Securinets-CTF-2019, Warmup
Warmup, 960 pt
Greetings, fellow code breakers! Today, we embark on a quest to crack the mysterious passcode and unlock the hidden treasure. Get your thinking caps on and let’s dive into this thrilling challenge!
The journey begins as we delve into the depths of the given binary. Upon opening it, we are greeted with a stern demand for a passcode. Ah, the thrill of the unknown! But fear not, brave souls, for we shall conquer this challenge and emerge victorious!
Our first step is to peer into the inner workings of the binary. Armed with our trusty companion, IDA, we start dissecting the code. As the intricate lines unfold before our eyes, we stumble upon a fascinating variable v7 it’s concating == at the end, looks familiar to you? yes it’s base64 encoding (I renamed function name). Aha!
Familiar territory indeed!
With a sense of excitement, we analyze the decompiled code and discover its secrets. Behold! The flag input undergoes the ancient art of base64 encryption. How cunningly clever! But wait, there’s more to uncover!
_int64 __fastcall base64(__int64 flag_input, unsigned int a2, __int64 s_output)
{
unsigned int v3; // eax
unsigned int i; // [rsp+20h] [rbp-20h]
unsigned int v6; // [rsp+24h] [rbp-1Ch]
unsigned int v7; // [rsp+28h] [rbp-18h]
int v8; // [rsp+2Ch] [rbp-14h]
int v9; // [rsp+30h] [rbp-10h]
int v10; // [rsp+34h] [rbp-Ch]
unsigned __int64 v11; // [rsp+38h] [rbp-8h]
v11 = __readfsqword(0x28u);
v6 = 0;
v7 = 0;
for ( i = 0; i < a2; ++i )
{
v3 = v6++;
*(&v8 + v3) = *(_DWORD *)(4LL * i + flag_input);
if ( v6 == 3 )
{
*(_BYTE *)(s_output + v7) = abcd_string[(unsigned __int8)v8 >> 2];
*(_BYTE *)(s_output + v7 + 1) = abcd_string[((unsigned __int8)v9 >> 4) | 16 * (_BYTE)v8 & 48];
*(_BYTE *)(s_output + v7 + 2) = abcd_string[((unsigned __int8)v10 >> 6) | 4 * (_BYTE)v9 & 60];
*(_BYTE *)(s_output + v7 + 3) = abcd_string[v10 & 63];
v6 = 0;
v7 += 4;
}
}
if ( v6 )
{
if ( v6 == 1 )
v9 = 0;
*(_BYTE *)(s_output + v7) = abcd_string[(unsigned __int8)v8 >> 2];
*(_BYTE *)(s_output + v7 + 1) = abcd_string[((unsigned __int8)v9 >> 4) | 16 * (_BYTE)v8 & 48];
if ( v6 == 2 )
*(_BYTE *)(s_output + v7 + 2) = abcd_string[4 * (_BYTE)v9 & 60];
else
*(_BYTE *)(v7 + 2 + s_output) = '=';
*(_BYTE *)(v7 + 3 + s_output) = '=';
v7 += 4;
}
*(_BYTE *)(v7 + s_output) = 0;
return v7;
}
As we progress through the code, we encounter a series of byte operations and a mysterious character array named abcd_string. Our detective instincts kick in, and we decipher the hidden patterns. The pieces of the puzzle slowly fall into place.
Now, it’s time to put our wit and Python skills to the test. Armed with a script and a dash of mischief, we manually traverse the byte operations, dancing with the characters and embracing the absurdity of it all.
Now after that it checks every byte of base64 passcode and all are easy comparision i do it mannually and write a python script.here it is:
s = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
flag = ["?"]*36
flag[0] = s[28]
flag[1] = s[54]
flag[2] = s[(82 >> 2)+1]
flag[3] = "j"
flag[4] = chr(ord(flag[0])+1)
flag[5] = "X"
flag[6] = chr(ord(flag[3])-32)
flag[7] = chr(112)
flag[8] = chr(ord(s[28])-1)
flag[10] = flag[2]
flag[11] = chr(48)
flag[12] = chr(ord(flag[4])-1)
flag[13] = "3"
flag[14] = chr(ord(flag[7])+4)
flag[15] = chr(ord(flag[7])+3)
flag[17] = "3"
flag[18] = chr(ord(flag[7])-30)
flag[19] = chr(122)
flag[20] = "X"
flag[21] = "3"
flag[22] = chr(ord(flag[4])-1)
flag[23] = chr(48)
flag[24] = chr(ord(flag[4])-1)
flag[26] = chr(49)
flag[27] = chr(ord(flag[4])+2)
flag[29] = "X"
flag[30] = flag[18]
flag[31] = flag[27]
flag[9] = chr(ord(flag[27])+7)
flag[16] = chr(ord(flag[9])-32)
flag[25] = chr(ord(flag[27])+7)
flag[28] = flag[16]
flag[32] = flag[4]
flag[33] = "X"
flag[34] = chr(ord(flag[0])-33)
flag[35] = chr(ord(flag[11]) + 9)
print(flag)
flag = ''.join(flag)
try:
print flag.decode('base64')
except:
print('Nope')
flag : securinets{l3ts_w4rm_1t_up}
Let me know what you think of this article on twitter @0xdr3dd or leave a comment below!