HSCTF 6_2020

• In this contest, I had solved 6 (1 unofficial) challenges.

AP Lab English Language

AP Lab Computer Science Principles

dis

Ice Cream Bytes

Recursion Reverse

AP Lab 3D Design (unofficial)

AP Lab English Language

script

• This challenge gave us a script that done something like swap index of characters of the input. After that, if input is equal to "1dd3|y_3tttb5g`q]^dhn3j" , the input is correct.

• For the algorithms, transpose function choose new character for each character in "ret" base on "input" and "transpose". Then, all characters xor with numbers corresponding. Do it for three times.

• For example, 
• input = "abcxyz"
• transpose = {4, 2, 3, 1, 0, 5}
• Then, ret = "ycxbaz"

• For the solution, if I have "ret" string, I can get the previous string.

• There are two ways to solve.

script

• First solution: reverse the action.

• Second solution:  for each order, trying all printable character, follow the exactly step of source, and then compare.

AP Lab Computer Science Principles

script

• This challenge requests "input", decreases each char with its order and plus with the length of the character as decimal number on ascii table.

• For the solution, with each order, I try all possible printable char and do exactly the action of source code.

script

dis

• I received a disassembly of python code named "disas".

script

• Depend on some documents on the Internet, I knew how the disassembly code show out.

• References: 1, 2, 3, 4

• In short:
  • LOAD_FAST: local variable.
  • LOAD_GLOBAL: global variable, function.
  • LOAD_CONST: number.
  • FOR_ITER  24 (to 48): for loop from line 24 to line 48.
  • CALL_FUNCTION  n: call the function was LOAD_GLOBAL in n+1 previous line. Arguments are n nearest line.

• This is original python code after rewrite.

script

• This is solution when I reversed all calculation.

script

Ice Cream Bytes

• This challenge gave me 2 file: IceCreamBytes.java and IceCreamManual.txt.

• In short:
• First, java file read and collect some characters from IceCreamManual.txt in function fillMachine().
• Second, input run through numbers of function and compare with previous string which returned from function fillMachine().

 

• For the solution, we need reverse the processing:
  • toppings(chocolateShuffle(vanillaShuffle(strawberryShuffle(input))))
• To this:
  • strawberryShuffle(vanillaShuffle(chocolateShuffle(toppings(string))))

• Also, all calculations in those functions must be reversed.
• Here is the script.

Recursion Reverse

• This challenge gave me Ascii.java

• For the algorithms, script get the input and then put it into flagTransformed().
• Each character plus with pickNum( its_index (or i) ):
  • Calculate sum of first i number.
  • If it is even then return the num else continue call new function.

• Note:
  • When order equal to 11, num will very very big and if we use for loop, time is very slowly. To deal with it, I replaced it with O(1) calculation.
  • The type of num is int32, that means I have to use numpy.uint32 in order to convert num to int32 number before return.

• As usual, for the solution, I try all printable character on each index, calculate and compare with the given string.

script

AP Lab 3D Design (unofficial)

• This challenge gave me a file named AP3DDesign.class. In order to read code, I use this website to decompile class file to java file. AP3DDesign.java

• In short, 

• Input receives 25 character, then splits into 5x5 matrix, each of them are converted to 8 bit binary. As a result, we have 5x5x8 matrix.

• Next, for each order in binary number, function shuffle1() will swap the corresponding binary bit in each element of that row together.

• Finally, shufle2() will xor the corresponding element.

• For the solution, I just xor and re-swap with the correct position.

• This is my script.

• Because of some reasons, author did not upload the challenge again, so that I could not test my solution. Perhaps it is right.

Defenit CTF 2020

In this CTF, I just only can solved Rev - MoM's Touch.

Description: My mom wants me to bring a flag.. Please get my flag back to me!

Script

• As usual, use Exeinfope to find the format.

• Next, I ran it in Linux for preview and then put it in to IDA, started to reading it.

• As I saw, if the length equal to 0x49, script will call sub_80487A0 and check the flag.
• Press F5 in sub_80487A0, I had pseudo-code.

• In short, sub will get rand() as v3, something at dword_80492AC[calculate base on v3] and dword_80492AC[swap bit of v1 (v1 is the order)].
• And then, we have the comparison of 

dword_80492AC[calculate base on v3] ^ dword_80492AC[swap bit of v1] ^ inp[v1] == dword_8049144[v1]

• dword_80492AC is hidden, dword_8049144[v1] is public. Easily, I knew that I could get inp[v1] if I xor the other 3 variables.

• To do that, I used library gdb for python in oder to:
• First, send fake_input.
• Second, I used the xored_number xor with fake_input in order to get dword_80492AC[calculate base on v3] ^ dword_80492AC[swap bit of v1].
• Then, I can xor with dword_8049144 and get the true_flag.
• Finally, set ZF = 0 in order to continue the for loop.

