Pada soal ini, kami diberikan sebuah file pyc maka langsung saja kita gunakan tools decompiler bytecode yaitu Uncompyle6. Hasilnya adalah sebagai berikut: Jika diperhatikan, kodingan tersebut memvalidasi username dengan cara membandingkan indexnya yang harus memenuhi persyaratan tertentu, sedangkan untuk password adalah S3cr3t_Pas5 yang urutannya diacak menggunakan random.shuffle dengan seed time.time(). Untuk menyelesaikan username kita bisa […]
Tag: z3
[Joints2020] – crackme
Diberikan sebuah binary 64 bit not stripped. Pseudocode dari fungsi main adalah sebagai berikut:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
int __cdecl main(int argc, const char **argv, const char **envp) { char v4; // [rsp+0h] [rbp-30h] _BYTE v5[3]; // [rsp+5h] [rbp-2Bh] _BYTE v6[6]; // [rsp+Ah] [rbp-26h] int v7; // [rsp+14h] [rbp-1Ch] char v8; // [rsp+19h] [rbp-17h] unsigned __int64 v9; // [rsp+28h] [rbp-8h] v9 = __readfsqword(0x28u); __isoc99_scanf("%5c-%5c-%5c-%5c-%5c", &v4, v5, v6, &v6[5], &v7); v8 = 0; if ( checker(&v4) ) unlock(); else printf("Invalid serial key"); return 0; } |
Dilihat program meminta input sepanjang 25 karakter dan kemudian input akan diproses oleh fungsi checker() dan bila hasil dari checker() adalah true maka fungsi unlock() akan dipanggil. Berikut pseudocode dari fungsi unlock():
|
1 2 3 4 5 6 7 8 9 10 |
int unlock() { char i; // al FILE *stream; // [rsp+8h] [rbp-8h] stream = fopen("flag.txt", "r"); for ( i = fgetc(stream); i != -1; i = fgetc(stream) ) putchar(i); return fclose(stream); } |
Fungsi tersebut akan membuka file flag.txt pada server nc. Berikut pseudocode dari fungsi checker():
[SlashRoot CTF 2019] – Android
Diberikan sebuah file ‘CrackMe102.apk‘. Namun untuk mengetahui Algoritma dari apk tersebut, ada 2 cara, yaitu extract dengan menggunakan Apktool atau dengan JADX (http://www.javadecompilers.com/apk). Pada kasus ini, saya memilih untuk mengextract apk tersebut menggunakan JADX, agar source code yang dipakai untuk membuat apk tersebut berkemungkinan dapat dibaca. Berbeda ketika kita menggunakan Apktool, maka extract yang yang […]
[Cyber Jawara 2019 Qualification] – Haseul
Kita di berikan sebuah file ELF 64bit yang dapat kalian download disini Kita coba buka file tersebut dengan IDA Pro 64bit
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
