Insomni’hack 2013 : Armory wargame

As arm CPU are getting more and more used, we decided to create an arm-based wargame consisting of 4 challenges.

The first one, described here, is a reverse engineering challenge that will give you the credentials to access the actual raspberry pi box.

Here is the beginning of the disassembled code:


As you can see, the first check is done again the strlen that must match 6
Then the program parses argv[1][0] and add it to argv[1][1], the result should be 0xa6
Then argv[1][2] is substracted to argv[1][1], the result should be 5.

Here is the c code for all the checks:

[code language=”cpp”]if (strlen(argv[1]) != 6)
if (argv[1][0]+argv[1][1] != 166)
if (argv[1][1]-argv[1][2] != 5)
if (argv[1][2]+argv[1][3] != 157)
if (argv[1][3]-argv[1][4] != -66)
if (argv[1][4]+argv[1][5] != 163)
if (argv[1][5]-strlen(argv[1]) != 43)

So, we can either try to guess the correct sequence or start from the end as strlen(argv[1]) is known. This gives the string


After that, the real challenge was to be able to run the program without having to reverse the decrypt function 🙂
Any armv6 compatible system could have been used, and we even validated the challenge for the team unable to run the program.

That gave you:
# ./armory 4rm0r1
Nice, you now have access to the armory!
There are 5 available terminals to get your weapons:


Login is : level1
Pass is : In33dmoarweap0ns

Be nice, those hosts are based on low cost raspberry Pi !
Use 'who' and try to get one not in use

Be careful with your exploits on this host, don't let someone else steal your flags :-)

Your flag for this challenge:

Now, if you want to be able to run the raspberry pi system in order to try the challenges, there are 3 ways:

  • Qemu-user emulation in chroot
  • Qemu-system emulation
  • On an actual raspberry pi

Qemu-user chroot:
The archive is made for x86_64 systems but it should be easy to make it work on x86 architecture by reading

You need the binmft_misc kernel module to make it work. Simply untar the following archive somewhere :

Once untargz’ed go inside the directory and run If all goes well, you should be chrooted inside a full arm environment and be able to run native arm code on your x86_64 system

Qemu-system with the image:

Download and
Gunzip the image and launch qemu with :
qemu-system-arm -kernel kernel-qemu -cpu arm1176 -m 256 -M versatilepb -append "root=/dev/sda3" -hda image.img -display sdl

You will have some errors about missing kernel module but the console prompt will come eventually.
User is root and password is toor

Native raspberry pi:
Should be pretty straightforward, just download and copy it over a sdcard (in this case /dev/mmcblk0) like this :
dd if=image.img of=/dev/mmcblk0 bs=10M
User is root and password is toor

It might take a while to launch the ssh daemon but it is due to the dns name resolution.