この大会は2020/9/19 9:00(JST)~2020/9/21 9:00(JST)に開催されました。
今回もチームで参戦。結果は597点で648チーム中80位でした。
自分で解けた問題をWriteupとして書いておきます。
Welcome!! (Warmup)
問題にフラグが書いてあった。
TWCTF{Welcome_to_TWCTF_2020!!!}
Reversing iS Amazing (Reverse, Warmup)
Ghidraでデコンパイルする。
undefined8 FUN_00100a6a(int param_1,long param_2) { int iVar1; undefined8 uVar2; size_t sVar3; long lVar4; undefined8 *puVar5; undefined8 *puVar6; long in_FS_OFFSET; EVP_PKEY *local_b10; rsa_st *local_b08; BIO *local_b00; undefined local_af8; undefined local_af7; undefined local_af6; undefined local_af5; undefined local_af4; undefined local_af3; undefined local_af2; undefined local_af1; undefined local_af0; undefined local_aef; undefined local_aee; undefined local_aed; undefined local_aec; undefined local_aeb; undefined local_aea; undefined local_ae9; undefined local_ae8; undefined local_ae7; undefined local_ae6; undefined local_ae5; undefined local_ae4; undefined local_ae3; undefined local_ae2; undefined local_ae1; undefined local_ae0; undefined local_adf; undefined local_ade; undefined local_add; undefined local_adc; undefined local_adb; undefined local_ada; undefined local_ad9; undefined local_ad8; undefined local_ad7; undefined local_ad6; undefined local_ad5; undefined local_ad4; undefined local_ad3; undefined local_ad2; undefined local_ad1; undefined local_ad0; undefined local_acf; undefined local_ace; undefined local_acd; undefined local_acc; undefined local_acb; undefined local_aca; undefined local_ac9; undefined local_ac8; undefined local_ac7; undefined local_ac6; undefined local_ac5; undefined local_ac4; undefined local_ac3; undefined local_ac2; undefined local_ac1; undefined local_ac0; undefined local_abf; undefined local_abe; undefined local_abd; undefined local_abc; undefined local_abb; undefined local_aba; undefined local_ab9; undefined local_ab8; undefined local_ab7; undefined local_ab6; undefined local_ab5; undefined local_ab4; undefined local_ab3; undefined local_ab2; undefined local_ab1; undefined local_ab0; undefined local_aaf; undefined local_aae; undefined local_aad; undefined local_aac; undefined local_aab; undefined local_aaa; undefined local_aa9; undefined local_aa8; undefined local_aa7; undefined local_aa6; undefined local_aa5; undefined local_aa4; undefined local_aa3; undefined local_aa2; undefined local_aa1; undefined local_aa0; undefined local_a9f; undefined local_a9e; undefined local_a9d; undefined local_a9c; undefined local_a9b; undefined local_a9a; undefined local_a99; undefined local_a98; undefined local_a97; undefined local_a96; undefined local_a95; undefined local_a94; undefined local_a93; undefined local_a92; undefined local_a91; undefined local_a90; undefined local_a8f; undefined local_a8e; undefined local_a8d; undefined local_a8c; undefined local_a8b; undefined local_a8a; undefined