この大会は2022/12/17 9:00(JST)~2022/12/19 9:00(JST)に開催されました。
今回もチームで参戦。結果は 700点で174チーム中27位でした。
自分で解けた問題をWriteupとして書いておきます。
welcome (misc)
Discordに入り、#rulesチャネルのトピックを見ると、以下が書いてある。
Are you here for the flag? :eyes: try messaging our facebook bot.. Maybe it will tell you something... Make sure to firstly read all the rules! :eyes: PS: have you tried pinging for !flag?
FacebookのメッセンジャーでPING PGに"!flag"と入力、送信し、答えていくと、フラグが表示された。
ping{W3lc0m3_t0_p1ngCTF_2022!_3c08b6c9a06c7db}
guess what (misc)
PoWをクリアした後、課題が3つのパートに分かれている。
まず、Part1のコードを読み解く。
・strings: "A", "B"からi個(iが2から17までの問題)の順列、全種の配列 ・indexToRemove: stringsの長さ未満のランダム整数 ・removedString = strings[indexToRemove] ・stringsからremovedStringを削除 ・stringsをシャッフル ・stringsの一覧を表示 →削除されたremovedStringを答えればよい。
set関数で2つのリストのXORをとり、削除された文字列を抽出する。
次に、Part2のコードを読み解く。Part1との差は、辞書の差のみ。"AB"を"ABCD"にするだけでよい。
最後に、Part3のコードを読み解く。今度はping{}の中の順列、全種の配列の中から、フラグを削除している。これまでと同じようにして削除されたフラグを抽出し、ping{xxx}という形式に整形する。
#!/usr/bin/env python3 import socket import re import itertools import hashlib def recvuntil(s, tail): data = b'' while True: if tail in data: return data.decode() data += s.recv(1) def solve_pow(prefix, result, unknown_count): possibilities = itertools.product('0123456789abcdef', repeat=unknown_count) for ans in possibilities: answer = ''.join(ans) if hashlib.sha256((prefix + answer).encode()).hexdigest() == result: return answer intro_dictionary = 'AB' mid_dictionary = 'ABCD' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('guess_what.ctf.knping.pl', 20000)) data = recvuntil(s, b'\n').rstrip() print(data) pattern = 'sha256\("(.+) \+ \?\?\?\?\?\?"\) == "(.+)"' m = re.search(pattern, data) prefix = m.group(1) result = m.group(2) unknown_count = 6 solution = solve_pow(prefix, result, unknown_count) data = recvuntil(s, b'> ') print(data + solution) s.sendall(solution.encode() + b'\n') for _ in range(3): data = recvuntil(s, b'\n').rstrip() print(data) data = recvuntil(s, b'...') print(data) s.sendall(b'\n') for i in range(2, 18): data = recvuntil(s, b'...\n').rstrip() print(data) removed_strings = [] while True: data = recvuntil(s, b'\n').rstrip() print(data) if 'PRINTING' in data: break else: removed_strings.append(data) strings = ["".join(x) for x in itertools.product(intro_dictionary, repeat=i)] removedString = list(set(removed_strings) ^ set(strings))[0] data = recvuntil(s, b'\n').rstrip() print(data) data = recvuntil(s, b'> ') print(data + removedString) s.sendall(removedString.encode() + b'\n') data = recvuntil(s, b'\n').rstrip() print(data) for _ in range(4): data = recvuntil(s, b'\n').rstrip() print(data) data = recvuntil(s, b'...') print(data) s.sendall(b'\n') for i in range(2, 6): data = recvuntil(s, b'...\n').rstrip() print(data) removed_strings = [] while True: data = recvuntil(s, b'\n').rstrip() print(data) if 'PRINTING' in data: break else: removed_strings.append(data) strings = ["".join(x) for x in itertools.product(mid_dictionary, repeat=6)] removedString = list(set(removed_strings) ^ set(strings))[0] data = recvuntil(s, b'\n').rstrip() print(data) data = recvuntil(s, b'> ') print(data + removedString) s.sendall(removedString.encode() + b'\n') data = recvuntil(s, b'\n').rstrip() print(data) data = recvuntil(s, b'\n').rstrip() print(data) data = recvuntil(s, b'...') print(data) s.sendall(b'\n') data = recvuntil(s, b'...\n').rstrip() print(data) removed_flags = [] while True: data = recvuntil(s, b'\n').rstrip() #print(data) if 'PRINTING' in data: break else: removed_flags.append(data) flags = ["".join(x) for x in itertools.permutations(removed_flags[-1])] real_flag = list(set(removed_flags) ^ set(flags))[0] flag = 'ping{%s}' % real_flag data = recvuntil(s, b'\n').rstrip() print(data) data = recvuntil(s, b'> ') print(data + flag) s.sendall(flag.encode() + b'\n') data = recvuntil(s, b'\n').rstrip() print(data)
実行結果は以下の通り。
sha256("3eb7fe0d1d480a7d12d04043612cd9e536 + ??????") == "2c8e6e6c38cee110fb9d1718e7eced8485a136888585fbf9d5883525bc748289"
> 409e29
Hi, this is my game :)
I will give you some sTrInGs, and you will have to tell me, which one is missing, seems easy, right? :D
Let's try it out!
Press enter to continue...
PRINTING...
BA
AA
AB
DONE PRINTING
Which one is missing?
> BB
Correct!
PRINTING...
ABB
BAA
AAA
BAB
ABA
BBB
BBA
DONE PRINTING
Which one is missing?
> AAB
Correct!
:
:
You are doing great! Now, let's try something harder!
