InCTF 2019 writeups
- [+] (Rev - 100 pts) cliche_crackme
- [+] (Web - 856 pts) s3cur3-r3v
Finished with 4375 points.
cliche_crackme (Rev)
Disassembling the executable shows that it just encodes our input and compares the result against a fixed data string.
In effect, it does this:
```python
data = b'\xd7\xcc\xdd\xcf\xe4\xbd\xd1\x9d\xdd\xdc\xc8\xd1\xce\x9a\x9a\xc8\xd5\x99\xdd\xc8\x99\xcf\xc8\xe0\x99\xdb\xd4\xc8\xe0\x9d\xdc\xc8\xd2\xdd\xa8\xe6\xd1\xe2\xd4\xe9\xc2\xd6\xa2\xe2\xe1\xcd\xd6\xd3\x9f\x9f\xcd\xda\x9e\xe2\xcd\x9e\xd4\xcd\xe5\x9e\xe0\xd9\xcd\xe5\xa2\xe1\xcd\xd7\xe2\xad\xeb\xd7\xc9\xde\xb7\xcb\x97\xd7\xd6\xc2\xcb\xc8\x94\x94\xc2\xcf\x93\xd7\xc2\x93\xc9\xc2\xda\x93\xd5\xce\xc2\xda\x97\xd6\xc2\xcc\xd7\xa2\xe0\xda\xef\xc8\xdc\xa8\xe8\xe7\xd3\xdc\xd9\xa5\xa5\xd3\xe0\xa4\xe8\xd3\xa4\xda\xd3\xeb\xa4\xe6\xdf\xd3\xeb\xa8\xe7\xd3\xdd\xe8\xb3\xf1\xe1\xba\xce\x9a\xda\xd9\xc5\xce\xcb\x97\x97\xc5\xd2\x96\xda\xc5\x96\xcc\xc5\xdd\x96\xd8\xd1\xc5\xdd\x9a\xd9\xc5\xcf\xda\xa5\xe3\xcf\xe3\xaf\xef\xee\xda\xe3\xe0\xac\xac\xda\xe7\xab\xef\xda\xab\xe1\xda\xf2\xab\xed\xe6\xda\xf2\xaf\xee\xda\xe4\xef\xba\xf8\xbc\x88\xc8\xc7\xb3\xbc\xb9\x85\x85\xb3\xc0\x84\xc8\xb3\x84\xba\xb3\xcb\x84\xc6\xbf\xb3\xcb\x88\xc7\xb3\xbd\xc8\x93\xd1\x9c\xdc\xdb\xc7\xd0\xcd\x99\x99\xc7\xd4\x98\xdc\xc7\x98\xce\xc7\xdf\x98\xda\xd3\xc7\xdf\x9c\xdb\xc7\xd1\xdc\xa7\xe5\xa8\xa7\x93\x9c\x99ee\x93\xa0d\xa8\x93d\x9a\x93\xabd\xa6\x9f\x93\xabh\xa7\x93\x9d\xa8s\xb1\xe7\xd3\xdc\xd9\xa5\xa5\xd3\xe0\xa4\xe8\xd3\xa4\xda\xd3\xeb\xa4\xe6\xdf\xd3\xeb\xa8\xe7\xd3\xdd\xe8\xb3\xf1\xd2\xdb\xd8\xa4\xa4\xd2\xdf\xa3\xe7\xd2\xa3\xd9\xd2\xea\xa3\xe5\xde\xd2\xea\xa7\xe6\xd2\xdc\xe7\xb2\xf0\xc7\xc4\x90\x90\xbe\xcb\x8f\xd3\xbe\x8f\xc5\xbe\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\xcd\x99\x99\xc7\xd4\x98\xdc\xc7\x98\xce\xc7\xdf\x98\xda\xd3\xc7\xdf\x9c\xdb\xc7\xd1\xdc\xa7\xe5\x96\x96\xc4\xd1\x95\xd9\xc4\x95\xcb\xc4\xdc\x95\xd7\xd0\xc4\xdc\x99\xd8\xc4\xce\xd9\xa4\xe2b\x90\x9da\xa5\x90a\x97\x90\xa8a\xa3\x9c\x90\xa8e\xa4\x90\x9a\xa5p\xae\x90\x9da\xa5\x90a\x97\x90\xa8a\xa3\x9c\x90\xa8e\xa4\x90\x9a\xa5p\xae\xcb\x8f\xd3\xbe\x8f\xc5\xbe\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\x9c\xe0\xcb\x9c\xd2\xcb\xe3\x9c\xde\xd7\xcb\xe3\xa0\xdf\xcb\xd5\xe0\xab\xe9\xa4\x8f`\x96\x8f\xa7`\xa2\x9b\x8f\xa7d\xa3\x8f\x99\xa4o\xad\xd3\xa4\xda\xd3\xeb\xa4\xe6\xdf\xd3\xeb\xa8\xe7\xd3\xdd\xe8\xb3\xf1\x8f\xc5\xbe\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\x96\x8f\xa7`\xa2\x9b\x8f\xa7d\xa3\x8f\x99\xa4o\xad\xc5\xdd\x96\xd8\xd1\xc5\xdd\x9a\xd9\xc5\xcf\xda\xa5\xe3\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\xa7\xe9\xe2\xd6\xee\xab\xea\xd6\xe0\xeb\xb6\xf4\xa2\x9b\x8f\xa7d\xa3\x8f\x99\xa4o\xad\xdd\xd1\xe9\xa6\xe5\xd1\xdb\xe6\xb1\xef\xca\xe2\x9f\xde\xca\xd4\xdf\xaa\xe8\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\xab\xea\xd6\xe0\xeb\xb6\xf4\xa7\x93\x9d\xa8s\xb1\xd2\xdc\xe7\xb2\xf0\xc8\xd3\x9e\xdc\xdd\xa8\xe6\xb3\xf1\xbc'

def Encode(S):
    # one output byte per pair (i, j) with i < j: ord(S[i]) + ord(S[j])
    L = []
    for i in range(len(S)):
        for j in range(i+1, len(S)):
            L.append(ord(S[i]) + ord(S[j]))
    return bytes(L)

if Encode(input("Enter flag : ")) == data:
    print("Congratz - You have earned it")
else:
    print("You've got to do better")
```
Reversing the Encode function, we can recover the flag from the given data with a little math: an n-character input produces n*(n-1)/2 bytes, so n is the positive root of n^2 - n - 2V = 0 (V being the output length). Since data[0] = s0+s1, data[1] = s0+s2 and data[n-1] = s1+s2, the first character is (data[0] + data[1] - data[n-1]) / 2, and every other character follows as data[i] - s0.
```python
import math

data = b'\xd7\xcc\xdd\xcf\xe4\xbd\xd1\x9d\xdd\xdc\xc8\xd1\xce\x9a\x9a\xc8\xd5\x99\xdd\xc8\x99\xcf\xc8\xe0\x99\xdb\xd4\xc8\xe0\x9d\xdc\xc8\xd2\xdd\xa8\xe6\xd1\xe2\xd4\xe9\xc2\xd6\xa2\xe2\xe1\xcd\xd6\xd3\x9f\x9f\xcd\xda\x9e\xe2\xcd\x9e\xd4\xcd\xe5\x9e\xe0\xd9\xcd\xe5\xa2\xe1\xcd\xd7\xe2\xad\xeb\xd7\xc9\xde\xb7\xcb\x97\xd7\xd6\xc2\xcb\xc8\x94\x94\xc2\xcf\x93\xd7\xc2\x93\xc9\xc2\xda\x93\xd5\xce\xc2\xda\x97\xd6\xc2\xcc\xd7\xa2\xe0\xda\xef\xc8\xdc\xa8\xe8\xe7\xd3\xdc\xd9\xa5\xa5\xd3\xe0\xa4\xe8\xd3\xa4\xda\xd3\xeb\xa4\xe6\xdf\xd3\xeb\xa8\xe7\xd3\xdd\xe8\xb3\xf1\xe1\xba\xce\x9a\xda\xd9\xc5\xce\xcb\x97\x97\xc5\xd2\x96\xda\xc5\x96\xcc\xc5\xdd\x96\xd8\xd1\xc5\xdd\x9a\xd9\xc5\xcf\xda\xa5\xe3\xcf\xe3\xaf\xef\xee\xda\xe3\xe0\xac\xac\xda\xe7\xab\xef\xda\xab\xe1\xda\xf2\xab\xed\xe6\xda\xf2\xaf\xee\xda\xe4\xef\xba\xf8\xbc\x88\xc8\xc7\xb3\xbc\xb9\x85\x85\xb3\xc0\x84\xc8\xb3\x84\xba\xb3\xcb\x84\xc6\xbf\xb3\xcb\x88\xc7\xb3\xbd\xc8\x93\xd1\x9c\xdc\xdb\xc7\xd0\xcd\x99\x99\xc7\xd4\x98\xdc\xc7\x98\xce\xc7\xdf\x98\xda\xd3\xc7\xdf\x9c\xdb\xc7\xd1\xdc\xa7\xe5\xa8\xa7\x93\x9c\x99ee\x93\xa0d\xa8\x93d\x9a\x93\xabd\xa6\x9f\x93\xabh\xa7\x93\x9d\xa8s\xb1\xe7\xd3\xdc\xd9\xa5\xa5\xd3\xe0\xa4\xe8\xd3\xa4\xda\xd3\xeb\xa4\xe6\xdf\xd3\xeb\xa8\xe7\xd3\xdd\xe8\xb3\xf1\xd2\xdb\xd8\xa4\xa4\xd2\xdf\xa3\xe7\xd2\xa3\xd9\xd2\xea\xa3\xe5\xde\xd2\xea\xa7\xe6\xd2\xdc\xe7\xb2\xf0\xc7\xc4\x90\x90\xbe\xcb\x8f\xd3\xbe\x8f\xc5\xbe\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\xcd\x99\x99\xc7\xd4\x98\xdc\xc7\x98\xce\xc7\xdf\x98\xda\xd3\xc7\xdf\x9c\xdb\xc7\xd1\xdc\xa7\xe5\x96\x96\xc4\xd1\x95\xd9\xc4\x95\xcb\xc4\xdc\x95\xd7\xd0\xc4\xdc\x99\xd8\xc4\xce\xd9\xa4\xe2b\x90\x9da\xa5\x90a\x97\x90\xa8a\xa3\x9c\x90\xa8e\xa4\x90\x9a\xa5p\xae\x90\x9da\xa5\x90a\x97\x90\xa8a\xa3\x9c\x90\xa8e\xa4\x90\x9a\xa5p\xae\xcb\x8f\xd3\xbe\x8f\xc5\xbe\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\x9c\xe0\xcb\x9c\xd2\xcb\xe3\x9c\xde\xd7\xcb\xe3\xa0\xdf\xcb\xd5\xe0\xab\xe9\xa4\x8f`\x96\x8f\xa7`\xa2\x9b\x8f\xa7d\xa3\x8f\x99\xa4o\xad\xd3\xa4\xda\xd3\xeb\xa4\xe6\xdf\xd3\xeb\xa8\xe7\xd3\xdd\xe8\xb3\xf1\x8f\xc5\xbe\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\x96\x8f\xa7`\xa2\x9b\x8f\xa7d\xa3\x8f\x99\xa4o\xad\xc5\xdd\x96\xd8\xd1\xc5\xdd\x9a\xd9\xc5\xcf\xda\xa5\xe3\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\xa7\xe9\xe2\xd6\xee\xab\xea\xd6\xe0\xeb\xb6\xf4\xa2\x9b\x8f\xa7d\xa3\x8f\x99\xa4o\xad\xdd\xd1\xe9\xa6\xe5\xd1\xdb\xe6\xb1\xef\xca\xe2\x9f\xde\xca\xd4\xdf\xaa\xe8\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\xab\xea\xd6\xe0\xeb\xb6\xf4\xa7\x93\x9d\xa8s\xb1\xd2\xdc\xe7\xb2\xf0\xc8\xd3\x9e\xdc\xdd\xa8\xe6\xb3\xf1\xbc'

def Input_length(V):
    # Encode emits n*(n-1)/2 bytes for an n-char input: solve n^2 - n - 2V = 0
    a = 1; b = -1; c = -2*V
    d = math.sqrt((b**2) - (4*a*c))
    sol1 = (-b-d)/2
    sol2 = (-b+d)/2
    return int(max(sol2, sol1))

def Decode(L):
    Len = Input_length(len(L))
    f0 = L[0]; f1 = L[1]; f2 = L[Len-1]   # s0+s1, s0+s2, s1+s2
    Str = []
    Str.append(int((f0 + (f1-f2)) / 2))   # First Char: (2*s0)/2
    for i in range(Len-1):                # Then we can get other chars
        Str.append(int(L[i] - Str[0]))
    return ''.join(map(chr, Str))

flag = Decode(data)
print("[+] flag is :", flag)
```
```text
$ python3 rev.py
[+] flag is : inctf{Th4ts_he11_l0t_0f_w0rk_w4s_it?}
```
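As an added example (not the writeup's own solver), here is the same pairwise-sum transform and an inverse that uses integer arithmetic only, rejects output lengths that cannot come from any input, and validates its answer by re-encoding; the sample input is constructed, not the real flag.

```python
import math

# Added example: the crackme's pairwise-sum transform and a validated inverse.

def pairwise_sum_encode(s: bytes) -> bytes:
    """What the binary does: one byte s[i] + s[j] for every pair i < j, in order."""
    n = len(s)
    # bytes() raises ValueError if any sum exceeds 255, like the original Encode
    return bytes(s[i] + s[j] for i in range(n) for j in range(i + 1, n))

def input_length(total: int) -> int:
    """Solve n*(n-1)/2 == total for n without floats; reject impossible totals."""
    disc = 1 + 8 * total
    r = math.isqrt(disc)
    if r * r != disc or (1 + r) % 2:
        raise ValueError('output length is not n*(n-1)/2 for any n')
    return (1 + r) // 2

def pairwise_sum_decode(enc: bytes) -> bytes:
    n = input_length(len(enc))
    if n < 3:
        raise ValueError('need at least 3 input bytes to separate s0 from s1')
    # enc[0] = s0+s1, enc[1] = s0+s2, enc[n-1] = s1+s2 (first pair without s0),
    # so enc[0] + enc[1] - enc[n-1] = 2*s0.
    s0 = (enc[0] + enc[1] - enc[n - 1]) // 2
    out = [s0] + [enc[i] - s0 for i in range(n - 1)]
    # consistency check: every value must be a byte and re-encoding must match
    if not all(0 <= b <= 255 for b in out) or pairwise_sum_encode(bytes(out)) != enc:
        raise ValueError('ciphertext is not a consistent pairwise-sum encoding')
    return bytes(out)

if __name__ == '__main__':
    sample = b'inctf{constructed_sample}'   # constructed input, not the real flag
    print(pairwise_sum_decode(pairwise_sum_encode(sample)))
```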
s3cur3-r3v (Web)
The challenge description:
Hello, can you reverse this object code for me ??? I would be thankful to you.
line #* E I O op fetch ext return operands
-------------------------------------------------------------------------------------
2 0 E > NOP
51 1 FETCH_R global $1 '_GET'
2 FETCH_DIM_R $2 $1, 'flag'
3 ASSIGN !0, $2
53 4 FETCH_IS $4 '_GET'
5 ISSET_ISEMPTY_DIM_OBJ 33554432 ~5 $4, 'flag'
6 > JMPZ ~5, ->10
54 7 > INIT_FCALL 'printflag'
8 SEND_VAR !0
9 DO_FCALL 0
58 10 > > RETURN 1
line #* E I O op fetch ext return operands
-------------------------------------------------------------------------------------
2 0 E > RECV !0
3 1 ASSIGN !1, 'Yaay+here+is+your+flag%3A+'
4 2 ASSIGN !2, 'Naay+try+harder+%21%21%21'
6 3 BIND_GLOBAL !3, 'flag'
8 4 ASSIGN !4, ''
10 5 ASSIGN !5, 32
6 > JMP ->13
12 7 > INIT_FCALL 'chr'
8 SEND_VAR !5
9 DO_ICALL $16
10 ASSIGN_CONCAT 0 !4, $16
10 11 POST_INC ~18 !5
12 FREE ~18
13 > IS_SMALLER ~19 !5, 97
14 > JMPNZ ~19, ->7
15 15 > STRLEN ~20 !0
16 MOD ~21 ~20, 4
17 IS_NOT_EQUAL ~22 ~21, 0
18 > JMPZ ~22, ->20
17 19 > > EXIT 'BAD+INPUT'
20 20 > STRLEN ~24 !0
21 MUL ~25 ~24, 3
22 DIV ~26 ~25, 4
23 INIT_FCALL 'strrpos'
24 SEND_VAR !0
25 SEND_VAL '%60'
26 DO_ICALL $27
27 IS_SMALLER ~28 0, $27
28 > JMPZ ~28, ->37
29 > STRLEN ~29 !0
30 INIT_FCALL 'strrpos'
31 SEND_VAR !0
32 SEND_VAL '%60'
33 DO_ICALL $30
34 SUB ~31 ~29, $30
35 QM_ASSIGN ~32 ~31
36 > JMP ->38
37 > QM_ASSIGN ~32 0
38 > SUB ~33 ~26, ~32
39 ASSIGN_DIM !6
40 OP_DATA ~33
21 41 INIT_FCALL 'str_split'
42 SEND_VAR !0
43 DO_ICALL $34
44 ASSIGN !7, $34
22 45 ASSIGN !8, 0
23 46 ASSIGN !9,
24 47 ASSIGN !5, 0
48 > JMP ->110
25 49 > INIT_FCALL 'strpos'
50 SEND_VAR !4
51 FETCH_DIM_R $40 !7, !5
52 SEND_VAR $40
53 DO_ICALL $41
54 ASSIGN_DIM !9, 0
55 OP_DATA $41
26 56 INIT_FCALL 'strpos'
57 SEND_VAR !4
58 ADD ~43 !5, 1
59 FETCH_DIM_R $44 !7, ~43
60 SEND_VAR $44
61 DO_ICALL $45
62 ASSIGN_DIM !9, 1
63 OP_DATA $45
27 64 INIT_FCALL 'strpos'
65 SEND_VAR !4
66 ADD ~47 !5, 2
67 FETCH_DIM_R $48 !7, ~47
68 SEND_VAR $48
69 DO_ICALL $49
70 ASSIGN_DIM !9, 2
71 OP_DATA $49
28 72 INIT_FCALL 'strpos'
73 SEND_VAR !4
74 ADD ~51 !5, 3
75 FETCH_DIM_R $52 !7, ~51
76 SEND_VAR $52
77 DO_ICALL $53
78 ASSIGN_DIM !9, 3
79 OP_DATA $53
29 80 POST_INC ~54 !8
81 FETCH_DIM_R $56 !9, 0
82 SL ~57 $56, 2
83 FETCH_DIM_R $58 !9, 1
84 SR ~59 $58, 4
85 BW_OR ~60 ~57, ~59
86 ASSIGN_DIM !6, ~54
87 OP_DATA ~60
30 88 FETCH_DIM_R $61 !9, 2
89 IS_SMALLER ~62 $61, 64
90 > JMPZ ~62, ->109
31 91 > POST_INC ~63 !8
92 FETCH_DIM_R $65 !9, 1
93 SL ~66 $65, 4
94 FETCH_DIM_R $67 !9, 2
95 SR ~68 $67, 2
96 BW_OR ~69 ~66, ~68
97 ASSIGN_DIM !6, ~63
98 OP_DATA ~69
32 99 FETCH_DIM_R $70 !9, 3
100 IS_SMALLER ~71 $70, 64
101 > JMPZ ~71, ->109
33 102 > POST_INC ~72 !8
103 FETCH_DIM_R $74 !9, 2
104 SL ~75 $74, 6
105 FETCH_DIM_R $76 !9, 3
106 BW_OR ~77 ~75, $76
107 ASSIGN_DIM !6, ~72
108 OP_DATA ~77
24 109 > ASSIGN_ADD 0 !5, 4
110 > INIT_FCALL 'count'
111 SEND_VAR !7
112 DO_ICALL $79
113 IS_SMALLER ~80 !5, $79
114 > JMPNZ ~80, ->49
37 115 > ASSIGN !10, ''
38 116 ASSIGN !5, 0
117 > JMP ->125
40 118 > INIT_FCALL 'chr'
119 FETCH_DIM_R $83 !6, !5
120 SEND_VAR $83
121 DO_ICALL $84
122 ASSIGN_CONCAT 0 !10, $84
38 123 POST_INC ~86 !5
124 FREE ~86
125 > INIT_FCALL 'count'
126 SEND_VAR !6
127 DO_ICALL $87
128 IS_SMALLER ~88 !5, $87
129 > JMPNZ ~88, ->118
42 130 > ASSIGN !11, 'YtPEU%10E%24%19%5DV%11UE%92E%04%D8%5De%99%5D5RQ%25SAU%98YuVU%16%10e%85%D1I%96%13Y%96%17M%85%D6E%85%D6Q%04V'
43 131 IS_IDENTICAL ~90 !10, !11
132 > JMPZ ~90, ->136
44 133 > CONCAT ~91 !1, !3
134 ECHO ~91
135 > JMP ->137
47 136 > ECHO !2
49 137 > > RETURN null
We are given PHP opcodes (a VLD dump). You can produce the same kind of dump for your own PHP code on https://3v4l.org, which makes matching opcodes back to source much easier.
Analysing the opcodes shows that the decoder is nothing but Base64 with a custom alphabet: chr(32) through chr(96), where '`' (chr(96), index 64) serves as the padding symbol.
The script takes $_GET['flag'] and passes it to the printflag function. There the value is decoded with that alphabet and compared (===) with 'YtPEU%10E%24%19%5DV%11UE%92E%04%D8%5De%99%5D5RQ%25SAU%98YuVU%16%10e%85%D1I%96%13Y%96%17M%85%D6E%85%D6Q%04V'; if they are identical, the real flag is echoed.
In Python, what printflag does is essentially:
```python
Chars = bytes(list(range(32, 97)))   # the custom alphabet: chr(32) .. chr(96)

def Decode(S):
    L = []
    S = [Chars.find(x) for x in S]   # map each symbol to its 6-bit value
    for i in range(0, len(S), 4):
        L.append((S[i]<<2 | S[i+1]>>4) % 256)
        L.append((S[i+1]<<4 | S[i+2]>>2) % 256)
        L.append((S[i+2]<<6 | S[i+3]) % 256)
    return bytes(L)

Final = b'YtPEU\x10E$\x19]V\x11UE\x92E\x04\xd8]e\x99]5RQ%SAU\x98YuVU\x16\x10e\x85\xd1I\x96\x13Y\x96\x17M\x85\xd6E\x85\xd6Q\x04V'
flag = input("Enter flag : ").encode()
if Decode(flag) == Final:
    print("printing real flag")
else:
    print("Not equal")
```
Our task is to encode Final with the same alphabet and send the result to the PHP script:
```python
Chars = bytes(list(range(32, 97)))   # same custom alphabet as the decoder

def Encode(S):
    L = []
    for i in range(0, len(S), 3):
        # split 3 bytes (24 bits) into four 6-bit values
        L1 = S[i]>>2
        L2 = ((S[i] % 4)<<4) | (S[i+1]>>4)
        L3 = ((S[i+1] % 16)<<2) | (S[i+2]>>6)
        L4 = S[i+2] % 64
        L.append(Chars[L1]); L.append(Chars[L2]); L.append(Chars[L3]); L.append(Chars[L4])
    return bytes(L)

Final = b'YtPEU\x10E$\x19]V\x11UE\x92E\x04\xd8]e\x99]5RQ%SAU\x98YuVU\x16\x10e\x85\xd1I\x96\x13Y\x96\x17M\x85\xd6E\x85\xd6Q\x04V'
print(Encode(Final))
```
```text
$ python3 rev.py
b'671015401209758154621038766973524253056867565180987129836987387618764016'
```
Sending that value as the flag parameter returns the real flag:
```text
$ curl http://3.15.186.35/?flag=671015401209758154621038766973524253056867565180987129836987387618764016 | grep flag:
Yaay here is your flag: inctf{d1d_y0u_n0t_f1nd_th3_b453_64_3ncrypt10n_s000000_3asy}
```
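As an added example (not the writeup's own scripts), here is a re-implementation of the challenge's custom-alphabet Base64 that also handles the '`' padding and the length check the opcodes perform (the strlen % 4 test, the strrpos on '`', and the "< 64" checks inside the decode loop), which the writeup's scripts skip because Final is a multiple of 3 bytes. The target bytes and the resulting token are the ones from the writeup.

```python
# Added example: the challenge's custom-alphabet Base64 with padding handling.
ALPHABET = bytes(range(32, 97))   # 64 data symbols (chr 32..95) + '`' (chr 96)
PAD = ALPHABET[64]                # ord('`') == 96; value 64 means "no data here"

# Values taken from the writeup: the target bytes and the token that encodes them.
FINAL = b'YtPEU\x10E$\x19]V\x11UE\x92E\x04\xd8]e\x99]5RQ%SAU\x98YuVU\x16\x10e\x85\xd1I\x96\x13Y\x96\x17M\x85\xd6E\x85\xd6Q\x04V'
TOKEN = b'671015401209758154621038766973524253056867565180987129836987387618764016'

def encode(data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # pack up to 3 bytes into one 24-bit group, zero-filled on the right
        group = int.from_bytes(chunk.ljust(3, b'\0'), 'big')
        sextets = [(group >> 18) & 63, (group >> 12) & 63, (group >> 6) & 63, group & 63]
        keep = len(chunk) + 1          # 1 byte -> 2 symbols, 2 -> 3, 3 -> 4
        out += bytes(ALPHABET[v] for v in sextets[:keep])
        out += bytes([PAD]) * (4 - keep)
    return bytes(out)

def decode(token: bytes) -> bytes:
    if len(token) % 4:
        raise ValueError('BAD INPUT')   # same rejection as the EXIT 'BAD INPUT' opcode
    out = bytearray()
    for i in range(0, len(token), 4):
        a, b, c, d = (ALPHABET.find(x) for x in token[i:i + 4])
        if min(a, b, c, d) < 0:
            raise ValueError('symbol outside the alphabet')
        out.append(((a << 2) | (b >> 4)) & 0xFF)   # PHP chr() wraps modulo 256
        if c < 64:                                  # index 64 is the '`' padding
            out.append(((b << 4) | (c >> 2)) & 0xFF)
            if d < 64:
                out.append(((c << 6) | d) & 0xFF)
    return bytes(out)

def solve() -> bytes:
    """The token to submit as ?flag=...; it must decode back to FINAL."""
    token = encode(FINAL)
    assert decode(token) == FINAL
    return token

if __name__ == '__main__':
    print(solve().decode())
```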