Reverse Engineering
| Challenge | Link |
|---|---|
Paranoia (100 pts) | |
Grip (100 pts) | |
Sperm Rev (100 pts) | |
Risks (205 pts) | |
Packeta (460 pts) | |
Mips (477 pts) | |
Orgalorg (498 pts) |
Paranoia (100 pts)
Description
im baby
Author: miyako
nc 20.80.240.190 1234
Solution
Given ELF 64 bit file, open it using IDA.
int __fastcall main(int argc, const char **argv, const char **envp)
{
unsigned int v3; // eax
int v4; // ebx
int v5; // eax
unsigned __int64 i; // [rsp+8h] [rbp-18h]
v3 = time(0LL);
srand(v3);
for ( i = 0LL; i <= 0x11; ++i )
{
v4 = flag[i];
v5 = rand();
printf("%i ", v4 ^ ((unsigned __int8)(((unsigned int)(v5 >> 31) >> 24) + v5) - ((unsigned int)(v5 >> 31) >> 24)));
}
putchar(10);
return 0;Basically it just do xor with random value with seed current time (time(0)). To get the plaintext we can do the same process. To overcome delay issue, we can do little bruteforce from current time.
from ctypes import CDLL
import time
from pwn import *
libc = CDLL("libc.so.6")
current = int(time.time())
r = remote("20.80.240.190", 1234)
ct = list(map(int, r.recvline().strip().split(b" ")))
for i in range(current, current-10, -1):
libc.srand(i)
tmp_flag = b""
for v4 in ct:
v5 = libc.rand()
tmp_flag += bytes([v4 ^ (((((v5 >> 31) >> 24) + v5) - ((v5 >> 31) >> 24)) & 0xff)])
print(i, tmp_flag)
r.interactive()Flag: akasec{n0t_t00_m4ny_br41nc3lls_l3ft}
Grip (100 pts)
Description
its...its...Grippy
Author: miyako
Solution
Given ELF 64 bit, open it using IDA.
__int64 __fastcall main(int a1, char **a2, char **a3)
{
__int64 v3; // rbx
__int64 v4; // rbx
__int64 v5; // rbx
__int64 v6; // rbx
__int64 v7; // rbx
__int64 v8; // rbx
__int64 v9; // rbx
__int64 v10; // rbx
__int64 v11; // rbx
unsigned __int64 i; // [rsp+18h] [rbp-C8h]
_QWORD *v14; // [rsp+20h] [rbp-C0h]
__int64 v15; // [rsp+30h] [rbp-B0h]
__int64 v16; // [rsp+38h] [rbp-A8h]
__int64 v17; // [rsp+40h] [rbp-A0h]
__int64 v18; // [rsp+48h] [rbp-98h]
__int64 v19; // [rsp+50h] [rbp-90h]
__int64 v20; // [rsp+58h] [rbp-88h]
__int64 v21; // [rsp+60h] [rbp-80h]
__int64 v22; // [rsp+68h] [rbp-78h]
__int64 v23; // [rsp+70h] [rbp-70h]
__int64 v24; // [rsp+78h] [rbp-68h]
__int64 v25; // [rsp+80h] [rbp-60h]
__int64 v26; // [rsp+88h] [rbp-58h]
__int64 v27; // [rsp+90h] [rbp-50h]
__int64 v28; // [rsp+98h] [rbp-48h]
__int64 v29; // [rsp+A0h] [rbp-40h]
char v30[13]; // [rsp+A8h] [rbp-38h]
__int64 v31; // [rsp+B5h] [rbp-2Bh]
unsigned __int64 v32; // [rsp+C8h] [rbp-18h]
v32 = __readfsqword(0x28u);
v15 = 0xB21E71BA177BBAA7LL;
v16 = 0xF2F2DAD7F679BA96LL;
v17 = 0xBA32C30AB77BBAF2LL;
v18 = 0xCBD3D5C3D1DBD14ALL;
v19 = 0xC9C4C481D848BAC3LL;
v20 = 0xBA22B77BBA84C0EFLL;
v21 = 0xC0EFC94ABA2AA77BLL;
v22 = 0xEF48BAD483DBD384LL;
v23 = 0xBACDC9C284DE81D2LL;
v24 = 0x3516A77BBA2EB77BLL;
v25 = 0xEA19F2F2F2F23EB7LL;
v26 = 0x22F7B644FD3EB779LL;
v27 = 0x3EB779307BB00271LL;
v28 = 0xF33EB77122F7A67ALL;
v29 = 0xBA621084E93E8F71LL;
*(_QWORD *)v30 = 0xD7F6D9BA960AB779LL;
*(_QWORD *)&v30[5] = 0x86F2F2F2DAD7F6D9LL;
v31 = 0x313BF2F2F2F21AF7LL;
for ( i = 0LL; i <= 0x8C; ++i )
*((_BYTE *)&v15 + i) ^= 0xF2u;
v14 = mmap(0LL, 0x8DuLL, 6, 34, -1, 0LL);
v3 = v16;
*v14 = v15;
v14[1] = v3;
v4 = v18;
v14[2] = v17;
v14[3] = v4;
v5 = v20;
v14[4] = v19;
v14[5] = v5;
v6 = v22;
v14[6] = v21;
v14[7] = v6;
v7 = v24;
v14[8] = v23;
v14[9] = v7;
v8 = v26;
v14[10] = v25;
v14[11] = v8;
v9 = v28;
v14[12] = v27;
v14[13] = v9;
v10 = *(_QWORD *)v30;
v14[14] = v29;
v14[15] = v10;
v11 = v31;
*(_QWORD *)((char *)v14 + 125) = *(_QWORD *)&v30[5];
*(_QWORD *)((char *)v14 + 133) = v11;
((void (__fastcall *)(_QWORD))v14)(0LL);
puts(":3");
return 0LL;
}We can see that there is mmap function called then the address from mmap (v14) used to store value of static value xored with 0xf2. At the end, v14 called in the main function. From those information we can assume that value on address v14 contains valid assembly because it called in the end. So dump the bytecode then open it again using decompiler.
from Crypto.Util.number import *
ct = []
ct.append(0xB21E71BA177BBAA7)
ct.append(0xF2F2DAD7F679BA96)
ct.append(0xBA32C30AB77BBAF2)
ct.append(0xCBD3D5C3D1DBD14A)
ct.append(0xC9C4C481D848BAC3)
ct.append(0xBA22B77BBA84C0EF)
ct.append(0xC0EFC94ABA2AA77B)
ct.append(0xEF48BAD483DBD384)
ct.append(0xBACDC9C284DE81D2)
ct.append(0x3516A77BBA2EB77B)
ct.append(0xEA19F2F2F2F23EB7)
ct.append(0x22F7B644FD3EB779)
ct.append(0x3EB779307BB00271)
ct.append(0xF33EB77122F7A67A)
ct.append(0xBA621084E93E8F71)
ct.append(0xD7F6D9BA960AB779)
ct.append(0x86F2F2F2DAD7F6D9)
pt = []
for i in ct:
tmp = long_to_bytes(i)[::-1]
for j in tmp:
pt.append(j ^ 0xf2)
pt[-4] = 0xc3
out = open("dump.bin", "wb")
out.write(bytes(pt))3 null bytes at the end will cause error on decompile process, so put 0xc3 (ret) to overcome the issue.
unsigned __int64 sub_0()
{
unsigned int i; // [rsp+Ch] [rbp-34h]
__int64 v2; // [rsp+10h] [rbp-30h]
_DWORD v3[3]; // [rsp+18h] [rbp-28h]
__int64 v4; // [rsp+24h] [rbp-1Ch]
unsigned __int64 v5; // [rsp+38h] [rbp-8h]
v5 = __readfsqword(0x28u);
v2 = 0x3139212731232923i64;
v3[0] = 909538090;
*(_QWORD *)&v3[1] = 0x2671292176321D3Bi64;
v4 = 0x3F3B30762C73201Di64;
for ( i = 0; i <= 0x1B; ++i )
*((_BYTE *)&v3[-2] + i) ^= 0x42u;
return v5 - __readfsqword(0x2825042Bu);
}Now we have the code, then just convert it to python and get the flag.
from Crypto.Util.number import *
ct = []
ct.append(0x3139212731232923)
ct.append(0x3636732A)
ct.append(0x2671292176321D3B)
ct.append(0x3F3B30762C73201D)
flag = b""
for i in ct:
tmp = long_to_bytes(i)[::-1]
for j in tmp:
flag += bytes([j ^ 0x42])
print(flag)Flag: akasec{sh1tty_p4ck3d_b1n4ry}
Sperm Rev (100 pts)
Description
before baby rev, there was sperm rev <3
solve it fast to win another race in your life.
Author: Pengolian
Solution
Given ELF 64 bit, open it using IDA. Nothing useful in available function, check on strings.
Flag: AKASEC{strings_b35t_t00l_1n_r3v3r5e_eng1n33r1ng}
Risks (205 pts)
Description
theres this pretty cool isa called riscv it sounds awesome.
Author: miyako
Solution
Given ELF 64 bit RISCV file, open it using ghidra. Rename some known function to make it easily to understand.
undefined8 main(void)
{
char cVar1;
long lVar2;
undefined8 local_30;
long local_28;
long local_20;
long local_18;
local_28 = 0;
local_30 = 0;
printf_("whats the flag: ");
local_18 = getline_(&local_28,&local_30,_stdin);
*(local_18 + -1 + local_28) = 0;
local_20 = local_28;
FUN_00101ad4(local_28);
FUN_00101346(local_20);
FUN_00100c8c(local_20);
FUN_00100786(local_20);
lVar2 = strlen_(local_28);
if ((lVar2 == 0x20) && (cVar1 = compare_value(local_20), cVar1 == '\x01')) {
puts_("good job!");
return 0;
}
puts_("nuh uh");
return 0;
}So there are 5 custom functions in the program.