I will give you AGAIN some StRiNgS, and you will have to tell me, which one is missing, seems still doable, right? :D
But I need you to hurry this time, so you will have to guess the missing string in 5 seconds.
Let's try it out!
Press enter to continue...
PRINTING...
ADDADA
DCCCCB
BBBAAA
AADBCA
DDCCAD
:
:
Ok. This is kinda spooky. This time I will show you that I know everything, and you will have to prove me wrong in order to get the flag.
Press enter to continue...
PRINTING...
If you are so smart, then you should be able to give the flag in 15 seconds!
> ping{4nF8ai2e9d}
Correct! Here is your flag: ping{4nF8ai2e9d}
ping{4nF8ai2e9d}
high school grades (misc)
xlsxファイルだが、パスワードがかかっている。
$ office2john HS_Grades_December_2022.xlsx > hash.txt $ john --wordlist=dict/rockyou.txt hash.txt Using default input encoding: UTF-8 Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES]) Cost 1 (MS Office version) is 2013 for all loaded hashes Cost 2 (iteration count) is 100000 for all loaded hashes Will run 2 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status 1234567 (HS_Grades_December_2022.xlsx) 1g 0:00:00:00 DONE (2022-12-17 12:20) 6.250g/s 100.0p/s 100.0c/s 100.0C/s 123456..jessica Use the "--show" option to display all of the cracked passwords reliably Session completed
パスワード"1234567"でExcelファイルを開く。Grades_December_2022シートの以下の2つのセルに以下のように書いてある。
D9: ApnL3omr,ih? E9: AigssatrgtO3
L3とO3には"{"と"}"が書いてあるので、"A"を削除し、置き換える。
D9: pn{omr,ih?
E9: igssatrgt}交互につなげていくと、フラグになる。
ping{sosmart,right?}
baby rev (rev)
Ghidraでデコンパイルする。
undefined8 main(void) { char cVar1; long in_FS_OFFSET; undefined local_78 [104]; long local_10; local_10 = *(long *)(in_FS_OFFSET + 0x28); puts("Hi! I\'m baby rev!"); puts("I\'m a baby reverse engineering challenge!"); puts("I\'m not very good at reversing, but I\'m trying my best!"); puts("Can you help me?"); puts("Please tell me the first flag!"); printf("Input: "); __isoc99_scanf(&DAT_001020c7,local_78); cVar1 = checkflag(local_78); if (cVar1 == '\0') { puts("Incorrect! :(( But definitely try next time!!!!"); } else { puts("Correct! :) So happy for you!!!"); } if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) { /* WARNING: Subroutine does not return */ __stack_chk_fail(); } return 0; } undefined8 checkflag(char *param_1) { bool bVar1; undefined8 uVar2; long in_FS_OFFSET; int local_40; int local_3c; char acStack56 [40]; long local_10; local_10 = *(long *)(in_FS_OFFSET + 0x28); if ((((*param_1 == 'p') && (param_1[1] == 'i')) && (param_1[2] == 'n')) && (((param_1[3] == 'g' && (param_1[4] == '{')) && (param_1[0x25] == '}')))) { bVar1 = true; } else { bVar1 = false; } if (bVar1) { for (local_40 = 0; local_40 < 0x20; local_40 = local_40 + 1) { acStack56[local_40] = param_1[(long)local_40 + 5]; } for (local_3c = 0; local_3c < 0x99; local_3c = local_3c + 1) { if ((*(uint *)(&KEYS + (long)(local_3c % 0xe) * 4) ^ (int)acStack56[local_3c % 0x1f]) * 4 + local_3c * 2 != *(int *)(FLAG + (long)local_3c * 4)) { uVar2 = 0; goto LAB_00101336; } } uVar2 = 1; } else { uVar2 = 0; } LAB_00101336: if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) { /* WARNING: Subroutine does not return */ __stack_chk_fail(); } return uVar2; } KEYS XREF[3]: Entry Point(*), checkflag:001012e3(*), checkflag:001012ea(R) 00104020 01 ?? 01h 00104021 00 ?? 00h 00104022 00 ?? 00h 00104023 00 ?? 00h 00104024 03 ?? 03h 00104025 00 ?? 00h 00104026 00 ?? 00h 00104027 00 ?? 00h 00104028 03 ?? 03h 00104029 00 ?? 00h 0010402a 00 ?? 00h 0010402b 00 ?? 00h 0010402c 07 ?? 07h 0010402d 00 ?? 00h 0010402e 00 ?? 00h 0010402f 00 ?? 00h 00104030 50 00 00 unicode32 U"PING ROCKS" 00 49 00 00 00 4e 0010405c 00 ?? 00h 0010405d 00 ?? 00h 0010405e 00 ?? 00h 0010405f 00 ?? 