@g05u
Last active August 29, 2015 14:20
TJCTF 2015 Venom reversing chall
import struct, random
# TJCTF 2015 Venom reversing chall
# www.null-life.com
# @_g05u_
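# Solver for the grid-based virtual machine embedded in ./venom.
#
# The binary stores a 53x53 grid of one-byte opcodes, each XOR-ed with 42.
# The interpreter below walks that grid in steps of 11 cells, wrapping at the
# edges. Every byte value 0..255 is fed in as a 27-character password made of
# that single byte; whenever the VM's compare opcode sees two equal operands,
# the candidate byte is recorded at the current input position.
#
# The indentation of this listing was lost in the page it was taken from and
# has been reconstructed from the statement order.

GRID_SIZE = 53      # the grid is GRID_SIZE x GRID_SIZE cells
BANK_SIZE = 1116    # VM memory is three banks of this many cells (3348 total)

# The context manager closes the handle even if the read fails. bytearray
# yields integers on both Python 2 and Python 3, so no ord() is needed.
with open('./venom', 'rb') as f:
    data = bytearray(f.read())

# First eight bytes of the grid as stored (still XOR-ed) in the file.
s = bytearray.fromhex('1462132F222E292F')
i = data.find(s)
if i < 0:
    # find() returns -1 on a miss; slicing from -1 would silently yield a
    # bogus grid, so stop with a clear message instead.
    raise ValueError('grid signature not found in ./venom')
data = data[i : i + (GRID_SIZE * GRID_SIZE)]
if len(data) < GRID_SIZE * GRID_SIZE:
    raise ValueError('./venom is truncated: incomplete 53x53 grid')

tmp = [x ^ 42 for x in data]
grid = [[tmp[r * GRID_SIZE + c] for c in range(GRID_SIZE)]
        for r in range(GRID_SIZE)]

# Step applied to (col, row) for each direction index 0..3.
col_inc = [11, -11, 0, 0]
row_inc = [0, 0, 11, -11]

recovered = [0] * 30
for candidate in range(256):
    mem = [0] * (3 * BANK_SIZE)
    pwd = chr(candidate) * 27
    ip = 0                  # number of password characters consumed so far
    row = 0
    col = 0
    string_mode = 0         # toggled by '"'; while set, raw cells are pushed
    sp = 0                  # index of the next free cell in mem
    direction = 0
    bank = 0
    halted = False
    matched = False

    while True:
        op = grid[row][col]

        if op == 34:                        # '"' toggles string mode
            string_mode = 1 - string_mode
        elif string_mode:                   # string mode: push the cell as-is
            mem[sp] = op
            sp += 1
        elif op == 62:                      # '>'
            direction = 0
        elif op == 60:                      # '<'
            direction = 1
        elif op == 118:                     # 'v'
            direction = 2
        elif op == 94:                      # '^'
            direction = 3
        elif op == 106:                     # 'j': move sp to the next bank
            bank += 1
            sp = bank * BANK_SIZE
        elif 0x30 <= op <= 0x39:            # '0'..'9': push the digit value
            mem[sp] = op - 0x30
            sp += 1
        elif op == 103:                     # 'g': load mem[1116 * a + b]
            offset = mem[sp - 1]
            mem[sp - 2] = mem[BANK_SIZE * mem[sp - 2] + offset]
            sp -= 1
        elif op == 115:                     # 's': store into mem[1116 * a + b]
            value = mem[sp - 1]
            offset = mem[sp - 2]
            sp -= 3
            mem[BANK_SIZE * mem[sp] + offset] = value
        elif op == 112:                     # 'p': drop the top cell
            sp -= 1
        elif op == 109:                     # 'm': reduce the top cell mod 256
            mem[sp - 1] = mem[sp - 1] % 256
        elif op == 110:                     # 'n': 16-bit NOR of the top two
            rhs = mem[sp - 1]
            mem[sp - 2] = (~(rhs | mem[sp - 2])) & 0xFFFF
            sp -= 1
        elif op == 45:                      # '-'
            rhs = mem[sp - 1]
            mem[sp - 2] = (mem[sp - 2] - rhs) & 0xFFFF
            sp -= 1
        elif op == 43:                      # '+'
            rhs = mem[sp - 1]
            mem[sp - 2] = (mem[sp - 2] + rhs) & 0xFFFF
            sp -= 1
        elif op == 42:                      # '*'
            rhs = mem[sp - 1]
            mem[sp - 2] = (mem[sp - 2] * rhs) & 0xFFFF
            sp -= 1
        elif op == 99:                      # 'c': compare, leaving the XOR
            rhs = mem[sp - 1]
            if mem[sp - 2] == rhs:
                # Equal operands: this candidate byte is right for the
                # password position that was read most recently.
                recovered[ip] = candidate
                matched = True
            mem[sp - 2] = (mem[sp - 2] ^ rhs) & 0xFFFF
            sp -= 1
        elif op == 105:                     # 'i': push next password char
            mem[sp] = ord(pwd[ip])
            sp += 1
            ip += 1
        elif op == 124:                     # '|': vertical branch
            rhs = mem[sp - 1] & 0xFFFF
            sp -= 2
            # NOTE(review): with the indentation lost, the original `else`
            # could bind to either `if`. It is read here as belonging to the
            # outer one (less -> 3, greater -> 2, equal -> unchanged);
            # confirm against the binary.
            if mem[sp] < rhs:
                direction = 3
            elif mem[sp] > rhs:
                direction = 2
        elif op == 95:                      # '_': horizontal branch
            rhs = mem[sp - 1] & 0xFFFF
            sp -= 2
            # NOTE(review): same `else` ambiguity as for '|' above.
            if mem[sp] < rhs:
                direction = 1
            elif mem[sp] > rhs:
                direction = 0
        elif op == 114:                     # 'r': stop this run
            halted = True
        elif op == 63:                      # '?': random direction
            direction = random.randint(0, 3)
        else:
            # The original dispatch loop never exits on an unhandled opcode,
            # so the script would hang; fail loudly with the location instead.
            raise ValueError('unknown opcode %d at row %d, col %d'
                             % (op, row, col))

        if halted:
            break
        col = (col_inc[direction] + GRID_SIZE + col) % GRID_SIZE
        row = (row_inc[direction] + GRID_SIZE + row) % GRID_SIZE

    if matched:
        # Parenthesised single argument prints the same on Python 2 and 3.
        print('Flag: %s' % ''.join(map(chr, recovered)))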
'''
Flag: 1
Flag: 13
Flag: 413
Flag: 41355
Flag: 41_3_5_5
Flag: 41a_a3_5_5
Flag: b41a_ba3_5_5
Flag: b41ca_ba3_5_5
Flag: b41ca_ba3f_5_5
Flag: b41call_bal3fl_l5_l5
Flag: b41call_bal3fl_pl5_pl5
Flag: b4s1call_bal3fl_pl5_pl5
Flag: b4s1call_bal3ful_plu5_plu5
Flag: b4s1cally_bal3ful_plu5_plu5
'''