I made a simple webpage that checks whether the flag is correct... Wait, where are the flag-checking functions?
Solution
Given access to URL , take a look on the page source.
Looks like there are a bunch of whitespace and we see some readable code in the end of the HTML
We can see that there is eval(f) in the end, so my assumption is it will exec the javascript code. To get the executed code we can try to change eval to console.log then take a look on console browser.
Yet another crackme. To begin, download the attachment and install it on your android device.
Solution
Given APK file, decopmile it using JADX-GUI.
Through the out directory we found that there is CrackMe.dll, open it using dnspy.
In MainPage class there is function onCounterClicked that will call checkFlag function. If the return True it will shows correct flag, so lets take a look on checkFlag function.
For those who never tried even the simplest reverse, this is for you! Check the guide to experiment how simple reverse works!
For experience player, this is just a simple crackme, not worth your attention, maybe go to solve some 5-stars :)
Solution
Given ELF file, open it using IDA.
We can see that there is two validation. First validation is by using arithmetic operator (addition and multiplication) and the second validation is using logic operator (xor). The details of each validation are as follows
First validation
4 bytes validation, can be solved using z3 or bruteforce
Second validation
28 bytes validation (flag value after hkcert24{, we know it from the strstr function and haystack[i+9])
Can be solved by reversing the flow (just do the xor)
from z3 import *
import string
def all_smt(s, initial_terms):
def block_term(s, m, t):
s.add(t != m.eval(t, model_completion=True))
def fix_term(s, m, t):
s.add(t == m.eval(t, model_completion=True))
def all_smt_rec(terms):
if sat == s.check():
m = s.model()
yield m
for i in range(len(terms)):
s.push()
block_term(s, m, terms[i])
for j in range(i):
fix_term(s, m, terms[j])
yield from all_smt_rec(terms[i:])
s.pop()
yield from all_smt_rec(list(initial_terms))
a = bytes.fromhex("CE21DB64D150E01B0D3EFB0A522F949DAFB1586B8AEEC1F0FC190AE3E91ED04A62F247A8200BD36C1C1C565B9BB34D3DCE8380C0E67EE809BD14C447A1F62FD1315C1E10D12AE05345FE8558A6AD03CC104BD394FE62854E4A2735E2940F499186D780354C67C3AA3C67E83FE46723DE8E2D462536E1F3907D0FB9148CE7B6A61A9080798535FD518C10E93F32CC4BB542DEF55713C8099B4D1984915F9D773031C7288D1DF471E4D1A30C0759AA0DAD163540B9286AB54C245A8DA6A6C456DDC09BBFCCDE0C5BC175DD77BBF62B431D1303AD73A3AC4DEAA52FC23E4A1AF56572E54A10108CFB100A4D7971F6C7805464B002AAD87C3953ECADB44E2FEBE04700")
b = bytes.fromhex("BD10B650BD35BF787F0A98611F1CCBA9F0D96C05EEACB8989D773CBC812EA0793D8B77DD7F6FE3022B433868A8D7120AA1DCF5F38321DC67DA669B77D3A955E26E3A2E628E5E886236A1E72D91F23293677BBDF0CD10DA7F2C78568AA0382EE1B188B0471304F7C46314DB0CBB134BEFBB722414598390A40969CC7AE29E8C8F69A1ED4DE950A232FE248A547FFF14811DB6C139778A70F32C77B2CE37AD07036EBE18F84290418AE6FC62346ACE529A796A358A4D3581224328D296D49B2CEE9FFD8FBE817833F0068215CEC17472426433C31790DE12DBC370A1567E2D921545BA7A624FEFCF7E553E4A42A9B3E86551EF609BB71E5A6798CBC1204192DA6E00")
flag = b"hkcert24{"
for i in range(28):
flag += bytes([a[i] ^ b[i]])
haystack = [BitVec("x{}".format(i), 8) for i in range(5)]
s = Solver()
list_char = string.printable[:-6]
for i in haystack:
s.add(z3.Or(*[ord(j) == i for j in list_char]))
v6 = 5
s.add(haystack[v6 - 1] == ord('}'))
s.add(haystack[v6 - 2] == ord('1'))
s.add(haystack[v6 - 5] + haystack[v6 - 4] + haystack[v6 - 3] == 300)
s.add(2 * haystack[v6 - 5] + haystack[v6 - 4] + 2 * haystack[v6 - 3] == 496)
s.add(haystack[v6 - 5] + 3 * haystack[v6 - 4] + haystack[v6 - 3] == 508 )
for model in all_smt(s, haystack):
tmp_flag = b""
for i in haystack:
try:
tmp_flag += bytes([model[i].as_long()])
except Exception as e:
tmp_flag += b"?"
print(flag + tmp_flag)
There are so many valid solution but we still able to guess the actual one.