local_a89; undefined local_a88; undefined local_a87; undefined local_a86; undefined local_a85; undefined local_a84; undefined local_a83; undefined local_a82; undefined local_a81; undefined local_a80; undefined local_a7f; undefined local_a7e; undefined local_a7d; undefined local_a7c; undefined local_a7b; undefined local_a7a; undefined local_a79; undefined8 local_a78 [76]; uchar local_818 [1024]; uchar local_418 [1032]; long local_10; local_10 = *(long *)(in_FS_OFFSET + 0x28); local_af8 = 0x6f; local_af7 = 0x86; local_af6 = 0xe4; local_af5 = 0x96; local_af4 = 0x29; local_af3 = 0xbe; local_af2 = 0x8a; local_af1 = 0x5e; local_af0 = 0x21; local_aef = 0xe2; local_aee = 0xc0; local_aed = 0xda; local_aec = 0x25; local_aeb = 0xb7; local_aea = 0x95; local_ae9 = 0xe0; local_ae8 = 0x5f; local_ae7 = 10; local_ae6 = 0x6c; local_ae5 = 0xe9; local_ae4 = 0x44; local_ae3 = 0xdb; local_ae2 = 0x12; local_ae1 = 0x4c; local_ae0 = 0x3a; local_adf = 0x6c; local_ade = 0x14; local_add = 0x87; local_adc = 0xc6; local_adb = 0x36; local_ada = 0x6b; local_ad9 = 0x6d; local_ad8 = 0x95; local_ad7 = 6; local_ad6 = 0x1c; local_ad5 = 0x2d; local_ad4 = 0x11; local_ad3 = 0x9e; local_ad2 = 0xf8; local_ad1 = 0x72; local_ad0 = 0xcc; local_acf = 0x9b; local_ace = 0x74; local_acd = 0x87; local_acc = 0x73; local_acb = 0xa7; local_aca = 0x52; local_ac9 = 0x72; local_ac8 = 0xc; local_ac7 = 0x5b; local_ac6 = 0x92; local_ac5 = 0x8d; local_ac4 = 0x7c; local_ac3 = 0xa9; local_ac2 = 0x35; local_ac1 = 0xeb; local_ac0 = 0xc5; local_abf = 0xd6; local_abe = 0x1e; local_abd = 0x1c; local_abc = 0x9e; local_abb = 0x7e; local_aba = 0xd3; local_ab9 = 0x6e; local_ab8 = 0x43; local_ab7 = 0x35; local_ab6 = 0x93; local_ab5 = 0xd0; local_ab4 = 0x6c; local_ab3 = 0x26; local_ab2 = 0xb4; local_ab1 = 0x95; local_ab0 = 0xe5; local_aaf = 0x99; local_aae = 0x28; local_aad = 99; local_aac = 0x5e; local_aab = 0xeb; local_aaa = 0xad; local_aa9 = 0x40; local_aa8 = 0xce; local_aa7 = 0x26; local_aa6 = 0x67; local_aa5 = 0xf7; local_aa4 = 0x32; local_aa3 = 0xb2; local_aa2 = 3; local_aa1 = 0xd; local_aa0 = 0x30; local_a9f = 0x24; local_a9e = 0x93; local_a9d = 0x84; local_a9c = 0x3a; local_a9b = 0x19; local_a9a = 0xac; local_a99 = 0x6f; local_a98 = 0x11; local_a97 = 0xbb; local_a96 = 0xb; local_a95 = 0x5b; local_a94 = 0x41; local_a93 = 0x8d; local_a92 = 0x9d; local_a91 = 0x49; local_a90 = 0x1a; local_a8f = 0xb1; local_a8e = 0x21; local_a8d = 0xd9; local_a8c = 0x79; local_a8b = 0x43; local_a8a = 0xbc; local_a89 = 0x83; local_a88 = 0x1c; local_a87 = 0x36; local_a86 = 0x98; local_a85 = 0xb9; local_a84 = 0x5a; local_a83 = 0x53; local_a82 = 0xd9; local_a81 = 0xf4; local_a80 = 0xa3; local_a7f = 0x99; local_a7e = 0x34; local_a7d = 0x67; local_a7c = 0xa2; local_a7b = 0x8b; local_a7a = 0xce; local_a79 = 6; lVar4 = 