@pgy
pgy / writeup.md
Created July 1, 2018 11:29
google ctf 2018 keygenme writeup

KEYGENME writeup

This is a walk-through of how I solved the KEYGENME reverse engineering challenge at the Google CTF 2018 qualifier.

Challenge description

I bet you can't reverse this algorithm!

The challenge contained an executable binary called main and a server

@pgy
pgy / !writeup.md
Last active April 3, 2018 19:59
0ctf2018 quals UDP writeup

0ctf2018 quals: UDP

The challenge binary spawned 4000 worker processes; each process listened on a separate UDP port (hence the name) from localhost:6000 to localhost:9999. The parent process listened on localhost:5999. The processes used these ports to send direct messages to each other in a synchronous manner.

Six message types were used among the processes. Message types 3, 4, and 5 were used to implement some kind of algorithm that computed something very inefficiently. The goal of the challenge was to find out what this algorithm

@pgy
pgy / !writeup.md
Last active November 7, 2017 22:34
BabyFirstRev writeup

BabyFirstRev

tldr: who needs rev when you have tar

Prepare a tar archive like this:

$ mkdir a
$ cat reverse/shell/script > a/s
$ chmod +x a/s

@pgy
pgy / !writeup.md
Created March 20, 2017 20:02
0ctf2017 EngineTest writeup

0ctf2017 - EngineTest

run go.sh and check your flag...

According to the go.sh file, the engineTest binary could be run with four arguments called cp, ip, /dev/stdin (dv for short), and op. The cp, ip and op files were provided; they contained some kind of binary data, probably a bunch of 64-bit numbers based on their hexdump.

@pgy
pgy / !writeup.md
Last active June 30, 2019 19:35
0ctf2017 py writeup

0ctf2017 - py

We permutate the opcode of python2.7, and use it to encrypt the flag.. Try to recover it!

The provided pyc file could be parsed with the marshal module, yielding a code object representing a Python module. Examining its co_{name,argcount,...} attributes showed that it had 3 names ('rotor', 'encrypt', 'decrypt') and four