この大会は2020/3/20 9:30(JST)~2020/3/30 9:30(JST)に開催されました。
今回もチームで参戦。結果は9993点の満点で661チーム中14位でした。
自分で解けた問題をWriteupとして書いておきます。
CORRUPTED_DISK (MISC)
$ foremost recovered_disk.img Processing: recovered_disk.img |foundat=_rels/.rels��MKA ���C��l+����"Bo"�������3i���A �P��Ǽy���m���N���AêiAq0Ѻ0jx�=/`�/�W>��J�\*�ބ�aI���L��41q��!fOR�<b"���qݶ��2��1��j�[���H�76z�$�&f^�\��8.Nyd�`�y�q�j4� x]h�{�8 ��S4G�A�y�Y8X���(�[Fw�i4o|˼�l�^��͢����P��#� *|
抽出された画像の中にフラグが書かれているものがあった。
gigem{wh3r3_w3r3_601n6_w3_d0n7_n33d_h34d3r5}
RSAPWN (MISC)
$ nc challenges.tamuctf.com 8573 We must train future hackers to break RSA quickly. Here is how this will work. I will multiply together two big primes (<= 10000000), give you the result, and you must reply to me in less than two seconds telling me what primes I multiplied. Press enter when you are ready. 99979240776043
ただ素因数分解するだけの問題。
import socket from sympy import * def recvuntil(s, tail): data = '' while True: if tail in data: return data data += s.recv(1) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('challenges.tamuctf.com', 8573)) data = recvuntil(s, 'ready.\n').rstrip() print data + '\n' s.sendall('\n') n = int(recvuntil(s, '\n').rstrip()) print n factor = factorint(n) ans = '' for p in factor.keys(): ans += str(p) ans += ' ' ans = ans[:-1] print ans s.sendall(ans + '\n') data = recvuntil(s, '\n').rstrip() print data data = recvuntil(s, '\n').rstrip() print data
実行結果は以下の通り。
We must train future hackers to break RSA quickly. Here is how this will work.
I will multiply together two big primes (<= 10000000), give you the result,
and you must reply to me in less than two seconds telling me what primes I
multiplied.
Press enter when you are ready.
99987400068571
9998797 9999943
Good job :)
gigem{g00d_job_yOu_h4aaxx0rrR}
gigem{g00d_job_yOu_h4aaxx0rrR}
INSTAGRAM (MISC)
バイナリエディタで見ると、中身はJPG。ただ何かがおかしく、画面を表示できない。他のJPGと比べると、"JFIF"の文字列がないことがわかる。0始まりで、6バイト目に"JFIF"を挿入することで修復でき、画像にフラグが書いてある。
gigem{cH4nG3_the_f0rMaTxD}
WOOF_WOOF (MISC)
JPGをバイナリエディタで見ると、以下のように3種類の単語が並んでいる部分がある。
woof woof bark ruff bark bark ruff woof woof bark ruff bark ruff woof woof ruff woof bark bark bark bark woof ruff woof bark bark ruff woof woof woof woof woof ruff woof woof bark ruff woof ruff bark woof woof bark woof bark ruff bark bark bark ruff woof ruff bark woof woof woof woof ruff woof bark woof bark ruff bark woof woof woof ruff woof woof woof woof woof ruff woof bark bark bark ruff woof bark bark bark bark woof
モールス信号と推測し、変換してデコードする。
woof -> _ bark -> . ruff -> スペース
morse = {'.-': 'A', '-...': 'B', '-.-.': 'C', '-..': 'D', '.': 'E',
'..-.': 'F', '--.': 'G', '....': 'H', '..': 'I', '.---': 'J', '-.-': 'K',
'.-..': 'L', '--': 'M', '-.': 'N', '---': 'O', '.--.': 'P', '--.-': 'Q',
'.-.': 'R', '...': 'S', '-': 'T', '..-': 'U', '...-': 'V', '.--': 'W',
'-..-':'X' , '-.--': 'Y', '--..': 'Z', '-----': '0', '.----': '1',
'..---': '2', '...--': '3', '....-': '4', '.....': '5', '-....': '6',
'--...': '7', '---..': '8', '----.': '9', '-....-': '-', '.--.-.': '@'
}
enc = 'woof woof bark ruff bark bark ruff woof woof bark ruff bark ruff woof woof ruff woof bark bark bark bark woof ruff woof bark bark ruff woof woof woof woof woof ruff woof woof bark ruff woof ruff bark woof woof bark woof bark ruff bark bark bark ruff woof ruff bark woof woof woof woof ruff woof bark woof bark ruff bark woof woof woof ruff woof woof woof woof woof ruff woof bark bark bark ruff woof bark bark bark bark woof'
enc = enc.split(' ')
code = ''
for e in enc:
if e == 'woof':
code += '-'
elif e == 'bark':
code += '.'
