[KKSI 2019] – siapGRAAK – PETIR CYBER SECURITY

Soal ini dapat kalian download disini

Pada kita diberikan soal berupa ELF 64-bit.

root@kali:~# file siapGRAAK 
siapGRAAK: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=a8680e08d2a4cd7f23306ac67459036c1f914f7e, not stripped

1 2	root@kali:~# file siapGRAAK siapGRAAK: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=a8680e08d2a4cd7f23306ac67459036c1f914f7e, not stripped

kita coba jalankan program ini terlebih dahulu,

root@kali:~# ./siapGRAAK 
Flag nya apa nih Kang ?:
iWantThatFLagg
SALAH NIH

root@kali:~# ./siapGRAAK

Flag nya apa nih Kang ?:

iWantThatFLagg

SALAH NIH

kita coba lihat program ini menggunakan IDA pro 64-bit, dan pada mainnya terdapat psudeocode seperti ini,

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int result; // eax
  size_t i; // [rsp+0h] [rbp-C0h]
  size_t v5; // [rsp+8h] [rbp-B8h]
  char s2[8]; // [rsp+10h] [rbp-B0h]
  __int64 v7; // [rsp+18h] [rbp-A8h]
  __int64 v8; // [rsp+20h] [rbp-A0h]
  int v9; // [rsp+28h] [rbp-98h]
  __int16 v10; // [rsp+2Ch] [rbp-94h]
  char s[136]; // [rsp+30h] [rbp-90h]
  unsigned __int64 v12; // [rsp+B8h] [rbp-8h]

  v12 = __readfsqword(0x28u);
  *(_QWORD *)s2 = -821479746076235608LL;
  v7 = -4697167109371201534LL;
  v8 = -6839456764105678448LL;
  v9 = 1520982160;
  v10 = 61;
  puts("Flag nya apa nih Kang ?:");
  fgets(s, 128, stdin);
  s[strlen(s) - 1] = 0;
  v5 = strlen(s);
  for ( i = 0LL; i < v5; ++i )
    s[i] = get_tbl_entry((unsigned int)s[i]);
  if ( v5 == 29 )
  {
    if ( !strncmp(s, s2, 0x1EuLL) )
    {
      puts("YESSS BERHASIL");
      result = 0;
    }
    else
    {
      puts("SALAH NIH");
      result = 1;
    }
  }
  else
  {
    puts("SALAH NIH");
    result = 1;
  }
  return result;
}

int __cdecl main(int argc, const char **argv, const char **envp)

{

int result; // eax

size_t i; // [rsp+0h] [rbp-C0h]

size_t v5; // [rsp+8h] [rbp-B8h]

char s2[8]; // [rsp+10h] [rbp-B0h]

__int64 v7; // [rsp+18h] [rbp-A8h]

__int64 v8; // [rsp+20h] [rbp-A0h]

int v9; // [rsp+28h] [rbp-98h]

__int16 v10; // [rsp+2Ch] [rbp-94h]

char s[136]; // [rsp+30h] [rbp-90h]

unsigned __int64 v12; // [rsp+B8h] [rbp-8h]

v12 = __readfsqword(0x28u);

*(_QWORD *)s2 = -821479746076235608LL;

v7 = -4697167109371201534LL;

v8 = -6839456764105678448LL;

v9 = 1520982160;

v10 = 61;

puts("Flag nya apa nih Kang ?:");

fgets(s, 128, stdin);

s[strlen(s) - 1] = 0;

v5 = strlen(s);

for ( i = 0LL; i < v5; ++i )

s[i] = get_tbl_entry((unsigned int)s[i]);

if ( v5 == 29 )

{

if ( !strncmp(s, s2, 0x1EuLL) )

{

puts("YESSS BERHASIL");

result = 0;

}

else

{

puts("SALAH NIH");

result = 1;

}

else

{

puts("SALAH NIH");

result = 1;

}

return result;

