Soal ini dapat kalian download disini
Pada soal ini kita diberikan sebuah ELF 64-bit.
root@kali:~# file siapGRAAK siapGRAAK: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=a8680e08d2a4cd7f23306ac67459036c1f914f7e, not stripped |
kita coba jalankan program ini terlebih dahulu,
root@kali:~# ./siapGRAAK Flag nya apa nih Kang ?: iWantThatFLagg SALAH NIH |
Kita coba lihat program ini menggunakan IDA Pro 64-bit, dan pada fungsi main-nya terdapat pseudocode seperti ini,
// IDA pseudocode of the challenge's main(): reads one line from stdin, replaces
// every byte through get_tbl_entry(), and compares the result with a 30-byte
// constant that the decompiler split over s2/v7/v8/v9/v10 (adjacent on the
// stack at rbp-B0h .. rbp-92h, see the offset comments below).
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int result; // eax
  size_t i; // [rsp+0h] [rbp-C0h]
  size_t v5; // [rsp+8h] [rbp-B8h]   length of the input after the newline is stripped
  char s2[8]; // [rsp+10h] [rbp-B0h]  expected bytes 0..7  (stored as one little-endian qword)
  __int64 v7; // [rsp+18h] [rbp-A8h]  expected bytes 8..15
  __int64 v8; // [rsp+20h] [rbp-A0h]  expected bytes 16..23
  int v9; // [rsp+28h] [rbp-98h]      expected bytes 24..27
  __int16 v10; // [rsp+2Ch] [rbp-94h] expected bytes 28..29: 0x3D then the 0x00 terminator
  char s[136]; // [rsp+30h] [rbp-90h] input buffer
  unsigned __int64 v12; // [rsp+B8h] [rbp-8h] stack-protector canary (fs:0x28)

  v12 = __readfsqword(0x28u);
  // The five constants below are the substituted flag, laid out little-endian,
  // so the first expected byte is the low byte of s2's qword.
  *(_QWORD *)s2 = -821479746076235608LL;
  v7 = -4697167109371201534LL;
  v8 = -6839456764105678448LL;
  v9 = 1520982160;
  v10 = 61;
  puts("Flag nya apa nih Kang ?:");
  // Bounded read (s holds 136 bytes); the return value is not checked.
  fgets(s, 128, stdin);
  // Strips the trailing '\n'. NOTE(review): if fgets() delivered an empty string
  // (EOF before any byte) strlen(s) is 0 and this writes to s[-1], below the
  // buffer; if the line carried no '\n' (127+ chars, or EOF without newline) it
  // removes a real character instead.
  s[strlen(s) - 1] = 0;
  v5 = strlen(s);
  // In-place substitution of every input byte. get_tbl_entry() returns 0 for a
  // byte that is not in its table, which terminates the string early.
  for ( i = 0LL; i < v5; ++i )
    s[i] = get_tbl_entry((unsigned int)s[i]);
  if ( v5 == 29 )   // the flag is exactly 29 characters long
  {
    // 0x1E = 30 bytes: the 29 substituted characters plus the NUL, compared
    // against s2 and the constants that follow it on the stack.
    if ( !strncmp(s, s2, 0x1EuLL) )
    {
      puts("YESSS BERHASIL");
      result = 0;
    }
    else
    {
      puts("SALAH NIH");
      result = 1;
    }
  }
  else
  {
    puts("SALAH NIH");
    result = 1;
  }
  return result;
}
dapat dipahami bahwa setiap karakter inputan kita diolah oleh fungsi get_tbl_entry(). Mari kita lihat isi dari fungsi tersebut,
// Returns the substitute for one input byte a1, or 0 when no entry matches.
// The loop walks 255 two-byte records (i = 0 .. 0xFE): the key is read at
// stride 2 from trans_tbl and the value at the same index from byte_201021
// (declared as 508 bytes at 0x201021 in the .data dump).
// NOTE(review): trans_tbl's address is not shown on this page; presumably it is
// 0x201020 so that key and value interleave (key, value, key, value, ...) --
// confirm against the disassembly before relying on it.
// a1 is a plain `char`: where char is signed (the x86-64 SysV default) an input
// byte >= 0x80 promotes to a negative int and can never equal the unsigned
// _BYTE key, so such bytes always map to 0.
__int64 __fastcall get_tbl_entry(char a1)
{
  unsigned __int64 i; // [rsp+Ch] [rbp-8h]

  for ( i = 0LL; i <= 0xFE; ++i )
  {
    if ( a1 == *((_BYTE *)&trans_tbl + 2 * i) )
      return byte_201021[2 * i];   // unsigned __int8, zero-extended into the return value
  }
  return 0LL;
}
ternyata inputan kita dibandingkan dengan sesuatu yang terdapat pada byte_201021. Coba kita lihat juga apa yang ada di sana
.data:0000000000201021 ; unsigned __int8 byte_201021[508] .data:0000000000201021 byte_201021 db 0C0h, 2, 0FCh, 3, 42h, 4, 0B2h, 5, 0A0h, 6, 0Ah, 7 .data:0000000000201021 ; DATA XREF: get_tbl_entry+33↑o .data:0000000000201021 db 4Ch, 8, 13h, 9, 3, 0Ah, 4Eh, 0Bh, 0AAh, 0Ch, 0F9h, 0Dh .data:0000000000201021 db 55h, 0Eh, 0E9h, 0Fh, 6Bh, 10h, 86h, 11h, 60h, 12h, 0CFh .data:0000000000201021 db 13h, 94h, 14h, 31h, 15h, 0A6h, 16h, 9Bh, 17h, 10h, 18h .data:0000000000201021 db 0F6h, 19h, 0AEh, 1Ah, 78h, 1Bh, 0DDh, 1Ch, 53h, 1Dh .data:0000000000201021 db 0D8h, 1Eh, 0DEh, 1Fh, 0DAh, 20h, 8Fh, 21h, 0CEh, 22h .data:0000000000201021 db 7Ah, 23h, 9Fh, 24h, 22h, 25h, 8, 26h, 0FBh, 27h, 7Fh .data:0000000000201021 db 28h, 25h, 29h, 1Bh, 2Ah, 68h, 2Bh, 0A3h, 2Ch, 9, 2Dh .data:0000000000201021 db 0D9h, 2Eh, 0A5h, 2Fh, 5Dh, 30h, 84h, 31h, 99h, 32h .data:0000000000201021 db 85h, 33h, 0A2h, 34h, 9Eh, 35h, 0ADh, 36h, 2Ch, 37h .data:0000000000201021 db 0B4h, 38h, 0B7h, 39h, 0F4h, 3Ah, 9Ch, 3Bh, 0B5h, 3Ch .data:0000000000201021 db 87h, 3Dh, 41h, 3Eh, 96h, 3Fh, 0EBh, 40h, 0C5h, 41h .data:0000000000201021 db 0A1h, 42h, 48h, 43h, 2Bh, 44h, 8Ch, 45h, 20h, 46h, 0FEh .data:0000000000201021 db 47h, 6Ah, 48h, 3Ah, 49h, 0F8h, 4Ah, 0CBh, 4Bh, 0A8h .data:0000000000201021 db 4Ch, 1Ah, 4Dh, 0Ch, 4Eh, 47h, 4Fh, 73h, 50h, 0E7h, 51h .data:0000000000201021 db 28h, 52h, 0Dh, 53h, 0F2h, 54h, 0D6h, 55h, 5Ah, 56h .data:0000000000201021 db 0BBh, 57h, 0D4h, 58h, 5Bh, 59h, 0EEh, 5Ah, 1, 5Bh, 0D3h .data:0000000000201021 db 5Ch, 29h, 5Dh, 67h, 5Eh, 3Fh, 5Fh, 0CDh, 60h, 12h, 61h .data:0000000000201021 db 5Eh, 62h, 4Dh, 63h, 81h, 64h, 93h, 65h, 0D0h, 66h, 1Dh .data:0000000000201021 db 67h, 35h, 68h, 15h, 69h, 90h, 6Ah, 64h, 6Bh, 0C4h, 6Ch .data:0000000000201021 db 0E4h, 6Dh, 91h, 6Eh, 4Fh, 6Fh, 66h, 70h, 69h, 71h, 30h .data:0000000000201021 db 72h, 58h, 73h, 0BEh, 74h, 0A7h, 75h, 82h, 76h, 0FAh .data:0000000000201021 db 2 dup(77h), 78h, 2Ah, 79h, 97h, 7Ah, 0F1h, 7Bh, 2, 7Ch .data:0000000000201021 db 4Ah, 7Dh, 3Dh, 7Eh, 
8Dh, 7Fh, 50h, 80h, 0EDh, 81h, 40h .data:0000000000201021 db 82h, 0DBh, 83h, 6Dh, 84h, 0B8h, 85h, 74h, 86h, 3Ch .data:0000000000201021 db 87h, 0D7h, 88h, 0C6h, 89h, 19h, 8Ah, 62h, 8Bh, 0B3h .data:0000000000201021 db 8Ch, 0BCh, 8Dh, 0DCh, 8Eh, 0E8h, 8Fh, 89h, 90h, 5, 91h .data:0000000000201021 db 56h, 92h, 9Dh, 93h, 72h, 94h, 0A9h, 95h, 0EAh, 96h .data:0000000000201021 db 0AFh, 97h, 70h, 98h, 0E1h, 99h, 0C7h, 9Ah, 0F0h, 9Bh .data:0000000000201021 db 3Eh, 9Ch, 0DFh, 9Dh, 4Bh, 9Eh, 7Bh, 9Fh, 11h, 0A0h .data:0000000000201021 db 0BDh, 0A1h, 0E5h, 0A2h, 0C3h, 0A3h, 0D1h, 0A4h, 0Bh .data:0000000000201021 db 0A5h, 38h, 0A6h, 80h, 0A7h, 32h, 0A8h, 7Ch, 0A9h, 83h .data:0000000000201021 db 0AAh, 0C1h, 0ABh, 36h, 0ACh, 51h, 0ADh, 2Fh, 0AEh, 23h .data:0000000000201021 db 0AFh, 63h, 0B0h, 0EFh, 0B1h, 1Ch, 0B2h, 18h, 0B3h, 0A4h .data:0000000000201021 db 0B4h, 14h, 0B5h, 0FFh, 0B6h, 0E6h, 0B7h, 0CCh, 0B8h .data:0000000000201021 db 0B0h, 0B9h, 0F7h, 0BAh, 7Dh, 0BBh, 0ECh, 0BCh, 26h .data:0000000000201021 db 0BDh, 0E0h, 0BEh, 8Bh, 0BFh, 61h, 0C0h, 0C8h, 0C1h .data:0000000000201021 db 0B6h, 0C2h, 54h, 0C3h, 6Ch, 0C4h, 5Ch, 0C5h, 75h, 0C6h .data:0000000000201021 db 0FDh, 0C7h, 0F3h, 0C8h, 88h, 0C9h, 0Fh, 0CAh, 0C2h .data:0000000000201021 db 0CBh, 34h, 0CCh, 4, 0CDh, 21h, 0CEh, 0Eh, 0CFh, 2Eh .data:0000000000201021 db 0D0h, 79h, 0D1h, 0E3h, 0D2h, 43h, 0D3h, 0D2h, 0D4h .data:0000000000201021 db 5Fh, 0D5h, 7, 0D6h, 0F5h, 0D7h, 8Eh, 0D8h, 59h, 0D9h .data:0000000000201021 db 17h, 0DAh, 27h, 0DBh, 6, 0DCh, 7Eh, 0DDh, 0BFh, 0DEh .data:0000000000201021 db 3Bh, 0DFh, 0ACh, 0E0h, 0BAh, 0E1h, 95h, 0E2h, 0CAh .data:0000000000201021 db 0E3h, 6Fh, 0E4h, 2Dh, 0E5h, 0B1h, 0E6h, 98h, 0E7h, 37h .data:0000000000201021 db 0E8h, 44h, 0E9h, 92h, 0EAh, 9Ah, 0EBh, 33h, 0ECh, 0E2h .data:0000000000201021 db 0EDh, 1Fh, 0EEh, 24h, 0EFh, 57h, 0F0h, 8Ah, 0F1h, 46h .data:0000000000201021 db 0F2h, 45h, 0F3h, 0D5h, 0F4h, 39h, 0F5h, 52h, 0F6h, 49h .data:0000000000201021 db 0F7h, 1Eh, 0F8h, 76h, 0F9h, 6Eh, 0FAh, 65h, 
0FBh, 71h .data:0000000000201021 db 0FCh, 16h, 0FDh, 0B9h, 0FEh, 0C9h, 0FFh .data:000000000020121D db 0ABh .data:000000000020121D _data ends .data:000000000020121D |
Lalu bagaimana kita tahu inputan yang benar? Kita dapat melihatnya pada fungsi main(), di mana inputan kita dibandingkan dengan variabel s2 yang menjadi indikator benar tidaknya string inputan kita. Sekarang kita olah pola yang sudah kita dapatkan menjadi solver.py
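# Solver for siapGRAAK: invert the byte-substitution table and decode the
# constant that main() compares the transformed input against.

# byte_201021 copied from the .data dump and converted to decimal. After the
# first element the entries alternate (plaintext byte, substitute byte):
# a[1] = 2 is the plaintext whose substitute is a[2] = 252, and so on.
# a[0] = 192 is the substitute for the key stored just before this dump (not
# shown), and the trailing a[507] = 255 is a key whose substitute (0xAB at
# 0x20121D in the dump) lies just past the 508 bytes listed here.
a = [
    192,
    2, 252, 3, 66, 4, 178, 5, 160,
    6, 10, 7, 76, 8, 19, 9, 3,
    10, 78, 11, 170, 12, 249, 13, 85,
    14, 233, 15, 107, 16, 134, 17, 96,
    18, 207, 19, 148, 20, 49, 21, 166,
    22, 155, 23, 16, 24, 246, 25, 174,
    26, 120, 27, 221, 28, 83, 29, 216,
    30, 222, 31, 218, 32, 143, 33, 206,
    34, 122, 35, 159, 36, 34, 37, 8,
    38, 251, 39, 127, 40, 37, 41, 27,
    42, 104, 43, 163, 44, 9, 45, 217,
    46, 165, 47, 93, 48, 132, 49, 153,
    50, 133, 51, 162, 52, 158, 53, 173,
    54, 44, 55, 180, 56, 183, 57, 244,
    58, 156, 59, 181, 60, 135, 61, 65,
    62, 150, 63, 235, 64, 197, 65, 161,
    66, 72, 67, 43, 68, 140, 69, 32,
    70, 254, 71, 106, 72, 58, 73, 248,
    74, 203, 75, 168, 76, 26, 77, 12,
    78, 71, 79, 115, 80, 231, 81, 40,
    82, 13, 83, 242, 84, 214, 85, 90,
    86, 187, 87, 212, 88, 91, 89, 238,
    90, 1, 91, 211, 92, 41, 93, 103,
    94, 63, 95, 205, 96, 18, 97, 94,
    98, 77, 99, 129, 100, 147, 101, 208,
    102, 29, 103, 53, 104, 21, 105, 144,
    106, 100, 107, 196, 108, 228, 109, 145,
    110, 79, 111, 102, 112, 105, 113, 48,
    114, 88, 115, 190, 116, 167, 117, 130,
    118, 250, 119, 119, 120, 42, 121, 151,
    122, 241, 123, 2, 124, 74, 125, 61,
    126, 141, 127, 80, 128, 237, 129, 64,
    130, 219, 131, 109, 132, 184, 133, 116,
    134, 60, 135, 215, 136, 198, 137, 25,
    138, 98, 139, 179, 140, 188, 141, 220,
    142, 232, 143, 137, 144, 5, 145, 86,
    146, 157, 147, 114, 148, 169, 149, 234,
    150, 175, 151, 112, 152, 225, 153, 199,
    154, 240, 155, 62, 156, 223, 157, 75,
    158, 123, 159, 17, 160, 189, 161, 229,
    162, 195, 163, 209, 164, 11, 165, 56,
    166, 128, 167, 50, 168, 124, 169, 131,
    170, 193, 171, 54, 172, 81, 173, 47,
    174, 35, 175, 99, 176, 239, 177, 28,
    178, 24, 179, 164, 180, 20, 181, 255,
    182, 230, 183, 204, 184, 176, 185, 247,
    186, 125, 187, 236, 188, 38, 189, 224,
    190, 139, 191, 97, 192, 200, 193, 182,
    194, 84, 195, 108, 196, 92, 197, 117,
    198, 253, 199, 243, 200, 136, 201, 15,
    202, 194, 203, 52, 204, 4, 205, 33,
    206, 14, 207, 46, 208, 121, 209, 227,
    210, 67, 211, 210, 212, 95, 213, 7,
    214, 245, 215, 142, 216, 89, 217, 23,
    218, 39, 219, 6, 220, 126, 221, 191,
    222, 59, 223, 172, 224, 186, 225, 149,
    226, 202, 227, 111, 228, 45, 229, 177,
    230, 152, 231, 55, 232, 68, 233, 146,
    234, 154, 235, 51, 236, 226, 237, 31,
    238, 36, 239, 87, 240, 138, 241, 70,
    242, 69, 243, 213, 244, 57, 245, 82,
    246, 73, 247, 30, 248, 118, 249, 110,
    250, 101, 251, 113, 252, 22, 253, 185,
    254, 201,
    255,
]

# The constant main() compares against, one inner list per stack variable
# (s2, v7, v8, v9, v10) written as hex digits of the decimal literal. Each
# literal is stored little-endian, so every chunk is consumed back to front.
# v10 = 0x003D: only its 0x3D byte is listed, the 0x00 is the terminator.
s = [
    ["F4", "99", "84", "85", "F8", "F2", "A8", "A8"],
    ["BE", "D0", "4F", "66", "93", "47", "F8", "02"],
    ["A1", "15", "5E", "4F", "5E", "D6", "A1", "90"],
    ["5A", "A8", "58", "90"],
    ["3D"],
]


def decode_flag(chunks, table):
    """Map every expected (substituted) byte back to the input byte producing it.

    chunks: list of lists of two-digit hex strings; each inner list is one
            stack constant in big-endian digit order and is read reversed.
    table:  interleaved (plaintext, substitute) byte list laid out like ``a``.
    Returns the decoded string.
    Raises ValueError for a byte no table entry produces. The previous linear
    scan printed nothing for such a byte -- and, for a hit on the orphan
    a[0], printed chr(a[-1]) via Python's negative indexing -- which would
    yield a plausible-looking but wrong flag instead of an error.
    """
    # substitute -> plaintext, built once instead of a 254-step scan per byte.
    # Pairs start at index 1 and stop before the trailing lone key.
    inverse = {table[idx + 1]: table[idx] for idx in range(1, len(table) - 1, 2)}
    decoded = []
    for chunk in chunks:
        for hex_byte in reversed(chunk):
            cipher = int(hex_byte, 16)
            if cipher not in inverse:
                raise ValueError("no table entry produces 0x%02X" % cipher)
            decoded.append(chr(inverse[cipher]))
    return "".join(decoded)


print(decode_flag(s, a))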
* untuk mempermudah pengolahan data pada byte_201021, saya mengconvertnya menjadi decimal
** s2 yang awalnya berupa desimal, saya convert terlebih dahulu menjadi hex, dan karena merupakan little-endian, maka harus diolah dari belakang
*** pola array (j*2)-1 didapatkan dengan melihat pola dari isi byte_201021
dari solver ini kita mendapatkan
Microsoft Windows [Version 10.0.18362.418] (c) 2019 Microsoft Corporation. All rights reserved. D:\Cyber Security Data\Capture The Flag\KKSI19>python solver.py KKSI2019{INdonesiATanahAirKU} |
Flag: KKSI2019{INdonesiATanahAirKU}