00h FLAG XREF[3]: Entry Point(*), checkflag:0010130b(*), checkflag:00101312(R) 00104060 cc 01 00 undefine 00 c2 00 00 00 d8 00104060 cc undefined1CCh [0] XREF[3]: Entry Point(*), checkflag:0010130b(*), checkflag:00101312(R) 00104061 01 undefined101h [1] 00104062 00 undefined100h [2] 00104063 00 undefined100h [3] 00104064 c2 undefined1C2h [4] 00104065 00 undefined100h [5] 00104066 00 undefined100h [6] 00104067 00 undefined100h [7] 00104068 d8 undefined1D8h [8] 00104069 01 undefined101h [9] 0010406a 00 undefined100h [10] 0010406b 00 undefined100h [11] 0010406c d6 undefined1D6h [12] 0010406d 00 undefined100h [13] 0010406e 00 undefined100h [14] 0010406f 00 undefined100h [15] 00104070 90 undefined190h [16] 00104071 00 undefined100h [17] 00104072 00 undefined100h [18] 00104073 00 undefined100h [19] 00104074 f2 undefined1F2h [20] 00104075 00 undefined100h [21] 00104076 00 undefined100h [22] 00104077 00 undefined100h [23] 00104078 08 undefined108h [24] 00104079 02 undefined102h [25] 0010407a 00 undefined100h [26] 0010407b 00 undefined100h [27] 0010407c b2 undefined1B2h [28] 0010407d 00 undefined100h [29] 0010407e 00 undefined100h [30] 0010407f 00 undefined100h [31] 00104080 2c undefined12Ch [32] 00104081 01 undefined101h [33] 00104082 00 undefined100h [34] 00104083 00 undefined100h [35] 00104084 46 undefined146h [36] 00104085 00 undefined100h [37] 00104086 00 undefined100h [38] 00104087 00 undefined100h [39] 00104088 c4 undefined1C4h [40] 00104089 00 undefined100h [41] 0010408a 00 undefined100h [42] 0010408b 00 undefined100h [43] 0010408c f2 undefined1F2h [44] 0010408d 01 undefined101h [45] 0010408e 00 undefined100h [46] 0010408f 00 undefined100h [47] 00104090 ac undefined1ACh [48] 00104091 00 undefined100h [49] 00104092 00 undefined100h [50] 00104093 00 undefined100h [51] 00104094 4a undefined14Ah [52] 00104095 00 undefined100h [53] 00104096 00 undefined100h [54] 00104097 00 undefined100h [55] 00104098 a8 undefined1A8h [56] 00104099 01 undefined101h [57] 0010409a 00 undefined100h [58] 0010409b 00 undefined100h [59] 0010409c de undefined1DEh [60] 0010409d 00 undefined100h [61] 0010409e 00 undefined100h [62] 0010409f 00 undefined100h [63] 001040a0 90 undefined190h [64] 001040a1 01 undefined101h [65] 001040a2 00 undefined100h [66] 001040a3 00 undefined100h [67] 001040a4 72 undefined172h [68] 001040a5 01 undefined101h [69] 001040a6 00 undefined100h [70] 001040a7 00 undefined100h [71] 001040a8 a4 undefined1A4h [72] 001040a9 01 undefined101h [73] 001040aa 00 undefined100h [74] 001040ab 00 undefined100h [75] 001040ac 7e undefined17Eh [76] 001040ad 00 undefined100h [77] 001040ae 00 undefined100h [78] 001040af 00 undefined100h [79] 001040b0 b4 undefined1B4h [80] 001040b1 00 undefined100h [81] 001040b2 00 undefined100h [82] 001040b3 00 undefined100h [83] 001040b4 f2 undefined1F2h [84] 001040b5 00 undefined100h [85] 001040b6 00 undefined100h [86] 001040b7 00 undefined100h [87] 001040b8 b8 undefined1B8h [88] 001040b9 01 undefined101h [89] 001040ba 00 undefined100h [90] 001040bb 00 undefined100h [91] 001040bc 96 undefined196h [92] 001040bd 00 undefined100h [93] 001040be 00 undefined100h [94] 001040bf 00 undefined100h [95] 001040c0 70 undefined170h [96] 001040c1 00 undefined100h [97] 001040c2 00 undefined100h [98] 001040c3 00 undefined100h [99] 001040c4 46 undefined146h [100] 001040c5 00 undefined100h [101] 001040c6 00 undefined100h [102] 001040c7 00 undefined100h [103] 001040c8 ac undefined1ACh [104] 001040c9 00 undefined100h [105] 001040ca 00 undefined100h [106] 001040cb 00 undefined100h [107] 001040cc aa undefined1AAh [108] 001040cd 00 undefined100h [109] 001040ce 00 undefined100h [110] 001040cf 00 undefined100h [111] 001040d0 b8 undefined1B8h [112] 001040d1 00 undefined100h [113] 001040d2 00 undefined100h [114] 001040d3 00 undefined100h [115] 001040d4 c2 undefined1C2h [116] 001040d5 00 undefined100h [117] 001040d6 00 undefined100h [118] 001040d7 00 undefined100h [119] 001040d8 c4 undefined1C4h [120] 001040d9 00 undefined100h [121] 001040da 00 undefined100h [122] 001040db 00 undefined100h [123] 001040dc 12 undefined112h [124] 001040dd 02 undefined102h [125] 001040de 00 undefined100h [126] 001040df 00 undefined100h [127] 001040e0 cc undefined1CCh [128] 001040e1 01 undefined101h [129] 001040e2 00 undefined100h [130] 001040e3 00 undefined100h [131] 001040e4 3e undefined13Eh [132] 001040e5 01 undefined101h [133] 001040e6 00 undefined100h [134] 001040e7 00 undefined100h [135] 001040e8 38 undefined138h [136] 001040e9 02 undefined102h [137] 001040ea 00 undefined100h [138] 001040eb 00 undefined100h [139] 001040ec 1a undefined11Ah [140] 001040ed 01 undefined101h [141] 001040ee 00 undefined100h [142] 001040ef 00 undefined100h [143] 001040f0 94 undefined194h [144] 001040f1 01 undefined101h [145] 001040f2 00 undefined100h [146] 001040f3 00 undefined100h [147] 001040f4 d6 undefined1D6h [148] 001040f5 01 undefined101h [149] 001040f6 00 undefined100h [150] 001040f7 00 undefined100h [151] 001040f8 d0 undefined1D0h [152] 001040f9 00 undefined100h [153] 001040fa 00 undefined100h [154] 001040fb 00 undefined100h [155] 001040fc de undefined1DEh [156] 001040fd 00 undefined100h [157] 001040fe 00 undefined100h [158] 001040ff 00 undefined100h [159] 00104100 a0 undefined1A0h [160] 00104101 00 undefined100h [161] 00104102 00 undefined100h [162] 00104103 00 undefined100h [163] 00104104 12 undefined112h [164] 00104105 01 undefined101h [165] 00104106 00 undefined100h [166] 00104107 00 undefined100h [167] 00104108 28 undefined128h [168] 00104109 01 undefined101h [169] 0010410a 00 undefined100h [170] 0010410b 00 undefined100h [171] 0010410c 0a undefined10Ah [172] 0010410d 02 undefined102h [173] 0010410e 00 undefined100h [174] 0010410f 00 undefined100h [175] 00104110 c8 undefined1C8h [176] 00104111 01 undefined101h [177] 00104112 00 undefined100h [178] 00104113 00 undefined100h [179] 00104114 ee undefined1EEh [180] 00104115 01 undefined101h [181] 00104116 00 undefined100h [182] 00104117 00 undefined100h [183] 00104118 e8 undefined1E8h [184] 00104119 01 undefined101h [185] 0010411a 00 undefined100h [186] 0010411b 00 undefined100h [187] 0010411c b6 undefined1B6h [188] 0010411d 00 undefined100h [189] 0010411e 00 undefined100h [190] 0010411f 00 undefined100h [191] 00104120 d4 undefined1D4h [192] 00104121 00 undefined100h [193] 00104122 00 undefined100h [194] 00104123 00 undefined100h [195] 00104124 3e undefined13Eh [196] 00104125 02 undefined102h [197] 00104126 00 undefined100h [198] 00104127 00 undefined100h [199] 00104128 60 undefined160h [200] 00104129 02 undefined102h [201] 0010412a 00 undefined100h [202] 0010412b 00 undefined100h [203] 0010412c 62 undefined162h [204] 0010412d 01 undefined101h [205] 0010412e 00 undefined100h [206] 0010412f 00 undefined100h [207] 00104130 50 undefined150h [208] 00104131 01 undefined101h [209] 00104132 00 undefined100h [210] 00104133 00 undefined100h [211] 00104134 6a undefined16Ah [212] 00104135 00 undefined100h [213] 00104136 00 undefined100h [214] 00104137 00 undefined100h [215] 00104138 78 undefined178h [216] 00104139 00 undefined100h [217] 0010413a 00 undefined100h [218] 0010413b 00 undefined100h [219] 0010413c 9e undefined19Eh [220] 0010413d 00 undefined100h [221] 0010413e 00 undefined100h [222] 0010413f 00 undefined100h [223] 00104140 8c undefined18Ch [224] 00104141 01 undefined101h [225] 00104142 00 undefined100h [226] 00104143 00 undefined100h [227] 00104144 ca undefined1CAh [228] 00104145 01 undefined101h [229] 00104146 00 undefined100h [230] 00104147 00 undefined100h [231] 00104148 a8 undefined1A8h [232] 00104149 01 undefined101h [233] 0010414a 00 undefined100h [234] 0010414b 00 undefined100h [235] 0010414c 0e undefined10Eh [236] 0010414d 01 undefined101h [237] 0010414e 00 undefined100h [238] 0010414f 00 undefined100h [239] 00104150 3c undefined13Ch [240] 00104151 02 undefined102h [241] 00104152 00 undefined100h [242] 00104153 00 undefined100h [243] 00104154 1a undefined11Ah [244] 00104155 02 undefined102h [245] 00104156 00 undefined100h [246] 00104157 00 undefined100h [247] 00104158 6c undefined16Ch [248] 00104159 01 undefined101h [249] 0010415a 00 undefined100h [250] 0010415b 00 undefined100h [251] 0010415c 4e undefined14Eh [252] 0010415d 02 undefined102h [253] 0010415e 00 undefined100h [254] 0010415f 00 undefined100h [255] 00104160 d8 undefined1D8h [256] 00104161 01 undefined101h [257] 00104162 00 undefined100h [258] 00104163 00 undefined100h [259] 00104164 06 undefined106h [260] 00104165 02 undefined102h [261] 00104166 00 undefined100h [262] 00104167 00 undefined100h [263] 00104168 78 undefined178h [264] 00104169 01 undefined101h [265] 0010416a 00 undefined100h [266] 0010416b 