Binary file is encrypting string by using a function on each char that produces int (as seen in sub_80488E0, sub_804868B).
This encryption is not chained so we can pass every character to binary, get them encrypted and use them as reference to decode out file.
View bot.py
| #!/usr/bin/env python2 | |
| from pwn import * | |
| import os | |
| class Room: | |
| def __init__(self, data=None): | |
| self.dimX = None | |
| self.dimY = None | |
| self.player = None | |
| self.flag = None |
View _solve.cpp
| #include <cstdio> | |
| #include <cstring> | |
| #include <cstdlib> | |
| #include <vector> | |
| #include <string> | |
| #include <iostream> | |
| #include <iomanip> | |
| uint64_t arr0[] = { | |
| 0xFA730603, 0xF8084C29, 0xF4290A55, 0xF17A02CD, |
View exploit.py
| #!/usr/bin/env python | |
| import sys | |
| import struct | |
| from Crypto.PublicKey import RSA | |
| from Crypto.Cipher import PKCS1_OAEP | |
| from pwn import * | |
View client.py
| #!/usr/bin/env python | |
| import sys | |
| import struct | |
| from Crypto.PublicKey import RSA | |
| from Crypto.Cipher import PKCS1_OAEP | |
| from pwn import * | |
View babyre.md
View solve.py
| import sys | |
| import pprint | |
| import struct | |
| TABLE_SIZE = 4000 | |
| table = [[]] | |
| iterators = [] | |
| locks = set() | |
| def request(cur=0, path_diff=2**64): |
View solve.py
| #!/usr/bin/env python2 | |
| from pwn import * | |
| from heapq import * | |
| PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, 233, 239, 241, 251) | |
| def gen_byte_generators(): | |
| res = {} |
View _writeup.md
The binary is reading format strings one by one from provided file and prints them in /dev/null.
This fprintf receives a lot of parameters, which actually are 16 bytes of memory, 16 bytes of flag, and pointers to said bytes. That are 64 parameters in total. Because of using %hhn specifiers, format strings can write to provided memory addresses, so we can perform additions with them easily.
Since given "virtual program" was pretty big, almost 3400 lines, I wrote a parser to make "virtual instructions" (format strings) more human-readable. For example, %2$*36$s%2$*41$s%4$hhn becomes mem[3] = mem[3] + mem[8].
After parsing int human-readable form patterns in code became more obvious, so the next thing I wrote were two "optimizing" passes that folded additions in multiplications and then multiplications into one big sum.
Next, after parsing we have pretty simple program already. It is clear that flag is checked using a linear system, so we can use z3 to solve it easily.
View description.md
Нам дан бинарный исполняемый файл PE под x86. Открываем его в IDA, переходим в main и видим такой код:
int __cdecl main(int argc, const char **argv, const char **envp)
{
int result; // eax@2
const char *v4; // ecx@3
printf("Welcome to Kaspersky CrackMe 2016!\n");
if ( argc == 3 )
{
View description.md
Your friend works in an antivirus company. He developed a new algorithm for generating a license key and asks you to test it.
Нам дан архив с исполняемым файлом ELF x86_64 "petrovavlic". Недолго думая, открываем его в IDA, и видим, что он запакован UPX 3.94. Сам UPX распаковать его не может, автор вырезал имена секций. Каким-нибудь образом его распаковываем, например, восстановлением названий, и продолжаем.
По строкам из распакованного файла сразу понятно, что он написан на Go. Из них же и узнаем об авторе задания.
00000fb0: 2800 0000 0400 0000 476f 0000 3766 6661 (.......Go..7ffa
00000fc0: 3865 6437 3736 6134 3236 3237 3165 3864 8ed776a426271e8d
00000fd0: 6664 3937 3062 3530 6330 3163 6637 3666 fd970b50c01cf76f
NewerOlder