cliche_crackme (Rev)

By dissambling the exectuable; It is just encrypting our input Checking with data string

It is doing simply

data = b'\xd7\xcc\xdd\xcf\xe4\xbd\xd1\x9d\xdd\xdc\xc8\xd1\xce\x9a\x9a\xc8\xd5\x99\xdd\xc8\x99\xcf\xc8\xe0\x99\xdb\xd4\xc8\xe0\x9d\xdc\xc8\xd2\xdd\xa8\xe6\xd1\xe2\xd4\xe9\xc2\xd6\xa2\xe2\xe1\xcd\xd6\xd3\x9f\x9f\xcd\xda\x9e\xe2\xcd\x9e\xd4\xcd\xe5\x9e\xe0\xd9\xcd\xe5\xa2\xe1\xcd\xd7\xe2\xad\xeb\xd7\xc9\xde\xb7\xcb\x97\xd7\xd6\xc2\xcb\xc8\x94\x94\xc2\xcf\x93\xd7\xc2\x93\xc9\xc2\xda\x93\xd5\xce\xc2\xda\x97\xd6\xc2\xcc\xd7\xa2\xe0\xda\xef\xc8\xdc\xa8\xe8\xe7\xd3\xdc\xd9\xa5\xa5\xd3\xe0\xa4\xe8\xd3\xa4\xda\xd3\xeb\xa4\xe6\xdf\xd3\xeb\xa8\xe7\xd3\xdd\xe8\xb3\xf1\xe1\xba\xce\x9a\xda\xd9\xc5\xce\xcb\x97\x97\xc5\xd2\x96\xda\xc5\x96\xcc\xc5\xdd\x96\xd8\xd1\xc5\xdd\x9a\xd9\xc5\xcf\xda\xa5\xe3\xcf\xe3\xaf\xef\xee\xda\xe3\xe0\xac\xac\xda\xe7\xab\xef\xda\xab\xe1\xda\xf2\xab\xed\xe6\xda\xf2\xaf\xee\xda\xe4\xef\xba\xf8\xbc\x88\xc8\xc7\xb3\xbc\xb9\x85\x85\xb3\xc0\x84\xc8\xb3\x84\xba\xb3\xcb\x84\xc6\xbf\xb3\xcb\x88\xc7\xb3\xbd\xc8\x93\xd1\x9c\xdc\xdb\xc7\xd0\xcd\x99\x99\xc7\xd4\x98\xdc\xc7\x98\xce\xc7\xdf\x98\xda\xd3\xc7\xdf\x9c\xdb\xc7\xd1\xdc\xa7\xe5\xa8\xa7\x93\x9c\x99ee\x93\xa0d\xa8\x93d\x9a\x93\xabd\xa6\x9f\x93\xabh\xa7\x93\x9d\xa8s\xb1\xe7\xd3\xdc\xd9\xa5\xa5\xd3\xe0\xa4\xe8\xd3\xa4\xda\xd3\xeb\xa4\xe6\xdf\xd3\xeb\xa8\xe7\xd3\xdd\xe8\xb3\xf1\xd2\xdb\xd8\xa4\xa4\xd2\xdf\xa3\xe7\xd2\xa3\xd9\xd2\xea\xa3\xe5\xde\xd2\xea\xa7\xe6\xd2\xdc\xe7\xb2\xf0\xc7\xc4\x90\x90\xbe\xcb\x8f\xd3\xbe\x8f\xc5\xbe\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\xcd\x99\x99\xc7\xd4\x98\xdc\xc7\x98\xce\xc7\xdf\x98\xda\xd3\xc7\xdf\x9c\xdb\xc7\xd1\xdc\xa7\xe5\x96\x96\xc4\xd1\x95\xd9\xc4\x95\xcb\xc4\xdc\x95\xd7\xd0\xc4\xdc\x99\xd8\xc4\xce\xd9\xa4\xe2b\x90\x9da\xa5\x90a\x97\x90\xa8a\xa3\x9c\x90\xa8e\xa4\x90\x9a\xa5p\xae\x90\x9da\xa5\x90a\x97\x90\xa8a\xa3\x9c\x90\xa8e\xa4\x90\x9a\xa5p\xae\xcb\x8f\xd3\xbe\x8f\xc5\xbe\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\x9c\xe0\xcb\x9c\xd2\xcb\xe3\x9c\xde\xd7\xcb\xe3\xa0\xdf\xcb\xd5\xe0\xab\xe9\xa4\x8f`\x96\x8f\xa7`\xa2\x9b\x8f\xa7d\xa3\x8f\x99\xa4o\xad\xd3\xa4\xda\xd3\xeb\xa4\xe6\xdf\xd3\xeb\xa8\xe7\xd3\xdd\xe8\xb3\xf1\x8f\xc5\xbe\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\x96\x8f\xa7`\xa2\x9b\x8f\xa7d\xa3\x8f\x99\xa4o\xad\xc5\xdd\x96\xd8\xd1\xc5\xdd\x9a\xd9\xc5\xcf\xda\xa5\xe3\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\xa7\xe9\xe2\xd6\xee\xab\xea\xd6\xe0\xeb\xb6\xf4\xa2\x9b\x8f\xa7d\xa3\x8f\x99\xa4o\xad\xdd\xd1\xe9\xa6\xe5\xd1\xdb\xe6\xb1\xef\xca\xe2\x9f\xde\xca\xd4\xdf\xaa\xe8\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\xab\xea\xd6\xe0\xeb\xb6\xf4\xa7\x93\x9d\xa8s\xb1\xd2\xdc\xe7\xb2\xf0\xc8\xd3\x9e\xdc\xdd\xa8\xe6\xb3\xf1\xbc'