}

dapat dipahami bahwa inputan kita dilakukan pengolahan pada fungsi get_tbl_entry() pada setiap char inputan kita. Mari kita lihat isi dari fungsi tersebut,

__int64 __fastcall get_tbl_entry(char a1)
{
  unsigned __int64 i; // [rsp+Ch] [rbp-8h]

  for ( i = 0LL; i <= 0xFE; ++i )
  {
    if ( a1 == *((_BYTE *)&trans_tbl + 2 * i) )
      return byte_201021[2 * i];
  }
  return 0LL;
}

__int64 __fastcall get_tbl_entry(char a1)

{

unsigned __int64 i; // [rsp+Ch] [rbp-8h]

for ( i = 0LL; i <= 0xFE; ++i )

{

if ( a1 == *((_BYTE *)&trans_tbl + 2 * i) )

return byte_201021[2 * i];

}

return 0LL;

}

ternyata inputan kita di bandingkan dengan sesuatu yang terdapat pada byte_201021, Coba kita lihat juga apa yang ada di sana

.data:0000000000201021 ; unsigned __int8 byte_201021[508]
.data:0000000000201021 byte_201021     db 0C0h, 2, 0FCh, 3, 42h, 4, 0B2h, 5, 0A0h, 6, 0Ah, 7
.data:0000000000201021                                         ; DATA XREF: get_tbl_entry+33↑o
.data:0000000000201021                 db 4Ch, 8, 13h, 9, 3, 0Ah, 4Eh, 0Bh, 0AAh, 0Ch, 0F9h, 0Dh
.data:0000000000201021                 db 55h, 0Eh, 0E9h, 0Fh, 6Bh, 10h, 86h, 11h, 60h, 12h, 0CFh
.data:0000000000201021                 db 13h, 94h, 14h, 31h, 15h, 0A6h, 16h, 9Bh, 17h, 10h, 18h
.data:0000000000201021                 db 0F6h, 19h, 0AEh, 1Ah, 78h, 1Bh, 0DDh, 1Ch, 53h, 1Dh
.data:0000000000201021                 db 0D8h, 1Eh, 0DEh, 1Fh, 0DAh, 20h, 8Fh, 21h, 0CEh, 22h
.data:0000000000201021                 db 7Ah, 23h, 9Fh, 24h, 22h, 25h, 8, 26h, 0FBh, 27h, 7Fh
.data:0000000000201021                 db 28h, 25h, 29h, 1Bh, 2Ah, 68h, 2Bh, 0A3h, 2Ch, 9, 2Dh
.data:0000000000201021                 db 0D9h, 2Eh, 0A5h, 2Fh, 5Dh, 30h, 84h, 31h, 99h, 32h
.data:0000000000201021                 db 85h, 33h, 0A2h, 34h, 9Eh, 35h, 0ADh, 36h, 2Ch, 37h
.data:0000000000201021                 db 0B4h, 38h, 0B7h, 39h, 0F4h, 3Ah, 9Ch, 3Bh, 0B5h, 3Ch
.data:0000000000201021                 db 87h, 3Dh, 41h, 3Eh, 96h, 3Fh, 0EBh, 40h, 0C5h, 41h
.data:0000000000201021                 db 0A1h, 42h, 48h, 43h, 2Bh, 44h, 8Ch, 45h, 20h, 46h, 0FEh
.data:0000000000201021                 db 47h, 6Ah, 48h, 3Ah, 49h, 0F8h, 4Ah, 0CBh, 4Bh, 0A8h
.data:0000000000201021                 db 4Ch, 1Ah, 4Dh, 0Ch, 4Eh, 47h, 4Fh, 73h, 50h, 0E7h, 51h
.data:0000000000201021                 db 28h, 52h, 0Dh, 53h, 0F2h, 54h, 0D6h, 55h, 5Ah, 56h
.data:0000000000201021                 db 0BBh, 57h, 0D4h, 58h, 5Bh, 59h, 0EEh, 5Ah, 1, 5Bh, 0D3h
.data:0000000000201021                 db 5Ch, 29h, 5Dh, 67h, 5Eh, 3Fh, 5Fh, 0CDh, 60h, 12h, 61h
.data:0000000000201021                 db 5Eh, 62h, 4Dh, 63h, 81h, 64h, 93h, 65h, 0D0h, 66h, 1Dh
.data:0000000000201021                 db 67h, 35h, 68h, 15h, 69h, 90h, 6Ah, 64h, 6Bh, 0C4h, 6Ch
.data:0000000000201021                 db 0E4h, 6Dh, 91h, 6Eh, 4Fh, 6Fh, 66h, 70h, 69h, 71h, 30h
