exits

Study notes

HarekazeCTF2018 writeup

HarekazeCTF 2018


I made the problem "grom".

grom

This problem was solved by 6 teams.

Thank you for taking on the challenge!

Problem


Let's play on the beach.

Hint: Make waves!


Solution

grom.v is a Verilog HDL source file.

It contains several modules.

$ cat grom.v | grep ^module
module grom ( input  clk, output fin );
module m_080dff705050b75f7e7b8427e914c4b8 (input en, input a, input b, output c);
module m_861cf77c15adc42769c0afb7690a5b51 (input en, input a, input b, output c);
module m_c56c7fa9d959ee9019eb4f00a2a78815 (input en, input a, input b, output c);
module m_de213ed0a801c2b6e7c24720bcf77d06 (input en, input a, input b, output c);
module m_f62643c44848a7717bd50b3508dd6320 (input en, input a, input b, output c);
module m_20f50981ecea610cdbb5b264be20dfae (input en, input a, input b, output c);

Judging from these names, the main module is module grom ( input clk, output fin ). Since its only input is a clock and its only output is fin, you can write a testbench such as sim_grom.v directly from the grom module's I/O.

// sim_grom.v
`timescale 1 ps / 1 ps
module sim_grom;
  parameter STEP = 100;

  // generate clock
  reg clk;
  always begin
    clk = 1;
    #( STEP/2 );
    clk = 0;
    #( STEP/2 );
  end

  // connect grom module (fin declared explicitly instead of relying on an implicit net)
  wire fin;
  grom grom( .clk(clk), .fin(fin) );

  // start simulation
  initial begin
    // dump setting for vvp
    $dumpfile("sim_grom.vcd");
    $dumpvars(0,sim_grom);

    while(!fin) @( posedge clk );

    $finish;
  end

endmodule

You can run the design with a free Verilog compiler and simulator such as Icarus Verilog. However, running it is not enough: you have to look at the waveforms. Free waveform viewers such as GTKWave can display them.

For example:

$ iverilog sim_grom.v grom.v    # compile
$ vvp a.out                     # simulate
$ gtkwave sim_grom.vcd          # display waveform

Looking at the waveforms, you will find some wires whose names begin with f_. The waveforms of f_*** are different from the other waveforms.

By rearranging the waves of f_*** so that you can see the word "HarekazeCTF{", you can find the flag.

The flag is HarekazeCTF{1v3_G077a_5urf1nG_P!k4cI-Iu}.
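The f_ wires can also be pulled out of sim_grom.vcd as text instead of being picked out by eye in GTKWave. The following is an added example, not part of the original challenge or writeup: it parses a VCD dump, keeps the 1-bit signals whose names start with f_, and draws each as one row sampled once per STEP (100 ps). The signal names in the embedded sample are constructed, and the rows come out in alphabetical order, so the rearranging step is still done by hand.

```python
# Constructed sample VCD (signal names f_a1, f_b2, w_c3 are made up, not taken from grom.v).
SAMPLE_VCD = """\
$scope module grom $end
$var wire 1 % f_a1 $end
$var wire 1 & f_b2 $end
$var wire 1 ' w_c3 $end
$upscope $end
$enddefinitions $end
#0
0%
1&
#100
1%
#200
0%
0&
"""

def parse_vcd(text, prefix="f_"):
    """Return {name: [(time, value), ...]} for 1-bit signals whose name starts with prefix."""
    ids, changes, now, in_header = {}, {}, 0, True
    for tok in filter(None, map(str.split, text.splitlines())):
        if in_header:
            if tok[0] == "$var" and tok[2] == "1" and tok[4].startswith(prefix):
                ids[tok[3]] = tok[4]          # VCD id code -> signal name
                changes[tok[4]] = []
            in_header = tok[0] != "$enddefinitions"
        elif tok[0].startswith("#"):          # timestamp line, e.g. "#100"
            now = int(tok[0][1:])
        elif tok[0][0] in "01xzXZ" and tok[0][1:] in ids:   # scalar change, e.g. "1%"
            changes[ids[tok[0][1:]]].append((now, tok[0][0]))
    return changes

def render(changes, step, end_time):
    """Sample every signal once per step: '#' = high, '.' = low, '?' = x/z."""
    rows = {}
    for name, events in sorted(changes.items()):
        row, val, i = "", "x", 0
        for t in range(0, end_time, step):
            while i < len(events) and events[i][0] <= t:
                val = events[i][1]
                i += 1
            row += {"1": "#", "0": "."}.get(val, "?")
        rows[name] = row
    return rows

if __name__ == "__main__":
    for name, row in render(parse_vcd(SAMPLE_VCD), step=100, end_time=300).items():
        print(f"{name:>8} {row}")
```

For a real run, pass the contents of sim_grom.vcd to parse_vcd and set end_time to the last timestamp in the dump.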