0x4c; puVar5 = &DAT_00101100; puVar6 = local_a78; while (lVar4 != 0) { lVar4 = lVar4 + -1; *puVar6 = *puVar5; puVar5 = puVar5 + 1; puVar6 = puVar6 + 1; } if (param_1 == 2) { sVar3 = strlen(*(char **)(param_2 + 8)); memcpy(local_418,*(void **)(param_2 + 8),(long)(int)sVar3); local_b08 = (rsa_st *)0x0; local_b10 = (EVP_PKEY *)0x0; local_b00 = (BIO *)0x0; local_b00 = BIO_new_mem_buf(local_a78,0x260); if (local_b00 == (BIO *)0x0) { uVar2 = 1; } else { local_b10 = d2i_PrivateKey_bio(local_b00,&local_b10); if (local_b10 == (EVP_PKEY *)0x0) { uVar2 = 1; } else { local_b08 = EVP_PKEY_get1_RSA(local_b10); if (local_b08 == (rsa_st *)0x0) { uVar2 = 1; } else { iVar1 = RSA_private_encrypt((int)sVar3,local_418,local_818,(RSA *)local_b08,1); if (iVar1 < 0) { uVar2 = 1; } else { iVar1 = memcmp(local_818,&local_af8,(long)iVar1); if (iVar1 == 0) { puts("Correct!"); } else { puts("Incorrect!"); } RSA_free((RSA *)local_b08); EVP_PKEY_free(local_b10); BIO_free_all(local_b00); uVar2 = 0; } } } } } else { printf("./rsa TWCTF{*****************************}"); uVar2 = 1; } if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) { /* WARNING: Subroutine does not return */ __stack_chk_fail(); } return uVar2; } DAT_00101100 XREF[3]: FUN_00100a6a:00100e18(*), FUN_00100a6a:00100e27(*), FUN_00100a6a:00100e2a(R) 00101100 30 82 02 undefined8 020001025C028230h 5c 02 01 00 02 00101108 81 ?? 81h 00101109 81 ?? 81h 0010110a 00 ?? 00h 0010110b ae ?? AEh 0010110c 68 ?? 68h h 0010110d 61 ?? 61h a 0010110e d4 ?? D4h 0010110f 73 ?? 73h s 00101110 a6 ?? A6h 00101111 33 ?? 33h 3 00101112 31 ?? 31h 1 00101113 33 ?? 33h 3 00101114 c2 ?? C2h 00101115 1a ?? 1Ah 00101116 5e ?? 5Eh ^ 00101117 be ?? BEh 00101118 f5 ?? F5h 00101119 ec ?? ECh 0010111a 90 ?? 90h 0010111b ea ?? EAh 0010111c 85 ?? 85h 0010111d 77 ?? 77h w 0010111e ea ?? EAh 0010111f c2 ?? C2h 00101120 db ?? DBh 00101121 62 ?? 62h b 00101122 73 ?? 73h s 00101123 b5 ?? B5h 00101124 29 ?? 29h ) 00101125 5d ?? 5Dh ] 00101126 c2 ?? C2h 00101127 bb ?? BBh 00101128 3a ?? 3Ah : 00101129 3c ?? 3Ch < 0010112a d1 ?? D1h 0010112b 50 ?? 50h P 0010112c bb ?? BBh 0010112d d4 ?? D4h 0010112e d4 ?? D4h 0010112f 9e ?? 9Eh 00101130 ee ?? EEh 00101131 33 ?? 33h 3 00101132 dd ?? DDh 00101133 3b ?? 3Bh ; 00101134 30 ?? 30h 0 00101135 45 ?? 45h E 00101136 3c ?? 3Ch < 00101137 eb ?? EBh 00101138 be ?? BEh 00101139 f1 ?? F1h 0010113a 1f ?? 1Fh 0010113b 67 ?? 67h g 0010113c e4 ?? E4h 0010113d 05 ?? 05h 0010113e 5c ?? 5Ch \ 0010113f 8b ?? 8Bh 00101140 9c ?? 9Ch 00101141 6f ?? 6Fh o 00101142 3a ?? 3Ah : 00101143 56 ?? 56h V 00101144 ba ?? BAh 00101145 e2 ?? E2h 00101146 ba ?? BAh 00101147 ec ?? ECh 00101148 9a ?? 9Ah 00101149 a7 ?? A7h 0010114a d0 ?? D0h 0010114b 43 ?? 43h C 0010114c ed ?? EDh 0010114d bc ?? BCh 0010114e 27 ?? 27h ' 0010114f 50 ?? 50h P 00101150 46 ?? 