The filename ends with ‘ino.hex’, which hints towards an Arduino binary, which uses an AVR microcontroller. A string in the binary hints towards an Arduino UNO, which has an ATmega328P microcontroller, specifically. I know quite a bit of AVR assembly, so this challenge was pretty easy for me. I disassembled the binary, scrolled through it and pretty quickly found this:
.sec1:00000a90 95 eb ldi r25, 0xB5 ; 181
.sec1:00000a92 99 83 std Y+1, r25 ; 0x01
.sec1:00000a94 9a 83 std Y+2, r25 ; 0x02
.sec1:00000a96 96 e8 ldi r25, 0x86 ; 134
.sec1:00000a98 9b 83 std Y+3, r25 ; 0x03
.sec1:00000a9a 94 eb ldi r25, 0xB4 ; 180
.sec1:00000a9c 9c 83 std Y+4, r25 ; 0x04
.sec1:00000a9e 94 ef ldi r25, 0xF4 ; 244
.sec1:00000aa0 9d 83 std Y+5, r25 ; 0x05
.sec1:00000aa2 93 eb ldi r25, 0xB3 ; 179
.sec1:00000aa4 9e 83 std Y+6, r25 ; 0x06
.sec1:00000aa6 91 ef ldi r25, 0xF1 ; 241
.sec1:00000aa8 9f 83 std Y+7, r25 ; 0x07
.sec1:00000aaa 20 eb ldi r18, 0xB0 ; 176
.sec1:00000aac 28 87 std Y+8, r18 ; 0x08
.sec1:00000aae 29 87 std Y+9, r18 ; 0x09
.sec1:00000ab0 9a 87 std Y+10, r25 ; 0x0a
.sec1:00000ab2 9d ee ldi r25, 0xED ; 237
.sec1:00000ab4 9b 87 std Y+11, r25 ; 0x0b
.sec1:00000ab6 90 e8 ldi r25, 0x80 ; 128
.sec1:00000ab8 9c 87 std Y+12, r25 ; 0x0c
.sec1:00000aba 9b eb ldi r25, 0xBB ; 187
.sec1:00000abc 9d 87 std Y+13, r25 ; 0x0d
.sec1:00000abe 9f e8 ldi r25, 0x8F ; 143
.sec1:00000ac0 9e 87 std Y+14, r25 ; 0x0e
.sec1:00000ac2 9f eb ldi r25, 0xBF ; 191
.sec1:00000ac4 9f 87 std Y+15, r25 ; 0x0f
.sec1:00000ac6 9d e8 ldi r25, 0x8D ; 141
.sec1:00000ac8 98 8b std Y+16, r25 ; 0x10
.sec1:00000aca 96 ec ldi r25, 0xC6 ; 198
.sec1:00000acc 99 8b std Y+17, r25 ; 0x11
.sec1:00000ace 95 e8 ldi r25, 0x85 ; 133
.sec1:00000ad0 9a 8b std Y+18, r25 ; 0x12
.sec1:00000ad2 97 e8 ldi r25, 0x87 ; 135
.sec1:00000ad4 9b 8b std Y+19, r25 ; 0x13
.sec1:00000ad6 90 ec ldi r25, 0xC0 ; 192
.sec1:00000ad8 9c 8b std Y+20, r25 ; 0x14
.sec1:00000ada 94 e9 ldi r25, 0x94 ; 148
.sec1:00000adc 9d 8b std Y+21, r25 ; 0x15
.sec1:00000ade 91 e8 ldi r25, 0x81 ; 129
.sec1:00000ae0 9e 8b std Y+22, r25 ; 0x16
.sec1:00000ae2 9c e8 ldi r25, 0x8C ; 140
.sec1:00000ae4 9f 8b std Y+23, r25 ; 0x17
.sec1:00000ae6 ac e6 ldi r26, 0x6C ; 108
.sec1:00000ae8 b5 e0 ldi r27, 0x05 ; 5
.sec1:00000aea 20 e0 ldi r18, 0x00 ; 0
.sec1:00000aec 91 91 ld r25, Z+
.sec1:00000aee 98 27 eor r25, r24
.sec1:00000af0 92 0f add r25, r18
.sec1:00000af2 9d 93 st X+, r25
.sec1:00000af4 2f 5f subi r18, 0xFF ; 255
.sec1:00000af6 27 31 cpi r18, 0x17 ; 23
.sec1:00000af8 c9 f7 brne .-14 ; 0x00000aec
.sec1:00000afa 80 91 76 05 lds r24, 0x0576
.sec1:00000afe 80 34 cpi r24, 0x40 ; 64
.sec1:00000b00 a1 f4 brne .+40 ; 0x00000b2a
This loads a bunch of characters onto the stack and then loops through them while doing an XOR and ADD, then compares one of the characters to @ to validate the output. I wrote a simple piece of C code to bruteforce this:
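#include <stdio.h>
#include <string.h>

/* Encoded bytes stored at Y+1..Y+23 in the listing above. The loop runs
   0x17 (23) times; the 0x6C loaded at 0xae6 is the low byte of the X
   pointer, not part of the data. */
unsigned char crackme[23] = {
    0xB5, 0xB5, 0x86, 0xB4, 0xF4, 0xB3, 0xF1, 0xB0, 0xB0, 0xF1, 0xED, 0x80,
    0xBB, 0x8F, 0xBF, 0x8D, 0xC6, 0x85, 0x87, 0xC0, 0x94, 0x81, 0x8C
};

int main(void) {
    int x, y;
    /* Try every possible single-byte value for the key held in r24. */
    for (x = 0; x < 256; x++) {
        char tmp[24];
        memcpy(tmp, crackme, 23);
        tmp[23] = 0;
        for (y = 0; y < 23; y++) {
            tmp[y] ^= x;    /* eor r25, r24 */
            tmp[y] += y;    /* add r25, r18 */
        }
        printf("%s\n", tmp);
    }
    return 0;
}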
This came up with a readable flag pretty quickly.
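The check at the end of the listing also pins the key down without any search. The following is an added example, not code from the original write-up. It assumes, as the text above does, that r24 holds a single-byte key and that Z walks the 23 bytes stored through Y; the function and macro names are made up for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Bytes stored at Y+1..Y+23 in the listing (loop bound: cpi r18, 0x17). */
static const unsigned char enc[23] = {
    0xB5, 0xB5, 0x86, 0xB4, 0xF4, 0xB3, 0xF1, 0xB0, 0xB0, 0xF1, 0xED, 0x80,
    0xBB, 0x8F, 0xBF, 0x8D, 0xC6, 0x85, 0x87, 0xC0, 0x94, 0x81, 0x8C
};

#define OUT_BASE   0x056C  /* X pointer: ldi r26, 0x6C / ldi r27, 0x05 */
#define CHECK_ADDR 0x0576  /* lds r24, 0x0576 */
#define CHECK_VAL  0x40    /* cpi r24, 0x40 ('@') */

/* The checked byte is output index CHECK_ADDR - OUT_BASE = 10.
   Solve (enc[i] ^ key) + i == CHECK_VAL (mod 256) for key. */
unsigned char recover_key(void) {
    size_t i = CHECK_ADDR - OUT_BASE;
    return (unsigned char)(enc[i] ^ (unsigned char)(CHECK_VAL - i));
}

/* Same transform as the loop at 0xaec..0xaf8: XOR with the key, then add
   the index. out must have room for sizeof enc + 1 bytes. */
void decode(unsigned char key, char *out) {
    for (size_t i = 0; i < sizeof enc; i++)
        out[i] = (char)(unsigned char)((enc[i] ^ key) + i);
    out[sizeof enc] = '\0';
}

/* Cross-check by exhaustive search: how many keys satisfy the '@' test? */
int keys_passing_check(void) {
    size_t i = CHECK_ADDR - OUT_BASE;
    int n = 0;
    for (int k = 0; k < 256; k++)
        if ((unsigned char)((enc[i] ^ k) + i) == CHECK_VAL)
            n++;
    return n;
}

int main(void) {
    char out[sizeof enc + 1];
    unsigned char key = recover_key();
    decode(key, out);
    printf("key=0x%02X candidates=%d text=%s\n",
           key, keys_passing_check(), out);
    return 0;
}
```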
Bonus (morse code)
Since the filename is re’morse’, I figured something morse-code related must be in the file. I found the following in the ‘const’ area of the binary with a hex editor:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000D60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D7 75 ..............×u
00000D70 07 00 5D 5D 00 00 00 00 00 00 D5 D5 01 00 00 00 ..]]......ÕÕ....
00000D80 00 00 5D 05 00 00 DD DD 05 00 D7 5D 00 00 D7 5D ..]...ÝÝ..×]..×]
00000D90 07 00 00 00 00 00 5D 17 00 00 77 75 07 00 57 75 ......]...wu..Wu
00000DA0 00 00 5D D7 01 00 57 17 00 00 77 77 07 00 DD DD ..]×..W...ww..ÝÝ
00000DB0 01 00 75 77 00 00 D5 1D 00 00 55 07 00 00 55 01 ..uw..Õ...U...U.
00000DC0 00 00 57 05 00 00 77 15 00 00 77 57 00 00 77 77 ..W...w...wW..ww
00000DD0 01 00 77 57 01 00 D7 75 01 00 00 00 00 00 57 1D ..wW..×u......W.
00000DE0 00 00 00 00 00 00 75 57 00 00 DD 75 01 00 1D 00 ......uW..Ýu....
00000DF0 00 00 57 01 00 00 D7 05 00 00 57 00 00 00 01 00 ..W...×...W.....
00000E00 00 00 75 01 00 00 77 01 00 00 55 00 00 00 05 00 ..u...w...U.....
00000E10 00 00 DD 1D 00 00 D7 01 00 00 5D 01 00 00 77 00 ..Ý...×...]...w.
00000E20 00 00 17 00 00 00 77 07 00 00 DD 05 00 00 77 1D ......w...Ý...w.
00000E30 00 00 5D 00 00 00 15 00 00 00 07 00 00 00 75 00 ..]...........u.
00000E40 00 00 D5 01 00 00 DD 01 00 00 57 07 00 00 D7 1D ..Õ...Ý...W...×.
00000E50 00 00 77 05 00 00 00 00 00 00 00 00 00 00 00 00 ..w.............
00000E60 00 00 00 00 00 00 75 D7 01 00 00 00 00 00 1D 00 ......u×........
00000E70 00 00 57 01 00 00 D7 05 00 00 57 00 00 00 01 00 ..W...×...W.....
00000E80 00 00 75 01 00 00 77 01 00 00 55 00 00 00 05 00 ..u...w...U.....
00000E90 00 00 DD 1D 00 00 D7 01 00 00 5D 01 00 00 77 00 ..Ý...×...]...w.
00000EA0 00 00 17 00 00 00 77 07 00 00 DD 05 00 00 77 1D ......w...Ý...w.
00000EB0 00 00 5D 00 00 00 15 00 00 00 07 00 00 00 75 00 ..]...........u.
00000EC0 00 00 D5 01 00 00 DD 01 00 00 57 07 00 00 D7 1D ..Õ...Ý...W...×.
00000ED0 00 00 77 05 00 00 00 00 00 00 00 00 00 00 00 00 ..w.............
I thought it would be interesting to decode this, so I wrote a bit of C to do that:
#include <stdio.h>
#include <stdlib.h>

unsigned char rawData[384] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xD7, 0x75, 0x07, 0x00, 0x5D, 0x5D, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xD5, 0xD5, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5D, 0x05,
    0x00, 0x00, 0xDD, 0xDD, 0x05, 0x00, 0xD7, 0x5D, 0x00, 0x00, 0xD7, 0x5D,
    0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5D, 0x17, 0x00, 0x00, 0x77, 0x75,
    0x07, 0x00, 0x57, 0x75, 0x00, 0x00, 0x5D, 0xD7, 0x01, 0x00, 0x57, 0x17,
    0x00, 0x00, 0x77, 0x77, 0x07, 0x00, 0xDD, 0xDD, 0x01, 0x00, 0x75, 0x77,
    0x00, 0x00, 0xD5, 0x1D, 0x00, 0x00, 0x55, 0x07, 0x00, 0x00, 0x55, 0x01,
    0x00, 0x00, 0x57, 0x05, 0x00, 0x00, 0x77, 0x15, 0x00, 0x00, 0x77, 0x57,
    0x00, 0x00, 0x77, 0x77, 0x01, 0x00, 0x77, 0x57, 0x01, 0x00, 0xD7, 0x75,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x1D, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x75, 0x57, 0x00, 0x00, 0xDD, 0x75, 0x01, 0x00, 0x1D, 0x00,
    0x00, 0x00, 0x57, 0x01, 0x00, 0x00, 0xD7, 0x05, 0x00, 0x00, 0x57, 0x00,
    0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x75, 0x01, 0x00, 0x00, 0x77, 0x01,
    0x00, 0x00, 0x55, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0xDD, 0x1D,
    0x00, 0x00, 0xD7, 0x01, 0x00, 0x00, 0x5D, 0x01, 0x00, 0x00, 0x77, 0x00,
    0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x77, 0x07, 0x00, 0x00, 0xDD, 0x05,
    0x00, 0x00, 0x77, 0x1D, 0x00, 0x00, 0x5D, 0x00, 0x00, 0x00, 0x15, 0x00,
    0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x75, 0x00, 0x00, 0x00, 0xD5, 0x01,
    0x00, 0x00, 0xDD, 0x01, 0x00, 0x00, 0x57, 0x07, 0x00, 0x00, 0xD7, 0x1D,
    0x00, 0x00, 0x77, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0xD7,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1D, 0x00, 0x00, 0x00, 0x57, 0x01,
    0x00, 0x00, 0xD7, 0x05, 0x00, 0x00, 0x57, 0x00, 0x00, 0x00, 0x01, 0x00,
    0x00, 0x00, 0x75, 0x01, 0x00, 0x00, 0x77, 0x01, 0x00, 0x00, 0x55, 0x00,
    0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0xDD, 0x1D, 0x00, 0x00, 0xD7, 0x01,
    0x00, 0x00, 0x5D, 0x01, 0x00, 0x00, 0x77, 0x00, 0x00, 0x00, 0x17, 0x00,
    0x00, 0x00, 0x77, 0x07, 0x00, 0x00, 0xDD, 0x05, 0x00, 0x00, 0x77, 0x1D,
    0x00, 0x00, 0x5D, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x07, 0x00,
    0x00, 0x00, 0x75, 0x00, 0x00, 0x00, 0xD5, 0x01, 0x00, 0x00, 0xDD, 0x01,
    0x00, 0x00, 0x57, 0x07, 0x00, 0x00, 0xD7, 0x1D, 0x00, 0x00, 0x77, 0x05,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

int main(void) {
    int bit = 0;
    int parts = 0;   /* run of consecutive 1 bits seen so far */
    int sp = 0;      /* set once a separator newline has been printed */
    size_t bytePos = 0;
    for (bytePos = 0; bytePos < sizeof(rawData); bytePos++) {
        /* Walk each byte from the least significant bit upwards. */
        for (bit = 0; bit < 8; bit++) {
            if (rawData[bytePos] & (1 << bit)) {
                parts <<= 1;
                parts |= 1;
            } else {
                /* A 0 bit ends the run: one 1 is a dot, three 1s a dash,
                   and a 0 with no run before it separates characters. */
                if ((parts == 0) && (!sp)) { putchar('\n'); sp = 1; }
                else if (parts == 1) { putchar('.'); sp = 0; }
                else if (parts == 7) { putchar('-'); sp = 0; }
                parts = 0;
            }
        }
    }
    system("pause");   /* Windows only: keeps the console window open */
    return 0;
}
Output:
-.-.--
.-..-.
...-..-
.-...
.----.
-.--.
-.--.-
.-.-.
--..--
-....-
.-.-.-
-..-.
-----
.----
..---
...--
....-
.....
-....
--...
---..
----.
---...
-.-.-.
-...-
..--..
.--.-.
.-
-...
-.-.
-..
.
..-.
--.
....
..
.---
-.-
.-..
--
-.
---
.--.
--.-
.-.
...
-
..-
...-
.--
-..-
-.--
--..
..--.-
.-
-...
-.-.
-..
.
..-.
--.
....
..
.---
-.-
.-..
--
-.
---
.--.
--.-
.-.
...
-
..-
...-
.--
-..-
-.--
--..
That is indeed the morse alphabet :)