def Encode(S):
    L = []
    for i in range(len(S)):
        for j in range(i+1,len(S)):
            L.append(ord(S[i])+ord(S[j]))
    return bytes(L)

if Encode(input("Enter flag : ")) == data:
    print("Congratz - You have earned it")
else:
    print("You\'ve got to do better")

Revesing the Encode function, We can get the flag from given data!

Using a Simple math

import math
data = b'\xd7\xcc\xdd\xcf\xe4\xbd\xd1\x9d\xdd\xdc\xc8\xd1\xce\x9a\x9a\xc8\xd5\x99\xdd\xc8\x99\xcf\xc8\xe0\x99\xdb\xd4\xc8\xe0\x9d\xdc\xc8\xd2\xdd\xa8\xe6\xd1\xe2\xd4\xe9\xc2\xd6\xa2\xe2\xe1\xcd\xd6\xd3\x9f\x9f\xcd\xda\x9e\xe2\xcd\x9e\xd4\xcd\xe5\x9e\xe0\xd9\xcd\xe5\xa2\xe1\xcd\xd7\xe2\xad\xeb\xd7\xc9\xde\xb7\xcb\x97\xd7\xd6\xc2\xcb\xc8\x94\x94\xc2\xcf\x93\xd7\xc2\x93\xc9\xc2\xda\x93\xd5\xce\xc2\xda\x97\xd6\xc2\xcc\xd7\xa2\xe0\xda\xef\xc8\xdc\xa8\xe8\xe7\xd3\xdc\xd9\xa5\xa5\xd3\xe0\xa4\xe8\xd3\xa4\xda\xd3\xeb\xa4\xe6\xdf\xd3\xeb\xa8\xe7\xd3\xdd\xe8\xb3\xf1\xe1\xba\xce\x9a\xda\xd9\xc5\xce\xcb\x97\x97\xc5\xd2\x96\xda\xc5\x96\xcc\xc5\xdd\x96\xd8\xd1\xc5\xdd\x9a\xd9\xc5\xcf\xda\xa5\xe3\xcf\xe3\xaf\xef\xee\xda\xe3\xe0\xac\xac\xda\xe7\xab\xef\xda\xab\xe1\xda\xf2\xab\xed\xe6\xda\xf2\xaf\xee\xda\xe4\xef\xba\xf8\xbc\x88\xc8\xc7\xb3\xbc\xb9\x85\x85\xb3\xc0\x84\xc8\xb3\x84\xba\xb3\xcb\x84\xc6\xbf\xb3\xcb\x88\xc7\xb3\xbd\xc8\x93\xd1\x9c\xdc\xdb\xc7\xd0\xcd\x99\x99\xc7\xd4\x98\xdc\xc7\x98\xce\xc7\xdf\x98\xda\xd3\xc7\xdf\x9c\xdb\xc7\xd1\xdc\xa7\xe5\xa8\xa7\x93\x9c\x99ee\x93\xa0d\xa8\x93d\x9a\x93\xabd\xa6\x9f\x93\xabh\xa7\x93\x9d\xa8s\xb1\xe7\xd3\xdc\xd9\xa5\xa5\xd3\xe0\xa4\xe8\xd3\xa4\xda\xd3\xeb\xa4\xe6\xdf\xd3\xeb\xa8\xe7\xd3\xdd\xe8\xb3\xf1\xd2\xdb\xd8\xa4\xa4\xd2\xdf\xa3\xe7\xd2\xa3\xd9\xd2\xea\xa3\xe5\xde\xd2\xea\xa7\xe6\xd2\xdc\xe7\xb2\xf0\xc7\xc4\x90\x90\xbe\xcb\x8f\xd3\xbe\x8f\xc5\xbe\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\xcd\x99\x99\xc7\xd4\x98\xdc\xc7\x98\xce\xc7\xdf\x98\xda\xd3\xc7\xdf\x9c\xdb\xc7\xd1\xdc\xa7\xe5\x96\x96\xc4\xd1\x95\xd9\xc4\x95\xcb\xc4\xdc\x95\xd7\xd0\xc4\xdc\x99\xd8\xc4\xce\xd9\xa4\xe2b\x90\x9da\xa5\x90a\x97\x90\xa8a\xa3\x9c\x90\xa8e\xa4\x90\x9a\xa5p\xae\x90\x9da\xa5\x90a\x97\x90\xa8a\xa3\x9c\x90\xa8e\xa4\x90\x9a\xa5p\xae\xcb\x8f\xd3\xbe\x8f\xc5\xbe\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\x9c\xe0\xcb\x9c\xd2\xcb\xe3\x9c\xde\xd7\xcb\xe3\xa0\xdf\xcb\xd5\xe0\xab\xe9\xa4\x8f`\x96\x8f\xa7`\xa2\x9b\x8f\xa7d\xa3\x8f\x99\xa4o\xad\xd3\xa4\xda\xd3\xeb\xa4\xe6\xdf\xd3\xeb\xa8\xe7\xd3\xdd\xe8\xb3\xf1\x8f\xc5\xbe\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\x96\x8f\xa7`\xa2\x9b\x8f\xa7d\xa3\x8f\x99\xa4o\xad\xc5\xdd\x96\xd8\xd1\xc5\xdd\x9a\xd9\xc5\xcf\xda\xa5\xe3\xd6\x8f\xd1\xca\xbe\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\xa7\xe9\xe2\xd6\xee\xab\xea\xd6\xe0\xeb\xb6\xf4\xa2\x9b\x8f\xa7d\xa3\x8f\x99\xa4o\xad\xdd\xd1\xe9\xa6\xe5\xd1\xdb\xe6\xb1\xef\xca\xe2\x9f\xde\xca\xd4\xdf\xaa\xe8\xd6\x93\xd2\xbe\xc8\xd3\x9e\xdc\xab\xea\xd6\xe0\xeb\xb6\xf4\xa7\x93\x9d\xa8s\xb1\xd2\xdc\xe7\xb2\xf0\xc8\xd3\x9e\xdc\xdd\xa8\xe6\xb3\xf1\xbc'

