ctf-writeups

Warp

The warp tunnel is letting people past our firewall!

File link: warp

Run warp with sudo, use bpftool to dump info:

# https://docs.cilium.io/en/latest/reference-guides/bpf/debug_and_test.html
$ sudo bpftool prog
xdp  name xdp_prog  tag xxxxxxxxxxxxxxxx
        loaded_at xxxxxxxxxxxxxxxxxxxxxxxx  uid 0
        xlated 3264B  jited 1922B  memlock 4096B  map_ids 158,159
        btf_id 293
$ sudo bpftool prog dump xlated id 988
int xdp_prog(struct xdp_md * ctx):
; void *data_end = (void *)(long)ctx->data_end;
(79) r7 = *(u64 *)(r1 +8)
; void *data = (void *)(long)ctx->data;
(79) r1 = *(u64 *)(r1 +0)
; if (data + sizeof(struct ethhdr) > data_end)
(bf) r6 = r1
(07) r6 += 14
; if (data + sizeof(struct ethhdr) > data_end)
(2d) if r6 > r7 goto pc+401
(bf) r2 = r1
(07) r2 += 34
; if (h_proto != 0x0800)
(2d) if r2 > r7 goto pc+398
(69) r2 = *(u16 *)(r1 +12)
(55) if r2 != 0x8 goto pc+396
; u32 ip_header_len = ip->ihl * 4;
(71) r2 = *(u8 *)(r6 +0)
; u32 ip_header_len = ip->ihl * 4;
(67) r2 <<= 2
(57) r2 &= 60
(b7) r3 = 20
; if (ip_header_len < sizeof(struct iphdr))
(2d) if r3 > r2 goto pc+391
; if (ip->protocol == IPPROTO_UDP) {
(71) r1 = *(u8 *)(r1 +23)
; if (ip->protocol == IPPROTO_UDP) {
(15) if r1 == 0x6 goto pc+4
(55) if r1 != 0x11 goto pc+388
; struct udphdr *udp = (void *)ip + ip_header_len;
(0f) r6 += r2
; payload = (void *)(udp + 1);
(07) r6 += 8
; } else if (ip->protocol == IPPROTO_TCP) {
(05) goto pc+10
; struct tcphdr *tcp = (void *)ip + ip_header_len;
(0f) r6 += r2
; if ((void *)(tcp + 1) > data_end)
(bf) r1 = r6
(07) r1 += 20
; if ((void *)(tcp + 1) > data_end)
(2d) if r1 > r7 goto pc+381
; __u32 tcp_hdr_len = tcp->doff * 4;
(69) r1 = *(u16 *)(r6 +12)
; __u32 tcp_hdr_len = tcp->doff * 4;
(77) r1 >>= 2
(57) r1 &= 60
; if (tcp_hdr_len < sizeof(struct tcphdr))
(0f) r6 += r1
(b7) r2 = 20
(2d) if r2 > r1 goto pc+375
; if (payload + prefix_size > data_end)
(bf) r8 = r6
(07) r8 += 4
; if (payload + prefix_size > data_end)
(2d) if r8 > r7 goto pc+372
; if (__builtin_memcmp(payload, prefix, prefix_size) != 0)
(71) r1 = *(u8 *)(r6 +1)
(67) r1 <<= 8
(71) r2 = *(u8 *)(r6 +0)
(4f) r1 |= r2
(71) r2 = *(u8 *)(r6 +2)
(67) r2 <<= 16
(71) r3 = *(u8 *)(r6 +3)
(67) r3 <<= 24
(4f) r3 |= r2
(4f) r3 |= r1
; if (__builtin_memcmp(payload, prefix, prefix_size) != 0)
(55) if r3 != 0x70723457 goto pc+361
; struct event *e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
(18) r1 = map[id:149]
(b7) r2 = 33
(b7) r3 = 0
(85) call bpf_ringbuf_reserve#309632
; if (!e)
(15) if r0 == 0x0 goto pc+355
; if (event_data + i >= data_end)
(3d) if r8 >= r7 goto pc+156
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +4)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +0) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 5
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+151
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +5)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +1) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 6
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+146
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +6)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +2) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 7
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+141
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +7)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +3) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 8
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+136
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +8)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +4) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 9
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+131