46h F 00101151 c8 ?? C8h 00101152 40 ?? 40h @ 00101153 92 ?? 92h 00101154 2e ?? 2Eh . 00101155 87 ?? 87h 00101156 b6 ?? B6h 00101157 24 ?? 24h $ 00101158 e3 ?? E3h 00101159 f4 ?? F4h 0010115a c3 ?? C3h 0010115b 1b ?? 1Bh 0010115c d6 ?? D6h 0010115d bd ?? BDh 0010115e ad ?? ADh 0010115f 55 ?? 55h U 00101160 a4 ?? A4h 00101161 51 ?? 51h Q 00101162 64 ?? 64h d 00101163 23 ?? 23h # 00101164 10 ?? 10h 00101165 d1 ?? D1h 00101166 6c ?? 6Ch l 00101167 14 ?? 14h 00101168 fd ?? FDh 00101169 35 ?? 35h 5 0010116a a8 ?? A8h 0010116b 18 ?? 18h 0010116c a1 ?? A1h 0010116d 9f ?? 9Fh 0010116e ab ?? ABh 0010116f 33 ?? 33h 3 00101170 14 ?? 14h 00101171 f9 ?? F9h 00101172 3e ?? 3Eh > 00101173 50 ?? 50h P 00101174 34 ?? 34h 4 00101175 c4 ?? C4h 00101176 3c ?? 3Ch < 00101177 28 ?? 28h ( 00101178 b6 ?? B6h 00101179 10 ?? 10h 0010117a d2 ?? D2h 0010117b fc ?? FCh 0010117c 90 ?? 90h 0010117d 9b ?? 9Bh 0010117e 97 ?? 97h 0010117f 60 ?? 60h ` 00101180 d5 ?? D5h 00101181 9a ?? 9Ah 00101182 13 ?? 13h 00101183 e5 ?? E5h 00101184 3e ?? 3Eh > 00101185 bf ?? BFh 00101186 38 ?? 38h 8 00101187 d0 ?? D0h 00101188 52 ?? 52h R 00101189 66 ?? 66h f 0010118a 7d ?? 7Dh } 0010118b 02 ?? 02h 0010118c 03 ?? 03h 0010118d 01 ?? 01h 0010118e 00 ?? 00h 0010118f 01 ?? 01h 00101190 02 ?? 02h 00101191 81 ?? 81h 00101192 80 ?? 80h 00101193 03 ?? 03h 00101194 7e ?? 7Eh ~ 00101195 81 ?? 81h 00101196 df ?? DFh 00101197 40 ?? 40h @ 00101198 c5 ?? C5h 00101199 e6 ?? E6h 0010119a a6 ?? A6h 0010119b a8 ?? A8h 0010119c b3 ?? B3h 0010119d cd ?? CDh 0010119e d5 ?? D5h 0010119f 72 ?? 72h r 001011a0 1b ?? 1Bh 001011a1 f9 ?? F9h 001011a2 36 ?? 36h 6 001011a3 5a ?? 5Ah Z 001011a4 0c ?? 0Ch 001011a5 7c ?? 7Ch | 001011a6 7f ?? 7Fh 001011a7 8e ?? 8Eh 001011a8 91 ?? 91h 001011a9 d8 ?? D8h 001011aa a2 ?? A2h 001011ab 1a ?? 1Ah 001011ac d2 ?? D2h 001011ad 0e ?? 0Eh 001011ae 57 ?? 57h W 001011af d5 ?? D5h 001011b0 6a ?? 6Ah j 001011b1 70 ?? 70h p 001011b2 47 ?? 47h G 001011b3 7d ?? 7Dh } 001011b4 47 ?? 47h G 001011b5 96 ?? 96h 001011b6 17 ?? 17h 001011b7 00 ?? 00h 001011b8 6c ?? 6Ch l 001011b9 23 ?? 23h # 001011ba 4b ?? 4Bh K 001011bb de ?? DEh 001011bc 60 ?? 60h ` 001011bd b4 ?? B4h 001011be 32 ?? 32h 2 001011bf 69 ?? 69h i 001011c0 42 ?? 42h B 001011c1 b5 ?? B5h 001011c2 0f ?? 0Fh 001011c3 fd ?? FDh 001011c4 03 ?? 03h 001011c5 db ?? DBh 001011c6 7b ?? 7Bh { 001011c7 a4 ?? A4h 001011c8 2c ?? 2Ch , 001011c9 69 ?? 69h i 001011ca 2a ?? 2Ah * 001011cb 11 ?? 11h 001011cc 0c ?? 0Ch 001011cd c3 ?? C3h 001011ce 78 ?? 78h x 001011cf 1d ?? 1Dh 001011d0 3f ?? 3Fh ? 001011d1 67 ?? 67h g 001011d2 f7 ?? F7h 001011d3 42 ?? 42h B 001011d4 bc ?? BCh 001011d5 ba ?? BAh 001011d6 38 ?? 38h 8 001011d7 ae ?? AEh 001011d8 cc ?? CCh 001011d9 26 ?? 26h & 001011da db ?? DBh 001011db ca ?? CAh 001011dc 81 ?? 81h 001011dd 1e ?? 