elif e == 'ruff':
code += ' '
print code
codes = code.split(' ')
dec = ''
for c in codes:
dec += morse[c]
print dec
実行結果は以下の通り。
--. .. --. . -- -....- -.. ----- --. - .--.-. ... - .---- -.-. .--- ----- -... -....- GIGEM-D0GT@ST1CJ0B-
GIGEM-D0GT@ST1CJ0B-
ALCAPONE (MISC)
Autopsyで開き、削除フォルダを抽出する。
vol2\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for flag5.zip
$ grep gigem{ -rl . ./flag18.txt $ cat flag18.txt | grep gigem{ oigigem{Ch4Nn3l_1Nn3R_3l10t_N3$$}khsutrghsiserg
gigem{Ch4Nn3l_1Nn3R_3l10t_N3$$}
VAULT (REVERSING)
$ ltrace ./vault malloc(26) = 0x55dd4dc57010 strlen("4428/L9~x:x{\037L\203T()\204\204x\205r/gv") = 26 malloc(27) = 0x55dd4dc57040 printf("%s", "Enter password: ") = 16 fgets(Enter password: abcd "abcd\n", 27, 0x7f04926058e0) = 0x55dd4dc57040 strcmp("gigem{p455w0rd_1n_m3m0ry1}", "abcd\n") = 6 puts("Sorry, that isn't the right pass"...Sorry, that isn't the right password. ) = 38 +++ exited (status 0) +++
gigem{p455w0rd_1n_m3m0ry1}
ETERNAL_GAME (CRYPTO)
$ nc challenges.tamuctf.com 8812 1. New Game 2. Claim Prize 3. Exit 1 Welcome the The Game. You are allowed to multiply the initial number (which is 1) by any number in the range 2-10. Make decisions wisely! You can only multiply by each number at most 5 times... so be careful. Also, at a random point during The Game, an asteroid will impact the Earth and The Game will be over. Feel free to get your proof of achievement and claim your prize at the main menu once you start reaching big numbers. Bet you can't beat my high score! 1. Multiply 2. Print current value 3. Get proof and quit 1 Multiplier: 2 1. Multiply 2. Print current value 3. Get proof and quit 1 Multiplier: 3 1. Multiply 2. Print current value 3. Get proof and quit 2 6 1. Multiply 2. Print current value 3. Get proof and quit 3 1ec356a3f23437e5350a1288a270bf221af33ec1c8b7d5147738e532534fb0b1ee5678e1cbba120b27b1d20c3ac5c2479be7b139b9181ead93fc841a50f8237b 1. New Game 2. Claim Prize 3. Exit 2 Input the number you reached: 1111111111111111111111111111111111111111111111111 Present the proof of your achievement: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Don't play games with me. I told you you couldn't beat my high score, so why are you even trying? 1. New Game 2. Claim Prize 3. Exit
サーバの処理の概要は以下の通り。
■1. New Game: new() ・x = 1 ・d = defaultdict(int) ・play_game() - game_running = True - 以下の繰り返し - 以下の選択 1. Multiply 2. Print current value 3. Get proof and quit - 1-20ランダム->10の場合、繰り返しから抜ける。 □1. Multiply: multiply() ※5回まで実施可能 ・m: 文字列入力(数値は2以上10以下) ・x: mを掛け算する。 □2. Print current value: print_value() ・xを表示 □3. Get proof and quit: get_proof() ・gen_hash(str(x)) - key(固定) + str(x) のsha512(hex) ■2. Claim Prize: prize() ・num: 文字列入力 ・proof: 文字列入力 ・num_hash = gen_hash(num) - key(固定) + num のsha512(hex) ・num = extract_int(num) - 文字列numの右から数字を取り出す。 (全部数字であれば、数値型になるだけ) ・proofとnum_hashが同じ場合は、以下を実行 ・num が high_socreより大きければ、フラグが表示される。 ・他、該当するメッセージが表示される。 ■3. Exit: exit()
Hash Length Extension Attackで攻略する。
import socket import hashpumpy def recvuntil(s, tail): data = '' while True: if tail in data: return data data += s.recv(1) new_high_score = '653086069891774904466108141306028536722619133808' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('challenges.tamuctf.com', 8812)) data = recvuntil(s, 'Exit\n').rstrip() print data print '1' s.sendall('1\n') data = recvuntil(s, 'quit\n').rstrip() print data print '1' s.sendall('1\n') data = recvuntil(s, ': \n').rstrip() print data print '2' s.sendall('2\n') data = recvuntil(s, 'quit\n').rstrip() print data print '2' s.sendall('2\n') data = recvuntil(s, 'quit\n').rstrip() print data print '3' s.sendall('3\n') data = recvuntil(s, '\n').rstrip() print