[moeCTF solution - 0x01] Reverse


A new field

The general contents of the [moeCTF solution] series are as follows:

Introduction to reverse engineering

25 points

The first challenge is a reverse engineering guide written by Reverier.

Reading to the end of the reverse engineering PDF gives the final flag:

moectf{0hhhhhhh_I_kn0w_hoW_t0_R3v3rs3!}

Welcome To Re!

50 points

Welcome to the world of reverse engineering!

Note: in the challenge archive you will find two binary files. The one without a suffix is a Linux x86_64 executable and the one with a suffix is a Windows x86_64 executable. Both programs have the same verification logic and the same flag; pick either one for reverse analysis. Multiple platforms are provided so that players on different systems can run the challenge program on their own platform. Some challenge programs perform system operations; if your security software reports them as malicious, please ignore it or reverse them in a virtual machine. The challenge programs will not damage your system, so feel free to use them.

Click "View Hint" below to see the hints provided by the challenge author. Sometimes a hint can give you a hand!

I opened a free hint, which suggested using IDA.

Load the binary in IDA64 and decompile it directly with F5. main:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char Str1; // [rsp+20h] [rbp-60h]
  char Str2[8]; // [rsp+50h] [rbp-30h]

  _main();
  strcpy(Str2, "moectf{W3lc0me-T0_th3-W0rld_Of_R3v3rsE!}");
  puts("Welcome to MoeCTF! --by Reverier\nPlease Input your flag and I will check it:");
  scanf("%41s", &Str1);
  if ( !strcmp(&Str1, Str2) )
    puts("Congratulations!");
  else
    puts("Ruaaaaaaaaaaaaa~~~Wrong!");
  getchar();
  getchar();
  return 0;
}

You can see the flag: moectf{W3lc0me-T0_th3-W0rld_Of_R3v3rsE!}

Thank you JavaScript

75 points


Please submit the flag exactly. Format: moectf{xxxx}

After downloading, I see a strange program with only one line:

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('l 1=m(\'k-4-2\');i j 6(){1.2(\'q r p --n o b\');1.2(5 1.4());1.2(`a ${5 1.d(\'9 h e?\')}!`);f 3=g;F(!3){1.2(\'D E 7 B 8:\');3=5 1.4()===\'G{H\'+\'c\'+\'v\'+\'w\'+\'0\'+\'u-\'+\'s\'+\'t\'+\'z\'+\'A\'+\'!}\'}1.2(\'y! x C 7 8!\')}6();',44,44,'|io|write|saidHi|read|await|main|the|flag|Who|Hello|Reverier||ask|you|let|false|are|async|function|console|const|require|written|by|ThankYouJavaScript|MoeCTF|2020|Jav|aS||k_|Y|You|Congratulations|cr|ipt|true|find|Please|input|while|moectf|Fx'.split('|'),0,{}))

Ah, what on earth is this? Formatting it is useless; it is still a single statement, and I cannot tell where the input and output are. node can run it, though.

I tried to restructure it by hand and failed N times.

Looking at the shape of the program, I found the pattern eval(function(p,a,c,k,e,d){...}). A Baidu search showed that this is the signature of a JavaScript obfuscation tool (the "packer"). Changing the leading eval in the original program to console.log and running it again easily removes the obfuscation:

const io = require('console-read-write');
async function main() {
    io.write('MoeCTF 2020 ThankYouJavaScript --written by Reverier');
    io.write(await io.read());
    io.write(`Hello ${await io.ask('Who are you?')}!`);
    let saidHi = false;
    while (!saidHi) {
        io.write('Please input the true flag:');
        saidHi = await io.read() === 'moectf{Fx' + 'c' + 'k_' + 'Y' + '0' + 'u-' + 'Jav' + 'aS' + 'cr' + 'ipt' + '!}';
    }
    io.write('Congratulations! You find the flag!');
}
main();

Get the flag: moectf{Fxck_Y0u-JavaScript!}

Is JavaScript really a language he loves to write~

For the underlying principle, refer to: Cryptography notes -- decoding eval(function(p,a,c,k,e,d))

In fact, this eval(function(p,a,c,k,e,d){...}) carries its own decoding function e(). In "while(c--) if(k[c]) p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]); return p", the p produced by the while loop is the decoded function code. If we delete the "return p" in the source and write the result into a text area instead of returning it, we get the decoded code directly.
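The decoding described above, as an added example that is not part of the original post or the packer: a Python port of the packer's own e() and replacement loop, fed the p, a, c, k arguments copied from the one-liner, so the program is decoded without ever running it.

```python
import re

# Added example (not the challenge's or the packer's code): a stand-alone decoder for
# the eval(function(p,a,c,k,e,d){...}) packer. It reimplements the packer's e() token
# encoder and its replacement loop, but returns the decoded source instead of eval-ing it.

BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def packer_token(n, a):
    """Reproduce e(c): an index written in base `a` (0-9, a-z, then A-Z via chr(c+29))."""
    prefix = "" if n < a else packer_token(n // a, a)
    r = n % a
    return prefix + (chr(r + 29) if r > 35 else BASE36[r])


def unpack_packer(p, a, c, k):
    """Replace every whole-word token e(i) in p with k[i], highest index first.

    Empty dictionary slots (k[i] == "") mean the token already is its own text
    (e.g. the digit '0' and the letters 'c' and 'u' in the flag expression) and are skipped.
    """
    for i in range(c - 1, -1, -1):
        if k[i]:
            pattern = r"\b" + re.escape(packer_token(i, a)) + r"\b"
            p = re.sub(pattern, lambda m, word=k[i]: word, p)
    return p


def extract_flag_literal(src):
    """Join the 'a'+'b'+... string pieces that the decoded code compares the input against."""
    m = re.search(r"===((?:'[^']*'\+?)+)", src)
    if not m:
        return None
    return "".join(re.findall(r"'([^']*)'", m.group(1)))


# The four packer arguments copied from the one-line program above.
PACKED_P = (
    "l 1=m('k-4-2');i j 6(){1.2('q r p --n o b');1.2(5 1.4());"
    "1.2(`a ${5 1.d('9 h e?')}!`);f 3=g;F(!3){1.2('D E 7 B 8:');"
    "3=5 1.4()==='G{H'+'c'+'v'+'w'+'0'+'u-'+'s'+'t'+'z'+'A'+'!}'}"
    "1.2('y! x C 7 8!')}6();"
)
PACKED_A = 44
PACKED_C = 44
PACKED_K = (
    "|io|write|saidHi|read|await|main|the|flag|Who|Hello|Reverier||ask|you|let|"
    "false|are|async|function|console|const|require|written|by|ThankYouJavaScript|"
    "MoeCTF|2020|Jav|aS||k_|Y|You|Congratulations|cr|ipt|true|find|Please|input|"
    "while|moectf|Fx"
).split("|")


def solve_thank_you_javascript():
    """Decode the challenge program and pull the flag out of the decoded source."""
    decoded = unpack_packer(PACKED_P, PACKED_A, PACKED_C, PACKED_K)
    return decoded, extract_flag_literal(decoded)


if __name__ == "__main__":
    source, flag = solve_thank_you_javascript()
    print(source)
    print("flag:", flag)
```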

SimpleRe

100 points

xor xor xor!!!

XOR is really a wonderful operation ~ Note: in the challenge archive you will find two binary files. The one without a suffix is a Linux x86_64 executable and the one with a suffix is a Windows x86_64 executable. You can reverse either of the two programs; they verify the same flag. Multiple platforms are provided so that players on different systems can run the challenge program on their own platform. Some challenge programs perform system operations; if your security software reports them as malicious, please ignore it or reverse them in a virtual machine. The challenge programs will not damage your system, so feel free to use them.

IDA decompiles and finds the key function enc:

Copy it out, make some modifications, and look up the target string at another location:

.data:0000000000404040 aim             db 'rpz|kydKw^qTl@Y/m2f/J-@o^k.,qkb',0

Substitute it in:

#include <stdio.h>

int main()
{
    int result;    // eax
    signed int i4; // [rsp+20h] [rbp-40h]
    signed int i3; // [rsp+24h] [rbp-3Ch]
    signed int i2; // [rsp+28h] [rbp-38h]
    signed int i1; // [rsp+2Ch] [rbp-34h]
    signed int nn; // [rsp+30h] [rbp-30h]
    signed int mm; // [rsp+34h] [rbp-2Ch]
    signed int ll; // [rsp+38h] [rbp-28h]
    signed int kk; // [rsp+3Ch] [rbp-24h]
    signed int jj; // [rsp+40h] [rbp-20h]
    signed int ii; // [rsp+44h] [rbp-1Ch]
    signed int n;  // [rsp+48h] [rbp-18h]
    signed int m;  // [rsp+4Ch] [rbp-14h]
    signed int l;  // [rsp+50h] [rbp-10h]
    signed int k;  // [rsp+54h] [rbp-Ch]
    signed int j;  // [rsp+58h] [rbp-8h]
    signed int i;  // [rsp+5Ch] [rbp-4h]
    char out[] = "rpz|kydKw^qTl@Y/m2f/J-@o^k.,qkb";
    for (i = 0; i <= 30; ++i)
        out[i] ^= 0x17;
    for (j = 0; j <= 30; ++j)
        out[j] ^= 0x39u;
    for (k = 0; k <= 30; ++k)
        out[k] ^= 0x4Bu;
    for (l = 0; l <= 30; ++l)
        out[l] ^= 0x4Au;
    for (m = 0; m <= 30; ++m)
        out[m] ^= 0x49u;
    for (n = 0; n <= 30; ++n)
        out[n] ^= 0x26u;
    for (ii = 0; ii <= 30; ++ii)
        out[ii] ^= 0x15u;
    for (jj = 0; jj <= 30; ++jj)
        out[jj] ^= 0x61u;
    for (kk = 0; kk <= 30; ++kk)
        out[kk] ^= 0x56u;
    for (ll = 0; ll <= 30; ++ll)
        out[ll] ^= 0x1Bu;
    for (mm = 0; mm <= 30; ++mm)
        out[mm] ^= 0x21u;
    for (nn = 0; nn <= 30; ++nn)
        out[nn] ^= 0x40u;
    for (i1 = 0; i1 <= 30; ++i1)
        out[i1] ^= 0x57u;
    for (i2 = 0; i2 <= 30; ++i2)
        out[i2] ^= 0x2Eu;
    for (i3 = 0; i3 <= 30; ++i3)
        out[i3] ^= 0x49u;
    for (i4 = 0; i4 <= 30; ++i4)
        out[i4] ^= 0x37u;
    printf("%s",out);
    return 0;

}

Because XOR encryption and decryption are symmetric, we can compile this directly with gcc and run it to get the flag:

moectf{ThAnKs_F0r-y0U2_pAt13nt}
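Why the sixteen loops can be compiled and run as they are, as an added example (my code, not the challenge's): XOR layers compose, so the sixteen constants fold into one key byte and the target string decodes in a single pass. The script checks the one-pass result against the layered transform from the decompiled main.

```python
from functools import reduce

# Added example (not the challenge's code): the sixteen XOR layers that enc applies are
# equivalent to a single XOR with the key obtained by XORing the sixteen constants together,
# so the target string can be decoded in one pass.

# The per-loop keys, in the order the decompiled main applies them.
LAYER_KEYS = [0x17, 0x39, 0x4B, 0x4A, 0x49, 0x26, 0x15, 0x61,
              0x56, 0x1B, 0x21, 0x40, 0x57, 0x2E, 0x49, 0x37]
# The 31-byte target string found at .data:0000000000404040 (aim).
AIM = b"rpz|kydKw^qTl@Y/m2f/J-@o^k.,qkb"


def fold_xor_keys(keys):
    """Collapse a list of single-byte XOR keys into the one byte they are equivalent to."""
    return reduce(lambda acc, k: acc ^ k, keys, 0)


def xor_layered(data, keys):
    """Apply the keys one after another, exactly as the sixteen loops in main do."""
    out = bytes(data)
    for k in keys:
        out = bytes(b ^ k for b in out)
    return out


def xor_single(data, key):
    """One pass with a single key."""
    return bytes(b ^ key for b in data)


def solve_simple_re():
    """Return (combined key, flag); checks the one-pass result against the layered one."""
    key = fold_xor_keys(LAYER_KEYS)
    flag = xor_single(AIM, key)
    if flag != xor_layered(AIM, LAYER_KEYS):
        raise AssertionError("folded key does not match the layered transform")
    return key, flag.decode("ascii")


if __name__ == "__main__":
    key, flag = solve_simple_re()
    print("combined key: 0x%02X" % key)
    print(flag)
```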

Protection

100 points

Revier once wrote a small program, which was easily cracked by others, who slapped a different logo on it and sold it. Since then, Revier has been looking for ways to protect his programs. For example... putting a layer of clothing on the program.

First IDA: no clue. So, Baidu.

It turns out that few programs are packed on Linux (the spirit of open source), and only a handful of packers are in common use, such as UPX.

Looking at the hex dump of the original program confirms that it is packed with UPX:

0004e6f0: 00 0A 00 24 49 6E 66 6F 3A 20 54 68 69 73 20 66    ...$Info:.This.f
0004e700: 69 6C 65 20 69 73 20 70 61 63 6B 65 64 20 77 69    ile.is.packed.wi
0004e710: 74 68 20 74 68 65 20 55 50 58 20 65 78 65 63 75    th.the.UPX.execu
0004e720: 74 61 62 6C 65 20 70 61 63 6B 65 72 20 68 74 74    table.packer.htt
0004e730: 70 3A 2F 2F 75 70 78 2E 73 66 2E 6E 65 74 20 24    p://upx.sf.net.$
0004e740: 0A 00 24 49 64 3A 20 55 50 58 20 33 2E 39 36 20    ..$Id:.UPX.3.96.
0004e750: 43 6F 70 79 72 69 67 68 74 20 28 43 29 20 31 39    Copyright.(C).19
0004e760: 39 36 2D 32 30 32 30 20 74 68 65 20 55 50 58 20    96-2020.the.UPX.
0004e770: 54 65 61 6D 2E 20 41 6C 6C 20 52 69 67 68 74 73    Team..All.Rights
0004e780: 20 52 65 73 65 72 76 65 64 2E 20 24 0A 00 90 90    .Reserved..$....

Whoever tied the bell must untie it: UPX can also unpack. Run upx -d under Linux to get the unpacked program.

Decompiled source from IDA64:
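A small check for the markers seen in the hex dump above, as an added example (my code, not the challenge's). It looks for the $Info banner and the $Id version string from the dump, plus the "UPX!" magic that UPX writes into its own header (a known UPX marker, not shown in the dump); the sample buffer is the dump's tail decoded to bytes.

```python
import re

# Added example (not the challenge's code): a check for the UPX banner and magic that the
# hex dump above shows, usable before reaching for upx -d. "UPX!" is the marker UPX writes
# into its own header; the $Info and $Id strings are the ones visible in the dump.

UPX_INFO_BANNER = b"$Info: This file is packed with the UPX executable packer"
UPX_MAGIC = b"UPX!"
UPX_VERSION_RE = re.compile(rb"\$Id: UPX (\d+\.\d+)")


def detect_upx(data: bytes) -> dict:
    """Report which UPX markers appear in a byte buffer, plus the banner's version string."""
    version = UPX_VERSION_RE.search(data)
    return {
        "magic": UPX_MAGIC in data,
        "banner": UPX_INFO_BANNER in data,
        "version": version.group(1).decode() if version else None,
    }


def is_upx_packed(data: bytes) -> bool:
    """Either marker is enough to flag the file; the $Info banner is plain text and easily edited out."""
    r = detect_upx(data)
    return r["magic"] or r["banner"]


def detect_upx_file(path: str) -> dict:
    """Same check against a file on disk."""
    with open(path, "rb") as f:
        return detect_upx(f.read())


# Constructed sample: the tail of the hex dump above (from offset 0x4e6f0), decoded to bytes.
SAMPLE_TAIL = (
    b"\x00\n\x00$Info: This file is packed with the UPX executable packer http://upx.sf.net $\n"
    b"\x00$Id: UPX 3.96 Copyright (C) 1996-2020 the UPX Team. All Rights Reserved. $\n\x00\x90\x90"
)

if __name__ == "__main__":
    print(detect_upx(SAMPLE_TAIL))
```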

int __cdecl main(int argc, const char **argv, const char **envp)
{
  signed int i; // [rsp+Ch] [rbp-34h]
  char v5[40]; // [rsp+10h] [rbp-30h]
  unsigned __int64 v6; // [rsp+38h] [rbp-8h]

  v6 = __readfsqword(0x28u);
  printf((unsigned __int64)"please input your flag: ");
  _isoc99_scanf((unsigned __int64)"%28s");
  for ( i = 0; i <= 27; ++i )
  {
    if ( ((unsigned __int8)x[i] ^ (unsigned __int8)v5[i]) != y[i] )
    {
      puts("wrong!", v5);
      return 0;
    }
  }
  puts("right!", v5);
  return 0;
}

Write corresponding decryption script:

x = "aouv#@!V08asdozpnma&*#%!$^&*"
y = [0x0C, 0, 0x10, 0x15, 0x57, 0x26, 0x5A, 0x23, 0x40 ,0x40,0x3E,
0x42, 0x37, 0x30, 9, 0x19, 3, 0x1D, 0x50, 0x43, 7, 0x57, 0x15,
0x7E, 0x51, 0x6D, 0x43, 0x57, 0,0,0,0]

# [0x0C, 0, 0x10, 0x15, 0x57, 0x26, 0x5A, 0x23, 2,0x3E,
# 0x42, 0x37, 0x30, 9, 0x19, 3, 0x1D, 0x50, 0x43, 7, 0x57, 0x15,
# 0x7E, 0x51, 0x6D, 0x43, 0x57, 4]
# ((unsigned __int8)x[i] ^ (unsigned __int8)v5[i]) != y[i] )
flag = ''
for i in range(28):
    flag = flag + chr(ord(x[i]) ^ y[i])

print(flag)

Get the flag: moectf{upx_1S_simp1e-t0_u3e}

Real EasyPython

100 points

Life is short. I use pyyyyyyyython

Environment: Python 3.7.8 x86_64

Q&A

  • What is the problem?

Python reverse.

  • How?

uncompyle, have a nice trip.

According to the prompt, decompile with uncompyle6:

uncompyle6 -o puzz.py puzzle.pyc
# uncompyle6 version 3.7.4
# Python bytecode 3.7 (3394)
# Decompiled from: Python 3.8.2 (default, Jul 16 2020, 14:00:26) 
# [GCC 9.3.0]
# Embedded file name: ./source.py
# Compiled at: 2020-08-03 20:55:47
# Size of source mod 2**32: 515 bytes
key = [
 115, 76, 50, 116, 90, 50, 116, 90, 115, 110, 48, 47, 87, 48, 103, 50, 106, 126, 90, 48, 103, 116, 126, 90, 85, 126, 115, 110, 105, 104, 35]
print('Input your flag: ', end='')
flag = input()
out = []
for i in flag:
    out.append(ord(i) >> 4 ^ ord(i))

if len(out) != len(key):
    print('TRY AGAIN!')
    exit()
for i in range(len(out)):
    if out[i] != key[i]:
        print('TRY AGAIN!')
        exit()

print('you are right! the flag is : moectf{%s}' % flag)

Write the corresponding decryption script:

key = [
 115, 76, 50, 116, 90, 50, 116, 90, 115, 110, 48, 47, 87, 48, 103, 50, 106, 126, 90, 48, 103, 116, 126, 90, 85, 126, 115, 110, 105, 104, 35]

out1 = ''
for i in key:
    ii = i
    out1 = out1 + chr(ii >> 4 ^ ii)

print(out1)

Get flag:

moectf{tH1s_1s_th3-R3a1ly_3asy_Python!}

On the principle of Python compilation, reference (the original author could not be found; will be removed on request):

1. Is Python an interpreted language?

When I first learned Python, the first thing I heard about Python was that it is an interpreted language. I believed it until I discovered the existence of pyc files. If it is an interpreted language, what are these generated pyc files? The c should be an abbreviation of compiled!

To prevent other Python learners from being misled by this statement, let's clarify this question, and some basic concepts along the way.

2. Interpreted languages and compiled languages

Computers cannot understand high-level languages, so when we run a high-level language program we need a "translator" to carry out the process of turning the high-level language into machine language the computer can understand. This process falls into two categories: the first is compilation, the second is interpretation.

For a compiled language, before the program is executed a compiler first performs a compilation step that converts the program into machine language. At run time no translation is needed; the program can be executed directly. The most typical example is C.

An interpreted language has no such compilation step. Instead, while the program is running, the interpreter interprets the program line by line and then runs it directly. The most typical example is Ruby.

From the above examples we can summarize the advantages and disadvantages of interpreted and compiled languages. Because a compiled language has already "translated" the program before it runs, there is less "translation" work at run time, so efficiency is relatively high. However, we cannot generalize: some interpreted languages can, through optimizations in the interpreter, optimize the program as a whole while translating it, and so surpass compiled languages in efficiency.

In addition, with the rise of virtual-machine-based languages such as Java, we can no longer simply divide languages into interpreted and compiled.

Take Java as an example. Java is first compiled into bytecode files by the compiler, and at run time the interpreter then interprets the bytecode into machine code. So we say that Java is a language that is compiled first and then interpreted.

3. What is Python?

In fact, Python, like Java and C#, is also a virtual-machine-based language. Let's get a surface-level understanding of how a Python program runs.

When we type python hello.py on the command line, we actually start Python's "interpreter" and tell it to get to work. However, before "interpretation", the first job it performs, as in Java, is compilation.

Students familiar with Java can think about how a Java program is run on the command line:

javac hello.java

java hello

It's just that when we use an IDE such as Eclipse, the two steps are merged into one. In fact Python is the same: when we run python hello.py, it also goes through such a process. So we should describe Python this way: Python is a language that is compiled first and then interpreted.

4. A brief description of how a Python program runs

Before discussing this, let's introduce two concepts: PyCodeObject and the pyc file.

The pyc file is the one we see on disk, needless to say; the PyCodeObject is what the Python compiler actually produces. Just note this for now and keep reading.

When a Python program runs, the compiled result is saved in a PyCodeObject in memory. When the program has finished running, the Python interpreter writes the PyCodeObject back into a pyc file.

When the Python program runs a second time, it first looks for the pyc file on disk. If it is found, it is loaded directly; otherwise the above process is repeated.

Therefore we should understand PyCodeObject and the pyc file this way: the pyc file is really a form of persistent storage for the PyCodeObject.

Also refer to the official documentation.
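What "a pyc is a persisted PyCodeObject" means in practice, as an added example (my code, not the challenge's or the quoted article's): a constructed snippet of the puzzle is compiled to a pyc, then the header is parsed and the code object unmarshalled without any decompiler; uncompyle6 starts from exactly this object. Assumes CPython 3.7 or newer (16-byte pyc header).

```python
import importlib.util
import marshal
import os
import py_compile
import struct
import tempfile

# Added example (not the challenge's code): the pyc file is a serialized PyCodeObject
# behind a small header, which is what uncompyle6 works from. This compiles a
# constructed snippet of the puzzle to a pyc, then reads the header and unmarshals the
# code object without any decompiler. Assumes CPython 3.7+ (16-byte pyc header).

SAMPLE_SOURCE = (
    "key = [115, 76, 50]\n"
    "flag = 'sL2'\n"
    "out = []\n"
    "for i in flag:\n"
    "    out.append(ord(i) >> 4 ^ ord(i))\n"
)


def compile_to_pyc(source_text: str) -> str:
    """Write source_text to a temp source.py and compile it to puzzle.pyc; return the pyc path."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "source.py")
    with open(src, "w", encoding="utf-8") as f:
        f.write(source_text)
    pyc = os.path.join(workdir, "puzzle.pyc")
    py_compile.compile(src, cfile=pyc, doraise=True)
    return pyc


def inspect_pyc(path: str) -> dict:
    """Parse the 16-byte header and unmarshal the PyCodeObject stored after it."""
    with open(path, "rb") as f:
        magic, flags = struct.unpack("<4sI", f.read(8))
        word1, word2 = struct.unpack("<II", f.read(8))
        code = marshal.load(f)
    hash_based = bool(flags & 1)
    return {
        "magic_ok": magic == importlib.util.MAGIC_NUMBER,
        "hash_based": hash_based,
        # Timestamp pycs carry (source mtime, source size); hash pycs carry a source hash instead.
        "source_mtime": None if hash_based else word1,
        "source_size": None if hash_based else word2,
        "names": set(code.co_names),
        "filename": code.co_filename,
        "code": code,
    }


def inspect_sample() -> dict:
    """Compile and inspect the constructed snippet."""
    return inspect_pyc(compile_to_pyc(SAMPLE_SOURCE))


if __name__ == "__main__":
    import dis
    info = inspect_sample()
    print({k: v for k, v in info.items() if k != "code"})
    dis.dis(info["code"])  # the bytecode that uncompyle6 turns back into source
```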

RxEncode

150 points

To stop his software from being cracked easily, Revier took great pains to write a password verification program. But is such a simple program really useful? As a reverse engineering god, you should be able to solve this easily.

I won't do this one. I don't have enough time for it.

This will be filled in once the official writeup is out.

_(:з」∠)_

EasyCommonLISP

150 points

Revier bought two pedals

When luoqi@n asked what he was going to do, he replied, "programming."

  • How to run:

Install clisp in a Linux x86_64 environment and run the command

clisp ./puzzle.lisp

First look at the question:

(defparameter +alphabet+"AB#DEd@f&hi!klmnLMw3^5678N}PF|HIxyz012JKYZab%Q{S(UVWX-pqrs")(defparameter +len+(length +alphabet+))(defun divmod(number divisor)(values(floor(/ number divisor))(mod number divisor)))(defun encode(str)(let((value 0)(rstr(reverse str))(output(make-string-output-stream))(npad 0))(loop for i from 0 to(1- (length str))do(setf value(+ value(*(char-code(elt rstr i))(expt 256 i)))))(loop while(>= value +len+)do(multiple-value-bind(new-value mod)(divmod value +len+)(setf value new-value)(write-char(elt +alphabet+ mod) output)))(write-char(elt +alphabet+ value)output)(loop for char across str do(if(char-equal char #\Nul)(incf npad)(return)))(concatenate 'string(coerce(loop for i from 1 to npad collecting #\1)'string)(reverse(get-output-stream-string output)))))(print(encode "moectf{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}"))

;;;; eof
;;;; flag is "&Dx16Y!x3((xYDlShWbQ5hmzWf3EZly6h8UwD#d-1-&#WlDHJaxM5qAzlPP"

errr, another one-line program

Format it a little:

(defparameter +alphabet+"AB#DEd@f&hi!klmnLMw3^5678N}PF|HIxyz012JKYZab%Q{S(UVWX-pqrs")
(defparameter +len+(length +alphabet+))
(defun divmod(number divisor)(values(floor(/ number divisor))(mod number divisor)))
(defun encode(str)
    (let ((value 0)(rstr (reverse str ))( output ( make-string-output-stream ) )( npad 0))
        (loop for i from 0 to(1- (length str)) do 
            (setf value(+ value(*(char-code(elt rstr i))(expt 256 i))))
        )
        (loop while(>= value +len+)do
            (multiple-value-bind(new-value mod)(divmod value +len+)(setf value new-value)(write-char(elt +alphabet+ mod) output))
        )
        (write-char(elt +alphabet+ value)output)
        (loop for char across str do
            (if(char-equal char #\Nul)(incf npad)(return))
        )
        (concatenate 'string(coerce(loop for i from 1 to npad collecting #\1)'string)
            (reverse(get-output-stream-string output))
        )
    )
)
(print(encode "moectf{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}"))

;;;; eof
;;;; flag is "&Dx16Y!x3((xYDlShWbQ5hmzWf3EZly6h8UwD#d-1-&#WlDHJaxM5qAzlPP"

Errrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr

Suddenly I really want to learn Lisp. The grammatical structures of other languages are all unified in Lisp with parentheses (›´ω`‹) It's wonderful.

Since this is the language of God, how can ordinary people like us understand it? So I wrote a script (hehe):

import os

oFlag = 'woO0Oow_Y0u-ar3_th3_g0D_0f_LIIIISP!}"))'   # hand-torn part
for Ichr in range(35,127):
    lisp = r"""
    (defparameter +alphabet+"AB#DEd@f&hi!klmnLMw3^5678N}PF|HIxyz012JKYZab%Q{S(UVWX-pqrs")
    (defparameter +len+(length +alphabet+))
    (defun divmod(number divisor)(values(floor(/ number divisor))(mod number divisor)))
    (defun encode(str)
        (let ((value 0)(rstr (reverse str ))( output ( make-string-output-stream ) )( npad 0))
            (loop for i from 0 to(1- (length str)) do (setf value(+ value(*(char-code(elt rstr i))(expt 256 i)))))
            (loop while(>= value +len+)do(multiple-value-bind(new-value mod)(divmod value +len+)(setf value new-value)(write-char(elt +alphabet+ mod) output)))
            (write-char(elt +alphabet+ value)output)
            (loop for char across str do(if(char-equal char #\Nul)(incf npad)(return)))
            (concatenate 'string(coerce(loop for i from 1 to npad collecting #\1)'string)(reverse(get-output-stream-string output)))
        )
    )
    (print(encode "moectf{"""

    charE = chr(Ichr) #32~126
    IcharE = 34

    o = list(oFlag)
    o[IcharE] = charE
    oFlag = ''.join(o)

    lisp = lisp + oFlag

    f_write = open("hackfile.lisp", mode='w')
    f_write.writelines(lisp)
    f_write.close()

    flag = "&Dx16Y!x3((xYDlShWbQ5hmzWf3EZly6h8UwD#d-1-&#WlDHJaxM5qAzlPP"
    val = os.popen('clisp hackfile.lisp')
    val.readline()
    out = val.readline()
    out = out[1:-2]
    for i in range(len(flag)):
        # print(out[i] , flag[i])
        if(out[i] != flag[i]):
            break
    print(i,oFlag)

It's just a crude method and I don't want to go into detail. The general idea is that when the Lisp encrypts the flag, the ciphertext is produced section by section, but adjacent characters still have a small influence on the encryption result. The plaintext could therefore be solved by depth-first or breadth-first search, but I was lazy: I wrote just a little and then tore it by hand, as a manual depth-first search. Besides, the flag is a meaningful string, so tearing it by hand is very convenient.

flag: moectf{woO0Oow_Y0u-ar3_th3_g0D_0f_LIIIISP!}
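The encode read the other way round, as an added example (my code, not the challenge's): the Lisp sums char-code * 256^i over the reversed string, which is just the whole string as one big-endian integer, and then writes that integer in base 58 with the challenge's alphabet. The inverse is therefore a plain base conversion, so the flag falls out directly instead of by search.

```python
# Added example (not the challenge's code): a Python port of the Lisp encode above. It
# reads the whole string as one big-endian integer and writes it in base 58 with the
# challenge's alphabet, so the inverse is a plain base conversion and no search is needed.

ALPHABET = "AB#DEd@f&hi!klmnLMw3^5678N}PF|HIxyz012JKYZab%Q{S(UVWX-pqrs"
BASE = len(ALPHABET)  # 58


def lisp_encode(data: bytes) -> str:
    """Mirror encode: sum(code * 256**i over the reversed string) is the big-endian integer;
    repeated divmod by 58 emits digits least-significant first, then the digits are reversed."""
    value = int.from_bytes(data, "big")
    digits = []
    while value >= BASE:
        value, mod = divmod(value, BASE)
        digits.append(ALPHABET[mod])
    digits.append(ALPHABET[value])
    # The Lisp prefixes one '1' per leading NUL character of the input.
    npad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * npad + "".join(reversed(digits))


def lisp_decode(text: str) -> bytes:
    """Inverse base conversion. '1' is also alphabet digit 36, so the Lisp's NUL padding is
    ambiguous; every character is treated as a digit, which is correct for any input
    without leading NUL bytes (such as the flag)."""
    value = 0
    for ch in text:
        value = value * BASE + ALPHABET.index(ch)
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


# The ciphertext given in the puzzle's trailing comment.
CIPHERTEXT = "&Dx16Y!x3((xYDlShWbQ5hmzWf3EZly6h8UwD#d-1-&#WlDHJaxM5qAzlPP"


def solve_easy_common_lisp() -> str:
    """Decode the ciphertext straight back to the flag."""
    return lisp_decode(CIPHERTEXT).decode("ascii")


if __name__ == "__main__":
    print(solve_easy_common_lisp())
```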

This part will be updated after the official writeup comes out

EzJava

200 points

Deliver coffee to the boss~

  • Link:

What is Java? Can you drink it?

Can you drink it? Java is a programming language; refer to: link

What special reverse engineering tools does Java have?

I recently had a Java class in which the teacher asked us to use Eclipse as the IDE, so I installed the JD-Eclipse plugin for decompilation; see this. Of course, there are many other methods.

The source code obtained by decompilation is as follows:

import java.io.PrintStream;

public class EasyJava {
  public static void main(String[] paramArrayOfString) {
    System.out.println("MoeCTF 2020 EasyJava --by Reverier");
    System.out.println("Input your flag and I will check it:");
    java.io.BufferedReader localBufferedReader = new java.io.BufferedReader(new java.io.InputStreamReader(System.in));
    String str1 = null;
    int[] arrayOfInt = { 43, 23, 23, 62, 110, 66, 94, 99, 126, 68, 43, 62, 76, 110, 22, 5, 15, 111, 86, 75, 78, 83, 86, 0, 85, 86 };
    try
    {
      str1 = localBufferedReader.readLine();
    } catch (Exception localException) {
      System.out.println("ERROR: Undefined Exception.");
    }
    if (str1.isEmpty()) {
      System.out.println("Nothing received.");
    } else { if (str1.length() != 35) {
        System.out.println("Rua~~~Wrong!");
        return;
      }
      String str2 = str1.substring(0, 7);
      if (!str2.equals("moectf{")) {
        System.out.println("Rua~~~Wrong!");
        return;
      }
      String str3 = str1.substring(7, str1.length() - 1);
      for (int i = 0; i < str3.length() - 1; i++) {
        int j = str3.charAt(i);
        int k = str3.charAt(i + 1);
        int m = j ^ k;
        if (m != arrayOfInt[i]) {
          System.out.println("Rua~~~Wrong!");
          return;
        }
      }
      System.out.println("Congratulations!");
    }
  }
}

/* Location:           D:\code\Javastudio\tes
 * Qualified Name:     EasyJava
 * Java Class Version: 13 (57.0)
 * JD-Core Version:    0.7.1
 */

Write the corresponding decryption script as follows:

"""
35==moectf{xxxxxxxxxxxxx}
xxxxxxxxxx==35-8=27
int[] arrayOfInt = { 43, 23, 23, 62, 110, 66, 94, 99, 126, 68, 43, 62, 76, 110, 22, 5, 15, 111, 86, 75, 78, 83, 86, 0, 85, 86 };          
  String str3 = str1.substring(7, str1.length() - 1);
/* 28 */       for (int i = 0; i < str3.length() - 1; i++) {
/* 29 */         int j = str3.charAt(i);
/* 30 */         int k = str3.charAt(i + 1);
/* 31 */         int m = j ^ k;
/* 32 */         if (m != arrayOfInt[i]) {
/* 33 */           System.out.println("Rua~~~Wrong!");
/* 34 */           return;
"""
import string

def findit(l,r):
    if (r-l == 1):
        ans = []
        for i in dic:
            for j in dic:
                try:
                    if i ^ j == arrayOfInt[l]:
                        ans.append(bytes(chr(i)+chr(j),encoding='utf-8'))
                except:
                    print(l)    
        return ans
    if(r-l == 0):
        ans = []
        for i in dic:
            ans.append(bytes(chr(i),encoding='utf-8'))
        return ans
    s1 = findit(l,r-2)
    s2 = findit(r-1,r)
    ans = []
    for ans1 in s1:
        for ans2 in s2:
            if (arrayOfInt[r-2] == ans1[-1] ^ ans2[0]):
                ans.append(ans1+ans2)
    return ans
arrayOfInt = [ 43, 23, 23, 62, 110, 66, 94, 99, 126, 68, 43, 62, 76, 110, 22, 5, 15, 111, 86, 75, 78, 83, 86, 0, 85, 86 ]
print(len(arrayOfInt))
dic = bytes( string.printable,encoding='utf-8')
print(dic)
print(findit(1,26))

# [b'ava_1s-N0t_a-CUP_0f-c0ff3e', b'bub\\2p.M3w\\b.@VS\\3e.`3ee0f', b'ctc]3q/L2v]c/AWR]2d/a2dd1g', b'dsdZ4v(K5qZd(FPUZ5c(f5cc6`', b'ere[5w)J4p[e)GQT[4b)g4bb7a', b'fqfX6t*I7sXf*DRWX7a*d7aa4b', b'gpgY7u+H6rYg+ESVY6`+e6``5c', b'i~iW9{%F8|Wi%K]XW8n%k8nn;m', b"k|kU;y'D:~Uk'I_ZU:l'i:ll9o", b'l{lR<~ C=yRl NX]R=k n=kk>h', b'nynP>|"A?{Pn"LZ_P?i"l?ii<j', b'oxoQ?}#@>zQo#M[^Q>h#m>hh=k', b'pgpN b<_!eNp<RDAN!w<r!ww"t', b'qfqO!c=^ dOq=SE@O v=s vv#u', b'rerL"`>]#gLr>PFCL#u>p#uu v', b'sdsM#a?\\"fMs?QGBM"t?q"tt!w', b'tctJ$f8[%aJt8V@EJ%s8v%ss&p', b"ubuK%g9Z$`Ku9WADK$r9w$rr'q", b"vavH&d:Y'cHv:TBGH'q:t'qq$r", b"w`wI'e;X&bIw;UCFI&p;u&pp%s", b'ynyG)k5V(lGy5[MHG(~5{(~~+}', b'zmzD*h6U+oDz6XNKD+}6x+}}(~', b'`w`^0r,O1u^`,BTQ^1g,b1gg2d', b'|k|B,n0S-iB|0^HMB-{0~-{{.x', b'~i~@.l2Q/k@~2\\JO@/y2|/yy,z']
# 'moectf{Java_1s-N0t_a-CUP_0f-c0ff3e}'

Note: here I also foolishly wrote an ugly recursive solution, and the list's boundary handling still has a problem. After writing it I realized it can be decrypted directly using the symmetry of XOR _(:τ」∠)_

Whatever, just have a flag: moectf{Java_1s-N0t_a-CUP_0f-c0ff3e}

Ohhhhh, I can Jvav now la

RollCall

200 points

Sometimes you can't stick to one approach

In the software's settings, change the gender of any student to 2, save, and restart the software to obtain the flag.

If you obtain the flag by reversing the main program, be sure to contact the administrator for extra points and receive our worship.

After downloading and opening the program, it looks like this:

Open the software settings: the gender can be modified, but only 0 and 1 are accepted:

Looking at this fancy interface, decompiling it directly is not intuitive, so look in the program's folder instead and check whether there is a database:

.
├── CSkin.dll
├── datedata
├── EntityFramework.dll
├── EntityFramework.SqlServer.dll
├── number
├── RandomNames13.0.exe
├── SQLite-net.dll
├── SQLitePCLRaw.batteries_green.dll
├── SQLitePCLRaw.batteries_v2.dll
├── SQLitePCLRaw.core.dll
├── SQLitePCLRaw.provider.e_sqlite3.dll
├── System.Data.SQLite.dll
├── System.Data.SQLite.EF6.dll
├── System.Data.SQLite.Linq.dll
├── UserData.sqlite               # <-- yes, that's it
├── x64
│   ├── e_sqlite3.dll
│   ├── sqlite3.dll
│   └── SQLite.Interop.dll
└── x86
    ├── e_sqlite3.dll
    ├── sqlite3.dll
    └── SQLite.Interop.dll

An SQLite database. Under Windows there is a GUI tool, SQLiteSpy, with which it can be edited easily.

Arbitrarily modify one user's gender, open the program again, and the flag pops out.

Couldn't get the extra points and the worship (o´ェo)
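The same edit done with Python's sqlite3 module instead of SQLiteSpy, as an added example (my code, not the challenge's). The real UserData.sqlite schema is not shown on the page, so the table and column names (students, name, gender) are assumptions; list_columns() is there to discover the real names from sqlite_master first.

```python
import sqlite3

# Added example (not the challenge's code): the gender edit done with Python's sqlite3
# instead of SQLiteSpy. The real UserData.sqlite schema is not shown on the page, so the
# table and column names below (students, name, gender) are an assumption; list_columns()
# exists precisely so the real names can be discovered first.


def list_columns(conn: sqlite3.Connection) -> dict:
    """Map each user table to its column names, read from sqlite_master and PRAGMA table_info."""
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    return {t: [col[1] for col in conn.execute('PRAGMA table_info("%s")' % t)] for t in tables}


def find_gender_columns(conn: sqlite3.Connection):
    """Return (table, column) pairs whose column name looks like a gender field."""
    return [(t, c) for t, cols in list_columns(conn).items()
            for c in cols if c.lower() in ("gender", "sex")]


def set_gender(conn: sqlite3.Connection, table: str, column: str, key_column: str,
               key_value, new_value: int) -> int:
    """Set one row's gender to new_value; returns the number of rows changed."""
    # Identifiers are quoted; only the values go through bound parameters.
    sql = 'UPDATE "%s" SET "%s" = ? WHERE "%s" = ?' % (table, column, key_column)
    cur = conn.execute(sql, (new_value, key_value))
    conn.commit()
    return cur.rowcount


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for UserData.sqlite (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, gender INTEGER)")
    conn.executemany("INSERT INTO students (name, gender) VALUES (?, ?)",
                     [("Alice", 0), ("Bob", 1), ("Carol", 0)])
    conn.commit()
    return conn


def demo() -> list:
    """Set Bob's gender to 2 (the value the GUI refuses) and return the resulting rows."""
    conn = build_sample_db()
    table, column = find_gender_columns(conn)[0]
    set_gender(conn, table, column, "name", "Bob", 2)
    return conn.execute("SELECT name, gender FROM students ORDER BY id").fetchall()


if __name__ == "__main__":
    print(demo())
```

For the program's author the lesson is that input validation in the GUI does nothing while the SQLite file itself stays writable by the user; the check has to live in the code that reads the data back.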

[moeCTF solution-0x01] Android

[moeCTF solution - 0x01] IoT

Unfinished, to be continued

Tags: CTF

Posted by Qben on Thu, 12 May 2022 11:51:51 +0300