Flag: hkcert24{s1m4le_cr4ckM3_4_h4ndByhan6_cha1}
Cyp.ress (200 pts)
Description
You will get sser.pyc when you reverse the title. Now reverse it back for me.
Solution
Solution
Given pyc file, tried to decompile using pycdc but it failed. Lets use pycdas instead
The algorithm is not complex, so we can easility understand it. The program tried to send nonce to the server then the nonce will be used as the base value for generating key and iv same as in client side. The generated key and iv will be used to do encryption with AES MODE_CFB and in the end the ciphertext will be validated with the value from server. So the easy way we can hook the data in request function and AES function.
First, modify code in requests library to printout the ciphertext (flag)
python3.12/site-packages/requests/api.py
def post(url, data=None, json=None, **kwargs):
r"""Sends a POST request.
:param url: URL for the new :class:`Request` object.
:param data: (optional) Dictionary, list of tuples, bytes, or file-like
object to send in the body of the :class:`Request`.
:param json: (optional) A JSON serializable Python object to send in the body of the :class:`Request`.
:param \*\*kwargs: Optional arguments that ``request`` takes.
:return: :class:`Response <Response>` object
:rtype: requests.Response
"""
res = request("post", url, data=data, json=json, **kwargs)
print(res.text)
return res
Wonton noodles are called 'small minced', rice is called 'handsome', so what was the flag called? Don't worry, I've written a program to help you check if it's right.
Solution
Given ELF file, open it using IDA.
Another flag checker, the algorithm should be in sub_1392.
The important function is on sub_12EF, because it will process our input then the return value will be processed by modulo then comparation. Lets take a look on sub_12EF
It looks like multiplication function, we can validate it by changing the argument during debugging.
Now we know the logic, the next step just recreate the algorithm then brute it. Because it is only 4 bytes so it will not take long times to do bruteforce.
If you haven't tried our last year's ISA challenges, they are back this year with some changes here and there!
This is a challenge to help you get along with the web interface debug environment, which combines as an debugger, an interpreter and challenge connections!
Check out the ISH fullchain series after this!
Solution
Given custom asm file, open it using text editor. We can use the playground to debug the program
The objective of this challenge is executing flag binary. From the syscall table, we know which one the instruction that receive our input.
Set breakpoint on 87 (after syscall input), then analyze until XOR instruction that processed our input.
From the debugger we can see that our input (stored at R6) will be xored with R7. R7 values originated from R5, lets take a look on value on R5
We can also see those values in push instruction on the assembly.
So our input will be xored with those static keys and then will be executed as a command. To generate valid command we just need to do the xor with those static keys, below is our script to generate the valid commands.
