vient

#!/usr/bin/env python2
from pwn import *
import os

class Room:
    def __init__(self, data=None):
        self.dimX = None
        self.dimY = None
        self.player = None
        self.flag = None

vient

#include <cstdio>
#include <cstring>
#include <cstdlib>
#include <vector>
#include <string>
#include <iostream>
#include <iomanip>

uint64_t arr0[] = {
    0xFA730603, 0xF8084C29, 0xF4290A55, 0xF17A02CD,

vient

#!/usr/bin/env python

import sys
import struct

from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
from pwn import *

vient

#!/usr/bin/env python

import sys
import struct

from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
from pwn import *

vient

Binary file is encrypting string by using a function on each char that produces int (as seen in sub_80488E0, sub_804868B). This encryption is not chained so we can pass every character to binary, get them encrypted and use them as reference to decode out file.

vient

import sys
import pprint
import struct

TABLE_SIZE = 4000
table = [[]]
iterators = []
locks = set()

def request(cur=0, path_diff=2**64):

vient

#!/usr/bin/env python2

from pwn import *
from heapq import *


PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, 233, 239, 241, 251)

def gen_byte_generators():
    res = {}

vient

The binary is reading format strings one by one from provided file and prints them in /dev/null.

This fprintf receives a lot of parameters, which actually are 16 bytes of memory, 16 bytes of flag, and pointers to said bytes. That are 64 parameters in total. Because of using %hhn specifiers, format strings can write to provided memory addresses, so we can perform additions with them easily.

Since given "virtual program" was pretty big, almost 3400 lines, I wrote a parser to make "virtual instructions" (format strings) more human-readable. For example, %2$*36$s%2$*41$s%4$hhn becomes mem[3] = mem[3] + mem[8].

After parsing int human-readable form patterns in code became more obvious, so the next thing I wrote were two "optimizing" passes that folded additions in multiplications and then multiplications into one big sum.

Next, after parsing we have pretty simple program already. It is clear that flag is checked using a linear system, so we can use z3 to solve it easily.

vient

Нам дан бинарный исполняемый файл PE под x86. Открываем его в IDA, переходим в main и видим такой код:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int result; // eax@2
  const char *v4; // ecx@3

  printf("Welcome to Kaspersky CrackMe 2016!\n");
  if ( argc == 3 )
  {

vient

Your friend works in an antivirus company. He developed a new algorithm for generating a license key and asks you to test it.

Нам дан архив с исполняемым файлом ELF x86_64 "petrovavlic". Недолго думая, открываем его в IDA, и видим, что он запакован UPX 3.94. Сам UPX распаковать его не может, автор вырезал имена секций. Каким-нибудь образом его распаковываем, например, восстановлением названий, и продолжаем.

По строкам из распакованного файла сразу понятно, что он написан на Go. Из них же и узнаем об авторе задания.

00000fb0: 2800 0000 0400 0000 476f 0000 3766 6661  (.......Go..7ffa
00000fc0: 3865 6437 3736 6134 3236 3237 3165 3864  8ed776a426271e8d
00000fd0: 6664 3937 3062 3530 6330 3163 6637 3666  fd970b50c01cf76f