Hackvent 2019: Day 22

Hackvent 2019270

Challenge

HV19.22 The command ... is lost

Introduction
Santa bought this gadget when it was released in 2010. He did his own DYI project to control his sledge by serial communication over IR. Unfortunately Santa lost the source code for it and doesn't remember the command needed to send to the sledge. The only thing left is this file: thecommand7.data

Santa likes to start a new DYI project with more commands in January, but first he needs to know the old command. So, now it's on you to help out Santa.

Resource mirror: HV19-Day22-thecommand7.data_.txt

Solution

We inspect our data file and Google some of the hex sequences inside like :100000000C9435000C945D000C945D000C945D0024 and :00000001FF. We soon realise its the hex dump (or machine code) for a program for an AVR micro controller. Based on our search it seems like the dump came from the Atmel ATmega128. We decide to try and use run this hex file in some AVR emulator. As we are on windows we will try using Atmel studio which we have used before for other projects. First we replace spaces with newlines in our hex dump as this seems to allow third party tools to read the file easier.

Next we generate some Atmel ASM code from our hex file using the third party tool ReAVR:

Hackvent 2019 - Day 22 - ReAVR

This generates some Atmel compatible ASM code which we try to run directly in Atmel Studio in an empty ASM assembler project.

We receive one error which tells us that rcall 0x0F78 has a relative jump which is out of reach. We comment it out for now to attempt to run the program.
We let the program run in our debugger and then pause it after some time and inspect our registers in the data segment:

Hackvent 2019 - Day 22 - ReAVR Registers

Thankfully, it contains our daily flag!

Flag:

HV19{H3y_Sl3dg3_m33t_m3_at_th3_n3xt_c0rn3r}

Leave a comment

(required)(will not be published)(required)

Comments

There are no comments yet. Be the first to add one!