Challenge / Reversing

ARMs Race

ARMs Race is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

Easy | Published 2025-06-07 | Sanitized local writeup

Scenario

ARMs Race is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

Objective

Challenge walkthrough focused on Reversing evidence, validation, and reusable operator lessons.

Walkthrough flow

  1. Binary triage
  2. Control-flow recovery
  3. Key logic reconstruction
  4. Proof captured

Source coverage

High source coverage

Status: complete. This article is generated from 6 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

100% coverage

Evidence verdict

High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.

  • Reversing/ARMs-Race/writeup.md
  • htb-challenge/Reversing/ARMs-Race/notes.md
  • htb-challenge/Reversing/ARMs-Race/memory-summary.md
  • htb-challenge/Reversing/ARMs-Race/hypothesis-board.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__Reversing__ARMs-Race__memory-summary.md.e9168d5260.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__Reversing__ARMs-Race__notes.md.f4a65df5e4.md

Technical Walkthrough

Writeup

Challenge

  • Name: ARMs-Race
  • Category: Reversing
  • Difficulty: Easy
  • Mode: remote

Summary

The remote service sends 50 levels of ARM machine-code snippets. For each level it asks for the final value of a named ARM register. The solve is to parse the hex blob, emulate it in ARM mode, read the requested register, and submit the unsigned decimal value.

Artifact Inventory

  • Remote service: <TARGET>:32727.
  • No local archive was provided for this challenge.
  • Initial remote probe: analysis/remote/initial-probe.bin.
  • Redacted solver transcript: analysis/remote/solver-transcript-redacted.txt.

Analysis

The first probe showed the protocol shape:

```text
Level 1/50: <hex ARM code>
Register r0:
```

The hex decoded to little-endian ARM instructions. The first level was locally validated with Capstone and Unicorn; the validation output is stored in analysis/remote/level1-emulation-validation.txt.

The solver uses:

  • Unicorn <secret redacted> / <secret redacted>
  • a mapped code page at 0x10000
  • a mapped stack at 0x30000
  • zero-initialized registers except sp
  • emu_start(base, base + len(code))

After emulation, the requested register is read and returned as an unsigned 32-bit decimal integer. This repeated cleanly through 50 levels.

The RAG query returned no useful prior match, so it was recorded as MISSING; local protocol evidence and Unicorn validation were used as the evidence basis.

Solve

Run:

```bash
Reversing/ARMs-Race/.venv/bin/python Reversing/ARMs-Race/solve/solve.py
```

The solver:

  1. Connects to the remote service.
  2. Reads until a level/register prompt is found.
  3. Extracts the ARM hex blob and requested register.
  4. Emulates the blob with Unicorn.
  5. Sends the register value.
  6. Repeats until the final flag is returned.
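The parse and emulate steps above, and the memory layout listed under Analysis, can be sketched as follows. This is an added example, not the archived solve.py: the function names, the stack size, the initial sp value, the instruction cap and the sample prompt are assumptions, and the ARM-mode Unicorn constants are the standard ones for the "ARM mode" the writeup names.

```python
import re

# Bases are the ones the writeup lists; the stack size is an assumption.
CODE_BASE, STACK_BASE, STACK_SIZE = 0x10000, 0x30000, 0x10000
PROMPT = re.compile(rb"Level (\d+)/(\d+): ([0-9a-fA-F]+)\s+Register (r\d{1,2}):")

def parse_level(buf: bytes):
    """Return (level, total, code_bytes, register) or None if the prompt is incomplete."""
    m = PROMPT.search(buf)
    if not m:
        return None  # keep reading from the socket until the register line arrives
    hex_blob = m.group(3)
    if len(hex_blob) % 8:  # ARM-mode instructions are 4 bytes (8 hex digits) each
        raise ValueError("hex blob is not a whole number of ARM instructions")
    code = bytes.fromhex(hex_blob.decode())
    return int(m.group(1)), int(m.group(2)), code, m.group(4).decode()

def emulate(code: bytes, reg: str, max_insns: int = 100_000) -> int:
    """Run the blob in Unicorn (ARM mode) and return `reg` as an unsigned 32-bit int."""
    # Imported here so parse_level stays usable without Unicorn installed.
    from unicorn import Uc, UC_ARCH_ARM, UC_MODE_ARM, arm_const
    uc = Uc(UC_ARCH_ARM, UC_MODE_ARM)
    uc.mem_map(CODE_BASE, (len(code) + 0xFFF) & ~0xFFF)  # mappings must be 4 KiB aligned
    uc.mem_map(STACK_BASE, STACK_SIZE)
    uc.mem_write(CODE_BASE, code)
    # Registers start at zero; only sp is set (mid-stack is an assumed choice).
    uc.reg_write(arm_const.UC_ARM_REG_SP, STACK_BASE + STACK_SIZE // 2)
    # count= bounds the run so a looping blob from the remote side cannot hang the solver.
    uc.emu_start(CODE_BASE, CODE_BASE + len(code), count=max_insns)
    reg_id = getattr(arm_const, "UC_ARM_REG_" + reg.upper())
    return uc.reg_read(reg_id) & 0xFFFFFFFF

# Constructed sample, not captured from the service:
#   mov r0, #5 ; add r0, r0, #7 ; mvn r1, #0
SAMPLE = b"Level 1/50: 0500a0e3070080e20010e0e3\nRegister r1: "

if __name__ == "__main__":
    level, total, code, reg = parse_level(SAMPLE)
    print(f"level {level}/{total}: {reg} = {emulate(code, reg)}")
```

The `mvn r1, #0` in the sample leaves all bits set in r1, which is the case where reporting the value as unsigned rather than signed changes the submitted answer.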

Outputs:

  • loot/flag-candidate.txt
  • loot/remote-transcript.raw
  • analysis/remote/solver-transcript-redacted.txt
  • analysis/remote/solve-summary.json

The harness captured the validated flag into loot/flag.txt.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

  • For remote reversing challenges that provide executable snippets, emulation is usually safer than hand-decoding or symbolic guessing.
  • Keep raw service transcripts under loot/ if a flag may appear; maintain a redacted transcript under analysis/ for writeup and audit.
  • Returning unsigned 32-bit register values matched the service format for all levels.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Challenge: ARMs-Race
  • Category: Reversing
  • Difficulty: Easy
  • Mode: remote
  • Remote instance: <TARGET>:32727
  • Start time: 2026-06-09T10:10:32Z
  • Operator: harness
  • State file: challenge-state.json

Harness Status

  • Current phase: see challenge-state.json
  • Next allowed actions: see next-action.json
  • Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
| | 0 | | remote-only or no provided files | No local artifacts found under files/ |

Evidence Ledger

| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-06-09T10:10:32Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-06-09T10:10:32Z | artifact inventory | analysis/artifact-inventory.json | 0 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-09T10:10:32Z | hypothesis recorded | hypothesis-board.md | Reverse the remote multi-level ARM puzzle protocol and automate all rounds to capture the flag. | Medium | Connect once, save the banner/protocol transcript, identify data format and expected answer per level, then script a deterministic solver. |
| 2026-06-09T10:10:53Z | checkpoint recorded | analysis/checkpoint-triage-20260609T101053644390Z-e708a8ee.md | Checkpoint for TRIAGE | High | Use checkpoint to drive next decision |
| 2026-06-09T10:11:23Z | RAG query | analysis/rag/rag-query-20260609T101115524950Z-cd009092.txt | RAG helper exited 0; output saved | Medium | Record retrieval tag and validation |
| 2026-06-09T10:12:21Z | RAG record | analysis/rag-records.md | Retrieved memory tagged MISSING | Medium | Validate or reject with live evidence |
| 2026-06-09T10:12:22Z | local memory record | analysis/local-memory-records.md | Prior local notes reviewed as fallback/advisory context | Medium | Validate against current evidence |
| 2026-06-09T10:12:22Z | evaluator | analysis/evaluator-20260609T101222060911Z-4c4bb9c8.md | Proceed | High | Run reproducible Unicorn-based remote solver against <TARGET>:32727. |
| 2026-06-09T10:13:51Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-09T10:14:25Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |

Key Findings

  • Remote service at <TARGET>:32727 sends lines shaped like Level N/50: <hex ARM code> followed by Register rX:.
  • The first probe saved the raw banner and first challenge to analysis/remote/initial-probe.bin.
  • Level 1 contained 476 bytes of little-endian ARM mode code and requested r0.
  • Workspace-local unicorn and capstone were installed in .venv for deterministic emulation/disassembly.
  • Local validation emulated the first ARM blob successfully and produced an unsigned register value; see analysis/remote/level1-emulation-validation.txt.
  • Planned solver loop: parse each level, map requested rN to the corresponding Unicorn ARM register, emulate the blob, submit the unsigned decimal register value, and repeat through 50 levels.
  • Reproducible solver completed 50/50 levels against the remote service; see analysis/remote/solve-summary.json.
  • Raw transcript is stored in loot/remote-transcript.raw; a redacted copy is stored in analysis/remote/solver-transcript-redacted.txt.
  • Harness captured the final flag into loot/flag.txt.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

```bash
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."
```

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

  • Platform: HackTheBox Challenges
  • Category: Reversing
  • Challenge: ARMs-Race
  • Difficulty: Easy
  • Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1.

Reusable Lessons

-

Dead Ends

-

Tool Quirks

-

Evidence Paths

-

Ingestion Decision

  • Proposed for LightRAG: yes/no
  • Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
|---|---|---|---|---|---|---|
| 1 | Reverse the remote multi-level ARM puzzle protocol and automate all rounds to capture the flag. | Challenge is Reversing, remote-only, and scenario references an ARMs race plus a server sending mysterious data. | | Connect once, save the banner/protocol transcript, identify data format and expected answer per level, then script a deterministic solver. | Medium | Active |

Closed Branches

| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
|---|---|---|---|---|

Memory Summary

approval_required: true


Technical analogy

How to remember this solve

Think of it like taking apart a small appliance on a workbench. You do not need every screw at once; you trace the control path and rebuild just enough logic to make it reveal the answer.

For ARMs Race, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.