This is actually a challenge from the qualifiers, but because this challenge will be used in the Finals again so we weren’t allowed to post about it until after the finals. More on that later, here’s the writeup.

LSCVM: Immaculate Invasion


During our recon on the notorious fools of LightSpeedCorp, we have discovered this service which runs on a really simple, tiny, trivial, virtual machine that they have created. We are not sure of its purpose, but it certainly looks fun to play with. 9001

IMPORTANT: We highly recommend you to fully understand this challenge as we will use this VM again in the Final.


Looking at the strings in the binary, it looks like we are dealing with a Stack based vm, and those long strings are probably the instructions.


If we try running it we’ll get an error.

cddc/re/LSCVM ➜ ./lscvm-ii
[-] Flag file open error: No such file or directory

We find the code that is throwing the error and we can see it is trying to read a file called flag.

Read flag

Let’s create a file called flag to fix this error.

echo 'CTF{flag}' > flag

Now when we run it we can see that it asks us for an ID which we have to figure out.

cddc/re/LSCVM ➜ ./lscvm-ii

=== Welcome to LSCVM(LightSpeed Corp Virtual Machine) ===

ID : 1
[-] Wrong id

After doing some analysis, I figured out that if argc is 2 the program will print out ‘debug’ information.

cddc/re/LSCVM ➜ ./lscvm-ii a
@0 c [ 02 ]
@1 f [ 02 05 ]
@2 M [ 0a ]
@3 c [ 0a 02 ]
@4 f [ 0a 02 05 ]
@5 M [ 0a 0a ]
@6 h [ 0a 0a 07 ]
@7 i [ 0a 0a 07 08 ]
@8 M [ 0a 0a 38 ]
@9 f [ 0a 0a 38 05 ]
@10 A [ 0a 0a 3d ]

The information can be interpreted this way.

Instruction pointer instruction output Stack after running instruction
@0 c [ 02 ]
@1 f [ 02 05 ]
@2 M [ 0a ]

Using the debug output and static analysis, I was able to recover the whole instruction set.

Opcode (Hex) Opcode (Char) Assmebly Comment
Default NIL nop no operation, waste cycle
0x0a \n nop no operation, waste cycle
0x20 \s nop no operation, waste cycle
0x41 A add Pop 2 values from stack and push the addition
0x42 B hlt Stop executing code
0x43 C jmp Pop and jump to value
0x44 D pop Pop a value and do nothing
0x45 E read Pop addr and push val. 0 <= addr <= 0x3fff
0x46 F sclone pop value n and (clone) push n+1 th previous stack value
0x47 G ipadd Pop value and add it to IP (Instruction Pointer)
0x48 H sshift pop value n and shift n+1 th previous stack value to the top of the stack
0x49 I pint Pop value and Print as int
0x4a J cmp pop 2 values and push 0 if equal, 1 if first pop is smaller else -1. 0
0x4b K write first pop is addr, 2nd pop is value to write
0x4d M mul Pop 2 values from stack and push the multiplication
0x50 P pchar Pops value from stack and print as char
0x52 R rjmp Jump to previous jump location, cant do twice in a row, because it consumes the previous jump location.
0x53 S sub subtract 1st pop from 2nd pop push result
0x56 V div Divide (floor) 2nd pop by 1st pop and push result
0x5a Z ipcadd conditional add to IP, if 2nd pop is 0, add 1st pop to IP
0x61 a p0 Push 0x00 to stack
0x62 b p1 Push 0x01 to stack
0x63 c p2 Push 0x02 to stack
0x64 d p3 Push 0x03 to stack
0x65 e p4 Push 0x04 to stack
0x66 f p5 Push 0x05 to stack
0x67 g p6 Push 0x06 to stack
0x68 h p7 Push 0x07 to stack
0x69 i p8 Push 0x08 to stack
0x6a j p9 Push 0x09 to stack

The input we are giving the program is actually being executed by the vm as code.

To get the flag, we have to provide the vm with code that will write lsc_user to the vm memory, and then provide another code that will write hi_darkspeed-corp! to the vm memory.

Get flag conditions

Using the instruction set recovered I wrote this script to generate the vm code required to write the strings to memory and submit it to the service.

#!/usr/bin/env python3
import socket

nums = {

def write_str(target):
    output = ''
    for i in range(len(target)):
        output += nums[ord(target[i])] + nums[i]

    return output + 'K' * len(target)

id_code = write_str('lsc_user')
pass_code = write_str('hi_darkspeed-corp!')
print('ID: {}\nPassword: {}\n'.format(id_code, pass_code))

print('Connecting to service...')
while True:
    msg = client.recv(1024).decode()
    if msg:
        if '$CDDC19${' in msg:
cddc/re/LSCVM ➜ ./
ID: jjMdjMAajjMfhMbSAbjjMcjMAcjjMchMAdjjMfhMbAAejjMfhMbSAfjjMcjMAcAgjjMfhMcSAhKKKKKKKK
Password: jjMdhMcAAajjMdhMdAAbjjMchMAcjjMcjMAbAdjjMcjMAcSejjMfhMcSAfjjMdjMAbSgjjMfhMbSAhjjMfhMeSA

Connecting to service...

=== Welcome to LSCVM(LightSpeed Corp Virtual Machine) ===

ID : Password :
Login Successful! $CDDC19${IcY_GrE37ings_Fr0M_LigHT5pEeDC0Rp}

lsc_user, Good Bye!




The organizers stated in the qualifiers LSCVM challenges that it is important to fully understand the VM as it will be used again in the Finals.

IMPORTANT: We highly recommend you to fully understand this challenge as we will use this VM again in the Final.

The way they brought this accross made me think that it will play a big part in the finals, so I built a tool for the purpose of working on LSCVM challenge(s) during the Finals. However LSCVM was not a big part of the Finals and I didn’t get to use my tool at all.

The finals also had Rings where you have to solve a certain number of challenges to unlock the next ring. Personally I don’t think the rings concept is a good idea, because what if it just so happens the participant can’t solve the starting challenges but they can solve the ones in the next or next next ring? I would’ve preferred it if the challenges were all available at the start.

I understand that it was implemented to limit the number of teams that can attempt the hardware challenges because they don’t have enought equipment for everyone to attempt at the same time, but this can also be done by only unlocking the hardware challenges once a team reach a certain number of points/solves, instead of implementing Rings.

There’s not gonna be any writeup for the finals challenges cause I did everything on the provided laptop and didn’t transfer the files out.