signed __int64 __fastcall main(int a1, char **a2, char **a3) { int v4; // eax int v5; // [rsp+1Ch] [rbp-14h] signed int i; // [rsp+20h] [rbp-10h] signed int j; // [rsp+24h] [rbp-Ch] char *s; // [rsp+28h] [rbp-8h] if ( a1 != 2 ) return 1LL; s = a2[1]; if ( strlen(a2[1]) != 34 ) return 1LL; v5 = 0; for ( i = 0; i < 33; ++i ) { for ( j = 1; j < 34; ++j ) { v4 = v5++; if ( s[i] + s[j] != byte_8A0[v4] ) { puts("nope!"); return 1LL; } } } printf("CJ2019{%s}\n", s, a2); return 0LL; } |
Dari algoritma diatas, string tersebut dibandingkan dengan sesuatu yang ada di dalam byte_8A0
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 |
.rodata:00000000000008A0 byte_8A0 db 0A9h, 0EEh, 0D8h, 0DCh, 0DAh, 0E7h, 0D8h, 0ECh, 0A9h .rodata:00000000000008A0 ; DATA XREF: main+9E↑o .rodata:00000000000008A0 db 0E5h, 0EFh, 0DEh, 0D8h, 0EDh, 0E1h, 0E2h, 0AEh, 0D8h .rodata:00000000000008A0 db 0DEh, 0DAh, 0AEh, 0E2h, 0E5h, 0F2h, 0D8h, 0EEh, 0ECh .rodata:00000000000008A0 db 0E2h, 0E7h, 0B2h, 0D8h, 0D3h, 0ACh, 60h, 0A5h, 8Fh .rodata:00000000000008A0 db 93h, 91h, 9Eh, 8Fh, 0A3h, 60h, 9Ch, 0A6h, 95h, 8Fh .rodata:00000000000008A0 db 0A4h, 98h, 99h, 65h, 8Fh, 95h, 91h, 65h, 99h, 9Ch, 0A9h .rodata:00000000000008A0 db 8Fh, 0A5h, 0A3h, 99h, 9Eh, 69h, 8Fh, 8Ah, 63h, 0A5h .rodata:00000000000008A0 db 0EAh, 0D4h, 0D8h, 0D6h, 0E3h, 0D4h, 0E8h, 0A5h, 0E1h .rodata:00000000000008A0 db 0EBh, 0DAh, 0D4h, 0E9h, 0DDh, 0DEh, 0AAh, 0D4h, 0DAh .rodata:00000000000008A0 db 0D6h, 0AAh, 0DEh, 0E1h, 0EEh, 0D4h, 0EAh, 0E8h, 0DEh .rodata:00000000000008A0 db 0E3h, 0AEh, 0D4h, 0CFh, 0A8h, 8Fh, 0D4h, 0BEh, 0C2h .rodata:00000000000008A0 db 0C0h, 0CDh, 0BEh, 0D2h, 8Fh, 0CBh, 0D5h, 0C4h, 0BEh .rodata:00000000000008A0 db 0D3h, 0C7h, 0C8h, 94h, 0BEh, 0C4h, 0C0h, 94h, 0C8h .rodata:00000000000008A0 db 0CBh, 0D8h, 0BEh, 0D4h, 0D2h, 0C8h, 0CDh, 98h, 0BEh .rodata:00000000000008A0 db 0B9h, 92h, 93h, 0D8h, 0C2h, 0C6h, 0C4h, 0D1h, 0C2h .rodata:00000000000008A0 db 0D6h, 93h, 0CFh, 0D9h, 0C8h, 0C2h, 0D7h, 0CBh, 0CCh .rodata:00000000000008A0 db 98h, 0C2h, 0C8h, 0C4h, 98h, 0CCh, 0CFh, 0DCh, 0C2h .rodata:00000000000008A0 db 0D8h, 0D6h, 0CCh, 0D1h, 9Ch, 0C2h, 0BDh, 96h, 91h, 0D6h .rodata:00000000000008A0 db 0C0h, 0C4h, 0C2h, 0CFh, 0C0h, 0D4h, 91h, 0CDh, 0D7h .rodata:00000000000008A0 db 0C6h, 0C0h, 0D5h, 0C9h, 0CAh, 96h, 0C0h, 0C6h, 0C2h .rodata:00000000000008A0 db 96h, 0CAh, 0CDh, 0DAh, 0C0h, 0D6h, 0D4h, 0CAh, 0CFh .rodata:00000000000008A0 db 9Ah, 0C0h, 0BBh, 94h, 9Eh, 0E3h, 0CDh, 0D1h, 0CFh, 0DCh .rodata:00000000000008A0 db 0CDh, 0E1h, 9Eh, 0DAh, 0E4h, 0D3h, 0CDh, 0E2h, 0D6h .rodata:00000000000008A0 db 0D7h, 0A3h, 0CDh, 0D3h, 0CFh, 0A3h, 0D7h, 0DAh, 0E7h .rodata:00000000000008A0 db 0CDh, 0E3h, 0E1h, 0D7h, 0DCh, 0A7h, 0CDh, 0C8h, 0A1h .rodata:00000000000008A0 db 8Fh, 0D4h, 0BEh, 0C2h, 0C0h, 0CDh, 0BEh, 0D2h, 8Fh .rodata:00000000000008A0 db 0CBh, 0D5h, 0C4h, 0BEh, 0D3h, 0C7h, 0C8h, 94h, 0BEh .rodata:00000000000008A0 db 0C4h, 0C0h, 94h, 0C8h, 0CBh, 0D8h, 0BEh, 0D4h, 0D2h .rodata:00000000000008A0 db 0C8h, 0CDh, 98h, 0BEh, 0B9h, 92h, 0A3h, 0E8h, 0D2h .rodata:00000000000008A0 db 0D6h, 0D4h, 0E1h, 0D2h, 0E6h, 0A3h, 0DFh, 0E9h, 0D8h .rodata:00000000000008A0 db 0D2h, 0E7h, 0DBh, 0DCh, 0A8h, 0D2h, 0D8h, 0D4h, 0A8h .rodata:00000000000008A0 db 0DCh, 0DFh, 0ECh, 0D2h, 0E8h, 0E6h, 0DCh, 0E1h, 0ACh .rodata:00000000000008A0 db 0D2h, 0CDh, 0A6h, 60h, 0A5h, 8Fh, 93h, 91h, 9Eh, 8Fh .rodata:00000000000008A0 db 0A3h, 60h, 9Ch, 0A6h, 95h, 8Fh, 0A4h, 98h, 99h, 65h .rodata:00000000000008A0 db 8Fh, 95h, 91h, 65h, 99h, 9Ch, 0A9h, 8Fh, 0A5h, 0A3h .rodata:00000000000008A0 db 99h, 9Eh, 69h, 8Fh, 8Ah, 63h, 9Ch, 0E1h, 0CBh, 0CFh .rodata:00000000000008A0 db 0CDh, 0DAh, 0CBh, 0DFh, 9Ch, 0D8h, 0E2h, 0D1h, 0CBh .rodata:00000000000008A0 db 0E0h, 0D4h, 0D5h, 0A1h, 0CBh, 0D1h, 0CDh, 0A1h, 0D5h .rodata:00000000000008A0 db 0D8h, 0E5h, 0CBh, 0E1h, 0DFh, 0D5h, 0DAh, 0A5h, 0CBh .rodata:00000000000008A0 db 0C6h, 9Fh, 0A6h, 0EBh, 0D5h, 0D9h, 0D7h, 0E4h, 0D5h .rodata:00000000000008A0 db 0E9h, 0A6h, 0E2h, 0ECh, 0DBh, 0D5h, 0EAh, 0DEh, 0DFh .rodata:00000000000008A0 db 0ABh, 0D5h, 0DBh, 0D7h, 0ABh, 0DFh, 0E2h, 0EFh, 0D5h .rodata:00000000000008A0 db 0EBh, 0E9h, 0DFh, 0E4h, 0AFh, 0D5h, 0D0h, 0A9h, 95h .rodata:00000000000008A0 db 0DAh, 0C4h, 0C8h, 0C6h, 0D3h, 0C4h, 0D8h, 95h, 0D1h .rodata:00000000000008A0 db 0DBh, 0CAh, 0C4h, 0D9h, 0CDh, 0CEh, 9Ah, 0C4h, 0CAh .rodata:00000000000008A0 db 0C6h, 9Ah, 0CEh, 0D1h, 0DEh, 0C4h, 0DAh, 0D8h, 0CEh .rodata:00000000000008A0 db 0D3h, 9Eh, 0C4h, 0BFh, 98h, 8Fh, 0D4h, 0BEh, 0C2h, 0C0h .rodata:00000000000008A0 db 0CDh, 0BEh, 0D2h, 8Fh, 0CBh, 0D5h, 0C4h, 0BEh, 0D3h .rodata:00000000000008A0 db 0C7h, 0C8h, 94h, 0BEh, 0C4h, 0C0h, 94h, 0C8h, 0CBh .rodata:00000000000008A0 db 0D8h, 0BEh, 0D4h, 0D2h, 0C8h, 0CDh, 98h, 0BEh, 0B9h .rodata:00000000000008A0 db 92h, 0A4h, 0E9h, 0D3h, 0D7h, 0D5h, 0E2h, 0D3h, 0E7h .rodata:00000000000008A0 db 0A4h, 0E0h, 0EAh, 0D9h, 0D3h, 0E8h, 0DCh, 0DDh, 0A9h .rodata:00000000000008A0 db 0D3h, 0D9h, 0D5h, 0A9h, 0DDh, 0E0h, 0EDh, 0D3h, 0E9h .rodata:00000000000008A0 db 0E7h, 0DDh, 0E2h, 0ADh, 0D3h, 0CEh, 0A7h, 98h, 0DDh .rodata:00000000000008A0 db 0C7h, 0CBh, 0C9h, 0D6h, 0C7h, 0DBh, 98h, 0D4h, 0DEh .rodata:00000000000008A0 db 0CDh, 0C7h, 0DCh, 0D0h, 0D1h, 9Dh, 0C7h, 0CDh, 0C9h .rodata:00000000000008A0 db 9Dh, 0D1h, 0D4h, 0E1h, 0C7h, 0DDh, 0DBh, 0D1h, 0D6h .rodata:00000000000008A0 db 0A1h, 0C7h, 0C2h, 9Bh, 99h, 