InCTF 2019 writeup's

Our Team Invaders end up at 9th position
With points 4375 points


cliche_crackme (Rev)

By dissambling the exectuable; It is just encrypting our input Checking with data string

It is doing simply

data = b'\xd7\xcc\xdd\xcf\xe4\xbd\xd1\x9d\xdd\xdc\xc8\xd1\xce\x9a\x9a\xc8\xd5\x99\xdd\xc8\x99\xcf\xc8\xe0\x99\xdb\xd4\xc8\xe0\x9d\xdc\xc8\xd2\xdd\xa8\xe6\xd1\xe2\xd4\xe9\xc2\xd6\xa2\xe2\xe1\xcd\xd6\xd3\x9f\x9f\xcd\xda\x9e\xe2\xcd\x9e\xd4\xcd\xe5\x9e\xe0\xd9\xcd\xe5\xa2\xe1\xcd\xd7\xe2\xad\xeb\xd7\xc9\xde\xb7\xcb\x97\xd7\xd6\xc2\xcb\xc8\x94\x94\xc2\xcf\x93\xd7\xc2\x93\xc9\xc2\xda\x93\xd5\xce\xc2\xda\x97\xd6\xc2\xcc\xd7\xa2\xe0\xda\xef\xc8\xdc\xa8\xe8\xe7\xd3\xdc\xd9\xa5\xa5\xd3\xe0\xa4\xe8\xd3\xa4\xda\xd3\xeb\xa4\xe6\xdf\xd3\xeb\xa8\xe7\xd3\xdd\xe8\xb3\xf1\xe1\xba\xce\x9a\xda\xd9\xc5\xce\xcb\x97\x97\xc5\xd2\x96\xda\xc5\x96\xcc\xc5\xdd\x96\xd8\xd1\xc5\xdd\x9a\xd9\xc5\xcf\xda\xa5\xe3\xcf\xe3\xaf\xef\xee\xda\xe3\xe0\xac\xac\xda\xe7\xab\xef\xda\xab\xe1\xda\xf2\xab\xed\xe6\xda\xf2\xaf\xee\xda\xe4\xef\xba\xf8\xbc\x88\xc8\xc7\xb3\xbc\xb9\x85\x85\xb3\xc0\x84\xc8\xb3\x84\xba\xb3\xcb\x84\xc6\xbf\xb3\xcb\x88\xc7\xb3\xbd\xc8\x93\xd1\x9c\xdc\xdb\xc7\xd0\xcd\x99\x99\xc7\xd4\x98\xdc\xc7\x98\xce\xc7\xdf\x98\xda\xd3\xc7\xdf\x9c\xdb\xc7\xd1\xdc\xa7\xe5\xa8\xa7\x93\x9c\x99ee\x93\xa0d\xa8\x93d\x9a\x93\xabd\xa6\x9f\x93\xabh\xa7\x93\x9d\xa8s\xb1\xe7\xd3\xdc\xd9\xa5\xa5\xd3\xe0\xa4\xe8\xd3\xa4\xda\xd3\xeb\xa4\xe6\xdf\xd3\xeb\xa8\xe7\xd3\xdd\xe8\xb3\xf1\xd2\xdb\xd8\xa4\xa4\xd2\xdf\xa3\xe7\xd2\xa3\xd9\xd2\xea\xa3\xe5\xde\xd2\xea\xa7\xe6\xd2\xdc\xe7\xb2\xf0\xc7\xc4\x90\x90\xbe\xcb\x8f\xd3\xbe\x8f\xc5\xbe\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\xcd\x99\x99\xc7\xd4\x98\xdc\xc7\x98\xce\xc7\xdf\x98\xda\xd3\xc7\xdf\x9c\xdb\xc7\xd1\xdc\xa7\xe5\x96\x96\xc4\xd1\x95\xd9\xc4\x95\xcb\xc4\xdc\x95\xd7\xd0\xc4\xdc\x99\xd8\xc4\xce\xd9\xa4\xe2b\x90\x9da\xa5\x90a\x97\x90\xa8a\xa3\x9c\x90\xa8e\xa4\x90\x9a\xa5p\xae\x90\x9da\xa5\x90a\x97\x90\xa8a\xa3\x9c\x90\xa8e\xa4\x90\x9a\xa5p\xae\xcb\x8f\xd3\xbe\x8f\xc5\xbe\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\x9c\xe0\xcb\x9c\xd2\xcb\xe3\x9c\xde\xd7\xcb\xe3\xa0\xdf\xcb\xd5\xe0\xab\xe9\xa4\x8f`\x96\x8f\xa7`\xa2\x9b\x8f\xa7d\xa3\x8f\x99\xa4o\xad\xd3\xa4\xda\xd3\xeb\xa4\xe6\xdf\xd3\xeb\xa8\xe7\xd3\xdd\xe8\xb3\xf1\x8f\xc5\xbe\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\x96\x8f\xa7`\xa2\x9b\x8f\xa7d\xa3\x8f\x99\xa4o\xad\xc5\xdd\x96\xd8\xd1\xc5\xdd\x9a\xd9\xc5\xcf\xda\xa5\xe3\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\xa7\xe9\xe2\xd6\xee\xab\xea\xd6\xe0\xeb\xb6\xf4\xa2\x9b\x8f\xa7d\xa3\x8f\x99\xa4o\xad\xdd\xd1\xe9\xa6\xe5\xd1\xdb\xe6\xb1\xef\xca\xe2\x9f\xde\xca\xd4\xdf\xaa\xe8\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\xab\xea\xd6\xe0\xeb\xb6\xf4\xa7\x93\x9d\xa8s\xb1\xd2\xdc\xe7\xb2\xf0\xc8\xd3\x9e\xdc\xdd\xa8\xe6\xb3\xf1\xbc'