def Input_length(V):
    a = 1 ; b = -1 ; c = -2*V
    d = math.sqrt((b**2) - (4*a*c))
    sol1 = (-b-d)/2
    sol2 = (-b+d)/2
    return int(max(sol2,sol1))

def Decode(L):
    Len = Input_length(len(L))
    f0 = L[0] ; f1 = L[1] ; f2 = L[Len-1]
    Str = []
    Str.append(int( (f0 + (f1-f2) ) /2) ) # First Char
    for i in range(Len-1): # Then we can get other chars
        Str.append(int( L[i]-Str[0] ))
    return ''.join(map(chr,Str))

flag = Decode(data)
print("[+] flag is :",flag)

$ python3 rev.py 
[+] flag is : inctf{Th4ts_he11_l0t_0f_w0rk_w4s_it?}

s3cur3-r3v (Web)

Given challenge .


Hello, can you reverse this object code for me ??? I would be thankfull to you.

line     #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   2     0  E >   NOP                                                      
  51     1        FETCH_R                      global              $1      '_GET'
         2        FETCH_DIM_R                                      $2      $1, 'flag'
         3        ASSIGN                                                   !0, $2
  53     4        FETCH_IS                                         $4      '_GET'
         5        ISSET_ISEMPTY_DIM_OBJ                       33554432  ~5      $4, 'flag'
         6      > JMPZ                                                     ~5, ->10
  54     7    >   INIT_FCALL                                               'printflag'
         8        SEND_VAR                                                 !0
         9        DO_FCALL                                      0          
  58    10    > > RETURN                                                   1