00 undefined100h [267] 0010416c 46 undefined146h [268] 0010416d 01 undefined101h [269] 0010416e 00 undefined100h [270] 0010416f 00 undefined100h [271] 00104170 70 undefined170h [272] 00104171 02 undefined102h [273] 00104172 00 undefined100h [274] 00104173 00 undefined100h [275] 00104174 7e undefined17Eh [276] 00104175 01 undefined101h [277] 00104176 00 undefined100h [278] 00104177 00 undefined100h [279] 00104178 24 undefined124h [280] 00104179 02 undefined102h [281] 0010417a 00 undefined100h [282] 0010417b 00 undefined100h [283] 0010417c fe undefined1FEh [284] 0010417d 01 undefined101h [285] 0010417e 00 undefined100h [286] 0010417f 00 undefined100h [287] 00104180 10 undefined110h [288] 00104181 02 undefined102h [289] 00104182 00 undefined100h [290] 00104183 00 undefined100h [291] 00104184 5e undefined15Eh [292] 00104185 01 undefined101h [293] 00104186 00 undefined100h [294] 00104187 00 undefined100h [295] 00104188 8c undefined18Ch [296] 00104189 01 undefined101h [297] 0010418a 00 undefined100h [298] 0010418b 00 undefined100h [299] 0010418c ee undefined1EEh [300] 0010418d 00 undefined100h [301] 0010418e 00 undefined100h [302] 0010418f 00 undefined100h [303] 00104190 48 undefined148h [304] 00104191 01 undefined101h [305] 00104192 00 undefined100h [306] 00104193 00 undefined100h [307] 00104194 6a undefined16Ah [308] 00104195 02 undefined102h [309] 00104196 00 undefined100h [310] 00104197 00 undefined100h [311] 00104198 98 undefined198h [312] 00104199 02 undefined102h [313] 0010419a 00 undefined100h [314] 0010419b 00 undefined100h [315] 0010419c a2 undefined1A2h [316] 0010419d 00 undefined100h [317] 0010419e 00 undefined100h [318] 0010419f 00 undefined100h [319] 001041a0 9c undefined19Ch [320] 001041a1 02 undefined102h [321] 001041a2 00 undefined100h [322] 001041a3 00 undefined100h [323] 001041a4 12 undefined112h [324] 001041a5 01 undefined101h [325] 001041a6 00 undefined100h [326] 001041a7 00 undefined100h [327] 001041a8 3c undefined13Ch [328] 001041a9 01 undefined101h [329] 001041aa 00 undefined100h [330] 001041ab 00 undefined100h [331] 001041ac 3e undefined13Eh [332] 001041ad 01 undefined101h [333] 001041ae 00 undefined100h [334] 001041af 00 undefined100h [335] 001041b0 b0 undefined1B0h [336] 001041b1 01 undefined101h [337] 001041b2 00 undefined100h [338] 001041b3 00 undefined100h [339] 001041b4 d6 undefined1D6h [340] 001041b5 01 undefined101h [341] 001041b6 00 undefined100h [342] 001041b7 00 undefined100h [343] 001041b8 1c undefined11Ch [344] 001041b9 02 undefined102h [345] 001041ba 00 undefined100h [346] 001041bb 00 undefined100h [347] 001041bc b2 undefined1B2h [348] 001041bd 01 undefined101h [349] 001041be 00 undefined100h [350] 001041bf 00 undefined100h [351] 001041c0 c4 undefined1C4h [352] 001041c1 00 undefined100h [353] 001041c2 00 undefined100h [354] 001041c3 00 undefined100h [355] 001041c4 ce undefined1CEh [356] 001041c5 00 undefined100h [357] 001041c6 00 undefined100h [358] 001041c7 00 undefined100h [359] 001041c8 70 undefined170h [360] 001041c9 02 undefined102h [361] 001041ca 00 undefined100h [362] 001041cb 00 undefined100h [363] 001041cc 4e undefined14Eh [364] 001041cd 02 undefined102h [365] 001041ce 00 undefined100h [366] 001041cf 00 undefined100h [367] 001041d0 bc undefined1BCh [368] 001041d1 00 undefined100h [369] 001041d2 00 undefined100h [370] 001041d3 00 undefined100h [371] 001041d4 3a undefined13Ah [372] 001041d5 01 undefined101h [373] 001041d6 00 undefined100h [374] 001041d7 00 undefined100h [375] 001041d8 ac undefined1ACh [376] 001041d9 02 undefined102h [377] 001041da 00 undefined100h [378] 001041db 00 undefined100h [379] 001041dc 92 undefined192h [380] 001041dd 01 undefined101h [381] 001041de 00 undefined100h [382] 001041df 00 undefined100h [383] 001041e0 a0 undefined1A0h [384] 001041e1 02 undefined102h [385] 001041e2 00 undefined100h [386] 001041e3 00 undefined100h [387] 001041e4 46 undefined146h [388] 001041e5 01 undefined101h [389] 001041e6 00 undefined100h [390] 001041e7 00 undefined100h [391] 001041e8 8c undefined18Ch [392] 001041e9 02 undefined102h [393] 001041ea 00 undefined100h [394] 001041eb 00 undefined100h [395] 001041ec 8e undefined18Eh [396] 001041ed 01 undefined101h [397] 001041ee 00 undefined100h [398] 001041ef 00 undefined100h [399] 001041f0 7c undefined17Ch [400] 001041f1 02 undefined102h [401] 001041f2 00 undefined100h [402] 001041f3 00 undefined100h [403] 001041f4 4a undefined14Ah [404] 001041f5 02 undefined102h [405] 001041f6 00 undefined100h [406] 001041f7 00 undefined100h [407] 001041f8 08 undefined108h [408] 001041f9 01 undefined101h [409] 001041fa 00 undefined100h [410] 001041fb 00 undefined100h [411] 001041fc 76 undefined176h [412] 001041fd 01 undefined101h [413] 001041fe 00 undefined100h [414] 001041ff 00 undefined100h [415] 00104200 b8 undefined1B8h [416] 00104201 02 undefined102h [417] 00104202 00 undefined100h [418] 00104203 00 undefined100h [419] 00104204 76 undefined176h [420] 00104205 01 undefined101h [421] 00104206 00 undefined100h [422] 00104207 00 undefined100h [423] 00104208 d0 undefined1D0h [424] 00104209 02 undefined102h [425] 0010420a 00 undefined100h [426] 0010420b 00 undefined100h [427] 0010420c 96 undefined196h [428] 0010420d 01 undefined101h [429] 0010420e 00 undefined100h [430] 0010420f 00 undefined100h [431] 00104210 c8 undefined1C8h [432] 00104211 02 undefined102h [433] 00104212 00 undefined100h [434] 00104213 00 undefined100h [435] 00104214 4a undefined14Ah [436] 00104215 01 undefined101h [437] 00104216 00 undefined100h [438] 00104217 00 undefined100h [439] 00104218 3c undefined13Ch [440] 00104219 01 undefined101h [441] 0010421a 00 undefined100h [442] 0010421b 00 undefined100h [443] 0010421c 6a undefined16Ah [444] 0010421d 02 undefined102h [445] 0010421e 00 undefined100h [446] 0010421f 00 undefined100h [447] 00104220 58 undefined158h [448] 00104221 02 undefined102h [449] 00104222 00 undefined100h [450] 00104223 00 undefined100h [451] 00104224 9a undefined19Ah [452] 00104225 02 undefined102h [453] 00104226 00 undefined100h [454] 00104227 00 undefined100h [455] 00104228 bc undefined1BCh [456] 00104229 02 undefined102h [457] 0010422a 00 undefined100h [458] 0010422b 00 undefined100h [459] 0010422c f6 undefined1F6h [460] 0010422d 01 undefined101h [461] 0010422e 00 undefined100h [462] 0010422f 00 undefined100h [463] 00104230 48 undefined148h [464] 00104231 01 undefined101h [465] 00104232 00 undefined100h [466] 00104233 00 undefined100h [467] 00104234 42 undefined142h [468] 00104235 01 undefined101h [469] 00104236 00 undefined100h [470] 00104237 00 undefined100h [471] 00104238 0c undefined10Ch [472] 00104239 01 undefined101h [473] 0010423a 00 undefined100h [474] 0010423b 00 undefined100h [475] 0010423c 36 undefined136h [476] 0010423d 01 undefined101h [477] 0010423e 00 undefined100h [478] 0010423f 00 undefined100h [479] 00104240 a8 undefined1A8h [480] 00104241 02 undefined102h [481] 00104242 00 undefined100h [482] 00104243 00 undefined100h [483] 00104244 be undefined1BEh [484] 00104245 02 undefined102h [485] 00104246 00 undefined100h [486] 00104247 00 undefined100h [487] 00104248 ac undefined1ACh [488] 00104249 02 undefined102h [489] 0010424a 00 undefined100h [490] 0010424b 00 undefined100h [491] 0010424c 7e undefined17Eh [492] 0010424d 02 undefined102h [493] 0010424e 00 undefined100h [494] 0010424f 00 undefined100h [495] 00104250 dc undefined1DCh [496] 00104251 01 undefined101h [497] 00104252 00 undefined100h [498] 00104253 00 undefined100h [499] 00104254 7a undefined17Ah [500] 00104255 02 undefined102h [501] 00104256 00 undefined100h [502] 00104257 00 undefined100h [503] 00104258 d8 undefined1D8h [504] 00104259 02 undefined102h [505] 0010425a 00 undefined100h [506] 0010425b 00 undefined100h [507] 0010425c be undefined1BEh [508] 0010425d 01 undefined101h [509] 0010425e 00 undefined100h [510] 0010425f 00 undefined100h [511] 00104260 c4 undefined1C4h [512] 00104261 02 undefined102h [513] 00104262 00 undefined100h [514] 00104263 00 undefined100h [515] 00104264 d2 undefined1D2h [516] 00104265 02 undefined102h [517] 00104266 00 undefined100h [518] 00104267 00 undefined100h [519] 00104268 88 undefined188h [520] 00104269 02 undefined102h [521] 0010426a 00 undefined100h [522] 0010426b 00 undefined100h [523] 0010426c