FUN_00101ad4, FUN_00101346, FUN_00100c8c, and FUN_00100786 process our input with some operation such as xor and add.
compare_value validate our processed input with static value
From those informations we can get the valid input by utilizing z3. Below is my solution
from z3 import *
from Crypto.Util.number import *
inp = [BitVec("x{}".format(i), 64) for i in range(4)]
s = Solver()
param_1 = [0 for _ in range(4)]
# FUN_00101ad4
param_1[0] = inp[0] + 0x75978f47ac76cf;
param_1[1] = inp[1] + 0xff889b2d229768ef;
param_1[0] = param_1[0] ^ 0x76bf86ade5d5cc;
param_1[2] = inp[2] + 0x760f38b4bc69dc;
param_1[0] = param_1[0] ^ 0x559f46365cee21;
param_1[0] = param_1[0] + 0x5c6476bf0d4a19;
param_1[0] = param_1[0] ^ 0xed41cda9780;
param_1[2] = param_1[2] ^ 0x1e555c027a4e43;
param_1[3] = inp[3] + 0xfff29f96915a6e96;
param_1[0] = param_1[0] ^ 0x4c46c321e8dc3d;
param_1[2] = param_1[2] + 0x440d7b5dafb63c;
param_1[3] = param_1[3] ^ 0x39549dd6e1299b;
param_1[0] = param_1[0] + 0xff80a83276856f6b;
param_1[0] = param_1[0] + 0x3869018f758dd0;
param_1[0] = param_1[0] + 0xfff507f694ac1618;
param_1[0] = param_1[0] + 0xffaef9a6a60ac41c;
param_1[2] = param_1[2] ^ 0x4bb739ae97e2b2;
param_1[0] = param_1[0] ^ 0xb9c189c728744;
param_1[3] = param_1[3] ^ 0x63b60e480e2904;
param_1[1] = param_1[1] + 0x70ea19e458d1dd;
param_1[0] = param_1[0] ^ 0x1c380c9255dc4a;
param_1[0] = param_1[0] ^ 0x72195b264896c6;
param_1[0] = param_1[0] + 0xb58f5721006db;
param_1[1] = param_1[1] + 0xfff1a19d465554d0;
param_1[1] = param_1[1] + 0x45c8dee1a136cd;
param_1[1] = param_1[1] + 0xff95aa1bc2ad9c07;
param_1[3] = param_1[3] + 0xffed79b44c733cd6;
param_1[0] = param_1[0] + 0x27d894eb9caa9b;
param_1[3] = param_1[3] + 0xff9cb13f334ec53a;
param_1[3] = param_1[3] + 0x3c2a0d8d36145a;
param_1[1] = param_1[1] + 0x30a473f940b5dd;
param_1[2] = param_1[2] + 0x7239ea8aa2bc49;
param_1[1] = param_1[1] + 0x71e89e42b8b132;
param_1[1] = param_1[1] + 0xff887455a5eb36fd;
param_1[2] = param_1[2] + 0xffc07313a3962d72;
param_1[2] = param_1[2] + 0xffcf924d075d2a72;
param_1[1] = param_1[1] ^ 0x3707089012b521;
param_1[2] = param_1[2] + 0x12b99b0e57e3bb;
param_1[1] = param_1[1] + 0x3e897bb78bc162;
param_1[2] = param_1[2] + 0xffc244c1f804fc9b;
param_1[3] = param_1[3] ^ 0x21e211817f468b;
param_1[3] = param_1[3] + 0x44c0052fcca332;
param_1[1] = param_1[1] + 0x4f53af9faf8acf;
param_1[1] = param_1[1] + 0x2fda660863a649;
param_1[1] = param_1[1] + 0xffa9f06d0990b3ac;
param_1[2] = param_1[2] + 0x2e93addef2df4f;
param_1[3] = param_1[3] + 0x4531b2344b641b;
param_1[3] = param_1[3] + 0xfff8e89a72f8e26c;
param_1[1] = param_1[1] + 0x15c6da9bc36ed0;
param_1[2] = param_1[2] ^ 0x738278f8599e2d;
param_1[1] = param_1[1] ^ 0x44dd76d42e4513;
param_1[1] = param_1[1] + 0xffb57183e089ceb4;
param_1[2] = param_1[2] ^ 0x27972fbdfd287c;
param_1[0] = param_1[0] ^ 0x7eb9039a2b6bf0;
param_1[2] = param_1[2] + 0xffc75c67f5de1b31;
# FUN_00101346
param_1[0] = param_1[0] ^ 0x131e29f760409;
param_1[1] = param_1[1] + 0x23fe2dd7650a73;
param_1[1] = param_1[1] + 0xfff70308e97acf79;
param_1[2] = param_1[2] + 0xffb870f6f2950920;
param_1[0] = param_1[0] ^ 0x58bd244826ef43;
param_1[2] = param_1[2] + 0xffdc5874e8d03bbc;
param_1[1] = param_1[1] + 0xffb3ce0944bbfc19;
param_1[0] = param_1[0] ^ 0x38b3e1c4b3be14;
param_1[3] = param_1[3] ^ 0x6de4b0dccee1f8;
param_1[2] = param_1[2] + 0x48e99a2ccfbefa;
param_1[2] = param_1[2] + 0x2803831f197314;
param_1[2] = param_1[2] ^ 0x7fd3195c5e8bfb;
param_1[1] = param_1[1] + 0x2311f9e5515a6d;
param_1[3] = param_1[3] + 0x29e99994341bad;
param_1[2] = param_1[2] + 0xffa46f41e698229f;
param_1[0] = param_1[0] ^ 0x16097f9beb9df8;
param_1[2] = param_1[2] ^ 0x58f5f5f9e64f77;
param_1[2] = param_1[2] + 0xffce81bd3383de95;
param_1[0] = param_1[0] + 0x1437a45ffed077;
param_1[2] = param_1[2] + 0x4ec7609899b599;
param_1[3] = param_1[3] + 0x77832406a422ee;
param_1[0] = param_1[0] ^ 0xa299bfabd147f;
param_1[0] = param_1[0] + 0xff9731d63e0a4ce9;
param_1[0] = param_1[0] ^ 0x3ea0b669b87301;
param_1[0] = param_1[0] ^ 0x7bc3ff2762eeb0;
param_1[0] = param_1[0] + 0x2ff3559df23d95;
param_1[2] = param_1[2] + 0xffb0934ca254c450;
param_1[0] = param_1[0] + 0xff8b3b8d33d104e1;
param_1[3] = param_1[3] ^ 0x2f268e55029508;
param_1[2] = param_1[2] + 0xffe1c76d94c5b270;
param_1[3] = param_1[3] ^ 0x5575918734e1cd;
param_1[0] = param_1[0] + 0xffe368f50fe7ff81;
param_1[0] = param_1[0] ^ 0x22b615021c1680;
param_1[0] = param_1[0] + 0xff95c819c49f5170;
param_1[2] = param_1[2] + 0x485e655976a7ee;
param_1[0] = param_1[0] + 0x6f4847b022b253;
param_1[1] = param_1[1] ^ 0x392622311d6f3d;
param_1[1] = param_1[1] + 0xffb3096849dd7eb3;
param_1[3] = param_1[3] ^ 0x6e8b5de620fa;
param_1[3] = param_1[3] + 0x21d4322fefd286;
param_1[3] = param_1[3] + 0xffe14e96454625c5;
param_1[3] = param_1[3] ^ 0x4757d3b35495bb;
param_1[1] = param_1[1] + 0xffc4845886e53673;
param_1[0] = param_1[0] ^ 0x57617d2db4d1c4;
param_1[0] = param_1[0] ^ 0x69bd97ec881da;
param_1[2] = param_1[2] ^ 0x57ac6bbc11593;
param_1[2] = param_1[2] ^ 0x5c2cbf22512aa3;
param_1[2] = param_1[2] + 0x1860e298e3c0d5;
param_1[2] = param_1[2] + 0xffe6f1b24728fb11;
param_1[0] = param_1[0] + 0x4561b3931db109;
param_1[0] = param_1[0] ^ 0x1a70a95138d536;
param_1[2] = param_1[2] + 0x32ff8082367e19;
param_1[3] = param_1[3] + 0xff99a53e605869f2;
param_1[0] = param_1[0] + 0x1e359449108efb;
param_1[0] = param_1[0] + 0xff9338172cb899f9;
param_1[0] = param_1[0] + 0x33dbc3093cba9e;
param_1[1] = param_1[1] + 0x7d005d760e8a00;
param_1[0] = param_1[0] ^ 0x630abe094f2fcb;
param_1[2] = param_1[2] ^ 0x5c693ca6ad4098;
param_1[2] = param_1[2] ^ 0x1218c2c1fc6aab;
param_1[2] = param_1[2] ^ 0x78d35fbb138c9c;
param_1[3] = param_1[3] + 0x42dfb926a777d2;
param_1[3] = param_1[3] ^ 0x3f60fd507495c5;
param_1[1] = param_1[1] + 0x2cca6aa235fa04;
param_1[0] = param_1[0] + 0x5a8e68db17f162;
param_1[0] = param_1[0] + 0x1287bd45883bda;