line     #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   2     0  E >   RECV                                             !0      
   3     1        ASSIGN                                                   !1, 'Yaay+here+is+your+flag%3A+'
   4     2        ASSIGN                                                   !2, 'Naay+try+harder+%21%21%21'
   6     3        BIND_GLOBAL                                              !3, 'flag'
   8     4        ASSIGN                                                   !4, ''
  10     5        ASSIGN                                                   !5, 32
         6      > JMP                                                      ->13
  12     7    >   INIT_FCALL                                               'chr'
         8        SEND_VAR                                                 !5
         9        DO_ICALL                                         $16     
        10        ASSIGN_CONCAT                                 0          !4, $16
  10    11        POST_INC                                         ~18     !5
        12        FREE                                                     ~18
        13    >   IS_SMALLER                                       ~19     !5, 97
        14      > JMPNZ                                                    ~19, ->7
  15    15    >   STRLEN                                           ~20     !0
        16        MOD                                              ~21     ~20, 4
        17        IS_NOT_EQUAL                                     ~22     ~21, 0
        18      > JMPZ                                                     ~22, ->20
  17    19    > > EXIT                                                     'BAD+INPUT'
  20    20    >   STRLEN                                           ~24     !0
        21        MUL                                              ~25     ~24, 3
        22        DIV                                              ~26     ~25, 4
        23        INIT_FCALL                                               'strrpos'
        24        SEND_VAR                                                 !0
        25        SEND_VAL                                                 '%60'
        26        DO_ICALL                                         $27     
        27        IS_SMALLER                                       ~28     0, $27
        28      > JMPZ                                                     ~28, ->37
        29    >   STRLEN                                           ~29     !0
        30        INIT_FCALL                                               'strrpos'
        31        SEND_VAR                                                 !0
        32        SEND_VAL                                                 '%60'
        33        DO_ICALL                                         $30     
        34        SUB                                              ~31     ~29, $30
        35        QM_ASSIGN                                        ~32     ~31
        36      > JMP                                                      ->38
        37    >   QM_ASSIGN                                        ~32     0
        38    >   SUB                                              ~33     ~26, ~32
        39        ASSIGN_DIM                                               !6
        40        OP_DATA                                                  ~33
  21    41        INIT_FCALL                                               'str_split'
        42        SEND_VAR                                                 !0
        43        DO_ICALL                                         $34     
        44        ASSIGN                                                   !7, $34
  22    45        ASSIGN                                                   !8, 0
  23    46        ASSIGN                                                   !9, 
  24    47        ASSIGN                                                   !5, 0
        48      > JMP                                                      ->110
  25    49    >   INIT_FCALL                                               'strpos'
        50        SEND_VAR                                                 !4
        51        FETCH_DIM_R                                      $40     !7, !5
        52        SEND_VAR                                                 $40
        53        DO_ICALL                                         $41     
        54        ASSIGN_DIM                                               !9, 0
        55        OP_DATA                                                  $41
  26    56        INIT_FCALL                                               'strpos'
        57        SEND_VAR                                                 !4
        58        ADD                                              ~43     !5, 1
        59        FETCH_DIM_R                                      $44     !7, ~43
        60        SEND_VAR                                                 $44
        61        DO_ICALL                                         $45     
        62        ASSIGN_DIM                                               !9, 1
        63        OP_DATA                                                  $45
  27    64        INIT_FCALL                                               'strpos'
        65        SEND_VAR                                                 !4
        66        ADD                                              ~47     !5, 2
        67        FETCH_DIM_R                                      $48     !7, ~47
        68        SEND_VAR                                                 $48
