iHack 2013 Forensic track #1 - time machine


This track was really fun to put together, because I was in a nostalgic mood and wanted to try something exotic at the same time. I decided I had to try to run a legacy OS, older than the MS-DOS versions I used to work with when I was younger, and I remembered a college teacher saying he began working with computers on CP/M. Then I went on the hunt to get a [probably] abandonware copy and to find out how to run it on a modern PC. I began experimenting with YAZE on Linux, but it was really far from being a complete experience. Then, when search-whining on Google, I discovered another tool.


Since I was in the mood to experiment with stuff, knowing I like to learn about data structure recognition and recovery, and with the 2012's iHack quickly coming... let's do all of that at the same time. The objectives would be to find out what that unknown file is, how to identify it and finally, how to use/exploit it to explore further. Oh, and also to RTFM ;)

Contestants were presented with a file named bttf (in honor of the description and the movie Back to the Future) with no further identification. The first step would be to check for some header identification:

# file bttf
bttf: data

Doesn't say much... time to hexedit it and find this in the first buffers:

00000920   58 DF 7F 00  20 20 20 20  20 20 20 20  20 20 20 20  20 20 20 20  43 4F 50 59  52 49 47 48  54 20 28 43  X...                COPYRIGHT (C
00000940   29 20 31 39  37 39 2C 20  44 49 47 49  54 41 4C 20  52 45 53 45  41 52 43 48  20 20 00 00  00 00 00 00  ) 1979, DIGITAL RESEARCH  ......
00003180   02 13 04 15  06 17 08 19  0A 1B 0C 1D  0E 1F 10 0D  0A 36 34 4B  20 43 50 2F  4D 20 56 65  72 73 69 6F  .................64K CP/M Versio
000031A0   6E 20 32 2E  32 20 28 53  49 4D 48 20  41 4C 54 41  49 52 20 38  38 30 30 2C  20 42 49 4F  53 20 56 E5  n 2.2 (SIMH ALTAIR 8800, BIOS V.



That's a lot of data. SIMH is the emulator/virtual machine I found to run CP/M and, just to spice things up, on a 'virtual' Altair 8800 machine; just quickly google it. Our file is only a disk image, not the emulator itself, and reading the SIMH doc pages would tell you that you can load disk images with a command in order to access that data.
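The point of the hex dump above is that file(1) answered "data" because a CP/M system image carries no fixed-offset magic; what identifies it are the text banners the CCP/BDOS and BIOS embed somewhere in the image. The following script is an added example (not the author's code, and not part of the challenge) of doing that identification programmatically: it lists printable runs the way strings(1) does and matches a small, constructed signature table against the raw bytes. The sample image is constructed from the bytes shown in the dump at 0x920 and 0x3180 with 0xE5 filler everywhere else, so it is a stand-in for bttf, not the real file; the signature patterns and labels are my own.

```python
import re

# Constructed signature table (not from the write-up): regexes over raw bytes,
# because the only identifying marks in a CP/M 2.2 image are free-floating
# banners, not a header at a fixed offset that file(1) could match.
SIGNATURES = [
    (rb"COPYRIGHT \(C\) 19\d\d, DIGITAL RESEARCH", "Digital Research copyright banner"),
    (rb"\d\dK CP/M Version \d\.\d", "CP/M version banner"),
    (rb"SIMH ALTAIR 8800", "SIMH AltairZ80 BIOS string"),
]


def build_sample_image():
    """Constructed 16 KiB stand-in for the bttf image.

    Only the bytes shown in the write-up's hex dump at 0x920 and 0x3180 are
    reproduced; the rest is 0xE5 filler (the byte CP/M writes to unused
    directory entries and freshly formatted sectors), not real disk contents.
    """
    img = bytearray(b"\xe5" * 0x4000)
    banner = (b"X\xdf\x7f\x00" + b" " * 16
              + b"COPYRIGHT (C) 1979, DIGITAL RESEARCH  " + b"\x00" * 6)
    img[0x920:0x920 + len(banner)] = banner
    bios = (bytes.fromhex("02 13 04 15 06 17 08 19 0a 1b 0c 1d 0e 1f 10")
            + b"\r\n64K CP/M Version 2.2 (SIMH ALTAIR 8800, BIOS V\xe5")
    img[0x3180:0x3180 + len(bios)] = bios
    return bytes(img)


def strings(image, min_len=8):
    """Like strings(1): (offset, text) for each run of printable ASCII."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(image)]


def identify(image):
    """Return [(offset, label, matched_text)] for every signature hit, by offset."""
    hits = []
    for pattern, label in SIGNATURES:
        for m in re.finditer(pattern, image):
            hits.append((m.start(), label, m.group().decode("ascii")))
    return sorted(hits)


if __name__ == "__main__":
    img = build_sample_image()
    for off, text in strings(img):
        print(f"{off:08x}  {text.strip()}")
    for off, label, text in identify(img):
        print(f"{off:08x}  {label}: {text}")
```

Running it against a real image is a matter of replacing build_sample_image() with open("bttf", "rb").read(); the hits come back with the same offsets you would read off a hex editor, which is what makes the result checkable by hand.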


Once you get there... explore the disk, learn the commands and their syntax, and we quickly discover the use of MBASIC scripts, such as ELIZA.BAS... or KILLFLAG.BAS. The latter was just there to scare people a bit, in case they'd wipe that file by running it. You had to load the file in the MBASIC editor and then list its lines, as it's procedural 'coding'.

LIST
20 A$="lcmUgdGhlIGJlc3uLi5"
30 AB$="yZW1lbWJlciBCVNJQz8="
40 SWAP A$,B$
50 C$=SEG$(A$,INT(RND*20+),1)
60 D$=C$
70 PRINT FRE("")
80 FLAG$=A$,B,AB$
90 PRINT FLAG$
Ok


That script isn't supposed to run properly; it is there to force contestants to analyze the process manually (or to take the time and opportunity to learn some BASIC and fix it; I first had the techno trip of doing it in 6502 asm) in order to get to the flag. Understanding the MBASIC functions used would tell you how the variables are scrambled and assembled. Of course, some data was there only to misroute you!

flag: b2xkIHRpbWVzIHdlcmUgdGhlIGJlc3QuLi5yZW1lbWJlciBCQVNJQz8= (decode it if you want...)