Monday, 6 April 2020

auburn 4/2020


I played this ctf at ZombieBot team and only solve 4,5/11 easy RE challenge
Cracker Barrel
cracker_barrel
  • Using Ghidra, I saw this:

  • 3 input for check_1, check_2, check_3. Receive true for each check.
  • Input must be "starwars" in order to set uVar2 = 1 = True

  • Reverse the input 2 must equal to "si siht egassem terces" -> "secret message this is"

  • For each  pvVar2[i * 4] = (input[i] + 2) ^ 0x14. Then,  pvVar2 = local_48.  local_48 = [z...!...!...b...6...~...w...n...&...`]
  • input 3 = l33t hax0r

Mr. Game and Watch
  • Use http://www.javadecompilers.com to decompile .class and get source.

  • Again, I had 3 input for crack_1, crack_2, crack_3.
  • Crack_1:
    • MD5(input) == d5c67e2fc5f5f155dff8da4bdc914f41
    • decrypt online = input = "masterchief"
  • Crack_2
    • SHA1(input) == decrypt(secret_2, key_2)
    • decrypt():
      • return += secret_2[i] ^ key_2
    • SHA1_decrypt(return) = input = "princesspeach"
  • Crack_3
    • encrypt(sha-256(input) , key_3) == sec_3
    • sha-256(inp) = de_encrypt(sec_3 , key_3)
    • encrypt():
      • return += input[i] ^ key_3
    • sha-256_decrypt(return) = input = "solidsnake"

Sora
  • Using Ghidra, I found the function encrypt()
  • __block is our input.
  • As you can see, we have the algorithms:
    • (input[i] * 8 + 0x13) % 0x3d + 0x41 == secret[i]
    • secret = "aQLpavpKQcCVpfcg"
  • It is simple now, just find all posible character can be computed into secret.



Don't Break Me
  • Open with IDA, I saw this:
  • It is a simple script that encrypt(input), save into s2, and compare with something from get_string(), save into s1.
  • Look into encrypt()
  • get_string()
    • Using shift + E to export data and get the given string.


  • For encrypt() function, like previous chall, if we send a character, we receive another character and compare with given string. But the algoritms is seem to be different from assembly code.
  • This challenge have 2 ways to solve.
  • First, send all possible character and find out the previous version of given string.


  • Second, finding character by re-compute the algorithm from assembly.


  • a_2 is second param (= 0x11), a_3 is third param (=0xC)
  • Note: This challenge have debugger_check() in order to prevent player. Wanna by pass, just set breakpoint at following address and set ecx = 1



Chestburster

  • This challenge did not have decriptions, just given an exe.
  • Open with IDA, I saw
  • sub_2E1120() had a long process that, in short, change a position of the input and compare with "welcome_to_the_jungle!"
  • For this chall, I just simple wrote down the algo and reverse the role of input and output.
  • Script
  • input = "lmo_ewce_j!eo_tulgneht"
  • When I write it into server, it led me to port 30009 and "question.php".
  • Unfortunately, I can not find the rest of this challenge.
  • You can read the rest of this challenge solution on this, from Archercreat. He is very great!
at
Labels: ,

No comments:

Post a Comment

Sending successfully

Subscribe to: Post Comments (Atom)

Flare-on 8

               List: 01 - credchecker 02 - known 03 - antioch 04 - myaquaticlife   01 - credchecker 01_credchecker.7z Đây là một bài ...

  • HSCTF 6_2020
    In this contest, I had solved 6 (1 unofficial) challenges. AP Lab English Language AP Lab Computer Science Principles dis...
  • auburn 4/2020
    I played this ctf at ZombieBot team and only solve 4,5/11 easy RE challenge Cracker Barrel Mr. Game and Watch Sora Don't Br...
  • b01lers 3/2020
    In this CTF, I had only solved first chall of rev. Chugga chugga This chall is too long for lazy guy like me to do. I have adm...