        69        DO_ICALL                                         $49     
        70        ASSIGN_DIM                                               !9, 2
        71        OP_DATA                                                  $49
  28    72        INIT_FCALL                                               'strpos'
        73        SEND_VAR                                                 !4
        74        ADD                                              ~51     !5, 3
        75        FETCH_DIM_R                                      $52     !7, ~51
        76        SEND_VAR                                                 $52
        77        DO_ICALL                                         $53     
        78        ASSIGN_DIM                                               !9, 3
        79        OP_DATA                                                  $53
  29    80        POST_INC                                         ~54     !8
        81        FETCH_DIM_R                                      $56     !9, 0
        82        SL                                               ~57     $56, 2
        83        FETCH_DIM_R                                      $58     !9, 1
        84        SR                                               ~59     $58, 4
        85        BW_OR                                            ~60     ~57, ~59
        86        ASSIGN_DIM                                               !6, ~54
        87        OP_DATA                                                  ~60
  30    88        FETCH_DIM_R                                      $61     !9, 2
        89        IS_SMALLER                                       ~62     $61, 64
        90      > JMPZ                                                     ~62, ->109
  31    91    >   POST_INC                                         ~63     !8
        92        FETCH_DIM_R                                      $65     !9, 1
        93        SL                                               ~66     $65, 4
        94        FETCH_DIM_R                                      $67     !9, 2
        95        SR                                               ~68     $67, 2
        96        BW_OR                                            ~69     ~66, ~68
        97        ASSIGN_DIM                                               !6, ~63
        98        OP_DATA                                                  ~69
  32    99        FETCH_DIM_R                                      $70     !9, 3
       100        IS_SMALLER                                       ~71     $70, 64
       101      > JMPZ                                                     ~71, ->109
  33   102    >   POST_INC                                         ~72     !8
       103        FETCH_DIM_R                                      $74     !9, 2
       104        SL                                               ~75     $74, 6
       105        FETCH_DIM_R                                      $76     !9, 3
       106        BW_OR                                            ~77     ~75, $76
       107        ASSIGN_DIM                                               !6, ~72
       108        OP_DATA                                                  ~77
  24   109    >   ASSIGN_ADD                                    0          !5, 4
       110    >   INIT_FCALL                                               'count'
       111        SEND_VAR                                                 !7
       112        DO_ICALL                                         $79     
       113        IS_SMALLER                                       ~80     !5, $79
       114      > JMPNZ                                                    ~80, ->49
  37   115    >   ASSIGN                                                   !10, ''
  38   116        ASSIGN                                                   !5, 0
       117      > JMP                                                      ->125
  40   118    >   INIT_FCALL                                               'chr'
       119        FETCH_DIM_R                                      $83     !6, !5
       120        SEND_VAR                                                 $83
       121        DO_ICALL                                         $84     
       122        ASSIGN_CONCAT                                 0          !10, $84
  38   123        POST_INC                                         ~86     !5
       124        FREE                                                     ~86
       125    >   INIT_FCALL                                               'count'
       126        SEND_VAR                                                 !6
       127        DO_ICALL                                         $87     
       128        IS_SMALLER                                       ~88     !5, $87
       129      > JMPNZ                                                    ~88, ->118
  42   130    >   ASSIGN                                                   !11, 'YtPEU%10E%24%19%5DV%11UE%92E%04%D8%5De%99%5D5RQ%25SAU%98YuVU%16%10e%85%D1I%96%13Y%96%17M%85%D6E%85%D6Q%04V'
  43   131        IS_IDENTICAL                                     ~90     !10, !11
       132      > JMPZ                                                     ~90, ->136
  44   133    >   CONCAT                                           ~91     !1, !3
       134        ECHO                                                     ~91
       135      > JMP                                                      ->137
  47   136    >   ECHO                                                     !2
  49   137    > > RETURN                                                   null