data known_h = data.split('\n')[0] bad_msg = [ 'It sure is a good thing I wrote this in Python. Incredible!', 'This is becoming ridiculous... almost out of bounds on a 32 bit integer!', 'Into the millions!', 'Good start!', 'You can do better than that.', 'Don\'t play games with me. I told you you couldn\'t beat my high score, so why are you even trying?' ] for key_len in range(1, 33): print '[+] key length =', key_len h, d = hashpumpy.hashpump(known_h, '2', new_high_score, key_len) data = recvuntil(s, 'Exit\n').rstrip() print data print '2' s.sendall('2\n') data = recvuntil(s, ': \n').rstrip() print data print d s.sendall(d + '\n') data = recvuntil(s, ': \n').rstrip() print data print h s.sendall(h + '\n') data = recvuntil(s, '\n').rstrip() print data if data not in bad_msg: break
実行結果は以下の通り。
1. New Game
2. Claim Prize
3. Exit
1
Welcome the The Game. You are allowed to multiply the initial number (which is 1) by any
number in the range 2-10. Make decisions wisely! You can only multiply by each
number at most 5 times... so be careful. Also, at a random point during The Game, an asteroid
will impact the Earth and The Game will be over.
Feel free to get your proof of achievement and claim your prize at the main menu once
you start reaching big numbers. Bet you can't beat my high score!
1. Multiply
2. Print current value
3. Get proof and quit
1
Multiplier:
2
1. Multiply
2. Print current value
3. Get proof and quit
2
2
1. Multiply
2. Print current value
3. Get proof and quit
3
895ab034fb187bc945c4e1ade1ecaf4039ea6ac8f0f40446be67212fe70702f796727f6ff40b08ac7b9f3907108e0e680e42b2cfa2977a512cce659ff5c2a314
[+] key length = 1
1. New Game
2. Claim Prize
3. Exit
2
Input the number you reached:
2�653086069891774904466108141306028536722619133808
Present the proof of your achievement:
1789291a22fdf148cf6f29c1c3a532cd31736ac54b4ca6c86ed7729b2ba9cb7dfcbb1fad83773151d13f29973fcb1d219dbb1ef2ebacd204e3e9075d71ca0534
Don't play games with me. I told you you couldn't beat my high score, so why are you even trying?
[+] key length = 2
1. New Game
2. Claim Prize
3. Exit
2
Input the number you reached:
2�653086069891774904466108141306028536722619133808
Present the proof of your achievement:
1789291a22fdf148cf6f29c1c3a532cd31736ac54b4ca6c86ed7729b2ba9cb7dfcbb1fad83773151d13f29973fcb1d219dbb1ef2ebacd204e3e9075d71ca0534
Don't play games with me. I told you you couldn't beat my high score, so why are you even trying?
[+] key length = 3
1. New Game
2. Claim Prize
3. Exit
2
Input the number you reached:
2� 653086069891774904466108141306028536722619133808
Present the proof of your achievement:
1789291a22fdf148cf6f29c1c3a532cd31736ac54b4ca6c86ed7729b2ba9cb7dfcbb1fad83773151d13f29973fcb1d219dbb1ef2ebacd204e3e9075d71ca0534
Don't play games with me. I told you you couldn't beat my high score, so why are you even trying?
[+] key length = 4
1. New Game
2. Claim Prize
3. Exit
2
Input the number you reached:
2�(653086069891774904466108141306028536722619133808
Present the proof of your achievement:
1789291a22fdf148cf6f29c1c3a532cd31736ac54b4ca6c86ed7729b2ba9cb7dfcbb1fad83773151d13f29973fcb1d219dbb1ef2ebacd204e3e9075d71ca0534
Don't play games with me. I told you you couldn't beat my high score, so why are you even trying?
[+] key length = 5
1. New Game
2. Claim Prize
3. Exit
2
Input the number you reached:
2�0653086069891774904466108141306028536722619133808
Present the proof of your achievement:
1789291a22fdf148cf6f29c1c3a532cd31736ac54b4ca6c86ed7729b2ba9cb7dfcbb1fad83773151d13f29973fcb1d219dbb1ef2ebacd204e3e9075d71ca0534
Don't play games with me. I told you you couldn't beat my high score, so why are you even trying?
