radare2 cLEMENCy plugins

r2cLEMENCy

DEF CON 25 CTF Finals, organized by Legitimate Business Syndicate, used a brand new architecture called cLEMENCy. It features many bizarre designs:

  • 9-bit bytes (referred to as nytes)
  • 27-bit general-purpose registers
  • Middle-endian
    • A word of 2 nytes is represented as a[1] << 9 | a[0]
    • A word of 3 nytes is represented as a[1] << 18 | a[0] << 9 | a[2]
  • Variable-length instructions (18, 27, 36 or 54 bits), which are serialized in middle-endian. Opcodes are between 5 and 18 bits long.
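The nyte and middle-endian layout from the list above, as an added example (not code from this repository): it widens packed 9-bit nytes into 16-bit cells and loads or stores 2- and 3-nyte words. The MSB-first bit packing of the input buffer, the function names and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NYTE_MASK 0x1ffu

/* Constructed sample: 0x1234567 stored middle-endian (nytes 0x1a2, 0x048,
 * 0x167), then bit-packed MSB-first and zero-padded to 4 bytes. */
static const uint8_t SAMPLE[4] = { 0xd1, 0x12, 0x2c, 0xe0 };

/* Widen packed 9-bit nytes into 16-bit cells; returns nytes written.
 * Assumption: nytes are packed back to back, most significant bit first. */
size_t unpack_nytes(const uint8_t *in, size_t len, uint16_t *out, size_t max) {
    uint32_t acc = 0;  /* bit accumulator */
    unsigned bits = 0; /* number of unread bits in acc */
    size_t n = 0;
    for (size_t i = 0; i < len && n < max; i++) {
        acc = (acc << 8) | in[i];
        bits += 8;
        if (bits >= 9) { /* at most one whole nyte becomes available per byte */
            bits -= 9;
            out[n++] = (acc >> bits) & NYTE_MASK;
        }
    }
    return n;
}

/* Middle-endian loads; a[] holds one nyte per cell in memory order. */
uint32_t read_me18(const uint16_t *a) {
    return (uint32_t)(a[1] & NYTE_MASK) << 9 | (a[0] & NYTE_MASK);
}
uint32_t read_me27(const uint16_t *a) {
    return (uint32_t)(a[1] & NYTE_MASK) << 18
         | (uint32_t)(a[0] & NYTE_MASK) << 9 | (a[2] & NYTE_MASK);
}
/* Middle-endian store: middle nyte first, then high, then low. */
void write_me27(uint32_t v, uint16_t *a) {
    a[0] = (v >> 9) & NYTE_MASK;
    a[1] = (v >> 18) & NYTE_MASK;
    a[2] = v & NYTE_MASK;
}

/* Decode the first 27-bit word of a packed buffer; UINT32_MAX if truncated. */
uint32_t decode27(const uint8_t *packed, size_t len) {
    uint16_t cells[3];
    if (unpack_nytes(packed, len, cells, 3) < 3) return UINT32_MAX;
    return read_me27(cells);
}

int main(void) {
    printf("0x%07x\n", (unsigned)decode27(SAMPLE, sizeof SAMPLE));
    return 0;
}
```

A buffer that ends before three whole nytes are available is reported as truncated rather than decoded from partial bits.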

Memory mappings:

[0000000,4000000) Main Program Memory
[4000000,400001e) Clock IO
[4010000,4011000) Flag IO
[5000000,5002000) Data Received
[5002000,5002003) Data Received Size
[5010000,5012000) Data Sent
[5012000,5012003) Data Sent Size
[5100000,5104000) NFO file
[7ffff00,7ffff1c) Interrupt Pointers
[7ffff80,8000000) Processor Identification and Features

This repository contains a bunch of radare2 plugins for cLEMENCy.

Building

This repository can be built either standalone or as a subdirectory of radare2-extras.

Standalone

Specify PKG_CONFIG_PATH if you install radare2 to a user directory.

# cd clemency
PKG_CONFIG_PATH=~/.config/radare2/prefix/lib/pkgconfig make

Subdirectory of radare2-extras

(cd ..  # cd radare2-extras
./configure --prefix="$HOME/.config/radare2/prefix"  # generates options.mk; $HOME is used because ~ is not expanded after --prefix=
)
make

Run make info to see the environment variables in use.

Installation

  • make symstall: install symlinks to R2PM_PLUGDIR and R2PM_SHAREDIR
  • make install: install files

Usage

DEF CON CTF 2017 Final Scores and Data Dumps

DEF CON 25 CTF Finals service binaries/ contains service binaries used in DEF CON CTF Finals.

r2 -e asm.parser=clcy -e asm.midflags=1 -a clcy clcy:///tmp/babyecho

Components

  • io/io_clcy.c: expands 9-bit to 16-bit and unexpands 16-bit when closing
  • core/core_clcy.c: hexdump commands tailored to 9-bit
  • bin/bin_clcy.c: creates sections for cLEMENCy memory mappings, and sets up the NFO section
  • asm/asm_clcy.c: disassembler and assembler. include/opcode-inc.h is taken from https://github.com/pwning/defcon25-public by Plaid Parliament of Pwning
  • anal/anal_clcy.c: instruction classifier and ESIL translator
  • parse/parse_clcy.c: C-like pseudo disassembler and variable substituter

Features

io_clcy

  • Expand 9-bit to 16-bit

bin_clcy

  • Loader: om

core_clcy

  • 9-bit hexdump: _px _pw _pt

asm_clcy

  • Disassembler: pd
  • Instruction descriptions: e asm.describe=1
  • Assembler: e io.cache=1; wa ldt r1, [r0+0x57, 5]

anal_clcy

  • Instruction analyzer
  • ESIL translator: e asm.emu=1

parse_clcy

  • C-like pseudo disassembler: aa; pdc