-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdojo.yml
181 lines (161 loc) · 5.94 KB
/
dojo.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
id: arm-architecture
name: ARM Architecture
type: public
award:
emoji: 🦾
description: |
ARM processors are a competitor to the intel processors most of the dojo focuses on.
Dominating the mobile computing space, these chips excel at power-efficient processing.
Recently, ARM processors can also be found in personal computers, with Apple's
M1 and M2 chips serving as notable examples.
This is an open-source community dojo exploring the aarch64 architecture.
Pull requests are welcome! https://github.com/pwncollege/arm-dojo
modules:
- id: intro-to-arm
name: Introduction to ARM
description: |
Unlike amd64, ARM assembly (aarch64) is a RISC architecture with a small number of fast
instructions. This module provides a short crash-course to get familiar with some of
the key differences in aarch64. Drawing directly from the "Assembly Crash Course" module
where possible to highlight differences.
challenges:
- id: set-register
name: Level1
description: Set a register value.
- id: set-register-large
name: Level2
description: Set a register to a large value.
- id: line-eq
name: Level3
description: Basic arithmetic.
- id: line-eq-single
name: Level4
description: Efficient arithmetic.
- id: mod
name: Level5
description: Perform a modulo operation.
- id: bitshift
name: Level6
description: Perform bitshift operations.
- id: mem-access
name: Level7
description: Loading and storing values.
- id: mem-access-pair
name: Level8
description: Loading and storing pairs.
- id: pop-push
name: Level9
description: Working with the stack.
- id: reg-swap
name: Level10
description: Swapping register values.
- id: mem-access-array
name: Level11
description: Compute a sum from an array.
- id: mem-access-array-six
name: Level12
description: Efficiently compute a sum from an array.
- id: jumps
name: Level13
description: The branch instruction.
- id: avg
name: Level14
description: Write an average function.
- id: fib
name: Level15
description: Write a fib function.
resources:
- name: "General Tips"
type: markdown
content: |
The dojo box CPU is amd64 architecture. Working with a non-native architecture has its own unique challenges.
The simplest way to interact with these challenges is with a short pwntools script.
A template you can use is shown below.
```
#!/usr/bin/env python3
from pwn import *
context.arch = 'aarch64'
asm_bytes = asm("""
PUT YOUR AARCH64 ASSEMBLY HERE
""")
with process('/challenge/run') as p:
p.send(asm_bytes)
p.stdin.close()
p.interactive()
```
- name: "Helpful Resources"
type: markdown
content: |
- [Official ARMv8 Documentation](https://developer.arm.com/documentation/den0024/a/)
- [ARM aarch64 Instruction Set Guide](https://developer.arm.com/documentation/102374/0101/Overview)
- id: arm-rop
name: ARM64 ROP
image: pwncollege/arm-rop
description: |
ARM64 has a number of differences in the calling convention, prologues, and epilogues that cause ROP to be different than on x86_64.
Because these challenges are running on an x86-64 host, you might need any of the `aarch64-linux-gnu-*` tools, such as `aarch64-linux-gnu-objdump`.
gdb is now a 2-step process:
In one terminal / tmux window:
```bash
$ /usr/bin/qemu-aarch64-static -g 1234 /challenge/level-1-0
```
In another:
```bash
$ gdb-multiarch /challenge/level-1-0
(gdb) target remote localhost:1234
```
visibility:
start: "2024-09-04T20:00:00-07:00"
challenges:
- id: level-1-0
name: level-1-0
description: |
The goal of this level is quite simple: redirect control flow to the win function.
- id: level-1-1
name: level-1-1
description: |
The goal of this level is quite simple: redirect control flow to the win function.
- id: level-2-0
name: level-2-0
description: |
Now let's see about redirect control flow to multiple functions.
- id: level-2-1
name: level-2-1
description: |
Now let's see about redirect control flow to multiple functions.
- id: level-3-0
name: level-3-0
description: |
What about passing arguments to multiple functions?
- id: level-3-1
name: level-3-1
description: |
What about passing arguments to multiple functions?
- id: level-3-0-a
name: level-3-0-a
description: |
If you did the last one correctly this should be easy.
- id: level-3-1-a
name: level-3-1-a
description: |
If you did the last one correctly this should be easy.
- id: level-4-0
name: level-4-0
description: |
Now, let's just pop stuff
- id: level-4-1
name: level-4-1
description: |
Now, let's just pop stuff
- id: static-binary-rop
name: static-binary-rop
description: |
Now that you have the hang of things, how about you pop a statically compiled binary with no inserted gadgets?
- id: level-4-1-gcc
name: level-4-1-gcc
description: |
Other compilers are different, let's now do a few levels that are compiled by gcc instead of clang to see the difference.
- id: level-3-1-a-gcc
name: hard-level-3-1-a-gcc
description: |
It seems that compilers can do very strange things, including breaking things, yet I have faith in the hackers...