Mental Adventure Beginning [Warmup]
Aero CTF 2020

Mental Adventure Beginning

This is where the damage to your mental health begins. We do not advise you to open it.

  • NOTE There is not symbol 5 in flag
  • NOTE all flag's symbols in uppercase
  • Download: aero2020_mental.rar

Recon

PIC binary, convert HEX to BIN:

objcopy -I ihex -O binary Beginning.HEX beginning.bin

Schematic:

schematic

We can see the 14-segment display is hooked up to GPIO PORT C and GPIO PORT D. To be more precise, the lower six bits of port C are used and all 8 bits of port D are used.

From wikipedia:

14segment

Extracting

I extracted the following values from the binary:

PORTC PORTD
--------------
0x3f, 0x44,
0x18, 0x04,
0x36, 0x88,
0xfc, 0x08,
0x19, 0x88,
0xed, 0x88,
0xef, 0x88,
0x38, 0x00,
0xff, 0x88,
0xfd, 0x88,
0xfb, 0x88,
0x3c, 0x2a,
0xe7, 0x00,
0x3c, 0x22,
0xe7, 0x80,
0xe3, 0x80,
0xef, 0x08,
0xdb, 0x88,
0xe4, 0x22,
0xde, 0x00,
0x03, 0x94,
0xc7, 0x00,
0xdb, 0x05,
0xdb, 0x11,
0xff, 0x00,
0xf3, 0x88,
0xff, 0x10,
0xf3, 0x98,
0xed, 0x88,
0xe0, 0x22,
0xdf, 0x00,
0xc3, 0x44,
0x1b, 0x50,
0x00, 0x55,
0x00, 0x25,
0xe4, 0x44,
0x00, 0xa2,
0x00, 0x2a,
0x04, 0x00,

Somehow, when the bits are mapped to the 14 segment display, we don't get correct characters. Maybe the wire order is different from the "standard".

Getting the alphabet

Renderer (in lolphp) to figure out the order:

<?php
$d=[
[0x3f, 0x44],
[0x18, 0x04],
[0x36, 0x88],
[0xfc, 0x08],
[0x19, 0x88],
[0xed, 0x88],
[0xef, 0x88],
[0x38, 0x00],
[0xff, 0x88],
[0xfd, 0x88],
[0xfb, 0x88],
[0x3c, 0x2a],
[0xe7, 0x00],
[0x3c, 0x22],
[0xe7, 0x80],
[0xe3, 0x80],
[0xef, 0x08],
[0xdb, 0x88],
[0xe4, 0x22],
[0xde, 0x00],
[0x03, 0x94],
[0xc7, 0x00],
[0xdb, 0x05],
[0xdb, 0x11],
[0xff, 0x00],
[0xf3, 0x88],
[0xff, 0x10],
[0xf3, 0x98],
[0xed, 0x88],
[0xe0, 0x22],
[0xdf, 0x00],
[0xc3, 0x44],
[0x1b, 0x50],
[0x00, 0x55],
[0x00, 0x25],
[0xe4, 0x44],
[0x00, 0xa2],
[0x00, 0x2a],
[0x04, 0x00],
];

define('W', 64);

$segments=[
    /* 0  A */ [ [0, 0], [W, 0] ],
    /* 1  B */ [ [W, 0], [W, W] ],
    /* 2  C */ [ [W, W], [W, W*2] ],
    /* 3  D */ [ [0,W*2], [W, W*2] ],
    /* 4  E */ [ [0,W], [0,W*2] ],
    /* 5  F */ [ [0,0], [0,W] ],

    /* 6  H */ [ [0,0], [W/2,W] ],
    /* 7  I */ [ [W/2,0], [W/2,W] ],
    /* 8  J */ [ [W/2,W], [W,0] ],
    /* 9  K */ [ [0,W*2], [W/2, W] ],
    /* 10 L */ [ [W/2,W], [W/2, W*2] ],
    /* 11 M */ [ [W/2,W], [W, W*2 ] ],

    /* 12 G1 */ [ [0,W], [W/2,W] ],
    /* 13 G2 */ [ [W/2,W], [W,W] ]
];

$segorder=[
    5,
    4,
    3,
    2,
    1,
    0,

    6,
    7,
    8,
    13,

    11,
    10,

    9,
    12
];

$n = 0;

foreach($d as $entry) {
    $val = ($entry[0] & 0x3f) | ($entry[1]<<6);

    $im = imagecreatetruecolor(512, 512);
    $white = imagecolorallocate($im, 255,255,255);
    $red = imagecolorallocate($im, 255, 0, 0);

    for($i=0; $i<14; $i++) {
        if ($val & (1<<$i)) {
            $segment = $segments[ $segorder[$i] ];
            imageline($im, 
                $segment[0][0], $segment[0][1],
                $segment[1][0], $segment[1][1],
                $red
            );
        }
    }
    imagepng($im, "./out/".sprintf("%02d", $n).".png");
    $n++;
}

This renders the alphabet as a set of PNG images. The actual alphabet turned out to be... drumroll: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ{}_

A lot of work for something simple :-)

Solution

Dumping the flag order array:

<?php
$alpha = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ{}_";
$v = [
    0x0A,0x0E,0x1B,0x18,0x24,0x19,0x12,0x0C,0x26,0x12,0x1C,0x26,
    0x1C,0x12,0x16,0x19,0x15,0x0E,0x26,0x1A,0x04,0x0A,0x08,0x14,
    0x01,0x15,0x07,0x25,
];
foreach($v as $vv) {
    echo $alpha[$vv];
}
echo "\n";

Flag

AERO{PIC_IS_SIMPLE_Q4A8K1L7}