@5unKn0wn
Created July 3, 2017 06:40

SECUINSIDE 2017 write-ups

Rank

R-BOX

description : can you break my R-BOX?

The main flow of R-BOX is:

  1. Get user input (1 byte)
  2. If the user input == '\n' --> run the correctness check
  3. Perform the calculation
  4. Repeat

ida main

The 8-bit input is converted to a func_table index and two arguments.

0b10101011 -->
(1 0 1) : index
(0 1 0) : arg1 (layer)
(1 1) : arg2 (cnt)

func_table has 6 functions.

ida main

Each function performs its own calculation.

rotate

The operations are all XOR swaps.

It seems strange and very complex.

I do not know if you've noticed, but this is a 5x5x5 Rubik's Cube implementation.

The six functions in func_table each rotate one face.

The Up, Down, Front, Back, Left and Right faces are rotated.

Each rotation is composed of XOR swaps.

So the function's first argument is the layer, and the second argument is the count.

The function then rotates the given layer by that count.

Next, we will analyze the input check routine.

check

The is_correct function checks whether all cube faces are solved.

So we have to solve a 5x5x5 cube.

Solving a 5x5x5 cube may seem too hard.

But once you lay the initial values out in the shape of a 5x5x5 cube, you may not think so.

The initial values in 5x5x5 cube shape look like this:

            2 2 2 2 2  
            2 3 3 3 3  
            2 3 0 0 0  
            2 3 0 2 2  
            2 3 0 2 3  

5 5 5 5 5   3 0 2 3 0   2 0 3 2 0   1 1 1 1 1  
4 4 4 4 5   3 0 2 3 3   0 0 3 2 0   1 5 5 5 5  
1 1 1 4 5   3 0 2 2 2   3 3 3 2 0   1 5 4 4 4  
5 5 1 4 5   3 0 0 0 0   2 2 2 2 0   1 5 4 1 1  
4 5 1 4 5   3 3 3 3 3   0 0 0 0 0   1 5 4 1 5  

            4 4 4 4 4  
            1 1 1 1 4  
            5 5 5 1 4  
            4 4 5 1 4  
            1 4 5 1 4  

Don't you see some kind of pattern?

If you make an image of it and search for it, Google says it is the "cube in a cube" pattern.

After some searching, we find that the 5x5x5 cube in a cube pattern formula is "U' L' U' F' R2 B' R F U B2 U B' L U' F U R F' u' l' u' f' r2 b' r f u b2 u b' l u' f u r f'"

and its reverse formula is "f r' u' f' u l' b u' b2 u' f' r' b r2 f u l u F R' U' F' U L' B U' B2 U' F' R' B R2 F U L U"

Finally, we need to convert the cube formula to program input.

Here is my Python code.

def reverse_formula(formula):
	reverse = []

	for i in formula.split(' ')[::-1]:
		if "'" in i:
			reverse.append(i[:-1])
		elif "2" in i:
			reverse.append(i)
		else:
			reverse.append(i + "'")

	return ' '.join(reverse)

formula = "U' L' U' F' R2 B' R F U B2 U B' L U' F U R F' u' l' u' f' r2 b' r f u b2 u b' l u' f u r f'"
reverse = reverse_formula(formula)

# print reverse

ans = []

for i in reverse.split(' '):
	if i == "U":
		ans.append(chr(0b00100101))
	elif i == "U'":
		ans.append(chr(0b00100111))
	elif i == "U2":
		ans.append(chr(0b00100110))
	elif i == "u":
		ans.append(chr(0b00100101) + chr(0b00101001))
	elif i == "u'":
		ans.append(chr(0b00100111) + chr(0b00101011))
	elif i == "u2":
		ans.append(chr(0b00100110) + chr(0b00101010))
	elif i == "D":
		ans.append(chr(0b01000101))
	elif i == "D'":
		ans.append(chr(0b01000111))
	elif i == "D2":
		ans.append(chr(0b01000110))
	elif i == "d":
		ans.append(chr(0b01000101) + chr(0b01001001))
	elif i == "d'":
		ans.append(chr(0b01000111) + chr(0b01001011))
	elif i == "d2":
		ans.append(chr(0b01000110) + chr(0b01001010))
	elif i == "F":
		ans.append(chr(0b01100101))
	elif i == "F'":
		ans.append(chr(0b01100111))
	elif i == "F2":
		ans.append(chr(0b01100110))
	elif i == "f":
		ans.append(chr(0b01100101) + chr(0b01101001))
	elif i == "f'":
		ans.append(chr(0b01100111) + chr(0b01101011))
	elif i == "f2":
		ans.append(chr(0b01100110) + chr(0b01101010))
	elif i == "B":
		ans.append(chr(0b10000101))
	elif i == "B'":
		ans.append(chr(0b10000111))
	elif i == "B2":
		ans.append(chr(0b10000110))
	elif i == "b":
		ans.append(chr(0b10000101) + chr(0b10001001))
	elif i == "b'":
		ans.append(chr(0b10000111) + chr(0b10001011))
	elif i == "b2":
		ans.append(chr(0b10000110) + chr(0b10001010))
	elif i == "L":
		ans.append(chr(0b10100101))
	elif i == "L'":
		ans.append(chr(0b10100111))
	elif i == "L2":
		ans.append(chr(0b10100110))
	elif i == "l":
		ans.append(chr(0b10100101) + chr(0b10101001))
	elif i == "l'":
		ans.append(chr(0b10100111) + chr(0b10101011))
	elif i == "l2":
		ans.append(chr(0b10100110) + chr(0b10101010))
	elif i == "R":
		ans.append(chr(0b11000101))
	elif i == "R'":
		ans.append(chr(0b11000111))
	elif i == "R2":
		ans.append(chr(0b11000110))
	elif i == "r":
		ans.append(chr(0b11000101) + chr(0b11001001))
	elif i == "r'":
		ans.append(chr(0b11000111) + chr(0b11001011))
	elif i == "r2":
		ans.append(chr(0b11000110) + chr(0b11001010))


print ''.join(ans)

If we run the above Python code, it gives me the correct input.
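The bit layout described earlier (index, layer, cnt) and the conversion table in the script can be written as one small encoder/decoder, which also lets you decode a candidate input back into moves to check it before sending. This is an added example, not part of the original write-up; the function names are this example's own, and the mapping of index 1..6 to U, D, F, B, L, R is inferred from the byte constants in the script above.

```python
# Added example, not the author's script. Bit layout as stated in the write-up:
# bits 7-5 = func_table index, bits 4-2 = arg1 (layer), bits 1-0 = arg2 (cnt).
# Assumption: index 1..6 = U, D, F, B, L, R (inferred from the script's constants).
FACES = "UDFBLR"
COUNTS = {"": 1, "2": 2, "'": 3}  # cnt values the script uses for X, X2 and X'


def decode_byte(b):
    """Split one input byte into (index, layer, cnt)."""
    return (b >> 5) & 0b111, (b >> 2) & 0b111, b & 0b11


def encode_byte(index, layer, cnt):
    """Pack (index, layer, cnt) into one byte, rejecting out-of-range fields."""
    if not (0 <= index <= 7 and 0 <= layer <= 7 and 0 <= cnt <= 3):
        raise ValueError("field out of range: %r" % ((index, layer, cnt),))
    return (index << 5) | (layer << 2) | cnt


def encode_move(move):
    """Encode one move such as "U", "R2" or "f'" into its input byte(s)."""
    face, suffix = move[:1], move[1:]
    if not face or face.upper() not in FACES or suffix not in COUNTS:
        raise ValueError("unsupported move: %r" % move)
    index = FACES.index(face.upper()) + 1
    # Upper case turns layer 1 only; the script sends lower case as layers 1 and 2.
    layers = (1,) if face.isupper() else (1, 2)
    return bytes(encode_byte(index, layer, COUNTS[suffix]) for layer in layers)


def encode_formula(formula):
    """Encode a whitespace-separated formula into the raw input bytes."""
    return b"".join(encode_move(m) for m in formula.split())


def decode_input(data):
    """Turn raw input bytes back into (face, layer, cnt) triples for review."""
    moves = []
    for b in data:
        index, layer, cnt = decode_byte(b)
        face = FACES[index - 1] if 1 <= index <= len(FACES) else "?"
        moves.append((face, layer, cnt))
    return moves


if __name__ == "__main__":
    import sys
    reverse = ("f r' u' f' u l' b u' b2 u' f' r' b r2 f u l u "
               "F R' U' F' U L' B U' B2 U' F' R' B R2 F U L U")
    sys.stdout.buffer.write(encode_formula(reverse) + b"\n")  # raw bytes, then '\n'
```

Writing through `sys.stdout.buffer` matters on Python 3: printing `chr()` values above 0x7f as text would emit multi-byte UTF-8 sequences instead of the single bytes the program reads.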

success

And the flag is SECU[s0_s0_c0ol_5x5x5_rub1k's_cub3_w1th_cub3_1n_4_cub3_p4tt3rn]

Thanks to 217 and PLUS.
