radare2 cLEMENCy plugins
DEF CON 25 CTF Finals, organized by Legitimate Business Syndicate, used a brand new architecture called cLEMENCy. It features many bizarre designs:
a[1] << 9 | a[0]
a[1] << 27 | a[2] << 18 | a[0]
Memory mappings:
[0000000,4000000) Main Program Memory
[4000000,400001e) Clock IO
[4010000,4011000) Flag IO
[5000000,5002000) Data Received
[5002000,5002003) Data Received Size
[5010000,5012000) Data Sent
[5012000,5012003) Data Sent Size
[5100000,5104000) NFO file
[7ffff00,7ffff1c) Interrupt Pointers
[7ffff80,8000000) Processor Identification and Features
This repository contains a bunch of radare2 plugins for cLEMENCy.
This repository can be built either standalone or as a subdirectory of radare2-extras.
Specify PKG_CONFIG_PATH
if you install radare2 to a user directory.
# cd clemency
PKG_CONFIG_PATH=~/.config/radare2/prefix/lib/pkgconfig make
(cd .. # cd radare2-extras
./configure --prefix=~/.config/radare2/prefix # generates options.mk
)
make
make info
to see used environment variables.
make symstall
: install symlinks to R2PM_PLUGDIR
and R2PM_SHAREDIR
make install
: install filesDEF CON CTF 2017 Final Scores and Data Dumps
DEF CON 25 CTF Finals service binaries/
contains service binaries used in DEF CON CTF Finals.
r2 -e asm.parser=clcy -e asm.midflags=1 -a clcy clcy:///tmp/babyecho
io/io_clcy.c
: expands 9-bit to 16-bit and unexpands 16-bit when closingcore/core_clcy.c
: hexdump commands tailored to 9-bitbin/bin_clcy.c
: creates sections for cLEMENCy memory mappings, and sets up the NFO sectionasm/asm_clcy.c
: disassembler and assembler. include/opcode-inc.h
is taken from https://github.com/pwning/defcon25-public by Plaid Parliament of Pwninganal/anal_clcy.c
: instruction classifier and ESIL translatorparse/parse_clcy.c
: C-like pseudo disassembler and variable substituterio_clcy
bin_clcy
om
core_clcy
_px
_pw
_pt
asm_clcy
pd
e asm.describe=1
e io.cache=1; wa ldt r1, [r0+0x57, 5]
anal_clcy
e asm.emu=1
parse_clcy
aa; pdc