[+] key length = 6
1. New Game
2. Claim Prize
3. Exit
2
Input the number you reached:
2�8653086069891774904466108141306028536722619133808
Present the proof of your achievement:
1789291a22fdf148cf6f29c1c3a532cd31736ac54b4ca6c86ed7729b2ba9cb7dfcbb1fad83773151d13f29973fcb1d219dbb1ef2ebacd204e3e9075d71ca0534
Don't play games with me. I told you you couldn't beat my high score, so why are you even trying?
[+] key length = 7
1. New Game
2. Claim Prize
3. Exit
2
Input the number you reached:
2�@653086069891774904466108141306028536722619133808
Present the proof of your achievement:
1789291a22fdf148cf6f29c1c3a532cd31736ac54b4ca6c86ed7729b2ba9cb7dfcbb1fad83773151d13f29973fcb1d219dbb1ef2ebacd204e3e9075d71ca0534
Don't play games with me. I told you you couldn't beat my high score, so why are you even trying?
[+] key length = 8
1. New Game
2. Claim Prize
3. Exit
2
Input the number you reached:
2�H653086069891774904466108141306028536722619133808
Present the proof of your achievement:
1789291a22fdf148cf6f29c1c3a532cd31736ac54b4ca6c86ed7729b2ba9cb7dfcbb1fad83773151d13f29973fcb1d219dbb1ef2ebacd204e3e9075d71ca0534
Don't play games with me. I told you you couldn't beat my high score, so why are you even trying?
[+] key length = 9
1. New Game
2. Claim Prize
3. Exit
2
Input the number you reached:
2�P653086069891774904466108141306028536722619133808
Present the proof of your achievement:
1789291a22fdf148cf6f29c1c3a532cd31736ac54b4ca6c86ed7729b2ba9cb7dfcbb1fad83773151d13f29973fcb1d219dbb1ef2ebacd204e3e9075d71ca0534
Don't play games with me. I told you you couldn't beat my high score, so why are you even trying?
[+] key length = 10
1. New Game
2. Claim Prize
3. Exit
2
Input the number you reached:
2�X653086069891774904466108141306028536722619133808
Present the proof of your achievement:
1789291a22fdf148cf6f29c1c3a532cd31736ac54b4ca6c86ed7729b2ba9cb7dfcbb1fad83773151d13f29973fcb1d219dbb1ef2ebacd204e3e9075d71ca0534
gigem{a11_uR_h4sH_rR_be10nG_to_m3Ee3}
gigem{a11_uR_h4sH_rR_be10nG_to_m3Ee3}
UNCRACKABLE (CRYPTO)
問題はただの16進数の文字列。
e3f8e5110e29e6fde31a0861f0a4dd13530db5ffdd17113be6c2dd1c022f
XOR暗号と推測し、フラグがgigem{から始まることを前提に復号する。
enc = 'e3f8e5110e29e6fde31a0861f0a4dd13530db5ffdd17113be6c2dd1c022f'.decode('hex') flag_head = 'gigem{' key = [] for i in range(len(flag_head)): code = ord(flag_head[i]) ^ ord(enc[i]) key.append(code) flag = '' for i in range(len(enc)): code = ord(enc[i]) ^ key[i%len(key)] flag += chr(code) print flag
gigem{blank3t5_g0_1n_cribS_ha}
LEANING_TOWER (CRYPTO)
Ghidraでデコンパイルする。
int * __fastcall FUN_00402340(int *param_1) { undefined8 uVar1; byte bVar2; uint uVar3; int *this; uint *puVar4; int iVar5; int iVar6; int iVar7; int iVar8; int **in_FS_OFFSET; bool bVar9; __int64 _Var10; uint uStack60; undefined8 local_2c; uint local_20; undefined4 local_1c; int *local_18; uint *local_14; int *local_10; undefined *puStack12; undefined4 local_8; local_8 = 0xffffffff; puStack12 = &LAB_00405490; local_10 = *in_FS_OFFSET; uStack60 = DAT_00408000 ^ (uint)&stack0xfffffffc; local_14 = &uStack60; *(int ***)in_FS_OFFSET = &local_10; iVar6 = 0; local_1c = 0; iVar5 = *(int *)(*param_1 + 4); iVar8 = *(int *)(iVar5 + 0x24 + (int)param_1); uVar3 = *(uint *)(iVar5 + 0x20 + (int)param_1); if ((iVar8 < 0) || ((iVar8 < 1 && (((uVar3 == 0 || (iVar8 < 0)) || ((iVar8 < 1 && (uVar3 < 0x29)))))))) { uVar1 = movlpd(local_2c,ZEXT816(0)); local_2c._4_4_ = (int)((ulonglong)uVar1 >> 0x20); local_2c._0_4_ = (int *)(int)uVar1; iVar7 = (int)(int *)local_2c; iVar8 = local_2c._4_4_; } else { iVar7 = uVar3 - 0x28; iVar8 = iVar8 - (uint)(uVar3 < 0x28); } this = *(int **)(iVar5 + 0x38 + (int)param_1); local_2c = CONCAT44(local_2c._4_4_,param_1); local_18 = param_1; puVar4 = &uStack60; if (this != (int *)0x0) { local_18 = param_1; (**(code **)(*this + 4))(); puVar4 = local_14; } local_14 = puVar4; local_8 = 0; if (((*(int *)(*(int *)(*local_18 + 4) + 0xc + (int)local_18) == 0) && (this = *(int **)(*(int *)(*local_18 + 4) + 0x3c + (int)local_18), this != (int *)0x0)) && (this != local_18)) { flush((basic_ostream<char,struct_std::char_traits<char>_> *)this); } bVar9 = *(int *)(*(int *)(*local_18 + 4) + 0xc + (int)local_18) == 0; local_2c._0_5_ = CONCAT14(bVar9,(int *)local_2c); local_2c = local_2c & 0xffffff0000000000 | (ulonglong)(uint5)local_2c; if (!bVar9) { iVar6 = 4; goto LAB_004024ff; } local_8 = 2; if ((*(uint *)(*(int *)(*local_18 + 4) + 0x14 + (int)local_18) & 0x1c0) == 0x40) { LAB_00402455: _Var10 = sputn(*(basic_streambuf<char,struct_std::char_traits<char>_> **) (*(int *)(*local_18 + 4) + 0x38 + (int)local_18), "Winner! You should know the flag by now.",0x28);★ここの処理までくればよいが。。。 if (_Var10 == 0x28) { while( true ) { if ((iVar8 < 0) || ((iVar8 < 1 && (iVar7 == 0)))) goto LAB_004024c1; iVar5 = (int)local_18 + *(int *)(*local_18 + 4); bVar2 = *(byte *)(iVar5 + 0x40); local_20 = local_20 & 0xffffff00 | (uint)bVar2; iVar5 = sputc(*(basic_streambuf<char,struct_std::char_traits<char>_> **)(iVar5 + 0x38),bVar2 ); if (iVar5 == -1) break; bVar9 = iVar7 != 0; iVar7 = iVar7 + -1; iVar8 = iVar8 + -1 + (uint)bVar9; } iVar6 = 4; } else { iVar6 = 4; } } else { while( true ) { if ((iVar8 < 0) || ((iVar8 < 1 && (iVar7 == 0)))) goto LAB_00402451; bVar2 = *(byte *)(*(int *)(*local_18 + 4) + 0x40 + (int)local_18); local_20 = local_20 & 0xffffff00 | (uint)bVar2; iVar5 = sputc(*(basic_streambuf<char,struct_std::char_traits<char>_> **) (*(int *)(*local_18 + 4) + 0x38 + (int)local_18),bVar2); if (iVar5 == -1) break; bVar9 = iVar7 != 0; iVar7 = iVar7 + -1; iVar8 = iVar8 + -1 + (uint)bVar9; } iVar6 = 4; local_1c = 4; LAB_00402451: if (iVar6 == 0) goto LAB_00402455; } LAB_004024c1: iVar5 = *(int *)(*local_18 + 4); *(undefined4 *)(iVar5 + 0x20 + (int)local_18) = 0; *(undefined4 *)(iVar5 + 0x24 + (int)local_18) = 0; LAB_004024ff: local_8 = 1; setstate((basic_ios<char,struct_std::char_traits<char>_> *) (*(int *)(*local_18 + 4) + (int)local_18),iVar6,false); local_8 = 0xffffffff; bVar9 = uncaught_exception(); if (bVar9 == false) { _Osfx((basic_ostream<char,struct_std::char_traits<char>_> *)(int *)local_2c); } this = *(int **)(*(int *)(*(int *)local_2c + 4) + 0x38 + (int)(int *)local_2c); if (this != (int *)0x0) { (**(code **)(*this + 8))(); } *in_FS_OFFSET = local_10; return local_18; } void FUN_00401420(void) { char cVar1; uint uVar2; HMODULE hModule; FARPROC pFVar3; HANDLE hMem; int