/riscv32_virt/test/test_demo.c

To keep the analysis easy, I again chose a simple Caesar cipher. Note that the plaintext and the shift are both literals in the binary and the result is deliberately never printed, so the solver has to recover the cipher from the code. The final source is as follows:

/*
 * Copyright (c) 2013-2019 Huawei Technologies Co., Ltd. All rights reserved.
 * Copyright (c) 2020-2021 Huawei Device Co., Ltd. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without modification,
 * are permitted provided that the following conditions are met:
 *
 * 1. Redistributions of source code must retain the above copyright notice, this list of
 *    conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright notice, this list
 *    of conditions and the following disclaimer in the documentation and/or other materials
 *    provided with the distribution.
 *
 * 3. Neither the name of the copyright holder nor the names of its contributors may be used
 *    to endorse or promote products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "los_task.h"
#include "los_debug.h"

/* Task 2: a heartbeat that only prints a banner. It gives the solver a second
 * task to tell apart from the one that actually does the work. */
static void TaskSampleEntry2(void)
{
    while (1) {
        printf("OpenHarmony OS LTS 2.2.0 Beta 2\n\r");
        LOS_TaskDelay(1000);
    }
}

/* Task 1: prints the plaintext "gift" and Caesar-shifts it in place by k = 3.
 * The ciphertext is never printed; it only ever exists in the local buffer. */
static void TaskSampleEntry1(void)
{
    while (1) {
        printf("Welcome to RCTF 2021...\n\r");
        printf("You Get a gift: HARMONYDREAMITPOSSIBLE\n\r");
        printf("What is the result of encryption?\n\r");
        char flag[] = "HARMONYDREAMITPOSSIBLE";
        int k = 3;
        char l[26] = {
            'A','B','C','D','E','F','G','H','I','J','K','L','M',
            'N','O','P','Q','R','S','T','U','V','W','X','Y','Z'};
        for (int i = 0; i < 22; i++) {
            if ((flag[i] + k) <= 'Z') {
                flag[i] = flag[i] + k;
            } else {
                /* Wrap around via the table. For uppercase input and
                 * 1 <= k <= 25, flag[i] + k - 'Z' is in 1..25, so j is never 0
                 * and l[j - 1] stays in bounds. */
                int j = (flag[i] + k - 'Z') % 26;
                flag[i] = l[j - 1];
            }
        }
        //printf("The result of encryption: %s\n\r",flag);
        LOS_TaskDelay(1000);
    }
}

unsigned int LosAppInit(VOID)
{
    unsigned int ret;
    unsigned int taskID1, taskID2;
    TSK_INIT_PARAM_S task1 = { 0 };
    task1.pfnTaskEntry = (TSK_ENTRY_FUNC)TaskSampleEntry1;
    task1.uwStackSize  = 0x1000;
    task1.pcName       = "TaskSampleEntry1";
    task1.usTaskPrio   = 6;
    ret = LOS_TaskCreate(&taskID1, &task1);
    if (ret != LOS_OK) {
        printf("Create Task failed! ERROR: 0x%x\n", ret);
        return ret;
    }

    /* The same init struct is reused for the second task; only the entry,
     * name and priority change. */
    task1.pfnTaskEntry = (TSK_ENTRY_FUNC)TaskSampleEntry2;
    task1.uwStackSize  = 0x1000;
    task1.pcName       = "TaskSampleEntry2";
    task1.usTaskPrio   = 7;
    ret = LOS_TaskCreate(&taskID2, &task1);
    if (ret != LOS_OK) {
        printf("Create Task failed! ERROR: 0x%x\n", ret);
    }

    return ret;
}

Then build:

$ cd device/qemu/riscv32_virt
$ hb build -f

This command builds the liteos image file.

After the build completes, the image is in the following location:

../../../out/riscv32_virt/bin/liteos

2.2 Running the Image in QEMU

qemu-system-riscv32 must be installed.

The recommended way to run it is the qemu_run.sh script that the build generates:

./qemu_run.sh ./liteos

2.3 Debugging with GDB

At build time:

$ cd device/qemu/riscv32_virt
$ vim liteos_m/config.gni

change the board_opt_flags entry, which reads

board_opt_flags = [ "-O2" ]

to:

board_opt_flags = [
  "-g",
  "-O0",
]

Save, exit, and rebuild:

$ hb build -f

Then modify the generated qemu_run.sh script, mainly to add the options that start the GDB server: -s listens on TCP port 1234, and -S halts the CPU at startup until GDB tells it to continue.

#!/bin/bash
set -e

EXEFILE=$1

if [ "$EXEFILE" == "" ]; then
echo "Specify the path to the executable file"
echo "For example:"
echo "./qemu_sifive_run.sh out/OHOS_Image"
exit
fi

# -s: gdbserver on localhost:1234   -S: do not start the CPU until GDB continues
qemu-system-riscv32  -s -S    \
  -m 128M                  \
  -bios none               \
  -machine virt            \
  -kernel $EXEFILE         \
  -nographic               \
  -append "root=/dev/vda or console=ttyS0"

In one terminal run:

./qemu_run.sh ./liteos

In another terminal run:

$ riscv32-unknown-elf-gdb ./liteos
(gdb) target remote localhost:1234
(gdb) b main
(gdb) c

Note: when debugging with gdb, load the executable from the out/riscv32_virt/unstripped/bin directory; the stripped image in out/riscv32_virt/bin carries no symbols, so breakpoints by name and locals such as flag will not resolve.
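The GDB session described in 2.3 can be scripted. The following is an added example, not part of the original writeup and not OpenHarmony code, written against GDB's Python API: it connects to the QEMU gdbserver, breaks on LOS_TaskDelay (the first point at which the loop in TaskSampleEntry1 has finished rewriting flag in place), ignores hits that come from TaskSampleEntry2, and reads the local flag buffer out of the caller's frame. It assumes the firmware was built with -g -O0, that QEMU was started with -s -S, and that the unstripped ELF is loaded. The file name dump_flag.py and the names FlagDumper, is_target_caller and format_flag are the example's own.

```python
"""
Added example (not the writeup's own code): automate the GDB session.

Usage (assumed file name):
    riscv32-unknown-elf-gdb -x dump_flag.py out/riscv32_virt/unstripped/bin/liteos
"""
try:
    import gdb  # only available when this file is run inside GDB
except ImportError:
    gdb = None  # allows the pure-Python helpers below to be imported elsewhere

TARGET_TASK = "TaskSampleEntry1"  # the task whose local 'flag' holds the ciphertext
FLAG_LEN = 22                     # strlen("HARMONYDREAMITPOSSIBLE")


def is_target_caller(caller_name):
    """True when the function that called LOS_TaskDelay is the cipher task.
    TaskSampleEntry2 calls LOS_TaskDelay too, so the hit must be filtered."""
    return caller_name == TARGET_TASK


def format_flag(ciphertext):
    """Wrap the recovered ciphertext in the competition's flag format."""
    return "RCTF{%s}" % ciphertext


if gdb is not None:
    class FlagDumper(gdb.Breakpoint):
        """Breakpoint on LOS_TaskDelay that dumps 'flag' from the caller frame.

        With -O0 -g the 'flag' array is a real stack local of TaskSampleEntry1,
        and the call site sits inside the same block as its declaration, so
        the variable is in scope in the caller's frame."""

        def __init__(self):
            super().__init__("LOS_TaskDelay")
            self.result = None

        def stop(self):
            caller = gdb.selected_frame().older()
            if caller is None or not is_target_caller(caller.name()):
                return False  # hit from TaskSampleEntry2 (or unknown): keep running
            raw = caller.read_var("flag")            # char flag[23]
            self.result = raw.string(length=FLAG_LEN)
            gdb.write("ciphertext: %s\n" % self.result)
            gdb.write("flag: %s\n" % format_flag(self.result))
            return True  # stop here so the frame can be inspected by hand

    gdb.execute("target remote localhost:1234")
    FlagDumper()
    gdb.execute("continue")  # the CPU is frozen by -S until this point
```

Breaking on LOS_TaskDelay rather than on a source line keeps the script independent of line numbers in test_demo.c; the older() frame check is what makes the breakpoint selective, since both tasks sleep through the same function.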

0x3 Challenge Description

Chinese (translated):

Hello, hackers! Have you heard of the Chinese myth of Pangu, who separated heaven and earth to create the world?

English:

Hello, hackers! Have you ever heard of pangu, the creator of the world in Chinese mythology?

0x4 Solution

The key encryption logic can be located either by stepping through the firmware under GDB or by loading the binary into IDA with RISC-V 32-bit support. It is easy to see that it is a simple Caesar cipher with a shift of 3. The plaintext HARMONYDREAMITPOSSIBLE is printed by the firmware itself (and both it and the shift are literals in the binary, so no dynamic run is strictly needed), which gives the ciphertext KDUPRQBGUHDPLWSRVVLEOH and the final flag RCTF{KDUPRQBGUHDPLWSRVVLEOH}.
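The cipher in the challenge source in 2.1 and the solution above are the same computation, so one offline solver covers both. The following is an added example, not the challenge author's code: it ports the firmware's table-based wrap-around exactly (including the l[j-1] indexing and the range of k for which that indexing is safe), compares it with the textbook modular form for every uppercase letter and every shift 1..25, recovers the shift from a known plaintext/ciphertext pair, and builds the flag. The function names firmware_caesar, caesar, recover_shift, cross_check and solve are the example's own.

```python
"""
Added example (not the challenge's own code): offline solver for the Caesar
cipher in TaskSampleEntry1, generalised to any shift.
"""
import string

ALPHABET = string.ascii_uppercase  # same table as 'char l[26]' in the firmware


def firmware_caesar(plaintext, k):
    """Port of the loop in TaskSampleEntry1, kept quirk-for-quirk.

    The else branch indexes l[j - 1]. That only stays in bounds because, for
    uppercase input and 1 <= k <= 25, c + k - 'Z' lies in 1..25, so j is never
    0. Outside that range the C code would read l[-1]; refuse such inputs."""
    if not 1 <= k <= 25:
        raise ValueError("firmware logic is only valid for 1 <= k <= 25")
    out = []
    for ch in plaintext:
        c = ord(ch)
        if c + k <= ord("Z"):
            out.append(chr(c + k))
        else:
            j = (c + k - ord("Z")) % 26
            assert j != 0, "would be l[-1] in C (out-of-bounds read)"
            out.append(ALPHABET[j - 1])
    return "".join(out)


def caesar(text, k):
    """Textbook Caesar shift over A-Z; any integer k, negative k decrypts."""
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + k) % 26] if ch in ALPHABET else ch
        for ch in text
    )


def recover_shift(plaintext, ciphertext):
    """Brute-force the shift. There are only 26 candidates, so the 'gift'
    string the firmware prints plus one observed ciphertext pins it down."""
    for k in range(26):
        if caesar(plaintext, k) == ciphertext:
            return k
    return None


def cross_check():
    """The firmware's table-based wrap and the modular form agree on every
    uppercase letter for every shift the firmware can handle."""
    return all(
        firmware_caesar(ALPHABET, k) == caesar(ALPHABET, k) for k in range(1, 26)
    )


def solve(gift="HARMONYDREAMITPOSSIBLE", k=3):
    """Compute the flag from the plaintext and shift found in the binary."""
    return "RCTF{%s}" % firmware_caesar(gift, k)


if __name__ == "__main__":
    print("implementations agree for k = 1..25:", cross_check())
    print(solve())
```

cross_check() is the part worth keeping around: when a target hand-rolls a classical cipher, showing that its odd-looking branch is equivalent to plain modular arithmetic (and exactly where it stops being equivalent) is what lets you replace the firmware's loop with a one-liner in the solver with confidence.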

0x5 References


Reposted from blog.csdn.net/kelxLZ/article/details/120270157