1Eh 001011de 49 ?? 49h I 001011df fd ?? FDh 001011e0 fa ?? FAh 001011e1 06 ?? 06h 001011e2 bd ?? BDh 001011e3 32 ?? 32h 2 001011e4 83 ?? 83h 001011e5 3b ?? 3Bh ; 001011e6 9e ?? 9Eh 001011e7 66 ?? 66h f 001011e8 1e ?? 1Eh 001011e9 9b ?? 9Bh 001011ea 8b ?? 8Bh 001011eb 4f ?? 4Fh O 001011ec f5 ?? F5h 001011ed 04 ?? 04h 001011ee 5e ?? 5Eh ^ 001011ef 81 ?? 81h 001011f0 da ?? DAh 001011f1 69 ?? 69h i 001011f2 db ?? DBh 001011f3 91 ?? 91h 001011f4 7e ?? 7Eh ~ 001011f5 0f ?? 0Fh 001011f6 96 ?? 96h 001011f7 69 ?? 69h i 001011f8 a1 ?? A1h 001011f9 51 ?? 51h Q 001011fa 93 ?? 93h 001011fb b3 ?? B3h 001011fc 50 ?? 50h P 001011fd f4 ?? F4h 001011fe 84 ?? 84h 001011ff 10 ?? 10h 00101200 d8 ?? D8h 00101201 49 ?? 49h I 00101202 24 ?? 24h $ 00101203 c6 ?? C6h 00101204 b0 ?? B0h 00101205 51 ?? 51h Q 00101206 2b ?? 2Bh + 00101207 bc ?? BCh 00101208 7a ?? 7Ah z 00101209 e0 ?? E0h 0010120a 26 ?? 26h & 0010120b df ?? DFh 0010120c 42 ?? 42h B 0010120d ef ?? EFh 0010120e bb ?? BBh 0010120f 9b ?? 9Bh 00101210 57 ?? 57h W 00101211 e2 ?? E2h 00101212 dd ?? DDh 00101213 02 ?? 02h 00101214 41 ?? 41h A 00101215 00 ?? 00h 00101216 d9 ?? D9h 00101217 8b ?? 8Bh 00101218 83 ?? 83h 00101219 a9 ?? A9h 0010121a f6 ?? F6h 0010121b bd ?? BDh 0010121c 94 ?? 94h 0010121d cc ?? CCh 0010121e ef ?? EFh 0010121f 93 ?? 93h 00101220 34 ?? 34h 4 00101221 5a ?? 5Ah Z 00101222 35 ?? 35h 5 00101223 ee ?? EEh 00101224 8b ?? 8Bh 00101225 b3 ?? B3h 00101226 4e ?? 4Eh N 00101227 32 ?? 32h 2 00101228 41 ?? 41h A 00101229 7c ?? 7Ch | 0010122a c6 ?? C6h 0010122b 9c ?? 9Ch 0010122c 2a ?? 2Ah * 0010122d 5e ?? 5Eh ^ 0010122e f0 ?? F0h 0010122f 97 ?? 97h 00101230 c2 ?? C2h 00101231 45 ?? 45h E 00101232 3d ?? 3Dh = 00101233 8f ?? 8Fh 00101234 68 ?? 68h h 00101235 1e ?? 1Eh 00101236 34 ?? 34h 4 00101237 b7 ?? B7h 00101238 b0 ?? B0h 00101239 5f ?? 5Fh _ 0010123a af ?? AFh 0010123b 5e ?? 5Eh ^ 0010123c 9e ?? 9Eh 0010123d fd ?? FDh 0010123e 41 ?? 41h A 0010123f b8 ?? B8h 00101240 ee ?? EEh 00101241 5c ?? 5Ch \ 00101242 8b ?? 8Bh 00101243 5a ?? 5Ah Z 00101244 ca ?? CAh 00101245 4e ?? 4Eh N 00101246 b7 ?? B7h 00101247 51 ?? 51h Q 00101248 7a ?? 7Ah z 00101249 de ?? DEh 0010124a 57 ?? 57h W 0010124b 21 ?? 21h ! 0010124c 37 ?? 37h 7 0010124d aa ?? AAh 0010124e 40 ?? 40h @ 0010124f 9e ?? 9Eh 00101250 23 ?? 23h # 00101251 0a ?? 0Ah 00101252 51 ?? 51h Q 00101253 1d ?? 1Dh 00101254 ed ?? EDh 00101255 6b ?? 6Bh k 00101256 02 ?? 02h 00101257 41 ?? 41h A 00101258 00 ?? 00h 00101259 cd ?? CDh 0010125a 3c ?? 3Ch < 0010125b cb ?? CBh 0010125c 39 ?? 39h 9 0010125d 7e ?? 7Eh ~ 0010125e ce ?? CEh 0010125f df ?? DFh 00101260 9f ?? 9Fh 00101261 d2 ?? D2h 00101262 c8 ?? C8h 00101263 67 ?? 67h g 00101264 9d ?? 9Dh 00101265 64 ?? 64h d 00101266 86 ?? 86h 00101267 22 ?? 22h " 00101268 d3 ?? D3h 00101269 e5 ?? E5h 0010126a bc ?? BCh 0010126b 3f ?? 