param_1[0] = param_1[0] + 0xffe7b46bbeb822c6;
param_1[3] = param_1[3] + 0x5234b2a7901fd8;
param_1[3] = param_1[3] + 0xa856e4c03b946;
param_1[1] = param_1[1] ^ 0x6312ec05f527a4;
param_1[1] = param_1[1] + 0x46ce8a9c234e2f;
param_1[3] = param_1[3] + 0x171cfaebba97ed;
# FUN_00100c8c
param_1[2] = param_1[2] ^ 0x21552380a54ebd;
param_1[2] = param_1[2] ^ 0x217fe5a723014c;
param_1[2] = param_1[2] + 0xff929930c56e6594;
param_1[2] = param_1[2] ^ 0x7eb96f8929799a;
param_1[3] = param_1[3] + 0x67d0ff39897513;
param_1[3] = param_1[3] + 0x26a2f35c92df10;
param_1[2] = param_1[2] + 0xffd5d8a901dbebd6;
param_1[2] = param_1[2] + 0xad9fcf45aef6;
param_1[2] = param_1[2] + 0xffc53d1702ef8aa8;
param_1[0] = param_1[0] + 0x591ac5d1939c8b;
param_1[2] = param_1[2] ^ 0x33d94a84565532;
param_1[2] = param_1[2] ^ 0x308afb7e01e13e;
param_1[3] = param_1[3] + 0xffb48db7039082e1;
param_1[2] = param_1[2] ^ 0x55662e74858cf1;
param_1[3] = param_1[3] + 0xffa5b828a6179210;
param_1[1] = param_1[1] ^ 0x1638c6225c560d;
param_1[2] = param_1[2] ^ 0x40641fcdaf2a6d;
param_1[0] = param_1[0] + 0x1907586d8aaec6;
param_1[1] = param_1[1] ^ 0x2ac0e1d87fbfd3;
param_1[0] = param_1[0] + 0x4903ecf455fa05;
param_1[1] = param_1[1] + 0xff84efef75a89283;
param_1[2] = param_1[2] ^ 0x575e02c2ec2e98;
param_1[2] = param_1[2] ^ 0x5686c924044043;
param_1[0] = param_1[0] + 0xffa75728515de781;
param_1[0] = param_1[0] + 0x6c40d33a5de8b4;
param_1[0] = param_1[0] + 0xffae776809930118;
param_1[1] = param_1[1] + 0x77250c081305ce;
param_1[2] = param_1[2] + 0xffeff0d64a3fb770;
param_1[3] = param_1[3] + 0x1106386668917b;
param_1[2] = param_1[2] ^ 0x2a958285eaabc6;
param_1[1] = param_1[1] + 0x17e82fdc4bb7e6;
param_1[2] = param_1[2] + 0x6e5b6deacda2b3;
param_1[1] = param_1[1] + 0xffe4362cd469721d;
param_1[1] = param_1[1] ^ 0x46a8ddb8e7831e;
param_1[0] = param_1[0] + 0x5ef639bb0d96fc;
param_1[3] = param_1[3] ^ 0x540dd0d8537808;
param_1[3] = param_1[3] + 0xffd7468d44d84bfc;
param_1[2] = param_1[2] + 0xffb5048de8c6e26a;
param_1[0] = param_1[0] ^ 0x457b282105f5ff;
param_1[1] = param_1[1] ^ 0x2eff779ebf04ee;
param_1[1] = param_1[1] ^ 0x282c4c9602a8d1;
param_1[0] = param_1[0] ^ 0x5892a99ecd56db;
param_1[1] = param_1[1] + 0x7306fd8fb4ac48;
param_1[3] = param_1[3] + 0x4b3f6ca9126599;
param_1[3] = param_1[3] + 0xffed5514bbd0b395;
param_1[0] = param_1[0] + 0x19b2a80c1ebde0;
param_1[2] = param_1[2] ^ 0x34ab995333d7bc;
param_1[0] = param_1[0] ^ 0x4b803835540e77;
param_1[2] = param_1[2] ^ 0x4aaf3dd459117d;
param_1[3] = param_1[3] ^ 0x45b9bf142dd7b9;
param_1[0] = param_1[0] + 0xffdae06e2a1c7254;
param_1[1] = param_1[1] + 0xff805d1980ad21aa;
param_1[0] = param_1[0] + 0xff8aba0c42d40896;
param_1[0] = param_1[0] + 0x425422cc59e30;
param_1[0] = param_1[0] + 0x235f71339ac927;
param_1[2] = param_1[2] + 0xffb282c744cb6616;
param_1[2] = param_1[2] + 0xffa61489eb15d360;
param_1[0] = param_1[0] ^ 0x8db3daacc3ff9;
param_1[2] = param_1[2] ^ 0x97368bc6e7d41;
param_1[3] = param_1[3] ^ 0x86c96f6b4510f;
param_1[2] = param_1[2] ^ 0x1951f11deeb2fa;
param_1[1] = param_1[1] + 0x5dc2de99056b51;
param_1[2] = param_1[2] + 0xffb654da8cc4cb5f;
# FUN_00100786
param_1[3] = param_1[3] + 0xffdb0267f30481de;
param_1[0] = param_1[0] + 0xd349975ed71ce;
param_1[3] = param_1[3] + 0x396b3ec36373cc;
param_1[3] = param_1[3] ^ 0x2d2d96a9d4da30;
param_1[2] = param_1[2] ^ 0x656498272858da;
param_1[2] = param_1[2] + 0xffb3ad5ab10bc1f3;
param_1[0] = param_1[0] + 0x23b2f30be0e9ab;
param_1[0] = param_1[0] + 0xff99bef8c799559b;
param_1[0] = param_1[0] + 0xffe049bda2d90572;
param_1[2] = param_1[2] + 0xff9d4568f99d45eb;
param_1[2] = param_1[2] ^ 0x26ed48b4153eb0;
param_1[2] = param_1[2] ^ 0x1af75e7b5b8c5f;
param_1[2] = param_1[2] + 0xffe9fc2941b7bd92;
param_1[1] = param_1[1] ^ 0x4b4b690f995f73;
param_1[0] = param_1[0] + 0xffa3bcbff21dd191;
param_1[2] = param_1[2] ^ 0x6feb10d533c4b1;
param_1[1] = param_1[1] + 0xffb8a8e39fec3250;
param_1[2] = param_1[2] + 0xffdb2496d81b4293;
param_1[0] = param_1[0] + 0xffb778b645f31de9;
param_1[0] = param_1[0] ^ 0x531e0306cda7a9;
param_1[2] = param_1[2] ^ 0x3521f52cd98bf4;
param_1[1] = param_1[1] + 0xff880d1e8951a4a0;
param_1[2] = param_1[2] + 0x3858d7d314a793;
param_1[2] = param_1[2] + 0xffd7c92ed6f1e27a;
param_1[1] = param_1[1] + 0x37f1e8ac57fd21;
param_1[2] = param_1[2] + 0x794d667495ec53;
param_1[0] = param_1[0] + 0xf80ea376dfe9c;
param_1[2] = param_1[2] + 0x7077ef6357df45;
param_1[1] = param_1[1] + 0xfffe413b9b12d6da;
param_1[3] = param_1[3] + 0x562536f5f8bacf;
param_1[3] = param_1[3] + 0xff9f07032cf0845d;
param_1[0] = param_1[0] ^ 0x4ba91df7d06027;
param_1[0] = param_1[0] + 0xfff6ae6bcf2ebbbc;
param_1[3] = param_1[3] ^ 0x55cdaa7dfb2afc;
param_1[3] = param_1[3] + 0x318ce149b3a1fc;
param_1[3] = param_1[3] + 0xffd5d916adc11571;
param_1[0] = param_1[0] + 0xffc3560b3c7ef5e9;
param_1[1] = param_1[1] + 0xa8c0f5e148a9e;
param_1[2] = param_1[2] ^ 0x7b607330d80f26;
param_1[0] = param_1[0] ^ 0x3c139ff1892f4f;
param_1[1] = param_1[1] + 0x1f63d4725b825e;
param_1[3] = param_1[3] + 0x6be58b7a89dd9d;
param_1[1] = param_1[1] ^ 0x67b81b10716f5;
param_1[1] = param_1[1] + 0x70efa9f526c942;
param_1[3] = param_1[3] ^ 0x411eb7ecadc3cb;
param_1[3] = param_1[3] ^ 0x250c9395e3a054;
param_1[0] = param_1[0] + 0x78f186d15f1e3b;
# compare_function
s.add(param_1[0] == 0x3167deae217139c1)
s.add(param_1[1] == 0x6745aeaf0c9a62e5)
s.add(param_1[2] == 0x62664d91c2da0c7b)
s.add(param_1[3] == 0x7ee01bea8defde65)
print(s.check())
model = s.model()
flag_bytes = b""
for i in inp:
flag_bytes += long_to_bytes(model[i].as_long())[::-1]
print(flag_bytes)Flag: akasec{1n_my_b4g_0n3_s3c0nd_0n3}
Packeta (460 pts)
Description
Balança o ombrin', vai, vai Balança o ombrin', vai, vai
Balança o ombrin' Jogadinha do Packeta
Author: Pengolian
Solution
Given 2 ELF 64 bit files which are flag and packeta. First, open packeta using IDA. There are many function in the program, rename each function.