from Crypto.Util.number import *
from pwn import xor
a = [0xb146f66e,0x2fd8b7c1,0x95e11585,0xcf39fb28,0xb3accf4c,0xdb22a8cb,0xe21f60cd,0xb660d0fe,0x8be89ec9,0x241bd185,0x161d7e99,0xbf3a7f64,0xea7454ee,0x2e04ce47,0x18b25e16,0x2295643e,0x49f8d91f,0x3f541ea6,0x113d8a6f,0x38726ccc,0x2e27be68,0xd4e398ea,0x7fcba040,0xeec775f5,0x478ff266,0x718a3507,0x536edeba,0xf0efb119,0x9efdd1c2,0x977b4203,0x2ceeda0d,0xfdc086ff,0x2303c15a,0x3c9d30a1,0x193f231b,0x1a06a63f,0x5c829f5,0x49c872b8,0x92bcbdad,0xa9a5a84e,0xb16969c,0xb58b3659,0x642069c9,0x9c37ba69,0x623277a4,0x17b6f65c,0xa6a21506,0x15881c76,0x96ed9c50,0x21226b56,0xd8890218,0xca6eddde,0x9a18e395,0x936f6277,0xaf23d230,0x88d9666a,0xff591d2f,0xce454872,0xf3391e9f,0x4ddd147f,0x404bcc99,0x5becacfd,0x1d9f2f1,0xc833a241]
a = a[::-1]
key = b""
for i in a:
key += long_to_bytes(i)[::-1]
command = b"ls\x00\x00"
print(xor(command, key[:len(command)]).hex())
from Crypto.Util.number import *
from pwn import xor
a = [0xb146f66e,0x2fd8b7c1,0x95e11585,0xcf39fb28,0xb3accf4c,0xdb22a8cb,0xe21f60cd,0xb660d0fe,0x8be89ec9,0x241bd185,0x161d7e99,0xbf3a7f64,0xea7454ee,0x2e04ce47,0x18b25e16,0x2295643e,0x49f8d91f,0x3f541ea6,0x113d8a6f,0x38726ccc,0x2e27be68,0xd4e398ea,0x7fcba040,0xeec775f5,0x478ff266,0x718a3507,0x536edeba,0xf0efb119,0x9efdd1c2,0x977b4203,0x2ceeda0d,0xfdc086ff,0x2303c15a,0x3c9d30a1,0x193f231b,0x1a06a63f,0x5c829f5,0x49c872b8,0x92bcbdad,0xa9a5a84e,0xb16969c,0xb58b3659,0x642069c9,0x9c37ba69,0x623277a4,0x17b6f65c,0xa6a21506,0x15881c76,0x96ed9c50,0x21226b56,0xd8890218,0xca6eddde,0x9a18e395,0x936f6277,0xaf23d230,0x88d9666a,0xff591d2f,0xce454872,0xf3391e9f,0x4ddd147f,0x404bcc99,0x5becacfd,0x1d9f2f1,0xc833a241]
a = a[::-1]
key = b""
for i in a:
key += long_to_bytes(i)[::-1]
command = b"exec printflag_19876bc2\x00"
print(xor(command, key[:len(command)]).hex())
Flag: hkcert24{x0r_1n_isa_r04d_t0_fullch41n!!!}
Morph (300 pts)
Description
Binary sometimes mixed together, just like fried rice or bibimbap.
Solution
Given ELF file, open it using IDA.
From code above we can see that there is decompress function and verify_* function. Lets take a look on decompress function
Then take a look on verify_0 function
So decompress function will do xor with key and size based on the argument. After the function has been decompressed it will be called to verify our input. Lets try to apply decryption to verify_0 to take a look on the logic of input validation.
from idaapi import *
import idc
def patch(addr, length, key):
for i in range(length):
val = get_bytes(addr+i, 1)
new_val = val[0] ^ key
patch_byte(addr+i, new_val)
ida_bytes.del_items(addr, 0, length)
create_insn(addr)
add_func(addr, addr + length)
def get_val(prev_addr):
print(prev_addr)
insn = insn_t()
k = ""
size = ""
verif_addr = ""
for addr in prev_addr[::-1]:
tmp = idc.print_operand(addr, 0)
if tmp == "edx":
k = int(idc.print_operand(addr, 1).replace("h", ""),16)
break
elif tmp == "esi":
size = int(idc.print_operand(addr, 1).replace("h", ""),16)
elif tmp == "rax":
verif_addr = get_name_ea(0, idc.print_operand(addr, 1))
return verif_addr, size, k
dict = {}
addr = 0x25B07B
insn = insn_t()
prev_addr = []
final_arr = []
while addr < 0x000000000025BC4B:
prev_addr.append(addr)
size = decode_insn(insn, addr)
tmp = idc.print_operand(addr, 0)
if "_Z10decompressPcic" == tmp:
print("nice", addr)
verif_addr, length, k = get_val(prev_addr)
patch(verif_addr, length, k)
addr += size
print(final_arr)
The verify function validate several index of our input and looks like there is a pattern that we can use to dump all the constraints. Below is the flow to dump all constraints
Decrypt the function
Find constraints format (index and correct value)
from idaapi import *
import idc
def patch(addr, length, key):
for i in range(length):
val = get_bytes(addr+i, 1)
new_val = val[0] ^ key