.data:0000000000201021                 db 72h, 58h, 73h, 0BEh, 74h, 0A7h, 75h, 82h, 76h, 0FAh
.data:0000000000201021                 db 2 dup(77h), 78h, 2Ah, 79h, 97h, 7Ah, 0F1h, 7Bh, 2, 7Ch
.data:0000000000201021                 db 4Ah, 7Dh, 3Dh, 7Eh, 8Dh, 7Fh, 50h, 80h, 0EDh, 81h, 40h
.data:0000000000201021                 db 82h, 0DBh, 83h, 6Dh, 84h, 0B8h, 85h, 74h, 86h, 3Ch
.data:0000000000201021                 db 87h, 0D7h, 88h, 0C6h, 89h, 19h, 8Ah, 62h, 8Bh, 0B3h
.data:0000000000201021                 db 8Ch, 0BCh, 8Dh, 0DCh, 8Eh, 0E8h, 8Fh, 89h, 90h, 5, 91h
.data:0000000000201021                 db 56h, 92h, 9Dh, 93h, 72h, 94h, 0A9h, 95h, 0EAh, 96h
.data:0000000000201021                 db 0AFh, 97h, 70h, 98h, 0E1h, 99h, 0C7h, 9Ah, 0F0h, 9Bh
.data:0000000000201021                 db 3Eh, 9Ch, 0DFh, 9Dh, 4Bh, 9Eh, 7Bh, 9Fh, 11h, 0A0h
.data:0000000000201021                 db 0BDh, 0A1h, 0E5h, 0A2h, 0C3h, 0A3h, 0D1h, 0A4h, 0Bh
.data:0000000000201021                 db 0A5h, 38h, 0A6h, 80h, 0A7h, 32h, 0A8h, 7Ch, 0A9h, 83h
.data:0000000000201021                 db 0AAh, 0C1h, 0ABh, 36h, 0ACh, 51h, 0ADh, 2Fh, 0AEh, 23h
.data:0000000000201021                 db 0AFh, 63h, 0B0h, 0EFh, 0B1h, 1Ch, 0B2h, 18h, 0B3h, 0A4h
.data:0000000000201021                 db 0B4h, 14h, 0B5h, 0FFh, 0B6h, 0E6h, 0B7h, 0CCh, 0B8h
.data:0000000000201021                 db 0B0h, 0B9h, 0F7h, 0BAh, 7Dh, 0BBh, 0ECh, 0BCh, 26h
.data:0000000000201021                 db 0BDh, 0E0h, 0BEh, 8Bh, 0BFh, 61h, 0C0h, 0C8h, 0C1h
.data:0000000000201021                 db 0B6h, 0C2h, 54h, 0C3h, 6Ch, 0C4h, 5Ch, 0C5h, 75h, 0C6h
.data:0000000000201021                 db 0FDh, 0C7h, 0F3h, 0C8h, 88h, 0C9h, 0Fh, 0CAh, 0C2h
.data:0000000000201021                 db 0CBh, 34h, 0CCh, 4, 0CDh, 21h, 0CEh, 0Eh, 0CFh, 2Eh
.data:0000000000201021                 db 0D0h, 79h, 0D1h, 0E3h, 0D2h, 43h, 0D3h, 0D2h, 0D4h
.data:0000000000201021                 db 5Fh, 0D5h, 7, 0D6h, 0F5h, 0D7h, 8Eh, 0D8h, 59h, 0D9h
.data:0000000000201021                 db 17h, 0DAh, 27h, 0DBh, 6, 0DCh, 7Eh, 0DDh, 0BFh, 0DEh
.data:0000000000201021                 db 3Bh, 0DFh, 0ACh, 0E0h, 0BAh, 0E1h, 95h, 0E2h, 0CAh
.data:0000000000201021                 db 0E3h, 6Fh, 0E4h, 2Dh, 0E5h, 0B1h, 0E6h, 98h, 0E7h, 37h
.data:0000000000201021                 db 0E8h, 44h, 0E9h, 92h, 0EAh, 9Ah, 0EBh, 33h, 0ECh, 0E2h
.data:0000000000201021                 db 0EDh, 1Fh, 0EEh, 24h, 0EFh, 57h, 0F0h, 8Ah, 0F1h, 46h
.data:0000000000201021                 db 0F2h, 45h, 0F3h, 0D5h, 0F4h, 39h, 0F5h, 52h, 0F6h, 49h
.data:0000000000201021                 db 0F7h, 1Eh, 0F8h, 76h, 0F9h, 6Eh, 0FAh, 65h, 0FBh, 71h
.data:0000000000201021                 db 0FCh, 16h, 0FDh, 0B9h, 0FEh, 0C9h, 0FFh
.data:000000000020121D                 db 0ABh
.data:000000000020121D _data           ends
.data:000000000020121D

