Challenge: Solution to “Memgraph Capture The Flag” – Discover

Challenge: Solution to “Memgraph Capture The Flag” – Discover

  • Apple
  • August 10, 2021
  • No Comment
  • 74
  • 11 minutes read


Flag icon on gray background

The “Memgraph Capture the Flag” challenge invites you to learn and practice memory debugging and command line symbolization. If you have not yet tried the challenge or do not want the steps required to complete it to be damaged, we recommend that you return to the original page of the challenge. Otherwise, keep reading!

Challenge: Memgraph captures the flag

The challenge begins with the following: “One of our engineers has hidden a memory Easter egg in our secret application. We are trying to trace it, but all we know is that it has a format flag_<unknown_string_here>@WWDC. You will need to use the command line tools provided by macOS to investigate the memory problem, recover missing symbols, and capture the rogue flag.

The following solution is one of the possible ways to capture the flag. For starters, the challenge article provides you with a memgraph file and a dSYM, along with the following clue: “Memgraph is a special binary plist. What can you find in its properties?”

To view the properties of a Memgraph, use plutil. At the exit, you will find more tracks:

$ plutil -p secret.memgraph
...
"hint" => "the flag is hiding in a memory leak"
...
"one_more_hint" => "you might also want to explore the 'symbols' in the dSYM”
...

The track invites you to investigate the memory leak, meanwhile one_more_hint encourages you to use the symbols The CLI tool. In the WWDC21 session “Symbolization: Beyond the Basics”, engineer Alejandro Lucena mentioned that it is a good idea to specify the architecture with this tool. As such, you can use memgraph to know the architecture of the “secret” application.

You can try heap, leaks o vmmap. When used with a memgraph, the first lines are the same at the output of each of these tools. Here’s how to learn which architecture uses the “secret” process: Code Type: X86-64.

As detailed in the WWDC21 session “Detecting and Diagnosing Memory Problems”, you can use the vmmap command against memgraph files in addition to targeting the running process. Running against this memgraph provides the following information:

$ vmmap -summary secret.memgraph 
Process:         secret [2901]
Path:            /Users/*/secret
Load Address:    0x10d264000
Identifier:      secret
Version:         0
Code Type:       X86-64
Platform:        macOS
Parent Process:  zsh [1438]
...

You are now ready to use the symbols command. Use the -noSources option to restrict output to symbol names so you have less output to look at. Hidden among the “secret” dSYM symbols, you’ll find another path to the solution:

$ symbols -arch x86_64 -noSources secret.dSYM [macOS Monterey+, Xcode 13+]
or
$ symbols -arch x86_64 -noSources secret.dSYM/Contents/Resources/DWARF/secret [macOS before Monterey, Xcode before 13]
...
hint_find_the_secret_addresses_of_the_memory_leak
...

The filtered memory in this memgraph is starting to look interesting, it’s probably a specific filtered address. Let’s see what secret directions the track refers to. To determine if the “secret” application was losing memory, you can check for memgraph leaks with leaks command line tool.

Do you want to pay attention to this part of the output:

$ leaks secret.memgraph
...
STACK OF 5 INSTANCES OF 'ROOT LEAK: <CFArray>':
6   hint                               0x7fff204edf3d how would you translate secret Addresses TO Symbols? + 1
5   secret                                0x10d267ee8 0x10d264000 + 16104
4   secret                                0x10d267dc5 0x10d264000 + 15813
3   secret                                0x10d267ccf 0x10d264000 + 15567
2   com.apple.CoreFoundation           0x7fff2059576f __CFArrayCreateInit + 190
1   com.apple.CoreFoundation           0x7fff2054df07 _CFRuntimeCreateInstance + 587
0   libsystem_malloc.dylib             0x7fff20314071 _malloc_zone_malloc + 242 
...

In this output, you will find five leaks, all of them originating in the same place in the code. They are joined by the same stack of calls each time CFArray he was assigned, but never released. Here are three secret addresses: 0x10d267ee8, 0x10d267dc5 i 0x10d267ccf – along with a new track with interesting capital letters. This track indicates that you should try and use it atos tool to symbolize secret addresses.