patch_byte(addr+i, new_val)
ida_bytes.del_items(addr, 0, length)
create_insn(addr)
add_func(addr, addr + length)
def get_constraints(addr, length):
arr = []
start_address = addr
while start_address < (addr + length):
print(hex(start_address))
create_insn(start_address)
insn = insn_t()
size = decode_insn(insn, start_address)
inst = idc.print_insn_mnem(start_address)
if inst == "mov":
tmp = idc.print_operand(start_address, 0)
if tmp == "esi":
val = idc.print_operand(start_address, 1)
val = int(val.replace("h", ""),16)
arr.append(val)
elif inst == "cmp":
val = idc.print_operand(start_address, 1)
val = int(val.replace("h", ""),16)
arr.append(val)
break
start_address += size
return arr
def get_val(prev_addr):
print(prev_addr)
insn = insn_t()
k = ""
size = ""
verif_addr = ""
for addr in prev_addr[::-1]:
tmp = idc.print_operand(addr, 0)
if tmp == "edx":
k = int(idc.print_operand(addr, 1).replace("h", ""),16)
break
elif tmp == "esi":
size = int(idc.print_operand(addr, 1).replace("h", ""),16)
elif tmp == "rax":
verif_addr = get_name_ea(0, idc.print_operand(addr, 1))
return verif_addr, size, k
dict = {}
addr = 0x25B07B
insn = insn_t()
prev_addr = []
final_arr = []
while addr < 0x000000000025BC4B:
prev_addr.append(addr)
size = decode_insn(insn, addr)
tmp = idc.print_operand(addr, 0)
if "_Z10decompressPcic" == tmp:
print("nice", addr)
verif_addr, length, k = get_val(prev_addr)
patch(verif_addr, length, k)
final_arr.append(get_constraints(verif_addr, length))
prev_addr = []
addr += size
print(final_arr)
After that put the output to z3 format
from z3 import *
import string
list_char = string.printable[:-6]
inp = [BitVec("x{}".format(i), 8) for i in range(55)]
data = [[48, 49, 88], [14, 15, 93], [11, 12, 10], [51, 52, 70], [42, 43, 100], [12, 13, 57], [37, 38, 54], [21, 22, 9], [26, 27, 87], [1, 2, 8], [7, 8, 79], [22, 23, 56], [49, 50, 27], [45, 46, 30], [40, 41, 49], [29, 30, 28], [44, 45, 30], [19, 20, 72], [53, 54, 78], [39, 40, 106], [10, 11, 95], [46, 47, 50], [6, 7, 6], [38, 39, 92], [3, 4, 23], [23, 24, 60], [35, 36, 4], [13, 14, 50], [8, 9, 8], [41, 42, 94], [2, 3, 6], [20, 21, 95], [18, 19, 31], [47, 48, 89], [52, 53, 65], [5, 6, 70], [25, 26, 84], [50, 51, 67], [15, 16, 84], [30, 31, 88], [17, 18, 87], [28, 29, 43], [4, 5, 6], [0, 1, 3], [9, 10, 64], [31, 32, 111], [33, 34, 28], [27, 28, 108], [43, 44, 11], [24, 25, 83], [36, 37, 106], [32, 33, 43], [16, 17, 85], [34, 35, 89]]
s = Solver()
for i in data:
s.add(inp[i[0]] ^ inp[i[1]] == i[2])
for i in inp:
s.add(z3.Or(*[ord(j) == i for j in list_char]))
known = b"hkcert24{"
for i in range(len(known)):
s.add(known[i] == inp[i])
s.add(inp[54] == ord('}'))
print(s.check())
model = s.model()
flag = b""
for i in inp:
try:
flag += bytes([model[i].as_long()])
except Exception as e:
flag += b"?"
print(flag)
It seems university students often plays Black Magic. It should be the first time tuning (meaning: guessing, telepath, shamanism, mind-reading) for many people.
Many language contains some black magic within. To those python expert: do you really know Python deep within? Time to tune what Python is thinking!
Solution
Given pyc file with the environment (docker). At first i tried to decompile using pycdc and it failed.
Next, i tried to do disasm using pycdas and it works!
We can see that it has around 10k lines of code and it would be painful if we just do it statically. During the competition i've an idea to do dump information from several opcode that will be executed. During the competition i did several modification until i found the opcode that give much information.
We can see that there is STORE_DEREF and BINARY_SUBSCR, STORE_DEREF basically storing value to variable and BINARY_SUBSCR is getting i-th value from a variable. I decided to dump the pyobject on those opcodes.