packeta - main
__int64 __fastcall main(int a1, char **a2, char **a3)
{
__int64 v3; // rdi
__int64 v4; // rdx
__int64 v5; // r8
__int64 v6; // r9
__int64 v7; // rdx
__int64 v8; // r8
__int64 v9; // r9
__int64 v10; // rdx
__int64 v11; // r8
__int64 v12; // r9
int fd; // [rsp+1Ch] [rbp-54h]
__int64 v15; // [rsp+20h] [rbp-50h] BYREF
void *v16; // [rsp+28h] [rbp-48h]
size_t len; // [rsp+30h] [rbp-40h]
_BYTE *v18; // [rsp+38h] [rbp-38h]
void *v19; // [rsp+40h] [rbp-30h]
void *v20; // [rsp+48h] [rbp-28h]
unsigned __int64 v21; // [rsp+58h] [rbp-18h]
v21 = __readfsqword(0x28u);
v16 = 0LL;
if ( a1 <= 1 )
{
printf("Usage:\n$> %s your_elf_binary", *a2);
exit(1);
}
fd = open(a2[1], 0, a3);
if ( !fd )
exit(1);
len = lseek(fd, 0LL, 2);
if ( len == -1LL )
{
close(fd);
exit(1);
}
v16 = mmap(0LL, len, 3, 2, fd, 0LL);
if ( v16 == (void *)-1LL )
exit(1);
close(fd);
v18 = malloc(0x40uLL);
if ( !v18 )
exit(1);
if ( !sub_17CD(v16, v18) )
exit(1);
v19 = malloc(8LL * *((unsigned __int16 *)v18 + 30));
if ( !v19 )
exit(1);
v3 = 8LL * *((unsigned __int16 *)v18 + 28);
v20 = malloc(v3);
if ( !v20 )
exit(1);
call_memcpy_1(v3, (__int64)v18, v4, (__int64)v19, v5, v6, v15, (__int64)v16, len, (__int64)v18, (__int64)v19);
call_memcpy_2(
v3,
(__int64)v18,
v7,
(__int64)v19,
v8,
v9,
v15,
(__int64)v16,
len,
(__int64)v18,
(int)v19,
(__int64)v20);
generate_key();
call_rc4(v3, (__int64)v18, v10, (__int64)v19, v11, v12, v15, (__int64)v16, len, (__int64)v18, (__int64)v19);
write_to_file((__int64)&v15);
return 0LL;
}generate_key function
unsigned __int64 sub_1CE2()
{
int i; // [rsp+8h] [rbp-68h]
time_t timer; // [rsp+10h] [rbp-60h] BYREF
__int64 v3; // [rsp+18h] [rbp-58h]
char v4[72]; // [rsp+20h] [rbp-50h] BYREF
unsigned __int64 v5; // [rsp+68h] [rbp-8h]
v5 = __readfsqword(0x28u);
v3 = 4919LL;
time(&timer);
srand(v3 + timer % 500);
strcpy(v4, "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ");
for ( i = 0; i <= 15; ++i )
byte_5020[i] = v4[rand() % 62];
return v5 - __readfsqword(0x28u);
}So basically it generate key based on (current time % 500) + 4919. From that information we know that the possibility of the key only 500 (possible to brute).
call_rc4 function
unsigned __int64 __fastcall sub_1464(
__int64 a1,
__int64 a2,
__int64 a3,
__int64 a4,
__int64 a5,
__int64 a6,
int a7,
__int64 a8,
int a9,
__int64 a10,
__int64 a11)
{
unsigned __int64 result; // rax
unsigned __int64 i; // [rsp+0h] [rbp-10h]
void *ptr; // [rsp+8h] [rbp-8h]
for ( i = 0LL; ; ++i )
{
result = *(unsigned __int16 *)(a10 + 60);
if ( i >= result )
break;
ptr = sub_19C8(a8, *(_QWORD *)(a11 + 8LL * *(unsigned __int16 *)(a10 + 62)), **(_DWORD **)(8 * i + a11));
if ( (unsigned int)sub_13F8(ptr) )
rc4(a8 + *(_QWORD *)(*(_QWORD *)(8 * i + a11) + 24LL), *(_QWORD *)(*(_QWORD *)(8 * i + a11) + 32LL));
free(ptr);
}
return result;
}Lets take a look on rc4 function
unsigned __int64 __fastcall sub_1C66(__int64 a1, __int64 a2)
{
char v3[264]; // [rsp+10h] [rbp-110h] BYREF
unsigned __int64 v4; // [rsp+118h] [rbp-8h]
v4 = __readfsqword(0x28u);
sub_1A84(byte_5020, v3);
sub_1B5C(v3, a1, a2);
return v4 - __readfsqword(0x28u);
}From above code we can confirm that byte_5020 used as the key for rc4 function. To know the ciphertext values we can debug the executable using GDB.
pie b 0x1CC6gef➤ x/32bx 0x00007ffff7fb8060
0x7ffff7fb8060: 0x4d 0x75 0xac 0xea 0x75 0xab 0x78 0x07
0x7ffff7fb8068: 0x90 0x58 0x8e 0x25 0x07 0x84 0x3f 0x73
0x7ffff7fb8070: 0x2b 0xa2 0x70 0x40 0x78 0x62 0x4b 0xfd
0x7ffff7fb8078: 0x65 0xf0 0x9b 0x07 0x58 0x44 0x9d 0xcaThe ciphertext values start with 0x4d75. Check on flag binary to findout on which section those ciphertext.
From image above we can confirm that the ciphertext section is on .text section. To get the valid key we can do bruteforce and validate manually which plaintext consist of valid assembly instruciton because the first ciphertext is the start function. Below is my script
from Crypto.Cipher import ARC4
from ctypes import CDLL
from capstone import *
import string
md = Cs(CS_ARCH_X86, CS_MODE_64)
libc = CDLL("libc.so.6")
ct = [0x4d, 0x75, 0xac, 0xea, 0x75, 0xab, 0x78, 0x7, 0x90, 0x58, 0x8e, 0x25, 0x7, 0x84, 0x3f, 0x73, 0x2b, 0xa2, 0x70, 0x40, 0x78, 0x62, 0x4b, 0xfd, 0x65, 0xf0, 0x9b, 0x7, 0x58, 0x44, 0x9d, 0xca]
v4 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
for i in range(500):
libc.srand(4919 + i)
key = ""
for j in range(16):
key += v4[libc.rand() % 62]
cipher = ARC4.new(key.encode())
asm = cipher.decrypt(bytes(ct))
for j in md.disasm(asm, 0x401000):
print(i, j)
print()For the comparison we can use the standard start function, such as from packeta file.
So i == 127 looks like the correct value because it result valid assembly like standard start function. To get the rest plaintext we can debug the program and set the value for the (current_time % 500).
pie b 0x1d49Continue the process then run the new generated ELF named new.
Flag: AKASEC{h4lf_p4ck_h4lf_7h3_fl46}
Mips (477 pts)
Description
check out my 16 star pb (note: you need ares to run the rom properly)
Author: miyako
nc 20.80.240.190 4321
Solution
Given Nintendo 64 ROM image. During the competition i found good reference about nintedo 64 reverse engineering. From the description we know that we can run the rom using ares. In this case i install the emulator on ubuntu. To load the rom we can click Load -> Nintendo -> Nintendo 64.
Setup the input mapping by click Settings -> Input.
Press some random button and it will reflected on screen, to submit the button we can press enter button (start).
Next, we need to decompile the rom. I use ghidra with N64LoaderWV plugin to do that.
Searching for "wrong" string then we will found the validation program.
void FUN_8000b4e0(void)
{
undefined uVar2;
longlong lVar1;
uint uVar3;
int iVar4;
int unaff_gp_lo;
undefined4 local_48;
int iStack_44;
undefined8 local_40;
undefined8 local_38;
undefined8 local_30;
FUN_80007340(&local_48);
if ((*(unaff_gp_lo + -0x7e6c) == '\0') && (uVar3 = (&DAT_ffff8195)[unaff_gp_lo], iStack_44 != 0))
{
if ((&DAT_ffff8195)[unaff_gp_lo] == 0) {
iVar4 = -0x7ffd0000;
_DAT_800280b0 = 0;
_PTR_DAT_800280b8 = 0;
_PTR_DAT_800280c0 = 0;
PTR_DAT_800280c8 = 0x0;
PTR_DAT_800280cc._0_2_ = 0;
uVar2 = FUN_8000b200(CONCAT44(local_48,iStack_44),local_40,local_38,local_30);
*(iVar4 + -0x7f50) = uVar2;
(&DAT_ffff8195)[unaff_gp_lo] = 1;
return;
}
uVar2 = FUN_8000b200(CONCAT44(local_48,iStack_44),local_40,local_38,local_30);
(&DAT_800280b0)[uVar3] = uVar2;
(&DAT_ffff8195)[unaff_gp_lo] = uVar3 + 1;
if ((uVar3 + 1 & 0xff) == 0x1e) {
lVar1 = FUN_80010ed8(0xffffffff800280b0,0xffffffff800270c8,0x1e);
if (lVar1 == 0) {
*(unaff_gp_lo + -0x7f5c) = s_correct!_80019be0;
*(unaff_gp_lo + -0x7e6c) = 1;
}
else {
*(unaff_gp_lo + -0x7f5c) = s_wrong_80019bf0;
(&DAT_ffff8195)[unaff_gp_lo] = 0;
}
}
}
return;
}From above code we got some information
Line 30: Our input mapped to some constant value
Line 33: Input length is 0x1e, we can also confirm through user interface by input more than 30 button then it will reset
Line 34: Our mapped input validated with constant value at (DAT_800270c8)
Now we need to get the valid input mapping, one of the way to do that is by debugging. Click Settings -> Debug then enable debugging with below options.