To call atos, you need several components: the DWARF binary in dSYM, the architecture, and the addresses to symbolize. However, you lose the upload address and you can find it for the “secret” binary image within the call stack of leaks next to the three secret addresses: 0x10d264000. You can also find it in the parts of the process description and the list of binary images leaks way out:

$ leaks secret.memgraph
Process:         secret [2901]
Path:            /Users/*/secret
Load Address:    0x10d264000
...
Binary Images:
       0x10d264000 -        0x10d267ff7 +secret (0) <6676D338-8C26-3019-B919-88C1CB4AA324> /Users//secret
...

Now, you can use atos to translate secret addresses into symbols:

$ atos -o secret.dSYM/Contents/Resources/DWARF/secret -arch x86_64 -l 0x10d264000 0x10d267ee8 0x10d267dc5 0x10d267ccf
main (in secret) (main.m:226)
very_nice_function (in secret) (main.m:205)
good_job_but_the_flag_is_inlined (in secret) (main.m:186)

You’re approaching: the flag is aligned, so you need to add it -i command line option during the call atos to also show built-in features:

$ atos -o secret.dSYM/Contents/Resources/DWARF/secret -arch x86_64 -l 0x10d264000 0x10d267ee8 0x10d267dc5 0x10d267ccf -i
main (in secret) (main.m:413)

very_nice_function (in secret) (main.m:392)

IGZsYWdfbWVNMHJ5VDBPTHNEZWJ1R0cxbmdQcjBAV1dEQyAg (in secret) (main.m:86)
whats_wrong_with_encoding (in secret) (main.m:204)
omg_you_found_it (in secret) (main.m:333)
good_job_but_the_flag_is_inlined (in secret) (main.m:373)

Closer still! Run this command and you will get a string of numbers that looks like it could be encoded in base64. Run this decoding and you will get:

$ echo "IGZsYWdfbWVNMHJ5VDBPTHNEZWJ1R0cxbmdQcjBAV1dEQyAg" | base64 -d
 flag_meM0ryT0OLsDebuGG1ngPr0@WWDC  %

Note: Be sure to pass the as well -arch flag a atosbecause atos default to the architecture you are actively using. For example, if you run this command from x86_64 (either on x86 hardware or Rosetta 2), you won’t see any changes. But if you run the tool from an Apple Silicon machine without the -arch flag, you will receive strings for the wrong architecture:

IOKdmuKWiOKVkOKVkOKWiOKdmiAg4p2a4paI4pWQ4pWQ4paI4p2a (in secret) (main.m:396)
IOKWhyDiloUg4paIIOKWhSDilocg4paCIOKWgyDiloEg4paB (in secret) (main.m:381)

Convert them from their base64 encoding and you’ll get some really nice ASCII art weights.

❚█══█❚ ❚█══█❚

▇ ▅ █ ▅ ▇ ▂ ▃ ▁ ▁

While they may be helpful in filling the fitness rings on your Apple Watch, you need to -arch x86_64 parameter to capture this particular flag.

One last tip: secret.memgraph was generated when the “secret” process was running. MallocStackLogging skill; this allows you to see the call stack on the filter. Don’t forget to enable it MallocStackLogging for your own application when generating memgraphs. This can be done by configuring the schema in Xcode (Run> Diagnostics> MallocStackLogging = Live Assignments Only) or with the environment variable when starting from a terminal:

`$ MallocStackLogging=lite <command>`

This is just a path you can take to get the flag using the built-in command line tools in macOS for debugging and symbolizing memory. Check out the full Coding and Design Challenges repository for other fun coding and designing scans, or delve deeper into debugging with our latest WWDC21 videos.

Resources

Symbolization: beyond the basics

Detect and diagnose memory problems

Explore more coding and design challenges



Source link

Related post

Open House: What steps can be taken to check the rising cases of suicides among youths? : The Tribune India

Open House: What steps can be taken to check…

Education institution should set up helplines To begin with, it should be made clear that stress is a physical reaction to…
Here are the top 25 start-ups to work for in India

Here are the top 25 start-ups to work for…

It’s also great to see young professionals embracing India’s startup ecosystem, with 56% of all hires at the top 25 startups…
Micro:bit launches new Python Editor to help more children learn text-based coding languages

Micro:bit launches new Python Editor to help more children learn…

Micro:bit Educational Foundation, the educational nonprofit on a mission to improve children’s digital skills, today announced that it’s even easier for…

Leave a Reply

Your email address will not be published.