3Fh ? 0010126c 0a ?? 0Ah 0010126d 33 ?? 33h 3 0010126e 32 ?? 32h 2 0010126f b8 ?? B8h 00101270 e0 ?? E0h 00101271 3f ?? 3Fh ? 00101272 dc ?? DCh 00101273 a0 ?? A0h 00101274 7f ?? 7Fh 00101275 e6 ?? E6h 00101276 a6 ?? A6h 00101277 fc ?? FCh 00101278 87 ?? 87h 00101279 df ?? DFh 0010127a 4e ?? 4Eh N 0010127b 86 ?? 86h 0010127c 80 ?? 80h 0010127d 81 ?? 81h 0010127e 3a ?? 3Ah : 0010127f e4 ?? E4h 00101280 e0 ?? E0h 00101281 5e ?? 5Eh ^ 00101282 e1 ?? E1h 00101283 41 ?? 41h A 00101284 1a ?? 1Ah 00101285 d0 ?? D0h 00101286 f4 ?? F4h 00101287 b8 ?? B8h 00101288 c2 ?? C2h 00101289 4e ?? 4Eh N 0010128a 00 ?? 00h 0010128b 91 ?? 91h 0010128c 9a ?? 9Ah 0010128d 1a ?? 1Ah 0010128e f0 ?? F0h 0010128f 1e ?? 1Eh 00101290 38 ?? 38h 8 00101291 9f ?? 9Fh 00101292 ca ?? CAh 00101293 55 ?? 55h U 00101294 e2 ?? E2h 00101295 a3 ?? A3h 00101296 2d ?? 2Dh - 00101297 cd ?? CDh 00101298 b7 ?? B7h 00101299 02 ?? 02h 0010129a 41 ?? 41h A 0010129b 00 ?? 00h 0010129c 81 ?? 81h 0010129d 29 ?? 29h ) 0010129e 7b ?? 7Bh { 0010129f 77 ?? 77h w 001012a0 eb ?? EBh 001012a1 5e ?? 5Eh ^ 001012a2 ae ?? AEh 001012a3 3d ?? 3Dh = 001012a4 6b ?? 6Bh k 001012a5 35 ?? 35h 5 001012a6 0c ?? 0Ch 001012a7 4d ?? 4Dh M 001012a8 4f ?? 4Fh O 001012a9 5e ?? 5Eh ^ 001012aa 1d ?? 1Dh 001012ab a5 ?? A5h 001012ac cd ?? CDh 001012ad 14 ?? 14h 001012ae bb ?? BBh 001012af 9b ?? 9Bh 001012b0 18 ?? 18h 001012b1 d4 ?? D4h 001012b2 d9 ?? D9h 001012b3 b7 ?? B7h 001012b4 5a ?? 5Ah Z 001012b5 c3 ?? C3h 001012b6 cf ?? CFh 001012b7 fd ?? FDh 001012b8 8a ?? 8Ah 001012b9 4a ?? 4Ah J 001012ba 5d ?? 5Dh ] 001012bb f8 ?? F8h 001012bc 29 ?? 29h ) 001012bd 36 ?? 36h 6 001012be b2 ?? B2h 001012bf ca ?? CAh 001012c0 6c ?? 6Ch l 001012c1 f6 ?? F6h 001012c2 12 ?? 12h 001012c3 11 ?? 11h 001012c4 ad ?? ADh 001012c5 f6 ?? F6h 001012c6 dd ?? DDh 001012c7 d7 ?? D7h 001012c8 26 ?? 26h & 001012c9 8a ?? 8Ah 001012ca 36 ?? 36h 6 001012cb 39 ?? 39h 9 001012cc bc ?? BCh 001012cd 4f ?? 4Fh O 001012ce ed ?? EDh 001012cf 52 ?? 52h R 001012d0 9b ?? 9Bh 001012d1 8a ?? 8Ah 001012d2 c6 ?? C6h 001012d3 61 ?? 61h a 001012d4 18 ?? 18h 001012d5 52 ?? 52h R 001012d6 8b ?? 8Bh 001012d7 dd ?? DDh 001012d8 71 ?? 71h q 001012d9 42 ?? 42h B 001012da 02 ?? 02h 001012db 97 ?? 97h 001012dc 02 ?? 02h 001012dd 40 ?? 40h @ 001012de 12 ?? 12h 001012df ad ?? ADh 001012e0 51 ?? 51h Q 001012e1 a1 ?? A1h 001012e2 2d ?? 2Dh - 001012e3 d5 ?? D5h 001012e4 0d ?? 0Dh 001012e5 ac ?? ACh 001012e6 b1 ?? B1h 001012e7 b5 ?? B5h 001012e8 e3 ?? E3h 001012e9 18 ?? 18h 001012ea 03 ?? 03h 001012eb a9 ?? A9h 001012ec e1 ?? E1h 001012ed 49 ?? 49h I 001012ee 7f ?? 7Fh 001012ef 42 ?? 42h B 001012f0 9e ?? 9Eh 001012f1 4a ?? 4Ah J 001012f2 03 ?? 03h 001012f3 56 ?? 56h V 001012f4 be ?? BEh 001012f5 54 ?? 54h T 001012f6 49 ?? 49h I 001012f7 fb ?? FBh 001012f8 7d ?? 