The first BINARY_SUBSCR result is 'i' and there are 5 operations before the BINARY_SUBSCR. 4 operations shift left and one operation addition. So we can conclude that 3 is shiftleft and 0 is addition. Now lets examine how value 1 generated.
Above opcode create value 1 and we can reconstruct it like below code in python
>>> -~(len(()))
1
And then for each operation we know that it will process value on top of stack, so basically for the first generated index we can reconstruct like below
>>> (((((1<<1)<<1)<<1)+1)<<1)
18
Now we can parse the opcode with this information, but there are another two problem left as below
my locals() return slightly different value
we can use the docker to printout the same locals() like the flag server
I tried to parse based on BINARY_OP, FORMAT_VALUE, and COMPARE_OP instruction the there are several different pattern
there is pattern to generate value 0 like below
So i put identifier/new line as BINARY_OP (??) in the dumped opcode
there is pattern to generate value 1 like below
So i put identifier/new line as BINARY_OP (?) in the dumped opcode
Not all values derived from locals()
Some of the opcode contains UNARY_NOT instruction before FORMAT_VALUE which means that the value will be derived from "True"
If there is no UNARY_NOT so the value will be derived from "False"
Lets solve the first issue which is printout the locals, change the run.sh in the src directory to below code
#!/bin/sh
python /app/src/lol.py
Create lol.py and put below code (somehow the first
input()
print(locals())
Now we have the locals(), change the __file__ value to /app/src/a.pyc and change SourceFileLoader to SourcelessFileLoader. Then create a parser and got the flag
def conv(arr):
init = 1
for j in arr:
if j == "<<":
init <<= 1
elif j == "+":
init += 1
elif j == "?":
init += 0
elif j == "??":
init -= 1
return init
f = open("dump2.asm", "r").read().split("\n")
LOAD_LOCALS = "{'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <_frozen_importlib_external.SourcelessFileLoader object at 0x7fffff0ff650>, '__spec__': None, '__annotations__': {}, '__builtins__': <module 'builtins' (built-in)>, '__file__': '/app/src/a.pyc', '__cached__': None}"
UNARY_NOT = "True"
UNARY_NOT_NEG = "False"
# print(len(LOAD_LOCALS))
tmp_opr = []
arr_const = []
var_arr = []
comp_index = []
for i in range(len(f)):
if "BINARY_OP" in f[i]:
tmp_opr.append(f[i].split(" ")[-1][1:-1])
elif "STORE_DEREF" in f[i]:
if tmp_opr == []:
continue
# print(tmp_opr, conv(tmp_opr))
arr_const.append(conv(tmp_opr))
tmp_opr = []
elif "FORMAT_VALUE" in f[i]:
var_check = (f[i-1].split(" ")[-1])
if var_check == "UNARY_NOT":
# print(var_check)
if "UNARY_NEGATIVE" in f[i-2]:
var_arr.append("UNARY_NOT_NEG")
else:
var_arr.append(var_check)
else:
var_arr.append(var_check)
elif "COMPARE_OP" in f[i]:
comp_index.append(conv(tmp_opr))
tmp_opr = []
for i in range(len(var_arr)):
# print(var_arr[i], arr_const[i])
if var_arr[i] == "LOAD_LOCALS":
print(i+1, LOAD_LOCALS[arr_const[i]], var_arr[i] , arr_const[i])
elif var_arr[i] == "UNARY_NOT":
print(i+1, UNARY_NOT[arr_const[i]], var_arr[i], arr_const[i])
elif var_arr[i] == "UNARY_NOT_NEG":
print(i+1, UNARY_NOT_NEG[arr_const[i]], var_arr[i], arr_const[i])
else:
# print("UNKNOWN", arr_const[i])
print(i+1, arr_const[i], var_arr[i])
# exit()
1 i LOAD_LOCALS 18
2 n LOAD_LOCALS 4
3 p LOAD_LOCALS 45
4 u UNARY_NOT 2
5 t LOAD_LOCALS 91
6 h LOAD_LOCALS 278
7 k LOAD_LOCALS 48
8 c LOAD_LOCALS 30
9 e UNARY_NOT 3
10 r UNARY_NOT 1
11 t LOAD_LOCALS 91
12 2 (<<)
13 4 (<<)
14 { LOAD_LOCALS 0
15 u UNARY_NOT 2
16 _ LOAD_LOCALS 2
17 r UNARY_NOT 1
18 _ LOAD_LOCALS 2
19 r UNARY_NOT 1
20 3 (+)
21 4 (<<)
22 l UNARY_NOT_NEG 2
23 _ LOAD_LOCALS 2
24 p LOAD_LOCALS 45
25 y LOAD_LOCALS 267
26 7 (+)
27 h LOAD_LOCALS 278
28 0 (??)