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +9)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +5) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 10
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+126
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +10)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +6) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 11
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+121
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +11)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +7) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 12
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+116
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +12)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +8) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 13
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+111
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +13)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +9) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 14
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+106
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +14)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +10) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 15
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+101
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +15)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +11) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 16
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+96
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +16)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +12) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 17
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+91
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +17)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +13) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 18
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+86
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +18)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +14) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 19
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+81
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +19)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +15) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 20
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+76
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +20)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +16) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 21
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+71
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +21)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +17) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 22
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+66
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +22)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +18) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 23
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+61
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +23)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +19) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 24
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+56
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +24)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +20) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 25
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+51
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +25)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +21) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 26
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+46
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +26)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +22) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 27
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+41
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +27)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +23) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 28
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+36
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +28)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +24) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 29
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+31
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +29)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +25) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 30
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+26
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +30)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +26) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 31
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+21
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +31)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +27) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 32
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+16
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +32)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +28) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 33
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+11
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +33)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +29) = r1
; if (event_data + i >= data_end)
(bf) r1 = r6
(07) r1 += 34
; if (event_data + i >= data_end)
(3d) if r1 >= r7 goto pc+6
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +34)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +30) = r1
; if (event_data + i >= data_end)
(07) r6 += 35
; if (event_data + i >= data_end)
(3d) if r6 >= r7 goto pc+2
; e->text[i] = ((char *)event_data)[i];
(71) r1 = *(u8 *)(r6 +0)
; e->text[i] = ((char *)event_data)[i];
(73) *(u8 *)(r0 +31) = r1
(b7) r1 = 0
(b7) r2 = 33
(05) goto pc+51
(0f) r3 += r1
(73) *(u8 *)(r3 +0) = r4
; for (int i = 0; i < sizeof(check); i++) {
(07) r1 += 1
; for (int i = 0; i < sizeof(check); i++) {
(55) if r1 != 0x1e goto pc+47
; if (__builtin_memcmp(e->text, f.text, sizeof(check)) == 0) {
(71) r2 = *(u8 *)(r10 -28)
(67) r2 <<= 8
(71) r1 = *(u8 *)(r10 -29)
(4f) r2 |= r1
(71) r3 = *(u8 *)(r10 -27)
(67) r3 <<= 16
(71) r1 = *(u8 *)(r10 -26)
(67) r1 <<= 24
(4f) r1 |= r3
(71) r4 = *(u8 *)(r10 -32)
(67) r4 <<= 8
(71) r3 = *(u8 *)(r10 -33)
(4f) r4 |= r3
(71) r5 = *(u8 *)(r10 -31)
(67) r5 <<= 16
(71) r3 = *(u8 *)(r10 -30)
(67) r3 <<= 24
(4f) r3 |= r5
(4f) r3 |= r4
(4f) r1 |= r2
(71) r4 = *(u8 *)(r0 +1)
(67) r4 <<= 8
(71) r2 = *(u8 *)(r0 +0)
(4f) r4 |= r2
(71) r5 = *(u8 *)(r0 +2)
(67) r5 <<= 16
(71) r2 = *(u8 *)(r0 +3)
(67) r2 <<= 24
(4f) r2 |= r5
(67) r1 <<= 32
(4f) r1 |= r3
(4f) r2 |= r4
(71) r3 = *(u8 *)(r0 +5)
(67) r3 <<= 8
(71) r4 = *(u8 *)(r0 +4)
(4f) r3 |= r4
(71) r4 = *(u8 *)(r0 +6)
(67) r4 <<= 16
(71) r5 = *(u8 *)(r0 +7)
(67) r5 <<= 24
(4f) r5 |= r4
(4f) r5 |= r3
(67) r5 <<= 32
(4f) r5 |= r2
(1d) if r5 == r1 goto pc+18
(b7) r1 = 1
(05) goto pc+137
(bf) r3 = r10
(07) r3 += -33
; f->text[i] = check[i] ^ 0x60;
(18) r4 = map[id:148][0]+16
(0f) r4 += r1
(71) r4 = *(u8 *)(r4 +0)
; f->text[i] = check[i] ^ 0x60;
(a7) r4 ^= 96
(67) r4 <<= 56
(c7) r4 s>>= 56
; if (f->text[i] >= 33 && f->text[i] <= 126) {