After that, use gdb-multiarch to connect to gdb server.
target remote localhost:9123
ctrl+c
set endian big
x/20i 0x8000b4e0Then breakpoint at 0x8000b53c.
break *0x8000b53c
cPress up button (for example), then the breakpoint will be hitten. Look at v0 register to know the mapped value for up button.
Do the same thing until got all mapped input then create script to get the reflected input on screen.
dict = {}
dict[2] = 'U'
dict[5] = 'L'
dict[9] = 'R'
dict[1] = 'D'
dict[0xa] = 'CU'
dict[0x14] = 'CL'
dict[0xf] = 'CD'
dict[0x19] = 'CR'
dict[0x7] = 'B'
dict[0x4] = 'A'
dict[0xb] = 'LR'
dict[0xc] = 'RR'
dict[0x3] = 'Z'
target_button = [0x03,0x0C,0x0A,0x0A,0x0A,0x0A,0x14,0x01,0x01,0x0A,0x04,0x07,0x19,0x09,0x01,0x0A,0x02,0x05,0x09,0x07,0x02,0x0C,0x09,0x07,0x0A,0x0C,0x0A,0x03,0x09,0x03]
button = ""
for i in target_button:
button += dict[i]
print(button)Flag: akasec{m1ps_1s_c00l_l0l}
Orgalorg (498 pts)
Description
Did you know that Gunter is literally Orgalorg, a primordial cosmic entity, feared as the Breaker of Worlds, disguised as a penguin on earth...
nc 20.80.240.190 1235
Author: pengolian
Solution
Given ELF 64 bit file, open it using IDA.
__int64 __fastcall main(int a1, const char **a2, char **a3, int a4, int a5, int a6)
{
const char *v6; // rbp
size_t v7; // rax
size_t v8; // rbx
__int64 *v10; // rdi
size_t v11; // [rsp+8h] [rbp-60h] BYREF
__int64 v12[2]; // [rsp+10h] [rbp-58h] BYREF
__int64 v13[9]; // [rsp+20h] [rbp-48h] BYREF
v13[3] = __readfsqword(0x28u);
func_1(a1, a2, a3, a4, a5, a6);
if ( dword_17240 )
{
func_2();
return 0LL;
}
v6 = *a2;
v12[0] = v13;
if ( !v6 )
std::__throw_logic_error("basic_string: construction from null is not valid");
v7 = strlen(v6);
v11 = v7;
v8 = v7;
if ( v7 > 0xF )
{
v12[0] = std::string::_M_create(v12, &v11, 0LL);
v10 = v12[0];
v13[0] = v11;
goto LABEL_12;
}
if ( v7 != 1 )
{
if ( !v7 )
goto LABEL_6;
v10 = v13;
LABEL_12:
memcpy(v10, v6, v8);
goto LABEL_6;
}
LOBYTE(v13[0]) = *v6;
LABEL_6:
v12[1] = v11;
*(v12[0] + v11) = 0;
sub_5950(v12);
std::string::_M_dispose(v12);
return 0LL;
}So in main function there are two user defined function which are func_1 and sub_5950. Lets take a look on func_1. At the time of competition i've renamed some function while debugging.
unsigned __int64 __fastcall sub_5150()
{
__m128i *v0; // rax
__m128i v1; // xmm2
__m128i v2; // xmm3
char *LOGNAME; // rbx
__int32 *v4; // rax
__int32 v5; // r9d
char *OGP; // r14
size_t v7; // rax
size_t v8; // rax
__m128i *v10; // rax
__m128i v11; // xmm7
void *v12[2]; // [rsp+0h] [rbp-98h] BYREF
__int32 *v13; // [rsp+10h] [rbp-88h]
__m128i si128; // [rsp+20h] [rbp-78h] BYREF
__int64 v15; // [rsp+30h] [rbp-68h]
__int64 v16; // [rsp+38h] [rbp-60h]
char *name[2]; // [rsp+40h] [rbp-58h] BYREF
__int64 v18[3]; // [rsp+50h] [rbp-48h] BYREF
unsigned __int64 v19; // [rsp+68h] [rbp-30h]
v19 = __readfsqword(0x28u);
if ( anti_debug_1() )
goto LABEL_22;
LODWORD(v16) = -1073741632;
v15 = 0xC00000C1400000C0LL;
v13 = 0LL;
si128 = _mm_load_si128(&xmmword_F130);
*v12 = 0LL;
v0 = operator new(0x1CuLL);
v12[0] = v0;
v1 = _mm_load_si128(&si128);
v2 = _mm_loadu_si128(&si128.m128i_i8[12]);
v13 = &v0[1].m128i_i32[3];
*v0 = v1;
*(v0 + 12) = v2;
v12[1] = &v0[1].m128i_u64[1] + 4;
get_string(name, v12);
LOGNAME = getenv(name[0]); // getenv("LOGNAME")
if ( name[0] != v18 )
operator delete(name[0], v18[0] + 1);
if ( v12[0] )
operator delete(v12[0], v13 - v12[0]);
si128.m128i_i32[2] = 1610612930;
v13 = 0LL;
si128.m128i_i64[0] = 0x800000C0800000C1LL;
*v12 = 0LL;
v4 = operator new(0xCuLL);
v12[0] = v4;
v5 = si128.m128i_i32[2];
v13 = v4 + 3;
*v4 = si128.m128i_i64[0];
v4[2] = v5;
v12[1] = v4 + 3;
get_string(name, v12);
OGP = getenv(name[0]); // getenv("OGP")
if ( name[0] != v18 )
operator delete(name[0], v18[0] + 1);
if ( v12[0] )
operator delete(v12[0], v13 - v12[0]);
if ( LOGNAME )
{
v7 = strlen(LOGNAME);
std::string::_M_replace(&LOGNAME_1, 0LL, LOGNAME_LENGTH, LOGNAME, v7);
}
if ( OGP )
{
v8 = strlen(OGP);
std::string::_M_replace(&OGP_1, 0LL, OGP_LENGTH, OGP, v8);
}
if ( OGP_LENGTH )
{
if ( sub_BBC0(&OGP_1) ) // check length OGP and digits
{
dword_171E0 = sub_4730();
LODWORD(v15) = 0x600000C6;
v13 = 0LL;
si128 = _mm_load_si128(&xmmword_F140);
*v12 = 0LL;
v10 = operator new(0x14uLL);
v11 = _mm_load_si128(&si128);
v12[0] = v10;
v10[1].m128i_i32[0] = v15;
*v10 = v11;
v13 = &v10[1].m128i_i32[1];
v12[1] = v10[1].m128i_i64 + 4;
get_string(name, v12);
prctl(15, name[0], 0LL, 0LL, 0LL); // prctl(PR_SET_NAME,"sleep")
if ( name[0] != v18 )
operator delete(name[0], v18[0] + 1);
if ( v12[0] )
operator delete(v12[0], v13 - v12[0]);
dword_17240 = 1;
return v19 - __readfsqword(0x28u);
}
LABEL_22:
exit(1);
}
return v19 - __readfsqword(0x28u);
}anti_debug_1
anti debug function, will exit the process if debugging detected
will open /proc/self/status to check debugging status
We can easily bypass the the anti debug by changing the return value
get_string
kind of string obfuscation, the function will return "plaintext" of obfuscated/encrypted string
sub_bbc0
check length of OGP and ensure that it constructed only from digits
prctl
set the process name to sleep
dword_17240
There will be set of dword_17240 variable to 1 if there is valid OGP and debugging not detected
Back to main function, after calling of func_1 there will be validation of dword_17240. If dword_17240 not zero it will call func_2. So lets take a look on func_2.
__int64 sub_45F0()
{
__pid_t v0; // eax
__pid_t v1; // eax
int v2; // eax
int v3; // ebx
int v4; // eax
int v5; // edi
int v6; // edi
int v7; // edi
int v8; // edi
int v9; // edi
int v11; // edi
int v13; // edi
v0 = fork();
if ( v0 < 0 )
goto LABEL_24;
if ( v0 )
goto LABEL_23;
if ( setsid() < 0 || (v1 = fork(), v1 < 0) )
LABEL_24:
exit(1);
if ( v1 )
LABEL_23:
exit(0);
umask(0);
v2 = sysconf(4);
v3 = v2;
if ( v2 >= 0 )
{
v4 = (v2 + 1) & 7;
if ( !v4 )
goto LABEL_27;
if ( v4 != 1 )
{
if ( v4 != 2 )
{
if ( v4 != 3 )
{
if ( v4 != 4 )
{
if ( v4 != 5 )
{
if ( v4 != 6 )
{
v13 = v3--;
close(v13);
}
v5 = v3--;
close(v5);
}
v6 = v3--;
close(v6);
}
v7 = v3--;
close(v7);
}
v8 = v3--;
close(v8);
}
v9 = v3--;
close(v9);
}
close(v3);
if ( v3-- != 0 )
{
LABEL_27:
do
{
close(v3);
close(v3 - 1);
close(v3 - 2);
close(v3 - 3);
close(v3 - 4);
close(v3 - 5);
close(v3 - 6);
v11 = v3 - 7;
v3 -= 8;
close(v11);
}
while ( v3 != -1 );
}
}
return func_3();
}fork
There is call of fork, so after calling fork the rest flow will be processed by the child process
Set follow fork mode to child on GDB to debug the child process
Next, take a look on func_3
// positive sp value has been detected, the output may be wrong!