def Encode(S):
    L = []
    for i in range(len(S)):
        for j in range(i+1,len(S)):
            L.append(ord(S[i])+ord(S[j]))
    return bytes(L)

if Encode(input("Enter flag : ")) == data:
    print("Congratz - You have earned it")
else:
    print("You\'ve got to do better")

Revesing the Encode function, We can get the flag from given data!

Using a Simple math

import math
data = b'\xd7\xcc\xdd\xcf\xe4\xbd\xd1\x9d\xdd\xdc\xc8\xd1\xce\x9a\x9a\xc8\xd5\x99\xdd\xc8\x99\xcf\xc8\xe0\x99\xdb\xd4\xc8\xe0\x9d\xdc\xc8\xd2\xdd\xa8\xe6\xd1\xe2\xd4\xe9\xc2\xd6\xa2\xe2\xe1\xcd\xd6\xd3\x9f\x9f\xcd\xda\x9e\xe2\xcd\x9e\xd4\xcd\xe5\x9e\xe0\xd9\xcd\xe5\xa2\xe1\xcd\xd7\xe2\xad\xeb\xd7\xc9\xde\xb7\xcb\x97\xd7\xd6\xc2\xcb\xc8\x94\x94\xc2\xcf\x93\xd7\xc2\x93\xc9\xc2\xda\x93\xd5\xce\xc2\xda\x97\xd6\xc2\xcc\xd7\xa2\xe0\xda\xef\xc8\xdc\xa8\xe8\xe7\xd3\xdc\xd9\xa5\xa5\xd3\xe0\xa4\xe8\xd3\xa4\xda\xd3\xeb\xa4\xe6\xdf\xd3\xeb\xa8\xe7\xd3\xdd\xe8\xb3\xf1\xe1\xba\xce\x9a\xda\xd9\xc5\xce\xcb\x97\x97\xc5\xd2\x96\xda\xc5\x96\xcc\xc5\xdd\x96\xd8\xd1\xc5\xdd\x9a\xd9\xc5\xcf\xda\xa5\xe3\xcf\xe3\xaf\xef\xee\xda\xe3\xe0\xac\xac\xda\xe7\xab\xef\xda\xab\xe1\xda\xf2\xab\xed\xe6\xda\xf2\xaf\xee\xda\xe4\xef\xba\xf8\xbc\x88\xc8\xc7\xb3\xbc\xb9\x85\x85\xb3\xc0\x84\xc8\xb3\x84\xba\xb3\xcb\x84\xc6\xbf\xb3\xcb\x88\xc7\xb3\xbd\xc8\x93\xd1\x9c\xdc\xdb\xc7\xd0\xcd\x99\x99\xc7\xd4\x98\xdc\xc7\x98\xce\xc7\xdf\x98\xda\xd3\xc7\xdf\x9c\xdb\xc7\xd1\xdc\xa7\xe5\xa8\xa7\x93\x9c\x99ee\x93\xa0d\xa8\x93d\x9a\x93\xabd\xa6\x9f\x93\xabh\xa7\x93\x9d\xa8s\xb1\xe7\xd3\xdc\xd9\xa5\xa5\xd3\xe0\xa4\xe8\xd3\xa4\xda\xd3\xeb\xa4\xe6\xdf\xd3\xeb\xa8\xe7\xd3\xdd\xe8\xb3\xf1\xd2\xdb\xd8\xa4\xa4\xd2\xdf\xa3\xe7\xd2\xa3\xd9\xd2\xea\xa3\xe5\xde\xd2\xea\xa7\xe6\xd2\xdc\xe7\xb2\xf0\xc7\xc4\x90\x90\xbe\xcb\x8f\xd3\xbe\x8f\xc5\xbe\