.data:0000000000201021 ; unsigned __int8 byte_201021[508]

.data:0000000000201021 byte_201021 db 0C0h, 2, 0FCh, 3, 42h, 4, 0B2h, 5, 0A0h, 6, 0Ah, 7

.data:0000000000201021 ; DATA XREF: get_tbl_entry+33↑o

.data:0000000000201021 db 4Ch, 8, 13h, 9, 3, 0Ah, 4Eh, 0Bh, 0AAh, 0Ch, 0F9h, 0Dh

.data:0000000000201021 db 55h, 0Eh, 0E9h, 0Fh, 6Bh, 10h, 86h, 11h, 60h, 12h, 0CFh

.data:0000000000201021 db 13h, 94h, 14h, 31h, 15h, 0A6h, 16h, 9Bh, 17h, 10h, 18h

.data:0000000000201021 db 0F6h, 19h, 0AEh, 1Ah, 78h, 1Bh, 0DDh, 1Ch, 53h, 1Dh

.data:0000000000201021 db 0D8h, 1Eh, 0DEh, 1Fh, 0DAh, 20h, 8Fh, 21h, 0CEh, 22h

.data:0000000000201021 db 7Ah, 23h, 9Fh, 24h, 22h, 25h, 8, 26h, 0FBh, 27h, 7Fh

.data:0000000000201021 db 28h, 25h, 29h, 1Bh, 2Ah, 68h, 2Bh, 0A3h, 2Ch, 9, 2Dh

.data:0000000000201021 db 0D9h, 2Eh, 0A5h, 2Fh, 5Dh, 30h, 84h, 31h, 99h, 32h

.data:0000000000201021 db 85h, 33h, 0A2h, 34h, 9Eh, 35h, 0ADh, 36h, 2Ch, 37h

.data:0000000000201021 db 0B4h, 38h, 0B7h, 39h, 0F4h, 3Ah, 9Ch, 3Bh, 0B5h, 3Ch

.data:0000000000201021 db 87h, 3Dh, 41h, 3Eh, 96h, 3Fh, 0EBh, 40h, 0C5h, 41h

.data:0000000000201021 db 0A1h, 42h, 48h, 43h, 2Bh, 44h, 8Ch, 45h, 20h, 46h, 0FEh

