Saturday, 28 December 2019

InfernoCTF 2019

Darkcrackme
1. Main function

  • Being not waste of time, i saw pseudocode.

  • Simple, we can see that username is "1_4m_th3_wh1t3r0s3". And "sub_4013F9" will do something with our username and password to check.
  • Password is our flag.
2. Sub_4013F9


  • According to the last function, i will rename the variable, 'a1' => 'username' and 'a2' => 'pass'; 'v5' => 'Ulen' and 'v4' => 'Plen'.
  • We can see thar function have 3 condition.
    • First, length of  'username' and 'pass' are less or equal 40.
    • Second, ' Plen = (Ulen << 1) || (Ulen << 1) + 1' (it's mean: Plen = 36 or 37, because we already have Ulen).
    • Last, ' Ulen + Plen = (Ulen + 8) ^ 0x2C ' => ' 18 + x = (18 + 8) ^ 0x2C = 54 ' => Plen = 36
  • Depend on strcmp(s1, username), we know that 'sub_401291' (check_1) will changed our password to username.

3. Sub_401291 (Check_1)

  • I had rename some variable depend in thier function.
  • For each pair of char, we go through 'sub_4011A7' ('check_2') and receive 'pos_1', 'pos_2'

Sub_4011A7 (check_2)

  • The function of  'check_2' is return a position of  char ( 'pass[i]', 'pass[i + 1]' ) (pass_element) in 'Default_String'.
  • Next, darkcrackme use 'sub_401201' (make_arr) to do something with 'pos_1', 'pos_2' and return 'arr_1', 'arr_2'.

Sub_401201 (make_arr)

  • It's a simple math.

  • And the last one on 'sub_401291', darkcrackme made an array 'nptr', collected from 'arr_1' and 'arr_2' and convert to long number 'v1'.

  • Finally, ANS will be collected all 'v1' and became 's1' (aka '1_4m_th3_wh1t3r0s3')

4. In short

5. Solution
  • For the solution, i just convert all character into binary, rebuild 'arr_1', 'arr_2' and 'find_pos' 'pos_1', 'pos_2' and make a 'pass'.

5. Flag is: infernoCTF{CvBsCxOwBsCfOiZvBsZsOiCvCfZvZkCnZhZv}


Where did he GO?

It's a simple reverse code, you just swap whole the string.

Flag is: infernoCTF{g0_Pr0gRaMM1ng_1s_Gr3At!!}

No comments:

Post a Comment

Sending successfully

Flare-on 8

               List: 01 - credchecker 02 - known 03 - antioch 04 - myaquaticlife   01 - credchecker 01_credchecker.7z Đây là một bài ...