29 n LOAD_LOCALS 4
30 1 (?)
31 c LOAD_LOCALS 30
32 _ LOAD_LOCALS 2
33 b LOAD_LOCALS 94
34 y LOAD_LOCALS 267
35 4 (<<)
36 3 (+)
37 c LOAD_LOCALS 30
38 0 (??)
39 d LOAD_LOCALS 28
40 3 (+)
41 _ LOAD_LOCALS 2
42 m LOAD_LOCALS 6
43 4 (<<)
44 s UNARY_NOT_NEG 3
45 t LOAD_LOCALS 91
46 3 (+)
47 r UNARY_NOT 1
48 } LOAD_LOCALS 191
49 y LOAD_LOCALS 267
50 o LOAD_LOCALS 29
51 u UNARY_NOT 2
52 LOAD_LOCALS 12
53 p LOAD_LOCALS 45
54 a UNARY_NOT_NEG 1
55 s UNARY_NOT_NEG 3
56 s UNARY_NOT_NEG 3
57 e UNARY_NOT 3
58 d LOAD_LOCALS 28
Last, just construct the flag
Flag: hkcert24{u_r_r34l_py7h0n1c_by43c0d3_m4st3r}
Bashed! (500 pts)
Description
The program has only one meaningful function, and the function is less than 500 bytes long. What's hard understanding it?
Solution
Given .sh file, it is obfuscated and use some emojy as the identifier.
"Gd" and "ut" is on the same index, which is 47,48. Through analysis by trying to send the first valid comparation, i also found that if the input is correct it will use fifth emoji and if it is wrong it will use the sixth emoji as the downloaded file. For example
The code downloaded from valid input and invalid input is different, so we need to download the valid file (valid input). To make the program always return a valid code i patch the .sh file to always download the correct file.
if ! [[ "$FLAG" =~ ^[0-9A-Za-z_{}]{87}$ ]]; then echo 💔; exit 0; fi
function 🌚() { echo $(printf "%d" "'$1"); }
function 🌝() { echo $(printf "%x" "$1"); }
function 🍋() {
u=$(echo -n ${FLAG:$(($(🌚 $1)-$(🌚 👂))):$(($(🌚 $2)-$(🌚 👂)))} | sha1sum);
if [[ ${u:1:1} == $(🌝 $(($(🌚 $3)-$(🌚 👂)))) ]];
then wget https://c22-bashed.hkcert24.pwnable.hk/$4.sh -O $(basename $0) >/dev/null 2>&1; GALF=$((GALF*$(🌚 $6)));
else wget https://c22-bashed.hkcert24.pwnable.hk/$4.sh -O $(basename $0) >/dev/null 2>&1; GALF=$((GALF*$(🌚 $6)));
fi;exit;
}
Modify line 8 to get the file same as the correct comparation
add exit, because we know the process is self replace so we need to do a modification to make the program run continously when we do a patch on each validation process
Now our solver will be looks like below
patch the program so it will download the correct code
if the comparation contain more than 1 byte value it will always false, so skip the patch process
run for 3 different input and create a last script to parse the debug information generated
from pwn import *
import os
context.log_level = 'error'
def write_true_exit(prev_data, check_var):
f = open("tmp.sh", "r").read()
start = f.index("fi;")
out_data = f[:start+3] + "exit\n" + f[start+4:]
target = "wget https://c22-bashed.hkcert24.pwnable.hk/$5.sh -O $(basename $0) >/dev/null 2>&1; GALF=$((GALF*$(🌚 $7)));"
assert "${u:1:1}" in out_data
assert target in out_data
print(f"{check_var=}")
if check_var:
out_data = out_data.replace(target, "wget https://c22-bashed.hkcert24.pwnable.hk/$4.sh -O $(basename $0) >/dev/null 2>&1; GALF=$((GALF*$(🌚 $6)));")
if prev_data != "":
tmp_data = out_data.split("\n")
index_val = ""
for i in range(103, len(out_data)):
# print(prev_data)
if prev_data[:15] in tmp_data[i]:
length = len(prev_data)
length += 1
index_val = i + (length // 16)
print(length, index_val)
break
new_data = '\n'.join(tmp_data[:103])
new_data += "\n"
new_data += '\n'.join(tmp_data[index_val:])