• This is the result.

set breakpoint at 0x8048804 to get ecx (fake_input) after defined at 0x8048800
set breakpoint at 0x8048819 to get ecx (xored_number) and set ZF = 0

• The code: solve.py

• Addition. In order to run the code, open terminal and type < gdb ./momsTouch > to start gdb debugger. Then, type python and paste the code, enter.

auburn 4/2020

I played this ctf at ZombieBot team and only solve 4,5/11 easy RE challenge

• Cracker Barrel
• Mr. Game and Watch
• Sora
• Don't Break Me
• Not yet: Chestburster

• Github

Cracker Barrel

cracker_barrel

• Using Ghidra, I saw this:

• 3 input for check_1, check_2, check_3. Receive true for each check.

• Input must be "starwars" in order to set uVar2 = 1 = True

• Reverse the input 2 must equal to "si siht egassem terces" -> "secret message this is"

• For each  pvVar2[i * 4] = (input[i] + 2) ^ 0x14. Then,  pvVar2 = local_48.  local_48 = [z...!...!...b...6...~...w...n...&...`]

• input 3 = l33t hax0r

Mr. Game and Watch

mr_game_and_watch

• Use http://www.javadecompilers.com to decompile .class and get source.

• Again, I had 3 input for crack_1, crack_2, crack_3.

• Crack_1:
• MD5(input) == d5c67e2fc5f5f155dff8da4bdc914f41
• decrypt online = input = "masterchief"

• Crack_2
• SHA1(input) == decrypt(secret_2, key_2)
• decrypt():
• return += secret_2[i] ^ key_2
• SHA1_decrypt(return) = input = "princesspeach"

• Crack_3
• encrypt(sha-256(input) , key_3) == sec_3
• sha-256(inp) = de_encrypt(sec_3 , key_3)
• encrypt():
• return += input[i] ^ key_3
• sha-256_decrypt(return) = input = "solidsnake"

Sora

sora

• Using Ghidra, I found the function encrypt()

• __block is our input.

• As you can see, we have the algorithms:
• (input[i] * 8 + 0x13) % 0x3d + 0x41 == secret[i]
• secret = "aQLpavpKQcCVpfcg"

• It is simple now, just find all posible character can be computed into secret.

Don't Break Me

dont_break_me

• Open with IDA, I saw this:

• It is a simple script that encrypt(input), save into s2, and compare with something from get_string(), save into s1.

• Look into encrypt()

• get_string()

• Using shift + E to export data and get the given string.

• For encrypt() function, like previous chall, if we send a character, we receive another character and compare with given string. But the algoritms is seem to be different from assembly code.

• This challenge have 2 ways to solve.

• First, send all possible character and find out the previous version of given string.

• Second, finding character by re-compute the algorithm from assembly.

• a_2 is second param (= 0x11), a_3 is third param (=0xC)

• Note: This challenge have debugger_check() in order to prevent player. Wanna by pass, just set breakpoint at following address and set ecx = 1. 

Chestburster

• This challenge did not have decriptions, just given an exe.
• Open with IDA, I saw

• sub_2E1120() had a long process that, in short, change a position of the input and compare with "welcome_to_the_jungle!"

• For this chall, I just simple wrote down the algo and reverse the role of input and output.

• Script
• input = "lmo_ewce_j!eo_tulgneht"

• When I write it into server, it led me to port 30009 and "question.php".

• Unfortunately, I can not find the rest of this challenge.

• You can read the rest of this challenge solution on this, from Archercreat. He is very great!

b01lers 3/2020

In this CTF, I had only solved first chall of rev.

Chugga chugga

• This chall is too long for lazy guy like me to do. I have admitted that I just only solve this chall 8 hours till the CTF end.

• As usual,  I open it on IDA and look for string, can't find anything there. Next, look at the fucntion name, I had main_main, main_win. 
• Look at main_win and follow the string, I see the congratulation!

• So that, come back to main_main and find the condition.
• Follow back from main_win, I can make a breakpoint to notice the trace of true condition.

• At the begin, after receive an input from fmt_Fscam, the input is stored at [rsp+0A8h+INPUT]
• rdx take the input, rcx stored the length of input (rdx and rcx could be changed).
• Our mission is rebuild a condition by following, change the input and solve the Simul Equation.

• This is note

batamlinux

simple

• As the name, it's a simple challenge.
• Following the condition, we can find the password. It's the flag.

simple 0.2

• Another simple challenge, you just look around carefully, where have a little weird.

• Using Hex-view carefully, i can get the flag.

flag{B4sics_4r3_ManDat0ry}

tic tac toe

• It's a simple dynamic analysis. 

• I saw 3 function, and the 'mem' had stranged things.
• Use F2 to editting and getting through 'mem', i got flag.