(6d) if r2 s> r4 goto pc-61
; f->text[i] = 33 + ((f->text[i] + 14) % 94u);
(07) r4 += 14
(67) r4 <<= 32
(77) r4 >>= 32
; f->text[i] = 33 + ((f->text[i] + 14) % 94u);
(97) r4 %= 94
; f->text[i] = 33 + ((f->text[i] + 14) % 94u);
(07) r4 += 33
(05) goto pc-67
; if (__builtin_memcmp(e->text, f.text, sizeof(check)) == 0) {
(71) r2 = *(u8 *)(r10 -20)
(67) r2 <<= 8
(71) r1 = *(u8 *)(r10 -21)
(4f) r2 |= r1
(71) r3 = *(u8 *)(r10 -19)
(67) r3 <<= 16
(71) r1 = *(u8 *)(r10 -18)
(67) r1 <<= 24
(4f) r1 |= r3
(71) r4 = *(u8 *)(r10 -24)
(67) r4 <<= 8
(71) r3 = *(u8 *)(r10 -25)
(4f) r4 |= r3
(71) r5 = *(u8 *)(r10 -23)
(67) r5 <<= 16
(71) r3 = *(u8 *)(r10 -22)
(67) r3 <<= 24
(4f) r3 |= r5
(4f) r3 |= r4
(4f) r1 |= r2
(71) r4 = *(u8 *)(r0 +9)
(67) r4 <<= 8
(71) r2 = *(u8 *)(r0 +8)
(4f) r4 |= r2
(71) r5 = *(u8 *)(r0 +10)
(67) r5 <<= 16
(71) r2 = *(u8 *)(r0 +11)
(67) r2 <<= 24
(4f) r2 |= r5
(67) r1 <<= 32
(4f) r1 |= r3
(4f) r2 |= r4
(71) r3 = *(u8 *)(r0 +13)
(67) r3 <<= 8
(71) r4 = *(u8 *)(r0 +12)
(4f) r3 |= r4
(71) r4 = *(u8 *)(r0 +14)
(67) r4 <<= 16
(71) r5 = *(u8 *)(r0 +15)
(67) r5 <<= 24
(4f) r5 |= r4
(4f) r5 |= r3
(67) r5 <<= 32
(4f) r5 |= r2
(5d) if r5 != r1 goto pc-63
(71) r2 = *(u8 *)(r10 -12)
(67) r2 <<= 8
(71) r1 = *(u8 *)(r10 -13)
(4f) r2 |= r1
(71) r3 = *(u8 *)(r10 -11)
(67) r3 <<= 16
(71) r1 = *(u8 *)(r10 -10)
(67) r1 <<= 24
(4f) r1 |= r3
(71) r4 = *(u8 *)(r10 -16)
(67) r4 <<= 8
(71) r3 = *(u8 *)(r10 -17)
(4f) r4 |= r3
(71) r5 = *(u8 *)(r10 -15)
(67) r5 <<= 16
(71) r3 = *(u8 *)(r10 -14)
(67) r3 <<= 24
(4f) r3 |= r5
(4f) r3 |= r4
(4f) r1 |= r2
(71) r4 = *(u8 *)(r0 +17)
(67) r4 <<= 8
(71) r2 = *(u8 *)(r0 +16)
(4f) r4 |= r2
(71) r5 = *(u8 *)(r0 +18)
(67) r5 <<= 16
(71) r2 = *(u8 *)(r0 +19)
(67) r2 <<= 24
(4f) r2 |= r5
(67) r1 <<= 32
(4f) r1 |= r3
(4f) r2 |= r4
(71) r3 = *(u8 *)(r0 +21)
(67) r3 <<= 8
(71) r4 = *(u8 *)(r0 +20)
(4f) r3 |= r4
(71) r4 = *(u8 *)(r0 +22)
(67) r4 <<= 16
(71) r5 = *(u8 *)(r0 +23)
(67) r5 <<= 24
(4f) r5 |= r4
(4f) r5 |= r3
(67) r5 <<= 32
(4f) r5 |= r2
(5d) if r5 != r1 goto pc-108
(71) r2 = *(u8 *)(r10 -8)
(67) r2 <<= 8
(71) r1 = *(u8 *)(r10 -9)
(4f) r2 |= r1
(71) r3 = *(u8 *)(r10 -7)
(67) r3 <<= 16
(71) r1 = *(u8 *)(r10 -6)
(67) r1 <<= 24
(4f) r1 |= r3
(4f) r1 |= r2
(71) r2 = *(u8 *)(r0 +25)
(67) r2 <<= 8
(71) r3 = *(u8 *)(r0 +24)
(4f) r2 |= r3
(71) r3 = *(u8 *)(r0 +26)
(67) r3 <<= 16
(71) r4 = *(u8 *)(r0 +27)
(67) r4 <<= 24
(4f) r4 |= r3
(4f) r4 |= r2
(5d) if r4 != r1 goto pc-129
(71) r2 = *(u8 *)(r10 -4)
(67) r2 <<= 8
(71) r1 = *(u8 *)(r10 -5)
(4f) r2 |= r1
(71) r1 = *(u8 *)(r0 +28)
(71) r3 = *(u8 *)(r0 +29)
(67) r3 <<= 8
(4f) r3 |= r1
(b7) r1 = 0
(5d) if r3 != r2 goto pc-139
(b7) r2 = 1
; if (__builtin_memcmp(e->text, f.text, sizeof(check)) == 0) {
(15) if r1 == 0x0 goto pc+1
(b7) r2 = 0
(73) *(u8 *)(r0 +32) = r2
; bpf_ringbuf_submit(e, 0);
(bf) r1 = r0
(b7) r2 = 0
(85) call bpf_ringbuf_submit#311184
; }
(b7) r0 = 2
(95) exit
$ sudo /sbin/bpftool map dump id 159
key:
00 00 00
value:
34 72 70 00 00 00 00  00 00 00 00 00 00 00 00
26 5f 2c 5f 3f 5f 50  58 21 00 50 11 41 15 50
20 55 56 50 58 3f 50  53 23 23 23 23 2e
Found 1 element

We can see there is logic that processes data from the map:

if (__builtin_memcmp(e->text, f.text, sizeof(check)) == 0) {
  f->text[i] = check[i] ^ 0x60;
  if (f->text[i] >= 33 && f->text[i] <= 126) {
    f->text[i] = 33 + ((f->text[i] + 14) % 94u);
    bpf_ringbuf_submit(e, 0);
  }
}

Solve script in python:

b = bytes.fromhex("""24 26 5f 2c 5f 3f 5f 50  58 21 00 50 11 41 15 50
54 20 55 56 50 58 3f 50  53 23 23 23 23 2e
""")
s = bytes([ch ^ 0x60 for ch in b])
for ch in s:
    if ch >= 33 and ch <= 126:
        print(chr(33 + (ch + 14) % 94), end="")
    else:
        print(chr(ch), end="")

Flag: sun{n0n_gp1_BPF_code_g0_brrrr}.