.data:0000000000201021 db 47h, 6Ah, 48h, 3Ah, 49h, 0F8h, 4Ah, 0CBh, 4Bh, 0A8h

.data:0000000000201021 db 4Ch, 1Ah, 4Dh, 0Ch, 4Eh, 47h, 4Fh, 73h, 50h, 0E7h, 51h

.data:0000000000201021 db 28h, 52h, 0Dh, 53h, 0F2h, 54h, 0D6h, 55h, 5Ah, 56h

.data:0000000000201021 db 0BBh, 57h, 0D4h, 58h, 5Bh, 59h, 0EEh, 5Ah, 1, 5Bh, 0D3h

.data:0000000000201021 db 5Ch, 29h, 5Dh, 67h, 5Eh, 3Fh, 5Fh, 0CDh, 60h, 12h, 61h

.data:0000000000201021 db 5Eh, 62h, 4Dh, 63h, 81h, 64h, 93h, 65h, 0D0h, 66h, 1Dh

.data:0000000000201021 db 67h, 35h, 68h, 15h, 69h, 90h, 6Ah, 64h, 6Bh, 0C4h, 6Ch

.data:0000000000201021 db 0E4h, 6Dh, 91h, 6Eh, 4Fh, 6Fh, 66h, 70h, 69h, 71h, 30h

.data:0000000000201021 db 72h, 58h, 73h, 0BEh, 74h, 0A7h, 75h, 82h, 76h, 0FAh

.data:0000000000201021 db 2 dup(77h), 78h, 2Ah, 79h, 97h, 7Ah, 0F1h, 7Bh, 2, 7Ch

.data:0000000000201021 db 4Ah, 7Dh, 3Dh, 7Eh, 8Dh, 7Fh, 50h, 80h, 0EDh, 81h, 40h

.data:0000000000201021 db 82h, 0DBh, 83h, 6Dh, 84h, 0B8h, 85h, 74h, 86h, 3Ch

.data:0000000000201021 db 87h, 0D7h, 88h, 0C6h, 89h, 19h, 8Ah, 62h, 8Bh, 0B3h

.data:0000000000201021 db 8Ch, 0BCh, 8Dh, 0DCh, 8Eh, 0E8h, 8Fh, 89h, 90h, 5, 91h

.data:0000000000201021 db 56h, 92h, 9Dh, 93h, 72h, 94h, 0A9h, 95h, 0EAh, 96h

.data:0000000000201021 db 0AFh, 97h, 70h, 98h, 0E1h, 99h, 0C7h, 9Ah, 0F0h, 9Bh

.data:0000000000201021 db 3Eh, 9Ch, 0DFh, 9Dh, 4Bh, 9Eh, 7Bh, 9Fh, 11h, 0A0h

.data:0000000000201021 db 0BDh, 0A1h, 0E5h, 0A2h, 0C3h, 0A3h, 0D1h, 0A4h, 0Bh

.data:0000000000201021 db 0A5h, 38h, 0A6h, 80h, 0A7h, 32h, 0A8h, 7Ch, 0A9h, 83h

.data:0000000000201021 db 0AAh, 0C1h, 0ABh, 36h, 0ACh, 51h, 0ADh, 2Fh, 0AEh, 23h

.data:0000000000201021 db 0AFh, 63h, 0B0h, 0EFh, 0B1h, 1Ch, 0B2h, 18h, 0B3h, 0A4h

