Tokyo Westerns CTF 2020 - writeups.

[Rev] Reversing iS Amazing

It is a warmup chall, Given a rsa file, a 64 bit executable.
Decompiled the executable with ghidra. As the binary is dynamically linked, we still have the external library function calls.
Those are openssl library API calls, by going through the documentation and code.
in the binary it has an EVP key, Cipher text.
The binary is creating a RSA private key from EVP Key , then encrypting our input and checking with cipher text.
Dumped the EVP Key, Cipher text from the binary. Written a decrypting code with same api calls (as we have private key).
$ gcc rsa-reverse.c -o rev -lssl -lcrypto
$ ./rev 

[+] Trying to decrypt !...

[+] Data decrypted
[+] Data Length = 28
[+] Data = TWCTF{Rivest_Shamir_Adleman}
Flag : TWCTF{Rivest_Shamir_Adleman}

[Rev] Tamarin

Given an apk file. by unpacking it going through files found file).
a Xamarin/Monodroid application bundle from which we can unbundle it get DLL files.
which i have learned from past `Alles 2020 CTF` Secret Notes chall , I tried a lot, sadly didn't solved it, due to lack of knowledge on this concept.

Used the tool :
Unpacked , and found a Tamarin.dll file. Used dnSpy to decompile and see the dll file
The code is small. The length is due to 22*32 array of uint 32 numbers.
The code has 4 functions namely, Func1, Func2, Func3, Func4.
Func1 is simply power function. pow(base, exp); Used in Func2
Func2 is a Polynomial equation evaluator by recursion. Solve(Coefficients, X_value, pos)
Func3 is random number generator function
Func4 is the flag checking function, where it uses Func2, Func3

Func4 function (Some Math part TLDR;)

from basics checks, we can know the length of input string 88 (4**22), 22 is length of 2D Array(22 x 32) namely equations_arr.
The 22 * 32 Array is nothing but coefficents of 22 equations.
For each iteration it uses one array from equations_arr and a uint number by combining 4 bytes from our input .

For each iteration

That number constructed from 4 bytes of input is used as the Constant for the equation taken from equations_arr.
f(x) = a32(x**32) + a31(x**31) . . . . . . . . . . + a1(x) + Constant
That constant is our input and a32..a1 are coefficeients given in equation_arr along with final value
x = Func3() # a random number
for i in range(10000):
	x = f(x)  # a32(x**32) + a31(x**31) . . . . . . . . . . + a1(x) + Constant
x == final_value # final check

At first I cant understand how can it manage to get the final value, in spite of random `X` value and only with the correct constant.
To check it, I written identical code in python and testing it on sample values.
The results are surprising as everytime it merging to same value, eventhough with different X value.

Checked how it is happening
And found that, in those 10,000 iterations, it is coming to a fixed point. `x == f(x)`. so the next iterations cant even effect it.
It keeps on repeat that value.

I didn't get why this(coming to fixed point) is happening, it may be something with the modular math. as we have uint (32 bits) which simply means (% 2**32).
Note : But just by assuming all those `22 final values` are also fixed points ` x = f(x) `.
Now we have everything
a32(x**32) + a31(x**31) . . . . . . . . . . + a1(x) + Constant = x
Constant = x - [ a32(x**32) + a31(x**31) . . . . . . . . . . + a1(x) ]
Where x is final value, a32..a1 are coefficents. we can get constant in reverse. Boom:)
Lets calculate the constants for all 22 equations. Flag : TWCTF{Xm4r1n_15_4bl3_70_6en3r4t3_N471v3_C0d3_w17h_VS_3n73rpr153_bu7_17_c0n741n5_D07_N3t_B1n4ry}

Thanks for reading !...


Popular posts from this blog

Alles CTF 2020 Writeups

BugPoc's XSS challenge, Buggy Calculator writeup