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\xcd\x99\x99\xc7\xd4\x98\xdc\xc7\x98\xce\xc7\xdf\x98\xda\xd3\xc7\xdf\x9c\xdb\xc7\xd1\xdc\xa7\xe5\x96\x96\xc4\xd1\x95\xd9\xc4\x95\xcb\xc4\xdc\x95\xd7\xd0\xc4\xdc\x99\xd8\xc4\xce\xd9\xa4\xe2b\x90\x9da\xa5\x90a\x97\x90\xa8a\xa3\x9c\x90\xa8e\xa4\x90\x9a\xa5p\xae\x90\x9da\xa5\x90a\x97\x90\xa8a\xa3\x9c\x90\xa8e\xa4\x90\x9a\xa5p\xae\xcb\x8f\xd3\xbe\x8f\xc5\xbe\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\x9c\xe0\xcb\x9c\xd2\xcb\xe3\x9c\xde\xd7\xcb\xe3\xa0\xdf\xcb\xd5\xe0\xab\xe9\xa4\x8f`\x96\x8f\xa7`\xa2\x9b\x8f\xa7d\xa3\x8f\x99\xa4o\xad\xd3\xa4\xda\xd3\xeb\xa4\xe6\xdf\xd3\xeb\xa8\xe7\xd3\xdd\xe8\xb3\xf1\x8f\xc5\xbe\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\x96\x8f\xa7`\xa2\x9b\x8f\xa7d\xa3\x8f\x99\xa4o\xad\xc5\xdd\x96\xd8\xd1\xc5\xdd\x9a\xd9\xc5\xcf\xda\xa5\xe3\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\xa7\xe9\xe2\xd6\xee\xab\xea\xd6\xe0\xeb\xb6\xf4\xa2\x9b\x8f\xa7d\xa3\x8f\x99\xa4o\xad\xdd\xd1\xe9\xa6\xe5\xd1\xdb\xe6\xb1\xef\xca\xe2\x9f\xde\xca\xd4\xdf\xaa\xe8\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\xab\xea\xd6\xe0\xeb\xb6\xf4\xa7\x93\x9d\xa8s\xb1\xd2\xdc\xe7\xb2\xf0\xc8\xd3\x9e\xdc\xdd\xa8\xe6\xb3\xf1\xbc'

def Input_length(V):
    a = 1 ; b = -1 ; c = -2*V
    d = math.sqrt((b**2) - (4*a*c))
    sol1 = (-b-d)/2
    sol2 = (-b+d)/2
    return int(max(sol2,sol1))

def Decode(L):
    Len = Input_length(len(L))
    f0 = L[0] ; f1 = L[1] ; f2 = L[Len-1]
    Str = []
    Str.append(int( (f0 + (f1-f2) ) /2) ) # First Char
    for i in range(Len-1): # Then we can get other chars
        Str.append(int( L[i]-Str[0] ))
    return ''.join(map(chr,Str))

flag = Decode(data)
print("[+] flag is :",flag)
$ python3 rev.py 
[+] flag is : inctf{Th4ts_he11_l0t_0f_w0rk_w4s_it?}


s3cur3-r3v (Web)

Given challenge .