a2 undefined1A2h [524] 0010426d 01 undefined101h [525] 0010426e 00 undefined100h [526] 0010426f 00 undefined100h [527] 00104270 ac undefined1ACh [528] 00104271 01 undefined101h [529] 00104272 00 undefined100h [530] 00104273 00 undefined100h [531] 00104274 6a undefined16Ah [532] 00104275 01 undefined101h [533] 00104276 00 undefined100h [534] 00104277 00 undefined100h [535] 00104278 18 undefined118h [536] 00104279 02 undefined102h [537] 0010427a 00 undefined100h [538] 0010427b 00 undefined100h [539] 0010427c a6 undefined1A6h [540] 0010427d 02 undefined102h [541] 0010427e 00 undefined100h [542] 0010427f 00 undefined100h [543] 00104280 94 undefined194h [544] 00104281 01 undefined101h [545] 00104282 00 undefined100h [546] 00104283 00 undefined100h [547] 00104284 82 undefined182h [548] 00104285 01 undefined101h [549] 00104286 00 undefined100h [550] 00104287 00 undefined100h [551] 00104288 b8 undefined1B8h [552] 00104289 01 undefined101h [553] 0010428a 00 undefined100h [554] 0010428b 00 undefined100h [555] 0010428c 96 undefined196h [556] 0010428d 02 undefined102h [557] 0010428e 00 undefined100h [558] 0010428f 00 undefined100h [559] 00104290 90 undefined190h [560] 00104291 02 undefined102h [561] 00104292 00 undefined100h [562] 00104293 00 undefined100h [563] 00104294 5a undefined15Ah [564] 00104295 02 undefined102h [565] 00104296 00 undefined100h [566] 00104297 00 undefined100h [567] 00104298 e8 undefined1E8h [568] 00104299 01 undefined101h [569] 0010429a 00 undefined100h [570] 0010429b 00 undefined100h [571] 0010429c 7e undefined17Eh [572] 0010429d 02 undefined102h [573] 0010429e 00 undefined100h [574] 0010429f 00 undefined100h [575] 001042a0 14 undefined114h [576] 001042a1 02 undefined102h [577] 001042a2 00 undefined100h [578] 001042a3 00 undefined100h [579] 001042a4 12 undefined112h [580] 001042a5 02 undefined102h [581] 001042a6 00 undefined100h [582] 001042a7 00 undefined100h [583] 001042a8 58 undefined158h [584] 001042a9 01 undefined101h [585] 001042aa 00 undefined100h [586] 001042ab 00 undefined100h [587] 001042ac 62 undefined162h [588] 001042ad 01 undefined101h [589] 001042ae 00 undefined100h [590] 001042af 00 undefined100h [591] 001042b0 24 undefined124h [592] 001042b1 03 undefined103h [593] 001042b2 00 undefined100h [594] 001042b3 00 undefined100h [595] 001042b4 7a undefined17Ah [596] 001042b5 01 undefined101h [597] 001042b6 00 undefined100h [598] 001042b7 00 undefined100h [599] 001042b8 94 undefined194h [600] 001042b9 01 undefined101h [601] 001042ba 00 undefined100h [602] 001042bb 00 undefined100h [603] 001042bc 62 undefined162h [604] 001042bd 01 undefined101h [605] 001042be 00 undefined100h [606] 001042bf 00 undefined100h [607] 001042c0 d8 undefined1D8h [608] 001042c1 02 undefined102h [609] 001042c2 00 undefined100h [610] 001042c3 00 undefined100h [611]
checkflagの結果が1になるルートの条件を見ていけばよい。
・インデックス0~4は"ping{"
・インデックス37は"}"
・インデックス5~36を新たにインデックス0~31として以下の条件を満たす必要がある。
・(KEYS[i % 14] ^ acStack56[i % 31]) * 4 + i * 2 == FLAG[i]インデックス31については何でもよいことになるので、結果から調整し、インデックス36と同じ文字にしてみる。
#!/usr/bin/env python3 with open('baby_rev', 'rb') as f: data = f.read() KEYS = [] for i in range(0x3020, 0x3020 + 14 * 4, 4): k = int.from_bytes(data[i:i+4], byteorder='little') KEYS.append(k) FLAG = [] for i in range(0x3060, 0x3060 + 0x99 * 4, 4): f = int.from_bytes(data[i:i+4], byteorder='little') FLAG.append(f) flag = [-1] * 31 for i in range(0x99): f = ((FLAG[i] - i * 2) // 4) ^ KEYS[i % 14] if flag[i % 31] == -1: flag[i % 31] = f else: assert flag[i % 31] == f flag = ''.join([chr(i) for i in flag]) flag += flag[-1] flag = 'ping{%s}' % flag print(flag)
ping{r3v3rs1ng_c4n_b3_S0_muCH_FUN!!!!}
dialog (crypto)
暗号化処理の概要は以下の通り。
・key: フラグ ・dialog = DialogEncryption(key) ・dialog.key = key ・message: 既知固定文字列 ・encrypted = dialog.encrypt(message) ・encoded = '' ・messageの各インデックスiについて以下を実行 ・key_c: dialog.keyの インデックス i % dialog.keyの文字 ・encoded_c: message[i]のASCIIコードにkey_cのASCIIコードを足して、256で割った余りを文字化したもの ・encodedにencoded_cを結合 ・encodedをbase64エンコードして返却 ・encryptedを出力
平文と暗号文からシフト数を求め、フラグを割り出す。