.data:0000000000201021 db 0B4h, 14h, 0B5h, 0FFh, 0B6h, 0E6h, 0B7h, 0CCh, 0B8h

.data:0000000000201021 db 0B0h, 0B9h, 0F7h, 0BAh, 7Dh, 0BBh, 0ECh, 0BCh, 26h

.data:0000000000201021 db 0BDh, 0E0h, 0BEh, 8Bh, 0BFh, 61h, 0C0h, 0C8h, 0C1h

.data:0000000000201021 db 0B6h, 0C2h, 54h, 0C3h, 6Ch, 0C4h, 5Ch, 0C5h, 75h, 0C6h

.data:0000000000201021 db 0FDh, 0C7h, 0F3h, 0C8h, 88h, 0C9h, 0Fh, 0CAh, 0C2h

.data:0000000000201021 db 0CBh, 34h, 0CCh, 4, 0CDh, 21h, 0CEh, 0Eh, 0CFh, 2Eh

.data:0000000000201021 db 0D0h, 79h, 0D1h, 0E3h, 0D2h, 43h, 0D3h, 0D2h, 0D4h

.data:0000000000201021 db 5Fh, 0D5h, 7, 0D6h, 0F5h, 0D7h, 8Eh, 0D8h, 59h, 0D9h

.data:0000000000201021 db 17h, 0DAh, 27h, 0DBh, 6, 0DCh, 7Eh, 0DDh, 0BFh, 0DEh

.data:0000000000201021 db 3Bh, 0DFh, 0ACh, 0E0h, 0BAh, 0E1h, 95h, 0E2h, 0CAh

.data:0000000000201021 db 0E3h, 6Fh, 0E4h, 2Dh, 0E5h, 0B1h, 0E6h, 98h, 0E7h, 37h

.data:0000000000201021 db 0E8h, 44h, 0E9h, 92h, 0EAh, 9Ah, 0EBh, 33h, 0ECh, 0E2h

.data:0000000000201021 db 0EDh, 1Fh, 0EEh, 24h, 0EFh, 57h, 0F0h, 8Ah, 0F1h, 46h

.data:0000000000201021 db 0F2h, 45h, 0F3h, 0D5h, 0F4h, 39h, 0F5h, 52h, 0F6h, 49h

.data:0000000000201021 db 0F7h, 1Eh, 0F8h, 76h, 0F9h, 6Eh, 0FAh, 65h, 0FBh, 71h

.data:0000000000201021 db 0FCh, 16h, 0FDh, 0B9h, 0FEh, 0C9h, 0FFh

.data:000000000020121D db 0ABh

.data:000000000020121D _data ends

.data:000000000020121D

Lalu bagaimana kita tahu inputan yang benar? kita dapat melihatnya pada fungsi main(), dimana inputan kita dibandingkan oleh variable s2 yang menjadi indikator benar tidaknya string inputan kita. Sekarang kita olah pola yang sudah kita dapatkan menjadi solver.py