__int64 sub_BDB0()
{
int v0; // esi
int v1; // edx
int v2; // ecx
int v3; // r8d
int v4; // r9d
char *v5; // rax
_BYTE *v6; // r15
size_t v7; // rax
size_t v8; // rbp
void *v9; // rsi
_QWORD *v10; // rdi
nfds_t v11; // r12
struct pollfd *v12; // rax
int v13; // ebp
__int64 v14; // rax
__int64 v15; // r13
int v16; // r14d
_QWORD *v17; // rdi
__int64 v18; // rax
int i; // r14d
_QWORD *v20; // r12
int v21; // eax
int v23; // [rsp-118h] [rbp-80148h]
void *v24; // [rsp-110h] [rbp-80140h] BYREF
char *v25; // [rsp-108h] [rbp-80138h] BYREF
char *v26; // [rsp-100h] [rbp-80130h]
char *v27; // [rsp-F8h] [rbp-80128h]
void *v28; // [rsp-F0h] [rbp-80120h]
void *v29[2]; // [rsp-E8h] [rbp-80118h] BYREF
__int64 v30; // [rsp-D8h] [rbp-80108h] BYREF
void *v31[2]; // [rsp-C8h] [rbp-800F8h] BYREF
_QWORD v32[2]; // [rsp-B8h] [rbp-800E8h] BYREF
_BYTE v33[168]; // [rsp-A8h] [rbp-800D8h] BYREF
char v34; // [rsp+0h] [rbp-80030h] BYREF
__int64 v35; // [rsp+1000h] [rbp-7F030h] BYREF
unsigned __int64 v36; // [rsp+7FFF0h] [rbp-40h]
while ( &v34 != (&v35 - 0x10000) )
;
v0 = dword_171E0;
v36 = __readfsqword(0x28u);
(sub_6750)(v33, dword_171E0);
if ( anti_debug_1(v33, v0, v1, v2, v3, v4, v23, v24, v25, v26, v27, v28, v29[0], v29[1]) )
exit(1);
if ( (call_socket)(v33) )
{
if ( !(call_setsockopt)(v33) || !(call_fcntl)(v33) || !call_bind(v33) || !(call_listen)(v33) )
(call_exit_1)(v33, 1LL);
(call_memset)(v33);
v5 = operator new(0x10uLL);
v25 = v5;
v27 = v5 + 16;
*v5 = _mm_load_si128(&xmmword_14700);
v26 = v5 + 16;
get_string(v29, &v25);
v6 = v29[0];
v31[0] = v32;
if ( !v29[0] )
std::__throw_logic_error("basic_string: construction from null is not valid");
v7 = strlen(v29[0]); // p455
v24 = v7;
v8 = v7;
v9 = v7;
if ( v7 > 0xF )
{
v31[0] = std::string::_M_create(v31, &v24, 0LL);
v17 = v31[0];
v32[0] = v24;
}
else
{
if ( v7 == 1 )
{
LOBYTE(v32[0]) = *v6;
LABEL_12:
v10 = v32;
goto LABEL_13;
}
if ( !v7 )
goto LABEL_12;
v17 = v32;
}
memcpy(v17, v6, v8);
v9 = v24;
v10 = v31[0];
LABEL_13:
v31[1] = v9;
*(v9 + v10) = 0;
(call_string_assign)(v33, v31);
if ( v31[0] != v32 )
operator delete(v31[0], v32[0] + 1LL);
if ( v29[0] != &v30 )
operator delete(v29[0], v30 + 1);
if ( v25 )
operator delete(v25, v27 - v25);
signal(17, handler);
LABEL_20:
v11 = (get_arr_1)(v33);
v12 = (call_a1_plus_4)(v33);
if ( !poll(v12, v11, 172800000) )
(call_exit_1)(v33, 1LL);
v13 = 0;
while ( 1 )
{
while ( 1 )
{
if ( v13 >= (get_arr_1)(v33) )
goto LABEL_20;
v15 = 8LL * v13;
if ( *((call_a1_plus_4)(v33) + v15 + 6) )
break;
LABEL_23:
++v13;
}
v16 = *((call_a1_plus_4)(v33) + 8LL * v13);
if ( v16 == (get_arr_3)(v33) )
{
if ( !send_banner(v33) )
(call_exit_1)(v33, 1LL);
goto LABEL_23;
}
v14 = (call_a1_plus_4)(v33);
if ( (process_recv)(v33, *(v14 + 8LL * v13)) )
goto LABEL_23;
v18 = (call_a1_plus_4)(v33);
(call_close_2)(v33, *(v18 + 8LL * v13));
for ( i = v13; i < (get_arr_1)(v33); ++i )
{
v20 = ((call_a1_plus_4)(v33) + v15 + 8);
*((call_a1_plus_4)(v33) + v15) = *v20;
v15 += 8LL;
}
v21 = (get_arr_1)(v33);
(get_arr_2)(v33, (v21 - 1));
}
}
(call_close_1)(v33);
return 1LL;
}Line 50: initialize socket listening, bind to port 50009
Line 121: sending banner (during the initial connection)
Line 126: process our input
Next lets take a look on process_recv.
__int64 __fastcall process_recv(__int64 a1, int a2)
{
_DWORD *v3; // r14
size_t v4; // rax
__int64 v5; // rdx
__int64 v6; // r15
ssize_t v7; // rax
int input_length; // eax
char *v9; // r15
__int64 *v11; // r8
char *v12; // r12
__int64 v13; // r10
__int64 v14; // r12
unsigned int v15; // r8d
unsigned int v16; // r9d
__int64 v17; // r15
__int64 v18; // rcx
__int64 v19; // r9
__int64 v20; // r11
__int64 v21; // r15
__int64 v22; // rcx
__int64 v23; // r11
__int64 v24; // r15
__int64 v25; // rcx
__int64 v26; // rdi
__int64 v27; // rdx
__int64 v28; // rsi
__int64 v29; // r9
__int64 v30; // r11
__int64 v31; // r10
__int64 v32; // r15
__int64 v33; // rdi
__int64 v34; // rcx
__int64 v35; // rdx
__int64 v36; // rsi
size_t actual_input_length; // rdx
unsigned __int64 last_of; // rax
size_t v39; // r12
__int64 *v40; // r11
__int64 *v41; // rdx
__int64 *v42; // rax
__m128i v43; // xmm1
__int64 v44; // rax
__int64 *v45; // rdi
__m128i v46; // xmm0
__int64 v47; // r11
__int64 v48; // rcx
__int8 v49; // dl
__int64 v50; // r10
unsigned __int64 v51; // r11
signed __int64 v52; // rax
__int8 *v53; // rdi
unsigned int v54; // edx
unsigned int v55; // r9d
unsigned int v56; // esi
__int64 v57; // r10
__int64 v58; // rcx
__int64 v59; // rax
__int64 v60; // r10
__int64 v61; // r12
__int64 v62; // rsi
__int64 v63; // r10
__int64 v64; // rcx
__int64 v65; // rsi
__int64 v67; // [rsp+18h] [rbp-2B0h] BYREF
void *input_user_2; // [rsp+20h] [rbp-2A8h] BYREF
__m128i n; // [rsp+28h] [rbp-2A0h] BYREF
void *v70; // [rsp+40h] [rbp-288h]
__int64 v71; // [rsp+48h] [rbp-280h]
char s[8]; // [rsp+50h] [rbp-278h] BYREF
__int64 v73; // [rsp+58h] [rbp-270h]
void *v74; // [rsp+60h] [rbp-268h] BYREF
__m128i v75; // [rsp+68h] [rbp-260h] BYREF
__int64 v76; // [rsp+78h] [rbp-250h]
char user_input[520]; // [rsp+80h] [rbp-248h] BYREF
unsigned __int64 v78; // [rsp+288h] [rbp-40h]
v78 = __readfsqword(0x28u);
n.m128i_i32[0] = 1610612940;
input_user_2 = 0xA00000CFA00000CFLL;
v70 = s;
v3 = operator new(0xCuLL);
*v3 = 0xA00000CFA00000CFLL;
v3[2] = 1610612940;
v71 = 3LL;
strcpy(s, ">> ");
v74 = &v75.m128i_u64[1];
v4 = strlen(s);
if ( v4 != 1 )
{
if ( !v4 )
goto LABEL_3;
v11 = &v75.m128i_i64[1];
v12 = s;
if ( v4 >= 8 )
{
v14 = 8LL;
v15 = v4 & 0xFFFFFFF8;
v75.m128i_i64[1] = *s;
v16 = (((v4 & 0xFFFFFFF8) - 1) >> 3) & 7;
if ( (v4 & 0xFFFFFFF8) > 8 )
{
if ( !v16 )
goto LABEL_104;
if ( v16 != 1 )
{
if ( v16 != 2 )
{
if ( v16 != 3 )
{
if ( v16 != 4 )
{
if ( v16 != 5 )
{
if ( v16 != 6 )
{
v76 = v73;
LODWORD(v14) = 16;
}
v17 = v14;
LODWORD(v14) = v14 + 8;
*(&v75.m128i_i64[1] + v17) = *&s[v17];
}
v18 = v14;
LODWORD(v14) = v14 + 8;
*(&v75.m128i_i64[1] + v18) = *&s[v18];
}
v19 = v14;
LODWORD(v14) = v14 + 8;
*(&v75.m128i_i64[1] + v19) = *&s[v19];
}
v20 = v14;
LODWORD(v14) = v14 + 8;
*(&v75.m128i_i64[1] + v20) = *&s[v20];
}
v21 = v14;
LODWORD(v14) = v14 + 8;
*(&v75.m128i_i64[1] + v21) = *&s[v21];
}
v22 = v14;