iVar4; BOOL BVar5; int **ppiVar6; undefined4 ****ppppuVar7; void **_Src; byte **ppbVar8; int *this; int **ppiVar9; undefined4 extraout_ECX; undefined4 extraout_ECX_00; undefined4 extraout_ECX_01; undefined4 extraout_ECX_02; byte **ppbVar10; int **in_FS_OFFSET; undefined4 uVar11; undefined4 uVar12; undefined4 uVar13; code *pcVar14; undefined auStack556 [4]; int local_228; void *local_224 [4]; undefined4 local_214; uint local_210; void *local_20c [4]; byte *local_1fc; void *local_1f8; int local_1f4; undefined4 ****local_1f0 [4]; uint local_1e0; uint local_1dc; undefined4 local_1d8; undefined4 local_1d4; undefined4 local_1d0; undefined4 local_1cc; undefined4 local_1c8; void *local_1c4 [4]; undefined4 local_1b4; uint local_1b0; undefined8 local_1a8; void *local_1a0 [5]; uint local_18c; undefined local_188; undefined4 local_178; undefined4 local_174; undefined local_170 [16]; undefined4 local_160; undefined4 local_15c; undefined local_158 [16]; undefined4 local_148; undefined4 local_144; undefined local_140 [16]; undefined4 local_130; undefined4 local_12c; undefined local_128 [16]; undefined4 local_118; undefined4 local_114; undefined local_110 [16]; undefined4 local_100; undefined4 local_fc; undefined local_f8 [16]; undefined4 local_e8; undefined4 local_e4; undefined local_e0 [16]; undefined4 local_d0; undefined4 local_cc; undefined local_c8 [16]; undefined4 local_b8; undefined4 local_b4; undefined local_b0 [16]; undefined4 local_a0; undefined4 local_9c; undefined local_98 [16]; undefined4 local_88; undefined4 local_84; undefined local_80 [16]; undefined4 local_70; undefined4 local_6c; undefined local_68 [16]; undefined4 local_58; undefined4 local_54; undefined local_50 [16]; undefined4 local_40; undefined4 local_3c; undefined local_38 [16]; undefined4 local_28; undefined4 local_24; uint local_1c; int *local_14; undefined *puStack16; undefined4 local_c; local_c = 0xffffffff; puStack16 = &LAB_00405429; local_14 = *in_FS_OFFSET; local_1c = DAT_00408000 ^ (uint)auStack556; uVar2 = DAT_00408000 ^ (uint)&stack0xfffffdc8; *(int ***)in_FS_OFFSET = &local_14; local_1f4 = 0; hModule = LoadLibraryW(L"ntdll.dll"); if ((hModule != (HMODULE)0x0) && (pFVar3 = GetProcAddress(hModule,"NtQueryInformationProcess"), pFVar3 != (FARPROC)0x0)) { uVar13 = 0; uVar12 = 4; this = &local_1f4; uVar11 = 7; hMem = GetCurrentProcess(); iVar4 = (*pFVar3)(hMem,uVar11,this,uVar12,uVar13,uVar2); if ((iVar4 == 0) && (local_1f4 != 0)) goto LAB_004014a7; } local_1dc = 0xf; local_1e0 = 0; local_1f0[0] = (undefined4 ****)((uint)local_1f0[0] & 0xffffff00); local_c = 0; BVar5 = OpenClipboard((HWND)0x0); if (BVar5 != 0) { hMem = GetClipboardData(1); ★クリップボード入力? ppiVar6 = (int **)GlobalLock(hMem); if (*(char *)ppiVar6 == 0) { ppiVar9 = (int **)0x0; } else { ppiVar9 = ppiVar6; do { cVar1 = *(char *)ppiVar9; ppiVar9 = (int **)((int)ppiVar9 + 1); } while (cVar1 != 0); ppiVar9 = (int **)((int)ppiVar9 - ((int)ppiVar6 + 1)); } FUN_00401ea0(local_1f0,ppiVar6,(int *)ppiVar9); GlobalUnlock(hMem); CloseClipboard(); } local_1f8 = (void *)0xf; local_1fc = (byte *)0x0; local_20c[0] = (void *)((uint)local_20c[0] & 0xffffff00); FUN_00401ea0(local_20c,(int **)"da39a3ee5e6b4b0d3255bfef95601890afd80709",(int *)0x28); local_1b0 = 0xf; local_1b4 = 0; local_1c4[0] = (void *)((uint)local_1c4[0] & 0xffffff00); local_c._0_1_ = 2; local_1d8 = 0x67452301; local_1d4 = 0xefcdab89; local_1d0 = 0x98badcfe; local_1cc = 0x10325476; local_1c8 = 0xc3d2e1f0; FUN_00401ea0(local_1c4,(int **)&PTR_004065d4,(int *)0x0); local_1a8 = movlpd(local_1a8,ZEXT816(0)); local_c._0_1_ = 3; local_174 = 0xf; local_178 = 0; local_188 = 0; FUN_00401ea0(&local_188,(int **)"9033bacfd0636139084ea80aa654113f3240f7fc",(int *)0x28); local_c._0_1_ = 4; local_15c = 0xf; local_160 = 0; local_170[0] = 0; FUN_00401ea0(local_170,(int **)"97f0f871be356f464bca862487e365d92fc507bb",(int *)0x28); local_c._0_1_ = 5; local_144 = 0xf; local_148 = 0; local_158[0] = 0; FUN_00401ea0(local_158,(int **)"11071c464490c8baaa979bf83e098f3318b36003",(int *)0x28); local_c._0_1_ = 6; local_12c = 0xf; local_130 = 0; local_140[0] = 0; FUN_00401ea0(local_140,(int **)"45fa0b57640f797ad28709cf7f3b495d61514418",(int *)0x28); local_c._0_1_ = 7; local_114 = 0xf; local_118 = 0; local_128[0] = 0; FUN_00401ea0(local_128,(int **)"2540407ace41adaaa279c9a9f8d900bd87a8aa5d",(int *)0x28); local_c._0_1_ = 8; local_fc = 0xf; local_100 = 0; local_110[0] = 0; FUN_00401ea0(local_110,(int **)"f4c50cd4475f6a1833180506817b4bbd45dc17f7",(int *)0x28); local_c._0_1_ = 9; local_e4 = 0xf; local_e8 = 0; local_f8[0] = 0; FUN_00401ea0(local_f8,(int **)"f0e8c88568fcb989f60f09f52b1aad1b7d2454b5",(int *)0x28); local_c._0_1_ = 10; local_cc = 0xf; local_d0 = 0; local_e0[0] = 0; FUN_00401ea0(local_e0,(int **)"744dde01735bc3d2b047d7d9fbc5662b97628f01",(int *)0x28); local_c._0_1_ = 0xb; local_b4 = 0xf; local_b8 = 0; local_c8[0] = 0; FUN_00401ea0(local_c8,(int **)"2cab6da567fa23426f81d54326ca537e5bd89d7e",(int *)0x28); local_c._0_1_ = 0xc; local_9c = 0xf; local_a0 = 0; local_b0[0] = 0; FUN_00401ea0(local_b0,(int **)"7f0bc15fb2695af18fd1e6c8df386f824cf67af9",(int *)0x28); local_c._0_1_ = 0xd; local_84 = 0xf; local_88 = 0; local_98[0] = 0; FUN_00401ea0(local_98,(int **)"2326181b6f80ba790e6f164190dfdda8106a31ff",(int *)0x28); local_c._0_1_ = 0xe; local_6c = 0xf; local_70 = 0; local_80[0] = 0; FUN_00401ea0(local_80,(int **)"59a7b725369a7d6af671b7ae79e2129e0517b289",(int *)0x28); local_c._0_1_ = 0xf; local_54 = 0xf; local_58 = 0; local_68[0] = 0; FUN_00401ea0(local_68,(int **)"b070a87bd15350073f989853d4f5aa234c563d11",(int *)0x28); local_c._0_1_ = 0x10; local_3c = 0xf; local_40 = 0; local_50[0] = 0; FUN_00401ea0(local_50,(int **)"72c77719d0ae83311c01914cdedcff2ebf06667b",(int *)0x28); local_c._0_1_ = 0x11; local_24 = 0xf; local_28 = 0; local_38[0] = 0; FUN_00401ea0(local_38,(int **)"5b8e4855bdc9d3bea82500fea95d4306d304dccb",(int *)0x28); local_228 = 0; ppbVar10 = &local_188; while( true ) { local_210 = 0xf; ppppuVar7 = local_1f0; if (0xf < local_1dc) { ppppuVar7 = local_1f0[0]; } local_214 = 1; local_224[0] = (void *)((uint)local_224[0] & 0xffff0000 | (uint)*(byte *)((int)ppppuVar7 + local_228)); local_c._0_1_ = 0x13; FUN_004036b0(&local_1d8,local_224); local_c._0_1_ = 0x12; if (0xf < local_210) { operator_delete(local_224[0]); } FUN_004038b0(&local_1d8,local_1a0); local_c = CONCAT31(local_c._1_3_,0x14); _Src = (void **)FUN_004012b0(local_224,local_1a0,local_20c); uVar11 = extraout_ECX; if (local_20c != _Src) { uVar11 = extraout_ECX; if ((void *)0xf < local_1f8) { operator_delete(local_20c[0]); uVar11 = extraout_ECX_00; } local_1f8 = (void *)0xf; local_1fc = (byte *)0x0; local_20c[0] = (void *)((uint)local_20c[0] & 0xffffff00); if (_Src[5] < (void *)0x10) { if ((int)_Src[4] + 1U != 0) { memmove(local_20c,_Src,(int)_Src[4] + 1U); uVar11 = extraout_ECX_01; } } else { local_20c[0] = *_Src; *_Src = (void *)0x0; } local_1fc = (byte *)_Src[4]; local_1f8 = _Src[5]; _Src[5] = (void *)0xf; _Src[4] = (void *)0x0; *(undefined *)_Src = 0; } if (0xf < local_210) { operator_delete(local_224[0]); uVar11 = extraout_ECX_02; } ppbVar8 = ppbVar10; if ((byte *)0xf < ppbVar10[5]) { ppbVar8 = (byte **)*ppbVar10; } uVar2 = FUN_00401d50(local_20c,uVar11,local_1fc,ppbVar8,ppbVar10[4]); if (uVar2 != 0) break; local_c._0_1_ = 0x12; if (0xf < local_18c) { operator_delete(local_1a0[0]); } ppbVar10 = ppbVar10 + 6; local_228 = local_228 + 1; if (0xd < local_228) { if (local_1e0 < 0xf) { pcVar14 = FUN_00402560; this = FUN_00402340((int *)cout_exref); operator<<((basic_ostream<char,struct_std::char_traits<char>_> *)this,pcVar14); local_c = CONCAT31(local_c._1_3_,3); `eh_vector_destructor_iterator'(&local_188,0x18,0xf,(FuncDef4 *)0x401c00); if (0xf < local_1b0) { operator_delete(local_1c4[0]); } local_1b0 = 0xf; local_1b4 = 0; local_1c4[0] = (void *)((uint)local_1c4[0] & 0xffffff00); if ((void *)0xf < local_1f8) { operator_delete(local_20c[0]); } local_1f8 = (void *)0xf; local_1fc = (byte *)0x0; local_20c[0] = (void *)((uint)local_20c[0] & 0xffffff00); if (0xf < local_1dc) { operator_delete(local_1f0[0]); } *in_FS_OFFSET = local_14; FUN_0040498a(); return; } /* WARNING: Subroutine does not return */ exit(0); } } LAB_004014a7: /* WARNING: Subroutine does not return */ exit(0); }
クリップボードが入力になっているようだったが、文字をいろいろとコピーして、実行しても反応がない。コードを読んでみたが、あまり追えなかったので、推測しながら試行してみる。
sha1のような文字列はそのままでは1文字のsha1にはならない。14文字のフラグとのことだが、sha1のような文字列は16個ある。最後の文字列を除き、前後の文字列のXORを取ったものになる文字を割り出していけば、フラグにならないか試してみる。
import hashlib h_list = [ 'da39a3ee5e6b4b0d3255bfef95601890afd80709', '9033bacfd0636139084ea80aa654113f3240f7fc', '97f0f871be356f464bca862487e365d92fc507bb', '11071c464490c8baaa979bf83e098f3318b36003', '45fa0b57640f797ad28709cf7f3b495d61514418', '2540407ace41adaaa279c9a9f8d900bd87a8aa5d', 'f4c50cd4475f6a1833180506817b4bbd45dc17f7', 'f0e8c88568fcb989f60f09f52b1aad1b7d2454b5', '744dde01735bc3d2b047d7d9fbc5662b97628f01', '2cab6da567fa23426f81d54326ca537e5bd89d7e', '7f0bc15fb2695af18fd1e6c8df386f824cf67af9', '2326181b6f80ba790e6f164190dfdda8106a31ff', '59a7b725369a7d6af671b7ae79e2129e0517b289', 'b070a87bd15350073f989853d4f5aa234c563d11', '72c77719d0ae83311c01914cdedcff2ebf06667b', '5b8e4855bdc9d3bea82500fea95d4306d304dccb' ] chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&()*+,-./:;<=>?@[\]^_{}~' dic = {} for c in chars: dic[hashlib.sha1(c).hexdigest()] = c flag = '' for i in range(len(h_list) - 2): h = hex(int(h_list[i], 16) ^ int(h_list[i+1], 16))[2:].rstrip('L').zfill(40) flag += dic[h] print flag
flag{nice_job}