Hello, can you reverse this object code for me ??? I would be thankfull to you.

line #* E I O op fetch ext return operands ------------------------------------------------------------------------------------- 2 0 E > NOP 51 1 FETCH_R global $1 '_GET' 2 FETCH_DIM_R $2 $1, 'flag' 3 ASSIGN !0, $2 53 4 FETCH_IS $4 '_GET' 5 ISSET_ISEMPTY_DIM_OBJ 33554432 ~5 $4, 'flag' 6 > JMPZ ~5, ->10 54 7 > INIT_FCALL 'printflag' 8 SEND_VAR !0 9 DO_FCALL 0 58 10 > > RETURN 1 line #* E I O op fetch ext return operands ------------------------------------------------------------------------------------- 2 0 E > RECV !0 3 1 ASSIGN !1, 'Yaay+here+is+your+flag%3A+' 4 2 ASSIGN !2, 'Naay+try+harder+%21%21%21' 6 3 BIND_GLOBAL !3, 'flag' 8 4 ASSIGN !4, '' 10 5 ASSIGN !5, 32 6 > JMP ->13 12 7 > INIT_FCALL 'chr' 8 SEND_VAR !5 9 DO_ICALL $16 10 ASSIGN_CONCAT 0 !4, $16 10 11 POST_INC ~18 !5 12 FREE ~18 13 > IS_SMALLER ~19 !5, 97 14 > JMPNZ ~19, ->7 15 15 > STRLEN ~20 !0 16 MOD ~21 ~20, 4 17 IS_NOT_EQUAL ~22 ~21, 0 18 > JMPZ ~22, ->20 17 19 > > EXIT 'BAD+INPUT' 20 20 > STRLEN ~24 !0 21 MUL ~25 ~24, 3 22 DIV ~26 ~25, 4 23 INIT_FCALL 'strrpos' 24 SEND_VAR !0 25 SEND_VAL '%60' 26 DO_ICALL $27 27 IS_SMALLER ~28 0, $27 28 > JMPZ ~28, ->37 29 > STRLEN ~29 !0 30 INIT_FCALL 'strrpos' 31 SEND_VAR !0 32 SEND_VAL '%60' 33 DO_ICALL $30 34 SUB ~31 ~29, $30 35 QM_ASSIGN ~32 ~31 36 > JMP ->38 37 > QM_ASSIGN ~32 0 38 > SUB ~33 ~26, ~32 39 ASSIGN_DIM !6 40 OP_DATA ~33 21 41 INIT_FCALL 'str_split' 42 SEND_VAR !0 43 DO_ICALL $34 44 ASSIGN !7, $34 22 45 ASSIGN !8, 0 23 46 ASSIGN !9, 24 47 ASSIGN !5, 0 48 > JMP ->110 25 49 > INIT_FCALL 'strpos' 50 SEND_VAR !4 51 FETCH_DIM_R $40 !7, !5 52 SEND_VAR $40 53 DO_ICALL $41 54 ASSIGN_DIM !9, 0 55 OP_DATA $41 26 56 INIT_FCALL 'strpos' 57 SEND_VAR !4 58 ADD ~43 !5, 1 59 FETCH_DIM_R $44 !7, ~43 60 SEND_VAR $44 61 DO_ICALL $45 62 ASSIGN_DIM !9, 1 63 OP_DATA $45 27 64 INIT_FCALL 'strpos' 65 SEND_VAR !4 66 ADD ~47 !5, 2 67 FETCH_DIM_R $48 !7, ~47 68 SEND_VAR $48 69 DO_ICALL $49 70 ASSIGN_DIM !9, 2 71 OP_DATA $49 28 72 INIT_FCALL 'strpos' 73 SEND_VAR !4 74 ADD ~51 !5, 3 75 FETCH_DIM_R $52 !7, ~51 76 SEND_VAR $52 77 DO_ICALL $53 78 ASSIGN_DIM !9, 3 79 OP_DATA $53 29 80 POST_INC ~54 !8 81 FETCH_DIM_R $56 !9, 0 82 SL ~57 $56, 2 83 FETCH_DIM_R $58 !9, 1 84 SR ~59 $58, 4 85 BW_OR ~60 ~57, ~59 86 ASSIGN_DIM !6, ~54 87 OP_DATA ~60 30 88 FETCH_DIM_R $61 !9, 2 89 IS_SMALLER ~62 $61, 64 90 > JMPZ ~62, ->109 31 91 > POST_INC ~63 !8 92 FETCH_DIM_R $65 !9, 1 93 SL ~66 $65, 4 94 FETCH_DIM_R $67 !9, 2 95 SR ~68 $67, 2 96 BW_OR ~69 ~66, ~68 97 ASSIGN_DIM !6, ~63 98 OP_DATA ~69 32 99 FETCH_DIM_R $70 !9, 3 100 IS_SMALLER ~71 $70, 64 101 > JMPZ ~71, ->109 33 102 > POST_INC ~72 !8 103 FETCH_DIM_R $74 !9, 2 104 SL ~75 $74, 6 105 FETCH_DIM_R $76 !9, 3 106 BW_OR ~77 ~75, $76 107 ASSIGN_DIM !6, ~72 108 OP_DATA ~77 24 109 > ASSIGN_ADD 0 !5, 4 110 > INIT_FCALL 'count' 111 SEND_VAR !7 112 DO_ICALL $79 113 IS_SMALLER ~80 !5, $79 114 > JMPNZ ~80, ->49 37 115 > ASSIGN !10, '' 38 116 ASSIGN !5, 0 117 > JMP ->125 40 118 > INIT_FCALL 'chr' 119 FETCH_DIM_R $83 !6, !5 120 SEND_VAR $83 121 DO_ICALL $84 122 ASSIGN_CONCAT 0 !10, $84 38 123 POST_INC ~86 !5 124 FREE ~86 125 > INIT_FCALL 'count' 126 SEND_VAR !6 127 DO_ICALL $87 128 IS_SMALLER ~88 !5, $87 129 > JMPNZ ~88, ->118 42 130 > ASSIGN !11, 'YtPEU%10E%24%19%5DV%11UE%92E%04%D8%5De%99%5D5RQ%25SAU%98YuVU%16%10e%85%D1I%96%13Y%96%17M%85%D6E%85%D6Q%04V' 43 131 IS_IDENTICAL ~90 !10, !11 132 > JMPZ ~90, ->136 44 133 > CONCAT ~91 !1, !3 134 ECHO ~91 135 > JMP ->137 47 136 > ECHO !2 49 137 > > RETURN null