7Dh } 001012f9 ef ?? EFh 001012fa a5 ?? A5h 001012fb c1 ?? C1h 001012fc d4 ?? D4h 001012fd 81 ?? 81h 001012fe 58 ?? 58h X 001012ff e5 ?? E5h 00101300 00 ?? 00h 00101301 80 ?? 80h 00101302 79 ?? 79h y 00101303 42 ?? 42h B 00101304 2e ?? 2Eh . 00101305 c9 ?? C9h 00101306 ec ?? ECh 00101307 58 ?? 58h X 00101308 7b ?? 7Bh { 00101309 60 ?? 60h ` 0010130a 41 ?? 41h A 0010130b 5b ?? 5Bh [ 0010130c c3 ?? C3h 0010130d e4 ?? E4h 0010130e 8a ?? 8Ah 0010130f cc ?? CCh 00101310 aa ?? AAh 00101311 73 ?? 73h s 00101312 67 ?? 67h g 00101313 b8 ?? B8h 00101314 2a ?? 2Ah * 00101315 47 ?? 47h G 00101316 e4 ?? E4h 00101317 e2 ?? E2h 00101318 b8 ?? B8h 00101319 e6 ?? E6h 0010131a 23 ?? 23h # 0010131b 0b ?? 0Bh 0010131c 6c ?? 6Ch l 0010131d 09 ?? 09h 0010131e 02 ?? 02h 0010131f 40 ?? 40h @ 00101320 3e ?? 3Eh > 00101321 76 ?? 76h v 00101322 64 ?? 64h d 00101323 63 ?? 63h c 00101324 d4 ?? D4h 00101325 83 ?? 83h 00101326 b0 ?? B0h 00101327 0e ?? 0Eh 00101328 62 ?? 62h b 00101329 46 ?? 46h F 0010132a b8 ?? B8h 0010132b 1f ?? 1Fh 0010132c 0d ?? 0Dh 0010132d e3 ?? E3h 0010132e 30 ?? 30h 0 0010132f 3e ?? 3Eh > 00101330 e9 ?? E9h 00101331 16 ?? 16h 00101332 40 ?? 40h @ 00101333 79 ?? 79h y 00101334 8f ?? 8Fh 00101335 8a ?? 8Ah 00101336 77 ?? 77h w 00101337 30 ?? 30h 0 00101338 66 ?? 66h f 00101339 ae ?? AEh 0010133a 25 ?? 25h % 0010133b e6 ?? E6h 0010133c c3 ?? C3h 0010133d 3b ?? 3Bh ; 0010133e 75 ?? 75h u 0010133f 7e ?? 7Eh ~ 00101340 ab ?? ABh 00101341 7e ?? 7Eh ~ 00101342 ff ?? FFh 00101343 4a ?? 4Ah J 00101344 09 ?? 09h 00101345 e0 ?? E0h 00101346 38 ?? 38h 8 00101347 ec ?? ECh 00101348 b6 ?? B6h 00101349 5d ?? 5Dh ] 0010134a eb ?? EBh 0010134b b3 ?? B3h 0010134c 85 ?? 85h 0010134d 59 ?? 59h Y 0010134e c0 ?? C0h 0010134f 6d ?? 6Dh m 00101350 55 ?? 55h U 00101351 4e ?? 4Eh N 00101352 a8 ?? A8h 00101353 05 ?? 05h 00101354 c3 ?? C3h 00101355 71 ?? 71h q 00101356 ef ?? EFh 00101357 60 ?? 60h ` 00101358 18 ?? 18h 00101359 db ?? DBh 0010135a 2b ?? 2Bh + 0010135b 6d ?? 6Dh m 0010135c cc ?? CCh 0010135d 1e ?? 1Eh 0010135e 92 ?? 92h 0010135f fc ?? FCh
data部にある秘密鍵はバイナリから切り取った方が早い。秘密鍵は暗号化に使われているので、公開鍵で復号できる。local_af8以下のデータを暗号化データとして、公開鍵で復号する。
from Crypto.PublicKey import RSA from Crypto.Util.number import * def codes_to_c(codes): c = 0 for code in codes: c *= 256 c += code return c with open('rsa', 'rb') as f: data = f.read() prikey = data[0x1100:0x1360] pri = RSA.importKey(prikey) n = pri.n e = pri.e codes = [0x6f, 0x86, 0xe4, 0x96, 0x29, 0xbe, 0x8a, 0x5e, 0x21, 0xe2, 0xc0, 0xda, 0x25, 0xb7, 0x95, 0xe0, 0x5f, 10, 0x6c, 0xe9, 0x44, 0xdb, 0x12, 0x4c, 0x3a, 0x6c, 0x14, 0x87, 0xc6, 0x36, 0x6b, 0x6d, 0x95, 6, 0x1c, 0x2d, 0x11, 0x9e, 0xf8, 0x72, 0xcc, 0x9b, 0x74, 0x87, 0x73, 0xa7, 0x52, 0x72, 0xc, 0x5b, 0x92, 0x8d, 0x7c, 0xa9, 0x35, 0xeb, 0xc5, 0xd6, 0x1e, 0x1c, 0x9e, 0x7e, 0xd3, 0x6e, 