Sebastian's Blog

software engineer. infosec enthusiast.

HACKvent 2019

HV19.20 i want to play a game

December 20, 2019
Sebastian
Challenge Description

The attached zip file contains a binary named game. Using ghidra to analyze the file showed, that this is some PS4 executable. The code opens a file /mnt/usb0/PS4UPDATE.PUP, validates the md5 hash and xors some content of the file with a key contained in the executable. As ghidra was unable to properly resolve references, it took some time to find the right key. Finding the PS4UPDATE.PUP online was no problem tho. I recreated the code using a small c program.

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
#include <stdio.h>
#include <stdlib.h>
int main() {
FILE* bin = fopen("PS4UPDATE.PUP", "rb");
int offset = 0x1337;
char key[26] = {0xCE, 0x55, 0x95, 0x4E, 0x38, 0xC5, 0x89, 0xA5, 0x1B, 0x6F, 0x5E, 0x25, 0xD2, 0x1D, 0x2A, 0x2B, 0x5E, 0x7B, 0x39, 0x14, 0x8E, 0xD0, 0xF0, 0xF8, 0xF8, 0xA5};
char data[26];
do {
fseek(bin, offset, 0);
fread(data, 26, 1, bin);
int i = 0;
do {
key[i] = key[i] ^ data[i];
i = i + 1;
} while (i != 0x1a);
offset += 0x1337;
} while (offset != 0x1714908);
for (int i = 0; i < 26; i++) {
printf("%c", key[i]);
}
printf("\n");
}
#include <stdio.h> #include <stdlib.h> int main() { FILE* bin = fopen("PS4UPDATE.PUP", "rb"); int offset = 0x1337; char key[26] = {0xCE, 0x55, 0x95, 0x4E, 0x38, 0xC5, 0x89, 0xA5, 0x1B, 0x6F, 0x5E, 0x25, 0xD2, 0x1D, 0x2A, 0x2B, 0x5E, 0x7B, 0x39, 0x14, 0x8E, 0xD0, 0xF0, 0xF8, 0xF8, 0xA5}; char data[26]; do { fseek(bin, offset, 0); fread(data, 26, 1, bin); int i = 0; do { key[i] = key[i] ^ data[i]; i = i + 1; } while (i != 0x1a); offset += 0x1337; } while (offset != 0x1714908); for (int i = 0; i < 26; i++) { printf("%c", key[i]); } printf("\n"); }
#include <stdio.h>
#include <stdlib.h>

int main() {
	FILE* bin = fopen("PS4UPDATE.PUP", "rb");

	int offset = 0x1337;
	char key[26] = {0xCE, 0x55, 0x95, 0x4E, 0x38, 0xC5, 0x89, 0xA5, 0x1B, 0x6F, 0x5E, 0x25, 0xD2, 0x1D, 0x2A, 0x2B, 0x5E, 0x7B, 0x39, 0x14, 0x8E, 0xD0, 0xF0, 0xF8, 0xF8, 0xA5};

	char data[26];

	do {
		fseek(bin, offset, 0);
		fread(data, 26, 1, bin);

		int i = 0;
		do {
			key[i] = key[i] ^ data[i];
			i = i + 1;
		} while (i != 0x1a);
		offset += 0x1337;
	} while (offset != 0x1714908);

	for (int i = 0; i < 26; i++) {
		printf("%c", key[i]);
	}
	printf("\n");
}

Running this returns the flag HV19{C0nsole_H0mebr3w_FTW}.

Leave a Reply

Your email address will not be published. Required fields are marked *


The reCAPTCHA verification period has expired. Please reload the page.