Given PHP Object code. we can create our php object code using https://3v4l.org

By analyzing the given OP_CODE, It is nothing but a Base64 implementation with different chars chr(32) to chr(96)

This php code is taking $_GET['flag'] and passing it printflag function

There the $_GET['flag'] is decoded and Checked equality with 'YtPEU%10E%24%19%5DV%11UE%92E%04%D8%5De%99%5D5RQ%25SAU%98YuVU%16%10e%85%D1I%96%13Y%96%17M%85%D6E%85%D6Q%04V'

The task performed there is simply

def Decode(S):
    L = []
    S = [Chars.find(x) for x in S]
    for i in range(0,len(S),4):
        L.append( (S[i]<<2 | S[i+1]>>4)%256 )
        L.append( (S[i+1]<<4 | S[i+2]>>2)%256 )
        L.append( (S[i+2]<<6 | S[i+3])%256 )
    return bytes(L)
Final = b'YtPEU\x10E$\x19]V\x11UE\x92E\x04\xd8]e\x99]5RQ%SAU\x98YuVU\x16\x10e\x85\xd1I\x96\x13Y\x96\x17M\x85\xd6E\x85\xd6Q\x04V'

flag = intput("Enter flag : ")
if Decode(flag) == Final:
    print("printing real flag")
else:
    print("Not equal")
Chars = bytes( list(range(32,97)) )

Our Task is to Encode the Final and send it to php

def Encode(S):
    L = []
    for i in range(0,len(S),3):
        L1 = S[i]>>2
        L2 = ((S[i] % 4)<<4) | (S[i+1]>>4)
        L3 = ((S[i+1] % 16)<<2) | (S[i+2]>>6)
        L4 = S[i+2] % 64
        L.append( Chars[L1] ); L.append( Chars[L2] ); L.append( Chars[L3] ); L.append( Chars[L4] )
    return bytes(L)

Final = b'YtPEU\x10E$\x19]V\x11UE\x92E\x04\xd8]e\x99]5RQ%SAU\x98YuVU\x16\x10e\x85\xd1I\x96\x13Y\x96\x17M\x85\xd6E\x85\xd6Q\x04V'
print(Encode(Final))
$ python3 rev.py 
b'671015401209758154621038766973524253056867565180987129836987387618764016'

Using that flag to get the real flag!

$ curl http://3.15.186.35/?flag=671015401209758154621038766973524253056867565180987129836987387618764016  | grep flag:
Yaay here is your flag: inctf{d1d_y0u_n0t_f1nd_th3_b453_64_3ncrypt10n_s000000_3asy}

Comments

Popular posts from this blog

Confidence CTF 2020 `Cat web` challenge writeup

Tokyo Westerns CTF 2020 - writeups.

Alles CTF 2020 Writeups