0x43, 0x35, 0x93, 0xd0, 0x6c, 0x26, 0xb4, 0x95, 0xe5, 0x99, 0x28, 99, 0x5e, 0xeb, 0xad, 0x40, 0xce, 0x26, 0x67, 0xf7, 0x32, 0xb2, 3, 0xd, 0x30, 0x24, 0x93, 0x84, 0x3a, 0x19, 0xac, 0x6f, 0x11, 0xbb, 0xb, 0x5b, 0x41, 0x8d, 0x9d, 0x49, 0x1a, 0xb1, 0x21, 0xd9, 0x79, 0x43, 0xbc, 0x83, 0x1c, 0x36, 0x98, 0xb9, 0x5a, 0x53, 0xd9, 0xf4, 0xa3, 0x99, 0x34, 0x67, 0xa2, 0x8b, 0xce, 6] c = codes_to_c(codes) m = pow(c, e, n) flag = long_to_bytes(m) print flag
実行結果は以下の通り。
TWCTF{Rivest_Shamir_Adleman}
TWCTF{Rivest_Shamir_Adleman}
easy-hash (Crypto, Warmup)
'twctf: 'から始まり、'2020'で終わり、'twctf: please give me the flag of 2020'とは異なる文字列のハッシュ(easy_hash)で'twctf: please give me the flag of 2020'のハッシュと同じになるものを指定する必要がある。
easy_hashは4バイトごとに数値にして足しているので、どこか4バイトのブロックを交換したものを指定する。例えば、以下のように入れ替えてみる。
'twctf: please give me the flag of 2020' ↓ 'twctf: pe gileasve me the flag of 2020'
$ curl https://crypto01.chal.ctf.westerns.tokyo -d 'twctf: pe gileasve me the flag of 2020' Congrats! The flag is TWCTF{colorfully_decorated_dream}
TWCTF{colorfully_decorated_dream}
mask (Misc)
サブネットマスクからホストアドレスの第四オクテットをASCIIコードとしてデコードすると、base64文字列になる。これをデコードするとフラグになる。
adrs_list = '''192.168.55.86/255.255.255.0 192.168.80.198/255.255.255.128 192.168.1.228/255.255.255.128 192.168.90.68/255.255.254.0 192.168.8.214/255.255.255.128 192.168.5.197/255.255.255.128 192.168.71.90/255.255.255.0 192.168.62.55/255.255.255.192 192.168.78.209/255.255.255.128 192.168.76.216/255.255.255.128 192.168.91.202/255.255.255.128 192.168.93.108/255.255.255.0 192.168.74.76/255.255.254.0 192.168.10.88/255.255.254.0 192.168.82.236/255.255.255.128 192.168.13.246/255.255.255.128 192.168.99.228/255.255.255.128 192.168.68.83/255.255.252.0 192.168.23.113/255.255.255.192 192.168.52.113/255.255.255.192 192.168.69.99/255.255.255.0 192.168.19.114/255.255.255.192 192.168.53.236/255.255.255.128 192.168.90.117/255.255.254.0 192.168.35.90/255.255.255.0 192.168.91.121/255.255.255.0 192.168.48.49/255.255.255.192 192.168.27.104/255.255.255.0 192.168.98.204/255.255.255.128 192.168.93.87/255.255.255.0 192.168.44.113/255.255.255.192 192.168.40.104/255.255.248.0 192.168.25.227/255.255.255.128 192.168.57.50/255.255.255.192 192.168.97.115/255.255.255.0 192.168.30.47/255.255.255.192 192.168.10.102/255.255.254.0 192.168.51.209/255.255.255.128 192.168.82.125/255.255.255.192 192.168.72.125/255.255.255.192''' adrs_list = adrs_list.split('\n') b64_flag = '' for adrs in adrs_list: ip_tail = int(adrs.split('/')[0].split('.')[3]) subnet_mask_tail = int(adrs.split('/')[1].split('.')[3]) no_mask = subnet_mask_tail ^ 0xff b64_flag += chr(ip_tail & no_mask) print '[+] base64 str:', b64_flag flag = b64_flag.decode('base64') print flag
実行結果は以下の通り。
[+] base64 str: VFdDVEZ7QXJlLXlvdS11c2luZy1hLW1hc2s/fQ==
TWCTF{Are-you-using-a-mask?}
TWCTF{Are-you-using-a-mask?}