a = [192, 2, 252, 3, 66, 4, 178, 5, 160, 6, 10, 7, 76, 8 ,19, 9, 3, 10, 78, 11, 170, 12, 249, 13, 85, 14, 233 ,15, 107, 16, 134, 17, 96, 18, 207, 19, 148, 20, 49 ,21, 166, 22, 155, 23, 16, 24, 246, 25, 174, 26, 120 ,27, 221, 28, 83, 29, 216, 30, 222, 31, 218, 32, 143 ,33, 206, 34, 122, 35, 159, 36, 34, 37, 8, 38, 251, 39 ,127, 40, 37, 41, 27, 42, 104, 43, 163, 44, 9, 45, 217 ,46, 165, 47, 93, 48, 132, 49, 153, 50, 133, 51, 162 ,52, 158, 53, 173, 54, 44, 55, 180, 56, 183, 57, 244 ,58, 156, 59, 181, 60, 135, 61, 65, 62, 150, 63, 235 ,64, 197, 65, 161, 66, 72, 67, 43, 68, 140, 69, 32, 70 ,254, 71, 106, 72, 58, 73, 248, 74, 203, 75, 168, 76 ,26, 77, 12, 78, 71, 79, 115, 80, 231, 81, 40, 82, 13 ,83, 242, 84, 214, 85, 90, 86, 187, 87, 212, 88, 91 ,89, 238, 90, 1, 91, 211, 92, 41, 93, 103, 94, 63, 95 ,205, 96, 18, 97, 94, 98, 77, 99, 129, 100, 147, 101 ,208, 102, 29, 103, 53, 104, 21, 105, 144, 106, 100 ,107, 196, 108, 228, 109, 145, 110, 79, 111, 102, 112 ,105, 113, 48, 114, 88, 115, 190, 116, 167, 117, 130 ,118, 250, 119, 119, 120, 42, 121, 151, 122, 241, 123 ,2, 124, 74, 125, 61, 126, 141, 127, 80, 128, 237, 129 ,64, 130, 219, 131, 109, 132, 184, 133, 116, 134, 60 ,135, 215, 136, 198, 137, 25, 138, 98, 139, 179, 140 ,188, 141, 220, 142, 232, 143, 137, 144, 5, 145, 86 ,146, 157, 147, 114, 148, 169, 149, 234, 150, 175, 151 ,112, 152, 225, 153, 199, 154, 240, 155, 62, 156, 223 ,157, 75, 158, 123, 159, 17, 160, 189, 161, 229, 162 ,195, 163, 209, 164, 11, 165, 56, 166, 128, 167, 50 ,168, 124, 169, 131, 170, 193, 171, 54, 172, 81, 173 ,47, 174, 35, 175, 99, 176, 239, 177, 28, 178, 24, 179 ,164, 180, 20, 181, 255, 182, 230, 183, 204, 184, 176 ,185, 247, 186, 125, 187, 236, 188, 38, 189, 224, 190 ,139, 191, 97, 192, 200, 193, 182, 194, 84, 195, 108 ,196, 92, 197, 117, 198, 253, 199, 243, 200, 136, 201 ,15, 202, 194, 203, 52, 204, 4, 205, 33, 206, 14, 207 ,46, 208, 121, 209, 227, 210, 67, 211, 210, 212, 95 ,213, 7, 214, 245, 215, 142, 216, 89, 217, 23, 218, 39 ,219, 6, 220, 126, 221, 191, 222, 59, 223, 172, 224 ,186, 225, 149, 226, 202, 227, 111, 228, 45, 229, 177 ,230, 152, 231, 55, 232, 68, 233, 146, 234, 154, 235 ,51, 236, 226, 237, 31, 238, 36, 239, 87, 240, 138, 241 ,70, 242, 69, 243, 213, 244, 57, 245, 82, 246, 73, 247 ,30, 248, 118, 249, 110, 250, 101, 251, 113, 252, 22 ,253, 185, 254, 201, 255]

s = [["F4","99","84","85","F8","F2","A8","A8"],["BE","D0","4F","66","93","47","F8","02"],["A1","15","5E","4F","5E","D6","A1","90"],["5A","A8","58","90"],["3D"]]

for flag in s:
    for i in reversed(range(0,len(flag))):
        for j in range(0,254):
            temp = str(flag[i])
            if int(temp,16) == a[j*2]:
                print(chr(a[(j*2)-1]),end="")

