Hubbub
We are given a binary file called Hubbub:
$ file Hubbub
Hubbub: ELF 32-bit LSB executable, Atmel AVR 8-bit, version 1 (SYSV), statically linked, with debug_info, not stripped
Arduino setup
This file is an extracted Arduino firmware image. One can notice this by looking at the output of strings:
$ strings Hubbub | grep ino
/home/jamie/.arduino15/packages/arduino/hardware/avr/1.8.6/cores/arduino
/home/jamie/.arduino15/packages/arduino/tools/avr-gcc/7.3.0-atmel3.6.1-arduino7/avr/include
/home/jamie/.arduino15/packages/arduino/hardware/avr/1.8.6/variants/eightanaloginputs/../standard
Hubbub.ino
pins_arduino.h
We can use Ghidra to analyze this file. But first, we need to configure AVR support in Ghidra. For this, I followed this guide, which says the following:
First, place the file atmega328.pspec in the directory Ghidra/Processors/Atmel/data/languages. Then, modify the file Ghidra/Processors/Atmel/data/languages/avr8.ldefs and add the <language> tag highlighted in the following listing:
<?xml version="1.0" encoding="UTF-8"?>
<language_definitions>
  <!-- [...] -->
  <language processor="AVR8"
            endian="little"
            size="16"
            variant="atmega328"
            version="1.0"
            slafile="avr8eind.sla"
            processorspec="atmega328.pspec"
            manualindexfile="../manuals/AVR8.idx"
            id="avr8:LE:16:atmega328">
    <description>AVR8 for an Atmega 328</description>
    <compiler name="gcc" spec="avr8egcc.cspec" id="gcc"/>
    <external_name tool="gnu" name="avr:51"/>
    <external_name tool="gnu" name="avr:6"/>
    <external_name tool="IDA-PRO" name="avr"/>
  </language>
  <!-- [...] -->
</language_definitions>
Decompilation
At this point, we can load the binary in Ghidra, selecting the atmega328 architecture. We will see the following main function:
void main() {
  // ...
  delay(0, 400);
  tone(0, 300);
  delay(0, 400);
  delay(0, 400);
  tone(0, 300);
  delay(0, 400);
  delay(0, 400);
  tone(0, 300);
  delay(0, 400);
  delay(0, 400);
  tone(0, 300);
  delay(0, 400);
  delay(0, 1000);
  delay(0, 400);
  tone(0, 600);
  delay(0, 400);
  delay(0, 1000);
  delay(0, 400);
  tone(0, 600);
  delay(0, 400);
  delay(0, 400);
  // ...
  tone(0, 600);
  delay(0, 400);
  delay(0, 1000);
  delay(0, 400);
  tone(0, 600);
  delay(0, 400);
  delay(0, 400);
  tone(0, 300);
  delay(0, 400);
  do {
    /* WARNING: Do nothing block with infinite loop */
  } while (true);
}
I had to tweak some function calls that were not correctly interpreted. Namely, tone is expected to receive two arguments (pin and frequency), and delay expects a single argument (ms). I couldn’t manage to fix delay for some reason, but it didn’t really matter in the end.
I don’t know if we can run this binary on a simulation tool or not. The fact is that I didn’t find any tool for this, so I was left with my guessing skills. Since we are dealing with tone and delay, maybe we can think of Morse code. And indeed, it is Morse code!
Morse code
It turns out that tone(0, 300) stands for . and tone(0, 600) stands for -. Then, delay(0, 1000) is a separator between symbols and delay(0, 2000) is a separator between words:
// code: .... (H)
delay(0,400); tone(0,300); delay(0,400);
delay(0,400); tone(0,300); delay(0,400);
delay(0,400); tone(0,300); delay(0,400);
delay(0,400); tone(0,300); delay(0,400);
delay(0,1000); // symbol separator
// code: - (T)
delay(0,400); tone(0,600); delay(0,400);
delay(0,1000); // symbol separator
// code: -... (B)
delay(0,400); tone(0,600); delay(0,400);
delay(0,400); tone(0,300); delay(0,400);
delay(0,400); tone(0,300); delay(0,400);
delay(0,400); tone(0,300); delay(0,400);
delay(0,2000); // word separator
// code: .- (A)
delay(0,400); tone(0,300); delay(0,400);
delay(0,400); tone(0,600); delay(0,400);
delay(0,2000); // word separator
// code: -. (N)
delay(0,400); tone(0,600); delay(0,400);
delay(0,400); tone(0,300); delay(0,400);
delay(0,1000); // symbol separator
// code: --- (O)
delay(0,400); tone(0,600); delay(0,400);
delay(0,400); tone(0,600); delay(0,400);
delay(0,400); tone(0,600); delay(0,400);
delay(0,1000); // symbol separator
// ...
So, manually, we have HTB A NO.
Flag
We can use some text-editing skills to translate each part into . and -, with spaces as symbol separators and / as word separators. Then, we paste it into CyberChef and we are done:

So, the flag is:
HTB{A NOISY BUZZER COMMANDS ATTENTION}
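The translation step described above can also be scripted instead of done by hand. The following is an added example, not part of the original write-up: it parses tone/delay calls from decompiler text using the mapping given in the Morse code section and decodes the result. The names to_morse, decode, CALL and SAMPLE are hypothetical, the sample input is constructed from the HTB A NO excerpt, and it assumes the decompiler prints the constants in decimal.

```python
import re

# Mapping from the write-up: tone frequency -> Morse mark; delays of 1000/2000
# separate letters/words, and the 400 ms delays around each tone are ignored.
MARKS = {300: ".", 600: "-"}
LETTER_GAP, WORD_GAP = 1000, 2000
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
}
# Hypothetical helper regex: matches tone(x, N) / delay(x, N) in decompiler text.
CALL = re.compile(r"\b(tone|delay)\s*\(\s*\w+\s*,\s*(\d+)\s*\)")

def to_morse(decompiled: str) -> str:
    """Turn tone()/delay() calls into '.', '-', ' ' (letter) and ' / ' (word)."""
    out = []
    for func, value in CALL.findall(decompiled):
        n = int(value)
        if func == "tone":
            if n not in MARKS:
                raise ValueError(f"unexpected tone frequency {n}")
            out.append(MARKS[n])
        elif n == LETTER_GAP:
            out.append(" ")
        elif n == WORD_GAP:
            out.append(" / ")
    return "".join(out).strip()

def decode(morse: str) -> str:
    """Decode Morse text; unknown groups become '?' instead of failing."""
    words = [w.split() for w in morse.split("/")]
    return " ".join("".join(MORSE.get(g, "?") for g in w) for w in words if w)

# Constructed sample: the calls shown in the write-up for "HTB A NO".
DOT = "delay(0,400); tone(0,300); delay(0,400);\n"
DASH = "delay(0,400); tone(0,600); delay(0,400);\n"
GAP, WGAP = "delay(0,1000);\n", "delay(0,2000);\n"
SAMPLE = (DOT * 4 + GAP + DASH + GAP + DASH + DOT * 3 + WGAP
          + DOT + DASH + WGAP + DASH + DOT + GAP + DASH * 3 + GAP)

if __name__ == "__main__":
    print(to_morse(SAMPLE))          # Morse text
    print(decode(to_morse(SAMPLE)))  # decoded letters
```

Pasting the full decompiled main body from Ghidra into to_morse in place of SAMPLE yields the Morse string that the write-up feeds to CyberChef.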