MaskRay / r2cLEMENCy

radare2 cLEMENCy plugins

r2cLEMENCy

DEF CON 25 CTF Finals, organized by Legitimate Business Syndicate, used a brand new architecture called cLEMENCy. It features many bizarre designs:

  • 9-bit bytes (referred to as nytes)
  • 27-bit general-purpose registers
  • Middle-endian
    • A word of 2 nytes is represented as a[1] << 9 | a[0]
    • A word of 3 nytes is represented as a[1] << 27 | a[2] << 18 | a[0]
  • Variable-length instructions (18, 27, 36 or 54 bits), serialized in middle-endian. Opcodes are between 5 and 18 bits long.

Memory mappings:

[0000000,4000000) Main Program Memory
[4000000,400001e) Clock IO
[4010000,4011000) Flag IO
[5000000,5002000) Data Received
[5002000,5002003) Data Received Size
[5010000,5012000) Data Sent
[5012000,5012003) Data Sent Size
[5100000,5104000) NFO file
[7ffff00,7ffff1c) Interrupt Pointers
[7ffff80,8000000) Processor Identification and Features

This repository contains a bunch of radare2 plugins for cLEMENCy.

Building

This repository can be built either standalone or as a subdirectory of radare2-extras.

Standalone

Specify PKG_CONFIG_PATH if you install radare2 to a user directory.

# cd clemency
PKG_CONFIG_PATH=~/.config/radare2/prefix/lib/pkgconfig make

Subdirectory of radare2-extras

(cd ..  # cd radare2-extras
./configure --prefix=~/.config/radare2/prefix  # generates options.mk
)
make

Run make info to see the environment variables in use.

Installation

  • make symstall: install symlinks to R2PM_PLUGDIR and R2PM_SHAREDIR
  • make install: install files

Usage

DEF CON CTF 2017 Final Scores and Data Dumps

In the DEF CON 25 CTF Finals data, service binaries/ contains the service binaries used in the finals.

r2 -e asm.parser=clcy -e asm.midflags=1 -a clcy clcy:///tmp/babyecho

Components

  • io/io_clcy.c: expands 9-bit nytes to 16 bits, and packs them back to 9 bits when closing
  • core/core_clcy.c: hexdump commands tailored to 9-bit
  • bin/bin_clcy.c: creates sections for cLEMENCy memory mappings, and sets up the NFO section
  • asm/asm_clcy.c: disassembler and assembler. include/opcode-inc.h is taken from https://github.com/pwning/defcon25-public by Plaid Parliament of Pwning
  • anal/anal_clcy.c: instruction classifier and ESIL translator
  • parse/parse_clcy.c: C-like pseudo disassembler and variable substituter
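
The nyte handling described above (9-bit nytes, the 2-nyte middle-endian word, and the 9-bit to 16-bit expansion done by io_clcy), as an added example that is not code from this repository. It assumes nytes are packed back to back, most significant bit first; the names nytes_expand, nytes_pack and word2 are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not code from io/io_clcy.c. Assumption: nytes are
 * packed back to back, most significant bit first.
 * Expand packed bytes into one 9-bit nyte per 16-bit cell; returns nyte count. */
size_t nytes_expand(const uint8_t *in, size_t len, uint16_t *out, size_t cap) {
    uint32_t acc = 0; int bits = 0; size_t n = 0;
    for (size_t i = 0; i < len && n < cap; i++) {
        acc = (acc << 8) | in[i]; bits += 8;
        if (bits >= 9) {                 /* at most one nyte completes per byte */
            bits -= 9;
            out[n++] = (acc >> bits) & 0x1ff;
            acc &= (1u << bits) - 1;     /* keep the unconsumed low bits */
        }
    }
    return n;                            /* trailing pad bits are dropped */
}

/* Pack nytes back into bytes, zero-padding the last one; 0 if out is too small. */
size_t nytes_pack(const uint16_t *in, size_t n, uint8_t *out, size_t cap) {
    uint32_t acc = 0; int bits = 0; size_t o = 0;
    if ((n * 9 + 7) / 8 > cap) return 0;
    for (size_t i = 0; i < n; i++) {
        acc = (acc << 9) | (in[i] & 0x1ff); bits += 9;
        while (bits >= 8) {
            bits -= 8;
            out[o++] = (acc >> bits) & 0xff;
            acc &= (1u << bits) - 1;
        }
    }
    if (bits) out[o++] = (acc << (8 - bits)) & 0xff;
    return o;
}

/* 2-nyte word in middle-endian order, as given in the README above. */
uint32_t word2(const uint16_t *a) { return (uint32_t)a[1] << 9 | a[0]; }

/* Constructed sample: nytes 0x155 0x0aa 0x1ff 0x001 packed into 5 bytes. */
static const uint8_t SAMPLE[5] = {0xaa, 0xaa, 0xbf, 0xe0, 0x10};
static uint16_t cells[8]; static uint8_t repacked[8];

int main(void) {
    size_t n = nytes_expand(SAMPLE, sizeof SAMPLE, cells, 8);
    size_t m = nytes_pack(cells, n, repacked, sizeof repacked);
    printf("%zu nytes, %zu bytes repacked, word2=0x%05x\n", n, m, (unsigned)word2(cells));
    return 0;
}
```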

Features

io_clcy

  • Expand 9-bit to 16-bit

bin_clcy

  • Loader: om

core_clcy

  • 9-bit hexdump: _px _pw _pt

asm_clcy

  • Disassembler: pd
  • Instruction descriptions: e asm.describe=1
  • Assembler: e io.cache=1; wa ldt r1, [r0+0x57, 5]

anal_clcy

  • Instruction analyzer
  • ESIL translator: e asm.emu=1

parse_clcy

  • C-like pseudo disassembler: aa; pdc