a = [192, 2, 252, 3, 66, 4, 178, 5, 160, 6, 10, 7, 76, 8 ,19, 9, 3, 10, 78, 11, 170, 12, 249, 13, 85, 14, 233 ,15, 107, 16, 134, 17, 96, 18, 207, 19, 148, 20, 49 ,21, 166, 22, 155, 23, 16, 24, 246, 25, 174, 26, 120 ,27, 221, 28, 83, 29, 216, 30, 222, 31, 218, 32, 143 ,33, 206, 34, 122, 35, 159, 36, 34, 37, 8, 38, 251, 39 ,127, 40, 37, 41, 27, 42, 104, 43, 163, 44, 9, 45, 217 ,46, 165, 47, 93, 48, 132, 49, 153, 50, 133, 51, 162 ,52, 158, 53, 173, 54, 44, 55, 180, 56, 183, 57, 244 ,58, 156, 59, 181, 60, 135, 61, 65, 62, 150, 63, 235 ,64, 197, 65, 161, 66, 72, 67, 43, 68, 140, 69, 32, 70 ,254, 71, 106, 72, 58, 73, 248, 74, 203, 75, 168, 76 ,26, 77, 12, 78, 71, 79, 115, 80, 231, 81, 40, 82, 13 ,83, 242, 84, 214, 85, 90, 86, 187, 87, 212, 88, 91 ,89, 238, 90, 1, 91, 211, 92, 41, 93, 103, 94, 63, 95 ,205, 96, 18, 97, 94, 98, 77, 99, 129, 100, 147, 101 ,208, 102, 29, 103, 53, 104, 21, 105, 144, 106, 100 ,107, 196, 108, 228, 109, 145, 110, 79, 111, 102, 112 ,105, 113, 48, 114, 88, 115, 190, 116, 167, 117, 130 ,118, 250, 119, 119, 120, 42, 121, 151, 122, 241, 123 ,2, 124, 74, 125, 61, 126, 141, 127, 80, 128, 237, 129 ,64, 130, 219, 131, 109, 132, 184, 133, 116, 134, 60 ,135, 215, 136, 198, 137, 25, 138, 98, 139, 179, 140 ,188, 141, 220, 142, 232, 143, 137, 144, 5, 145, 86 ,146, 157, 147, 114, 148, 169, 149, 234, 150, 175, 151 ,112, 152, 225, 153, 199, 154, 240, 155, 62, 156, 223 ,157, 75, 158, 123, 159, 17, 160, 189, 161, 229, 162 ,195, 163, 209, 164, 11, 165, 56, 166, 128, 167, 50 ,168, 124, 169, 131, 170, 193, 171, 54, 172, 81, 173 ,47, 174, 35, 175, 99, 176, 239, 177, 28, 178, 24, 179 ,164, 180, 20, 181, 255, 182, 230, 183, 204, 184, 176 ,185, 247, 186, 125, 187, 236, 188, 38, 189, 224, 190 ,139, 191, 97, 192, 200, 193, 182, 194, 84, 195, 108 ,196, 92, 197, 117, 198, 253, 199, 243, 200, 136, 201 ,15, 202, 194, 203, 52, 204, 4, 205, 33, 206, 14, 207 ,46, 208, 121, 209, 227, 210, 67, 211, 210, 212, 95 ,213, 7, 214, 245, 215, 142, 216, 89, 217, 23, 218, 39 ,219, 6, 220, 126, 221, 191, 222, 59, 223, 172, 224 ,186, 225, 149, 226, 202, 227, 111, 228, 45, 229, 177 ,230, 152, 231, 55, 232, 68, 233, 146, 234, 154, 235 ,51, 236, 226, 237, 31, 238, 36, 239, 87, 240, 138, 241 ,70, 242, 69, 243, 213, 244, 57, 245, 82, 246, 73, 247 ,30, 248, 118, 249, 110, 250, 101, 251, 113, 252, 22 ,253, 185, 254, 201, 255]

s = [["F4","99","84","85","F8","F2","A8","A8"],["BE","D0","4F","66","93","47","F8","02"],["A1","15","5E","4F","5E","D6","A1","90"],["5A","A8","58","90"],["3D"]]

for flag in s:

for i in reversed(range(0,len(flag))):

for j in range(0,254):

temp = str(flag[i])

if int(temp,16) == a[j*2]:

print(chr(a[(j*2)-1]),end="")

* untuk mempermudah pengolahan data pada byte_201021, saya mengconvertnya menjadi decimal

** s2 yang awalnya berupa Decimal, saya convert terlebih dahulu menjadi hex, dan karena merupakan little Endian, maka harus di olah dari belakang

*** pola array (j*2)-1 didapatkan dengan melihat pola dari isi byte_201021

dari solver ini kita mendapatkan

Microsoft Windows [Version 10.0.18362.418]
(c) 2019 Microsoft Corporation. All rights reserved.

D:\Cyber Security Data\Capture The Flag\KKSI19>python solver.py
KKSI2019{INdonesiATanahAirKU}

Microsoft Windows [Version 10.0.18362.418]

D:\Cyber Security Data\Capture The Flag\KKSI19>python solver.py

KKSI2019{INdonesiATanahAirKU}

Flag: KKSI2019{INdonesiATanahAirKU}

Leave a Reply Cancel reply