Given PHP Object code. we can create our php object code using https://3v4l.org

By analyzing the given OP_CODE, It is nothing but a Base64 implementation with different chars chr(32) to chr(96)

This php code is taking $_GET['flag'] and passing it printflag function

There the $_GET['flag'] is decoded and Checked equality with 'YtPEU%10E%24%19%5DV%11UE%92E%04%D8%5De%99%5D5RQ%25SAU%98YuVU%16%10e%85%D1I%96%13Y%96%17M%85%D6E%85%D6Q%04V'

The task performed there is simply

def Decode(S):
    L = []
    S = [Chars.find(x) for x in S]
    for i in range(0,len(S),4):
        L.append( (S[i]<<2 | S[i+1]>>4)%256 )
        L.append( (S[i+1]<<4 | S[i+2]>>2)%256 )
        L.append( (S[i+2]<<6 | S[i+3])%256 )
    return bytes(L)
Final = b'YtPEU\x10E$\x19]V\x11UE\x92E\x04\xd8]e\x99]5RQ%SAU\x98YuVU\x16\x10e\x85\xd1I\x96\x13Y\x96\x17M\x85\xd6E\x85\xd6Q\x04V'

flag = intput("Enter flag : ")
if Decode(flag) == Final:
    print("printing real flag")
else:
    print("Not equal")
Chars = bytes( list(range(32,97)) )

Our Task is to Encode the Final and send it to php

def Encode(S):
    L = []
    for i in range(0,len(S),3):
        L1 = S[i]>>2
        L2 = ((S[i] % 4)<<4) | (S[i+1]>>4)
        L3 = ((S[i+1] % 16)<<2) | (S[i+2]>>6)
        L4 = S[i+2] % 64
        L.append( Chars[L1] ); L.append( Chars[L2] ); L.append( Chars[L3] ); L.append( Chars[L4] )
    return bytes(L)

Final = b'YtPEU\x10E$\x19]V\x11UE\x92E\x04\xd8]e\x99]5RQ%SAU\x98YuVU\x16\x10e\x85\xd1I\x96\x13Y\x96\x17M\x85\xd6E\x85\xd6Q\x04V'
print(Encode(Final))

$ python3 rev.py 
b'671015401209758154621038766973524253056867565180987129836987387618764016'

Using that flag to get the real flag!

$ curl http://3.15.186.35/?flag=671015401209758154621038766973524253056867565180987129836987387618764016  | grep flag:
Yaay here is your flag: inctf{d1d_y0u_n0t_f1nd_th3_b453_64_3ncrypt10n_s000000_3asy}

Search This Blog

Ajay Shankar #D1r3Wolf 's blog

InCTF 2019 writeup's

cliche_crackme (Rev)

s3cur3-r3v (Web)

Comments

Post a Comment

Popular posts from this blog

Square CTF 2019 Writeup's

K3RN3L CTF 2021 Rev - `Recurso & Rasm ` writeups

Confidence CTF 2020 `Cat web` challenge writeup