write-ups-challenges-2020-2021/Risky-Business/README.md
2022-11-24 18:03:20 +01:00


== Title ==
Risky Business
== Description ==
Warning: Difficult challenge.
I found a RISC-V emulator lying around. I heard that there's a flag in there somewhere...
To help you get started, I'll give you an ELF binary that runs on the emulator. It won't help you find the flag, but it will help you figure out what the binaries look like.
== Flag ==
IGCTF{RISC-V_is_amazing_and_so_are_you}
== Files ==
Participants should receive the riscv_sim_RV64 and the example file.
== Deployment ==
/
== Solution ==
First of all, a command that lets you compile RISC-V assembly code for the emulator (clang itself needs to be built with RISC-V target support):
clang -nostdlib -Ttext 0x80000000 --target=riscv64-unknown-freebsd -march=rv64g -mno-relax -o binary source.S
Before we move on to writing some code, we can have a look at the emulator in Ghidra.
Searching for strings will turn up a number of variables named FLAG_PART1, FLAG_PART2, etc.
Upon further inspection, these variables contain (contiguous) addresses of the parts of the flag, starting at 0xd000.
These raw addresses cannot be read directly from guest code: a base offset is still missing. Searching through the address space from assembly, or closely inspecting the decompiled emulator, yields the correct offset, namely 0x2000000 (start of the CLINT).
Writing some assembly code that reads these addresses into registers should print the flag in hexadecimal format in the log of the emulator.
An example is given in the solution/ directory. This directory also contains some macros that take care of the initialisation of the emulator. They can be found online, for example here: https://github.com/riscv/riscv-test-env/blob/master/p/riscv_test.h
The other macro file can be found in the same repository.
Compiling and running the provided code will load the flag into register x12. Grepping the emulator logs for "x12" will yield the flag in hex.
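As an added illustration (not the code from the solution/ directory), here is a bare program that walks the flag region and loads each 8-byte word into x12 (a2). It assumes the emulator begins executing at the ELF entry without the riscv_test.h initialisation macros, that the flag is mapped at the CLINT base plus 0xd000 as found above, and that five doublewords (40 bytes) are enough to cover it; the part count is an assumption, not something the challenge states.

```asm
    .section .text
    .globl _start
_start:
    li   t0, 0x2000000      # CLINT base, the missing offset found in the emulator
    li   t1, 0xd000         # first flag address (value of FLAG_PART1)
    add  t0, t0, t1         # t0 = 0x200d000, the first readable flag word
    li   t2, 5              # number of 8-byte parts to dump (assumed, adjust as needed)
1:
    ld   a2, 0(t0)          # a2 is x12; every load is visible in the emulator log
    addi t0, t0, 8          # next doubleword
    addi t2, t2, -1
    bnez t2, 1b
2:
    j    2b                 # spin so the emulator keeps running instead of faulting
```

RISC-V is little-endian, so each hex value logged for x12 holds the eight flag bytes in reverse order; reverse the byte pairs of each value before converting them to ASCII.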