CTF
SECCON 2019 - Qualification

PPKeyboard

We were given two files, PPKeyboard.exe and packets.pcapng.
A quick look at packets.pcapng shows that a device is connected and communicating over USB.
Since the exe file's name is PPKeyboard.exe, we can guess it's a keyboard. Actually, it's a MIDI keyboard. Actually, it's an electronic piano keyboard. (If you are curious why, take a look at the MIDI message/protocol here: http://www.music-software-development.com/midi-tutorial.html , though knowledge of the MIDI message/protocol is not required to solve this challenge.)
PPKeyboard.exe first checks whether any MIDI device is available. If there is one, it tries to open the device.
A quick search on MSDN gives us the definition of midiInOpen:
    MMRESULT midiInOpen(
      LPHMIDIIN phmi,
      UINT      uDeviceID,
      DWORD_PTR dwCallback,
      DWORD_PTR dwInstance,
      DWORD     fdwOpen
    );
What's important here is the callback function, sub_7FF792A01070.
Looking at sub_7FF792A01070, we can easily see that it parses some data in a4.
We take a quick look back at the pcapng file and filter for the packets that contain data.
So basically the callback function sub_7FF792A01070 exists to handle those MIDI messages and print out a hex string. Since it compares a4 > 0x7F0000, I figured that we have to change the byte order:
    Ex: 97047f -> 7f0497
So I just dumped the pcapng to CSV and wrote a Python script to parse and reorder the data.
dumper_csv.py
    import csv

    def parse_st(s):
        # Reverse the three bytes at s[2:8], e.g. 97047f -> 0x7f0497
        return '0x' + s[6] + s[7] + s[4] + s[5] + s[2] + s[3]

    arr = []
    with open('seccon_midi.csv', newline='') as csv_file:
        csv_reader = csv.reader(csv_file, delimiter=',')
        for row in csv_reader:
            arr.append(row[6])  # column with the packet data as a hex string

    arr = arr[1:]  # drop the CSV header row
    arr_parsed = []
    for i in range(0, len(arr)):
        arr_parsed.append(parse_st(arr[i]))

    arr2 = []
    for i in range(0, len(arr_parsed)):
        tmp = int(arr_parsed[i], 16)
        # Same comparison as the callback: keep only values above 0x7F0000
        if tmp > 0x7F0000:
            arr2.append(hex(tmp))
    print(len(arr))
    print(str(arr2).replace('\'', ''))
From here on it's pretty trivial: just quickly re-code the callback function.
callback.cpp
    #include <iostream>
    #include <stdio.h>

    using namespace std;

    int main() {
        // Values printed by dumper_csv.py
        unsigned int arr[] = { 0x7f0497, 0x7f0899, 0x7f0697, 0x7f0599, 0x7f0797, 0x7f0999, 0x7f0297, 0x7f0099, 0x7f0697, 0x7f0799, 0x7f0797, 0x7f0599, 0x7f0797, 0x7f0999, 0x7f0797, 0x7f0399, 0x7f0297, 0x7f0199, 0x7f0297, 0x7f0099, 0x7f0497, 0x7f0699, 0x7f0497, 0x7f0c99, 0x7f0497, 0x7f0199, 0x7f0497, 0x7f0799, 0x7f0297, 0x7f0099, 0x7f0697, 0x7f0999, 0x7f0797, 0x7f0399, 0x7f0297, 0x7f0099, 0x7f0597, 0x7f0399, 0x7f0497, 0x7f0599, 0x7f0497, 0x7f0399, 0x7f0497, 0x7f0399, 0x7f0497, 0x7f0f99, 0x7f0497, 0x7f0e99, 0x7f0797, 0x7f0b99, 0x7f0397, 0x7f0399, 0x7f0697, 0x7f0e99, 0x7f0397, 0x7f0799, 0x7f0397, 0x7f0399, 0x7f0797, 0x7f0299, 0x7f0397, 0x7f0399, 0x7f0697, 0x7f0499, 0x7f0597, 0x7f0f99, 0x7f0697, 0x7f0699, 0x7f0797, 0x7f0299, 0x7f0397, 0x7f0099, 0x7f0697, 0x7f0d99, 0x7f0597, 0x7f0f99, 0x7f0397, 0x7f0799, 0x7f0697, 0x7f0899, 0x7f0397, 0x7f0399, 0x7f0597, 0x7f0f99, 0x7f0797, 0x7f0099, 0x7f0397, 0x7f0399, 0x7f0797, 0x7f0299, 0x7f0697, 0x7f0699, 0x7f0397, 0x7f0099, 0x7f0797, 0x7f0299, 0x7f0697, 0x7f0d99, 0x7f0397, 0x7f0499, 0x7f0697, 0x7f0e99, 0x7f0697, 0x7f0399, 0x7f0397, 0x7f0399, 0x7f0597, 0x7f0f99, 0x7f0797, 0x7f0099, 0x7f0397, 0x7f0499, 0x7f0697, 0x7f0499, 0x7f0597, 0x7f0f99, 0x7f0697, 0x7f0b99, 0x7f0397, 0x7f0399, 0x7f0797, 0x7f0999, 0x7f0697, 0x7f0299, 0x7f0397, 0x7f0099, 0x7f0397, 0x7f0499, 0x7f0797, 0x7f0299, 0x7f0697, 0x7f0499, 0x7f0797, 0x7f0d99 };
        const int count = sizeof(arr) / sizeof(arr[0]);
        for (int i = 0; i < count; i++) {
            unsigned int a4 = arr[i];
            // The low byte selects the branch; the next nibble up is the hex digit to print
            if ((unsigned char)a4 == 0x97) {
                printf("%x", ((a4 & 0xFFF) - 0x97) >> 8);
            }
            else if ((unsigned char)a4 == 0x99) {
                printf("%x", ((a4 & 0xFFF) - 0x99) >> 8);
            }
        }
        return 0;
    }
We get a hex string:
48657920677579732120464c414720697320534543434f4e7b336e37337233645f6672306d5f3768335f7033726630726d346e63335f7034645f6b337962303472647d
Finally, decoding it, we get:
Hey guys! FLAG is SECCON{3n73r3d_fr0m_7h3_p3rf0rm4nc3_p4d_k3yb04rd}
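
The whole pipeline above (reorder the bytes, keep the values above 0x7F0000, take one hex digit per event, decode) as a single Python example, added here and not part of the original write-up. The sample packets are constructed from the first six array values above with constructed velocity-0 events interleaved; the optional leading header byte on each packet is an assumption about the CSV export.

```python
# Added example: function names and sample data are constructed for illustration.
SAMPLE_PACKETS = [  # constructed: velocity 0x7f events with velocity 0 events between
    "0997047f", "09970400", "0999087f", "09990800",
    "0997067f", "09970600", "0999057f", "09990500",
    "0997077f", "09970700", "0999097f", "09990900",
]


def reorder(packet_hex):
    """Return the value compared in the callback (a4), e.g. 97047f -> 0x7f0497."""
    raw = bytes.fromhex(packet_hex)[-3:]  # assumption: any extra leading byte is a header
    if len(raw) != 3:
        raise ValueError("expected at least 3 bytes: " + packet_hex)
    return int.from_bytes(raw, "little")


def nibble(a4):
    """Hex digit carried by one event, or None if the write-up's filters drop it."""
    status = a4 & 0xFF
    if a4 <= 0x7F0000 or status not in (0x97, 0x99):
        return None
    return ((a4 & 0xFFF) - status) >> 8


def decode(packets):
    """Decode packet hex strings into the ASCII text they spell."""
    digits = (nibble(reorder(p)) for p in packets)
    hex_string = "".join(format(d, "x") for d in digits if d is not None)
    if len(hex_string) % 2:
        raise ValueError("odd number of hex digits; capture is truncated")
    return bytes.fromhex(hex_string).decode("ascii")


if __name__ == "__main__":
    print(decode(SAMPLE_PACKETS))
```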