#!/usr/bin/env python3 import base64 message = "Hi Alice, I'm Bob. I'm sending you a secret message. I hope you can decrypt it." with open('out.txt', 'r') as f: encrypted = f.read() encoded = base64.b64decode(encrypted).decode() flag = '' for i in range(len(message)): flag += chr((ord(encoded[i]) - ord(message[i])) % 256) flag = flag[:flag.find('}') + 1] print(flag)
ping{B451c5_0f_3ncrypt10n_t00_345y?-K3y_r3tr13v3d!}
toss a coin to your witcher (crypto)
Vigenere暗号と推測して、まずは1行目をhttps://www.guballa.de/vigenere-solverで復号してみる。このサイトでは文が長すぎると、復号結果は途中で切られる。鍵を見てみると、"lambertwhataprick"になっている。
2行目も同様に復号してみる。鍵は、"rtwhatapricklambe"になっている。2行目は鍵がずれているので、全部の文で鍵が"lambertwhataprick"に決まっているようだ。
https://www.dcode.fr/vigenere-cipherで全文を指定して復号してみる。ここで鍵は"LAMBERTWHATAPRICK"を指定する。復号結果は以下の通り。
ASKESPECIALLYCOLLECTINGTERMINATEDMAYSONEXPRESSIONEXTREMELYEAGERNESSPRINCIPLEESTIMABLEOWNWASMANMENRECEIVEDFARHISDASHWOODSUBJECTSNEWMYSUFFICIENTSURROUNDEDANCOMPANIONSDISPATCHEDINONCONNECTIONTOOUNAFFECTEDEXPRESSIONLEDSONPOSSESSIONNEWSMILINGFRIENDSANDHERANOTHERLEAFSHEDOESNONELOVEH IGHYETSNUGLOVEWILLUPBOREASBEPURSUITMANSONMUSICALGENERALPOINTEDITSURPRISEINFORMEDMRADVANCEDDOOUTWEIGHATEVERYTILEDONYEDEFERDONOATTENTIONSUSPECTEDOHDIFFICULTFONDHISSAYOLDMEETCOLDFINDCOMEWHOMTHESIRPARKSAKEBREDWONDERMATTERNOWCANESTATEESTEEMASS UREFATROUSEDAMPERFORMEDONEXISTENCEASDISCOURSEISPLEASUREFRIENDLYATMARRIAGEBLESSINGORINCREASINGIMPRESSIONINTERESTEDEXPRESSIONHEMYATRESPECTINVITEDREQUESTCHARMEDMEWARRANTTOEXPECTNOPRETTYASDOTHOUGHSOGENIUSAFRAIDCOUSINGIRLWHENOFYESNUGPOORDRAWMISTAKETOTALLYOFINCHIEFLYJUSTICEVISITORHIMENTEREDFORCONTINUEDELICATEASUNLOCKEDENTIRELYMRRELATIONDIVERTEDINKNOWNNOTENDFULLYBEINGSTYLEHOUSEANWHOMDOWNKEPTLAINNAMES OATEASYBEHINDSOONERDININGSOWINDOWEXCUSEHESUMMERBREAKFASTMETCERTAINTYANDFULFILLEDPROPRIETYLEDWAITEDGETEITHERAREWOODEDLITTLEHERCONTRASTEDUNRESERVEDASMRPARTICULARCOLLECTINGITEVERYTHINGASINDULGENCESEEMSASKMEANTMERRYCOULDPUTAGEOLDBEGINHADBOYNOISYTABLEFRONTWHOLEGIVENBRINGINGSOSOCIAB LEFELICITYSUPPLIEDMRSEPTEMBERSUSPICIONFARHIMTWOACUTENESSPERFECTLYCOVEREDASANEXAMINESOREGULAROFYEASTONISHEDFRIENDSHIPREMARKABLYNOWINDOWADMIREMATTERPRAISEYOUBEDWHENCEDELIVEREDYESPORTSMENZEALOUSLYARRANGINGFRANKNESSESTIMABLEASNAYANYARTICLEENABLEDMUSICALSHYNESSYETSIXTEENYETBLUSHESENTIREITSTHEDIDFIGUREWONDEROFF
スペース、ピリオドを入れ、英文になるようにする。
ASK ESPECIALLY COLLECTING TERMINATED MAY SON EXPRESSION. EXTREMELY EAGERNESS PRINCIPLE ESTIMABLE OWN WAS MAN. MEN RECEIVED FAR HIS DASHWOOD SUBJECTS NEW. MY SUFFICIENT SURROUNDED AN COMPANIONS DISPATCHED IN ON. CONNECTION TOO UNAFFECTED EXPRESSION LED SON POSSESSION. NEW SMILING FRIENDS AND HER ANOTHER. LEAF SHE DOES NONE LOVE HIGH YET. SNUG LOVE WILL UP BORE AS BE. PURSUIT MAN SON MUSICAL GENERAL POINTED. IT SURPRISE INFORMED MR ADVANCED DO OUTWEIGH. AT EVERY TILED ON YE DEFER DO. NO ATTENTION SUSPECTED OH DIFFICULT. FOND HIS SAY OLD MEET COLD FIND COME WHOM. THE SIR PARK SAKE BRED. WONDER MATTER NOW CAN ESTATE ESTEEM ASSURE FAT ROUSED. AM PERFORMED ON EXISTENCE AS DISCOURSE IS. PLEASURE FRIENDLY AT MARRIAGE BLESSING OR. INCREASING IMPRESSION INTERESTED EXPRESSION HE MY AT. RESPECT INVITED REQUEST CHARMED ME WARRANT TO. EXPECT NO PRETTY AS DO THOUGH SO GENIUS AFRAID COUSIN. GIRL WHEN OF YE SNUG POOR DRAW. MISTAKE TOTALLY OF IN CHIEFLY. JUSTICE VISITOR HIM ENTERED FOR. CONTINUE DELICATE AS UNLOCKED ENTIRELY MR RELATION DIVERTED IN. KNOWN NOT END FULLY BEING STYLE HOUSE. AN WHOM DOWN KEPT LAIN NAME SO AT EASY. BEHIND SOONER DINING SO WINDOW EXCUSE HE SUMMER. BREAKFAST MET CERTAINTY AND FULFILLED PROPRIETY LED. WAITED GET EITHER ARE WOODED LITTLE HER. CONTRASTED UNRESERVED AS MR PARTICULAR COLLECTING IT EVERYTHING AS INDULGENCE. SEEMS ASK MEANT MERRY COULD PUT. AGE OLD BEGIN HAD BOY NOISY TABLE FRONT WHOLE GIVEN. BRINGING SO SOCIABLE FELICITY SUPPLIED MR. SEPTEMBER SUSPICION FAR HIM TWO ACUTENESS PERFECTLY. COVERED AS AN EXAMINE SO REGULAR OF. YE ASTONISHED FRIENDSHIP REMARKABLY NO. WINDOW ADMIRE MATTER PRAISE YOU BED WHENCE. DELIVERED YE SPORTSMEN ZEALOUSLY ARRANGING FRANKNESS ESTIMABLE AS. NAY ANY ARTICLE ENABLED MUSICAL SHYNESS YET SIXTEEN YET BLUSHES. ENTIRE ITS THE DID FIGURE WONDER OFF.
特にフラグに結びつくものは無さそう。鍵がフラグかも。単語に区切り、"_"を入れ、フラグの形式にする。
ping{LAMBERT_WHAT_A_PRICK}