v14 = (v14 + 8);
*(&v75.m128i_i64[1] + v22) = *&s[v22];
if ( v14 < v15 )
{
LABEL_104:
do
{
v23 = (v14 + 8);
v24 = (v14 + 16);
v25 = (v14 + 24);
v26 = *&s[v23];
v27 = *&s[v24];
v28 = *&s[v25];
*(&v75.m128i_i64[1] + v14) = *&s[v14];
v29 = (v14 + 32);
*(&v75.m128i_i64[1] + v23) = v26;
v30 = (v14 + 40);
v31 = *&s[v29];
*(&v75.m128i_i64[1] + v24) = v27;
v32 = (v14 + 48);
v33 = *&s[v30];
*(&v75.m128i_i64[1] + v25) = v28;
v34 = (v14 + 56);
v35 = *&s[v32];
v14 = (v14 + 64);
v36 = *&s[v34];
*(&v75.m128i_i64[1] + v29) = v31;
*(&v75.m128i_i64[1] + v30) = v33;
*(&v75.m128i_i64[1] + v32) = v35;
*(&v75.m128i_i64[1] + v34) = v36;
}
while ( v14 < v15 );
}
}
v11 = (&v75.m128i_i64[1] + v14);
v12 = &s[v14];
}
v13 = 0LL;
if ( (v4 & 4) != 0 )
{
v13 = 4LL;
*v11 = *v12;
if ( (v4 & 2) == 0 )
{
LABEL_24:
if ( (v4 & 1) == 0 )
goto LABEL_3;
LABEL_25:
*(v11 + v13) = v12[v13];
goto LABEL_3;
}
}
else if ( (v4 & 2) == 0 )
{
goto LABEL_24;
}
*(v11 + v13) = *&v12[v13];
v13 += 2LL;
if ( (v4 & 1) == 0 )
goto LABEL_3;
goto LABEL_25;
}
v75.m128i_i8[8] = 62;
LABEL_3:
v75.m128i_i64[0] = v4;
v75.m128i_i8[v4 + 8] = 0;
v5 = v75.m128i_i64[0];
if ( v75.m128i_i64[0] )
{
v6 = 0LL;
do
{
v7 = send(a2, v74 + v6, v5 - v6, 0);
if ( v7 == -1 )
break;
v5 = v75.m128i_i64[0];
v6 += v7;
}
while ( v75.m128i_i64[0] != v6 );
}
if ( v74 != &v75.m128i_u64[1] )
operator delete(v74, v75.m128i_i64[1] + 1);
if ( v70 != s )
operator delete(v70, *s + 1LL);
operator delete(v3, 0xCuLL);
memset(user_input, 0, 0x200uLL);
input_user_2 = &n.m128i_u64[1];
n.m128i_i64[0] = 0LL;
n.m128i_i8[8] = 0;
v70 = s;
v71 = 0LL;
s[0] = 0;
while ( 1 )
{
input_length = recv(a2, user_input, 0x1FEuLL, 0);
if ( input_length != -1 )
break;
if ( *__errno_location() != 11 )
{
LODWORD(v9) = 0;
goto LABEL_15;
}
}
LODWORD(v9) = 0;
if ( input_length )
{
user_input[input_length] = 0;
actual_input_length = strlen(user_input);
if ( 0x3FFFFFFFFFFFFFFFLL - n.m128i_i64[0] < actual_input_length )
std::__throw_length_error("basic_string::append");
std::string::_M_append(&input_user_2, user_input, actual_input_length);
if ( std::string::find_first_of(&input_user_2, "\r\n", 0LL, 2LL) == -1 )
{
LODWORD(v9) = 1;
goto LABEL_15;
}
last_of = std::string::find_last_of(&input_user_2, "\r\n", -1LL, 2LL);
v74 = &v75.m128i_u64[1];
v39 = last_of;
v9 = input_user_2;
if ( last_of > n.m128i_i64[0] )
v39 = n.m128i_i64[0];
v67 = v39;
if ( v39 > 0xF )
{
v74 = std::string::_M_create(&v74, &v67, 0LL);
v45 = v74;
v75.m128i_i64[1] = v67;
}
else
{
if ( v39 == 1 )
{
v75.m128i_i8[8] = *input_user_2;
goto LABEL_55;
}
if ( !v39 )
{
LABEL_55:
v40 = &v75.m128i_i64[1];
goto LABEL_56;
}
v45 = &v75.m128i_i64[1];
}
memcpy(v45, v9, v39);
v39 = v67;
v40 = v74;
LABEL_56:
v75.m128i_i64[0] = v39;
*(v40 + v39) = 0;
v41 = input_user_2;
v42 = input_user_2;
if ( input_user_2 == &n.m128i_u64[1] )
{
if ( v74 != &v75.m128i_u64[1] )
{
v46 = _mm_loadu_si128(&v75);
input_user_2 = v74;
n = v46;
goto LABEL_69;
}
}
else if ( v74 != &v75.m128i_u64[1] )
{
v43 = _mm_loadu_si128(&v75);
v44 = n.m128i_i64[1];
input_user_2 = v74;
n = v43;
if ( v41 )
{
v74 = v41;
v75.m128i_i64[1] = v44;
LABEL_60:
v75.m128i_i64[0] = 0LL;
*v41 = 0;
if ( v74 != &v75.m128i_u64[1] )
operator delete(v74, v75.m128i_i64[1] + 1);
LOBYTE(v9) = sus_func_1(a1, a2, &input_user_2) != 0;
goto LABEL_15;
}
LABEL_69:
v74 = &v75.m128i_u64[1];
v41 = &v75.m128i_i64[1];
goto LABEL_60;
}
v47 = v75.m128i_i64[0];
v48 = v75.m128i_i64[0];
if ( !v75.m128i_i64[0] )
{
LABEL_78:
n.m128i_i64[0] = v47;
*(v41 + v47) = 0;
v41 = v74;
goto LABEL_60;
}
if ( v75.m128i_i64[0] == 1 )
{
*input_user_2 = v75.m128i_i8[8];
v47 = v75.m128i_i64[0];
v41 = input_user_2;
goto LABEL_78;
}
v49 = v75.m128i_i8[0];
if ( v75.m128i_i32[0] >= 8u )
{
v50 = v75.m128i_u32[0];
v51 = (input_user_2 + 8) & 0xFFFFFFFFFFFFFFF8LL;
*input_user_2 = v75.m128i_i64[1];
*(v42 + v50 - 8) = *(v75.m128i_i64 + v50);
v52 = v42 - v51;
v53 = &v75.m128i_i8[-v52 + 8];
if ( ((v48 + v52) & 0xFFFFFFF8) >= 8 )
{
v54 = (v48 + v52) & 0xFFFFFFF8;
v55 = 8;
v9 = *v53;
*v51 = *v53;
v56 = ((v54 - 1) >> 3) & 7;
if ( v54 > 8 )
{
if ( !v56 )
goto LABEL_105;
if ( v56 != 1 )
{
if ( v56 != 2 )
{
if ( v56 != 3 )
{
if ( v56 != 4 )
{
if ( v56 != 5 )
{
if ( v56 != 6 )
{
*(v51 + 8) = *(v53 + 1);
v55 = 16;
}
v57 = v55;
v55 += 8;
*(v51 + v57) = *&v53[v57];
}
v58 = v55;
v55 += 8;
*(v51 + v58) = *&v53[v58];
}
v59 = v55;
v55 += 8;
v9 = *&v53[v59];
*(v51 + v59) = v9;
}
v60 = v55;
v55 += 8;
*(v51 + v60) = *&v53[v60];
}
v61 = v55;
v55 += 8;
*(v51 + v61) = *&v53[v61];
}
v62 = v55;
v55 += 8;
*(v51 + v62) = *&v53[v62];
if ( v55 < v54 )
{
LABEL_105:
do
{
*(v51 + v55) = *&v53[v55];
v63 = v55 + 32;
*(v51 + v55 + 8) = *&v53[v55 + 8];
*(v51 + v55 + 16) = *&v53[v55 + 16];
v64 = v55 + 40;
v65 = v55 + 48;
*(v51 + v55 + 24) = *&v53[v55 + 24];
v9 = (v55 + 56);
v55 += 64;
*(v51 + v63) = *&v53[v63];
*(v51 + v64) = *&v53[v64];
*(v51 + v65) = *&v53[v65];
*&v9[v51] = *&v9[v53];
}
while ( v55 < v54 );
}
}
}
}
else
{
if ( (v75.m128i_i8[0] & 4) != 0 )
{
*input_user_2 = v75.m128i_i32[2];
*(v42 + v47 - 4) = *(&v75.m128i_i32[1] + v47);
v48 = v75.m128i_i64[0];
v42 = input_user_2;
goto LABEL_77;
}
if ( !v75.m128i_i32[0] )
{
LABEL_77:
v47 = v48;
v41 = v42;
goto LABEL_78;
}
LODWORD(v9) = v75.m128i_u8[8];
*input_user_2 = v75.m128i_i8[8];
if ( (v49 & 2) != 0 )
{
*(v42 + v47 - 2) = *(&v75.m128i_i16[3] + v47);
v48 = v75.m128i_i64[0];
v42 = input_user_2;
goto LABEL_77;
}
}
v48 = v75.m128i_i64[0];
v42 = input_user_2;
goto LABEL_77;
}
LABEL_15:
if ( v70 != s )
operator delete(v70, *s + 1LL);
if ( input_user_2 != &n.m128i_u64[1] )
operator delete(input_user_2, n.m128i_i64[1] + 1);
return v9;
}Line 235: receive user input
Line 318: process received user input
Take a look on sus_func_1
__int64 __fastcall sus_func_1(__int64 a1, int a2, char *input_user)
{
char *v4; // r12
char *splitted_input; // rbx
char *v6; // r13
__int8 *v7; // r15
__m128i *v8; // rsi
void *v9; // rdx
__m128i *v10; // r15
unsigned int v11; // r13d
char *v12; // rbp
__int64 v13; // r15
char *v14; // rdi
char *v15; // r14
char *v16; // rdi
char *v17; // rdi
__m128i *v19; // rdi
char *v20; // r14
void *v21; // r13
__pid_t v22; // eax
__m128i *v23; // rdi
const char *v24; // r13