out_data = new_data
outf = open("tmp.sh", "w")
outf.write(out_data)
outf.close()
def check_cmp(prev_data):
f = open("tmp.sh", "r").read()
start = f.index("fi;")
out_data = f[:start+3] + "exit\n" + f[start+4:]
out_data = out_data.replace("$(basename $0)", "$(basename $0)x")
if prev_data != "":
tmp_data = out_data.split("\n")
index_val = ""
for i in range(103, len(out_data)):
# print(prev_data)
if prev_data[:15] in tmp_data[i]:
length = len(prev_data)
length += 1
index_val = i + (length // 16)
print(length, index_val)
break
new_data = '\n'.join(tmp_data[:103])
new_data += "\n"
new_data += '\n'.join(tmp_data[index_val:])
out_data = new_data
outf = open("tmp.shx", "w")
outf.write(out_data)
outf.close()
def count_cmp(data):
tmp = data.split(" == ")
a1 = tmp[0].split("[ ")[-1]
a2 = tmp[1].split(" ]")[0]
print("count_cmp",a1, a2)
if len(a2) > 1:
return False
return True
def get_prev(data):
tmp_data = data.split("\n")
for j in range(len(tmp_data)):
if "GALF=" in tmp_data[j]:
return tmp_data[j+2][2:]
# inp = "hkcert24{0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZQWERTYUIOPASDFG}"
# inp = "}GFDSAPOIUYTREWQZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210{42treckh"
inp = "C5NnSxm32TPznxXOtS185Pr5sue2VKvNSMEdw{RO7eWYO{nGdHEmE5Klpg81G9IAZVuQkPh3njceH{MrnJryu{w"
debug_data = open("dump", "a")
prev_data = ""
target = 214
for _ in range(target):
print(_, prev_data)
check_cmp(prev_data)
r = process(["bash", "-x", "tmp.shx", inp])
tmp_debug = r.recvall().decode()
r.close()
check_var = count_cmp(tmp_debug)
write_true_exit(prev_data, check_var)
r = process(["bash", "-x", "tmp.sh", inp])
tmp_debug = r.recvall().decode()
r.close()
prev_data = get_prev(tmp_debug)
debug_data.write(tmp_debug)
print()
debug_data.close()
For the last script, it does the following flow
Parse the data to get the actual index and value compared
Brute to get the list of possible value (too much possibility)
Reduce the possibility by check it recursively with the value next to it
import hashlib
from itertools import product
import string
def parse_index_cmp(f, inp):
cmp_val = []
inp_val = []
for i in range(len(f)):
if "echo -n" in f[i]:
inp_val.append(f[i].split(" ")[-1].replace("'", ""))
elif "==" in f[i]:
cmp_val.append(f[i].split("==")[-1].split(" ")[1])
list_index = []
for i in inp_val:
index_val = inp.index(i)
length = len(i)
list_index.append([index_val, length])
return list_index, cmp_val
def find_all(target, data):
arr_index = []
for i in range(len(data)):
if target == data[i:i+len(target)]:
arr_index.append(i)
return arr_index
def find_intersection(arr1, arr2, arr3):
set1 = set(arr1)
set2 = set(arr2)
set3 = set(arr3)
result = list(set1.intersection(set2, set3))
return result
def brute_char(tmp_found, length, check_val):
arr_found = []
if tmp_found == []:
for i in product(string.printable[:-6], repeat=length):
p = ''.join(i).encode()
tmp_val = hashlib.sha1(p).hexdigest()
if tmp_val[1] == check_val:
arr_found.append(p)
else:
for p in tmp_found:
tmp_val = hashlib.sha1(p[:length]).hexdigest()
if tmp_val[1] == check_val:
arr_found.append(p)
return arr_found
def get_flag(arr, target_range):
for i in range(target_range):
tmp1 = arr[i]
tmp2 = arr[i+1]
new_arr = []
new_arr_2 = []
if len(tmp1[0]) != 1:
for j in tmp1:
for k in tmp2:
if check_char(k.decode()):
if len(tmp1[0]) == 2:
if j[1] == k[0]:
if k not in new_arr:
new_arr.append(k)
if j not in new_arr_2:
new_arr_2.append(j)
elif len(tmp1[0]) == 3:
if len(tmp2[0]) == 1:
if j[1] == k[0]:
if k not in new_arr:
new_arr.append(k)
if j not in new_arr_2:
new_arr_2.append(j)
else:
if j[1:3] == k[:2]:
if k not in new_arr:
new_arr.append(k)
if j not in new_arr_2:
new_arr_2.append(j)
arr[i+1] = new_arr
arr[i] = new_arr_2
return arr
def check_char(target):
list_char = string.ascii_uppercase + string.digits + string.ascii_lowercase + "_{}"
return all(c in list_char for c in target)
f = open("dump4", "r").read().split("\n")
inp = "hkcert24{0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZQWERTYUIOPASDFG}"
f2 = open("dump5", "r").read().split("\n")
inp2 = inp[::-1]
f3 = open("dump6", "r").read().split("\n")
inp3 = "C5NnSxm32TPznxXOtS185Pr5sue2VKvNSMEdw{RO7eWYO{nGdHEmE5Klpg81G9IAZVuQkPh3njceH{MrnJryu{w"
list_index_1, cmp_val_1 = parse_index_cmp(f, inp)
list_index_2, cmp_val_2 = parse_index_cmp(f2, inp2)
list_index_3, cmp_val_3 = parse_index_cmp(f3, inp3)
assert cmp_val_1 == cmp_val_2
assert cmp_val_1 == cmp_val_3
fix_list_index = []
for i in range(len(list_index_1)):
if (list_index_1[i] != list_index_2[i]) or (list_index_2[i] != list_index_3[i]) or (list_index_3[i] != list_index_1[i]):
val = inp[list_index_1[i][0]:list_index_1[i][0] + list_index_1[i][1]]
arr_index_1 = find_all(val, inp)
val = inp2[list_index_2[i][0]:list_index_2[i][0] + list_index_2[i][1]]
arr_index_2 = find_all(val, inp2)
val = inp3[list_index_3[i][0]:list_index_3[i][0] + list_index_3[i][1]]
arr_index_3 = find_all(val, inp3)
inter = find_intersection(arr_index_1, arr_index_2, arr_index_3)
if len(inter) != 1:
print(arr_index_1)
print(arr_index_2)
print(arr_index_3)
exit()
fix_list_index.append([inter[0], list_index_1[i][1]])
else:
fix_list_index.append(list_index_1[i])
d = {}
for i in range(len(fix_list_index)):
if fix_list_index[i][0] not in d:
d[fix_list_index[i][0]] = [[fix_list_index[i][1], i]]
else:
d[fix_list_index[i][0]].append([fix_list_index[i][1], i])
sorted_d = dict(sorted(d.items()))
all_found = []
for i in range(87):
tmp_found = []
for tmp_val in sorted_d[i]:
if tmp_val[0] == 3:
if len(cmp_val_1[tmp_val[1]]) == 1:
tmp_found = brute_char(tmp_found, 3, cmp_val_1[tmp_val[1]])
for tmp_val in sorted_d[i]:
if tmp_val[0] == 2:
if len(cmp_val_1[tmp_val[1]]) == 1:
tmp_found = brute_char(tmp_found, 2, cmp_val_1[tmp_val[1]])
for tmp_val in sorted_d[i]:
if tmp_val[0] == 1:
if len(cmp_val_1[tmp_val[1]]) == 1:
tmp_found = brute_char(tmp_found, 1, cmp_val_1[tmp_val[1]])
all_found.append(tmp_found)
target_range = 86
for _ in range(10):
all_found = get_flag(all_found, target_range)
for i in all_found:
print(i)
dump4, dump5, and dump6 is the output from debug file from previous script
Looking at the directory structure we found "xamarin", so i assume that it use xamarin as the tech stack. In directory resources from JADX-GUI export, i found that there is assemblies directory that we can utilize to get the Xamarin DLL. Tool that i used to do the unpack is .
Check the to see how to use the frontend and explanation of what this really is! You will try out one of the hardcore reversing method: dealing with assembly and understand them directly!