void *v26[2]; // [rsp+28h] [rbp-168h] BYREF
__int64 v27; // [rsp+38h] [rbp-158h]
void *v28[4]; // [rsp+48h] [rbp-148h] BYREF
void *v29[2]; // [rsp+68h] [rbp-128h] BYREF
__int64 v30; // [rsp+78h] [rbp-118h]
char *path[4]; // [rsp+88h] [rbp-108h] BYREF
char *s[4]; // [rsp+A8h] [rbp-E8h] BYREF
__m128i v33; // [rsp+C8h] [rbp-C8h] BYREF
__m128i v34; // [rsp+D8h] [rbp-B8h] BYREF
int v35; // [rsp+E8h] [rbp-A8h]
void *s2[2]; // [rsp+F8h] [rbp-98h] BYREF
__m128i si128; // [rsp+108h] [rbp-88h] BYREF
__m128i v38; // [rsp+118h] [rbp-78h]
__m128i v39; // [rsp+128h] [rbp-68h]
__int64 v40; // [rsp+138h] [rbp-58h]
int v41; // [rsp+140h] [rbp-50h]
unsigned __int64 v42; // [rsp+150h] [rbp-40h]
v42 = __readfsqword(0x28u);
*v26 = 0LL;
v27 = 0LL;
split_string(a1, input_user, ' ', v26); // split by ' '
v4 = v26[1];
splitted_input = v26[0];
if ( v26[0] == v26[1] )
{
v11 = 1;
if ( !v26[0] )
return v11;
goto LABEL_31;
}
v6 = *(a1 + 524416);
v7 = *(a1 + 524408);
s2[0] = &si128;
v29[0] = v6;
if ( v6 > 0xF )
{
s2[0] = std::string::_M_create(s2, v29, 0LL);
v19 = s2[0];
si128.m128i_i64[0] = v29[0];
goto LABEL_34;
}
if ( v6 != &dword_0 + 1 )
{
if ( !v6 )
goto LABEL_5;
v19 = &si128;
LABEL_34:
memcpy(v19, v7, v6);
v6 = v29[0];
v8 = s2[0];
goto LABEL_6;
}
si128.m128i_i8[0] = *v7;
LABEL_5:
v8 = &si128;
LABEL_6:
s2[1] = v6;
v6[v8] = 0;
v9 = *(splitted_input + 1); // first value
v10 = s2[0];
if ( v9 == s2[1] && (!v9 || !memcmp(*splitted_input, s2[0], v9)) )// compare length and values (p455)
{
if ( v10 != &si128 )
operator delete(v10, si128.m128i_i64[0] + 1);
v11 = 1;
if ( *(splitted_input + 5) != 0x1ELL ) // second value
goto LABEL_10;
if ( compare_string(a1, splitted_input + 4)
&& compare_and_md5(a1, splitted_input + 4)
&& compare_string_2(a1, splitted_input + 4)
&& compare_and_md5_2(a1, splitted_input + 4) )
{
v41 = 0x200000C9;
*s2 = _mm_load_si128(&xmmword_14680);
v40 = 0x9FFFFF3C7FFFFF3ALL;
si128 = _mm_load_si128(&xmmword_14690);
v38 = _mm_load_si128(&xmmword_146A0);
v39 = _mm_load_si128(&xmmword_146B0);
sub_5DA0(v29, s2, 19LL);
get_string(s, v29); // string enjoy
v20 = s[0];
v33.m128i_i64[0] = &v34;
if ( !s[0] )
std::__throw_logic_error("basic_string: construction from null is not valid");
v28[0] = strlen(s[0]);
v21 = v28[0];
if ( v28[0] > &byte_9[6] )
{
v33.m128i_i64[0] = std::string::_M_create(&v33, v28, 0LL);
v23 = v33.m128i_i64[0];
v34.m128i_i64[0] = v28[0];
}
else
{
if ( v28[0] == &dword_0 + 1 )
{
v34.m128i_i8[0] = *v20;
LABEL_50:
v33.m128i_i64[1] = v28[0];
*(v28[0] + v33.m128i_i64[0]) = 0;
sub_61D0(a2);
std::string::_M_dispose(&v33);
std::string::_M_dispose(s);
if ( v29[0] )
operator delete(v29[0], v30 - v29[0]);
v22 = fork();
if ( !v22 )
{
close(*a1);
dup2(a2, 0);
dup2(a2, 1);
dup2(a2, 2);
v38.m128i_i32[0] = 1610612933;
*s2 = _mm_load_si128(&xmmword_146C0);
si128 = _mm_load_si128(&xmmword_146D0);
sub_5DA0(v29, s2, 9LL);
get_string(s, v29);
v35 = 1610612933;
v24 = s[0];
v33 = _mm_load_si128(&xmmword_146C0);
v34 = _mm_load_si128(&xmmword_146D0);
sub_5DA0(v28, &v33, 9LL);
get_string(path, v28);
execl(path[0], v24, 0LL);
std::string::_M_dispose(path);
if ( v28[0] )
operator delete(v28[0], v28[2] - v28[0]);
std::string::_M_dispose(s);
if ( v29[0] )
operator delete(v29[0], v30 - v29[0]);
exit(0);
}
v11 = 0;
if ( v22 < 0 )
exit(1);
goto LABEL_10;
}
if ( !v28[0] )
goto LABEL_50;
v23 = &v34;
}
memcpy(v23, v20, v21);
goto LABEL_50;
}
}
else if ( v10 != &si128 )
{
operator delete(v10, si128.m128i_i64[0] + 1);
}
v11 = 1;
LABEL_10:
v12 = splitted_input;
v13 = (((v4 - splitted_input - 32) >> 5) + 1) & 3;
if ( ((((v4 - splitted_input - 32) >> 5) + 1) & 3) == 0 )
goto LABEL_69;
if ( v13 != 1 )
{
if ( v13 != 2 )
{
if ( *splitted_input != splitted_input + 16 )
operator delete(*splitted_input, *(splitted_input + 2) + 1LL);
v12 = splitted_input + 32;
}
if ( *v12 != v12 + 16 )
operator delete(*v12, *(v12 + 2) + 1LL);
v12 += 32;
}
if ( *v12 != v12 + 16 )
operator delete(*v12, *(v12 + 2) + 1LL);
v12 += 32;
if ( v4 != v12 )
{
LABEL_69:
do
{
if ( *v12 != v12 + 16 )
operator delete(*v12, *(v12 + 2) + 1LL);
v14 = *(v12 + 4);
v15 = v12 + 32;
if ( v14 != v12 + 48 )
operator delete(v14, *(v12 + 6) + 1LL);
v16 = *(v12 + 8);
if ( v16 != v12 + 80 )
operator delete(v16, *(v12 + 10) + 1LL);
v17 = *(v12 + 12);
if ( v17 != v12 + 112 )
operator delete(v17, *(v12 + 14) + 1LL);
v12 += 128;
}
while ( v4 != v15 + 96 );
}
LABEL_31:
operator delete(splitted_input, v27 - splitted_input);
return v11;
}Line 84: compare "p455" with first value on splitted input
Line 91-94: compare second value on splitted input with some character and hash
all the hash are available on online database because it only a few character
sub_DEB0 == md5
So basically we can find all the valid values by set breakpoint on all cmp instruction. For example
pie b 0x6CE8
pie b 0x6E45
pie b 0x75B7
...During the competition i create gdb script to automate the repetitive task.
#!/usr/bin/python3
class SolverEquation(gdb.Command):
def __init__ (self):
super (SolverEquation, self).__init__ ("solve-equation",gdb.COMMAND_OBSCURE)
def invoke (self, arg, from_tty):
gdb.execute("pie del")
gdb.execute("set environment OGP=123456")
gdb.execute("pie b 0x41f1")
gdb.execute("pie b 0x5175") # anti debug 1
# gdb.execute("pie b 0x531C") # compare OGP LENGTH
gdb.execute("pie b 0x41FC") # check success run func_1
gdb.execute("pie b 0x45f5") # call fork
gdb.execute("pie b 0x46F3") # call func_3
gdb.execute("pie b 0xBE09") # anti debug 1
gdb.execute("pie b 0xBED5") # strlen
gdb.execute("pie run")
gdb.execute("c")
gdb.execute("set $al=0x0") # bypass anti debug 1
gdb.execute("c")
gdb.execute("c")
gdb.execute("set follow-fork-mode child")
gdb.execute("c")
def addr2num(addr):
try:
return int(addr) # Python 3
except:
return long(addr) # Python 2
SolverEquation()After get the valid input, just send it to the server and got the shell
from pwn import *
# context.log_level = 'debug'
# r = remote("127.0.0.1", 50009)
r = remote("20.80.240.190", 1235)
r.recvuntil(b">> ")
payload = b"p455 eO23410239a3adefing3k0mn00q666\n"
r.send(payload)
r.interactive()Flag: AKASEC{Orgalor6_1n_d1sgu1s3_as_d4em0n_p3ngu1n}
Last updated