0DEh, 0C8h, 0CCh, 0CAh .rodata:00000000000008A0 db 0D7h, 0C8h, 0DCh, 99h, 0D5h, 0DFh, 0CEh, 0C8h, 0DDh .rodata:00000000000008A0 db 0D1h, 0D2h, 9Eh, 0C8h, 0CEh, 0CAh, 9Eh, 0D2h, 0D5h .rodata:00000000000008A0 db 0E2h, 0C8h, 0DEh, 0DCh, 0D2h, 0D7h, 0A2h, 0C8h, 0C3h .rodata:00000000000008A0 db 9Ch, 65h, 0AAh, 94h, 98h, 96h, 0A3h, 94h, 0A8h, 65h .rodata:00000000000008A0 db 0A1h, 0ABh, 9Ah, 94h, 0A9h, 9Dh, 9Eh, 6Ah, 94h, 9Ah .rodata:00000000000008A0 db 96h, 6Ah, 9Eh, 0A1h, 0AEh, 94h, 0AAh, 0A8h, 9Eh, 0A3h .rodata:00000000000008A0 db 6Eh, 94h, 8Fh, 68h, 8Fh, 0D4h, 0BEh, 0C2h, 0C0h, 0CDh .rodata:00000000000008A0 db 0BEh, 0D2h, 8Fh, 0CBh, 0D5h, 0C4h, 0BEh, 0D3h, 0C7h .rodata:00000000000008A0 db 0C8h, 94h, 0BEh, 0C4h, 0C0h, 94h, 0C8h, 0CBh, 0D8h .rodata:00000000000008A0 db 0BEh, 0D4h, 0D2h, 0C8h, 0CDh, 98h, 0BEh, 0B9h, 92h .rodata:00000000000008A0 db 95h, 0DAh, 0C4h, 0C8h, 0C6h, 0D3h, 0C4h, 0D8h, 95h .rodata:00000000000008A0 db 0D1h, 0DBh, 0CAh, 0C4h, 0D9h, 0CDh, 0CEh, 9Ah, 0C4h .rodata:00000000000008A0 db 0CAh, 0C6h, 9Ah, 0CEh, 0D1h, 0DEh, 0C4h, 0DAh, 0D8h .rodata:00000000000008A0 db 0CEh, 0D3h, 9Eh, 0C4h, 0BFh, 98h, 91h, 0D6h, 0C0h, 0C4h .rodata:00000000000008A0 db 0C2h, 0CFh, 0C0h, 0D4h, 91h, 0CDh, 0D7h, 0C6h, 0C0h .rodata:00000000000008A0 db 0D5h, 0C9h, 0CAh, 96h, 0C0h, 0C6h, 0C2h, 96h, 0CAh .rodata:00000000000008A0 db 0CDh, 0DAh, 0C0h, 0D6h, 0D4h, 0CAh, 0CFh, 9Ah, 0C0h .rodata:00000000000008A0 db 0BBh, 94h, 65h, 0AAh, 94h, 98h, 96h, 0A3h, 94h, 0A8h .rodata:00000000000008A0 db 65h, 0A1h, 0ABh, 9Ah, 94h, 0A9h, 9Dh, 9Eh, 6Ah, 94h .rodata:00000000000008A0 db 9Ah, 96h, 6Ah, 9Eh, 0A1h, 0AEh, 94h, 0AAh, 0A8h, 9Eh .rodata:00000000000008A0 db 0A3h, 6Eh, 94h, 8Fh, 68h, 99h, 0DEh, 0C8h, 0CCh, 0CAh .rodata:00000000000008A0 db 0D7h, 0C8h, 0DCh, 99h, 0D5h, 0DFh, 0CEh, 0C8h, 0DDh .rodata:00000000000008A0 db 0D1h, 0D2h, 9Eh, 0C8h, 0CEh, 0CAh, 9Eh, 0D2h, 0D5h .rodata:00000000000008A0 db 0E2h, 0C8h, 0DEh, 0DCh, 0D2h, 0D7h, 0A2h, 0C8h, 0C3h .rodata:00000000000008A0 db 2 dup(9Ch), 0E1h, 0CBh, 0CFh, 0CDh, 0DAh, 0CBh, 0DFh .rodata:00000000000008A0 db 9Ch, 0D8h, 0E2h, 0D1h, 0CBh, 0E0h, 0D4h, 0D5h, 0A1h .rodata:00000000000008A0 db 0CBh, 0D1h, 0CDh, 0A1h, 0D5h, 0D8h, 0E5h, 0CBh, 0E1h .rodata:00000000000008A0 db 0DFh, 0D5h, 0DAh, 0A5h, 0CBh, 0C6h, 9Fh, 0A9h, 0EEh .rodata:00000000000008A0 db 0D8h, 0DCh, 0DAh, 0E7h, 0D8h, 0ECh, 0A9h, 0E5h, 0EFh .rodata:00000000000008A0 db 0DEh, 0D8h, 0EDh, 0E1h, 0E2h, 0AEh, 0D8h, 0DEh, 0DAh .rodata:00000000000008A0 db 0AEh, 0E2h, 0E5h, 0F2h, 0D8h, 0EEh, 0ECh, 0E2h, 0E7h .rodata:00000000000008A0 db 0B2h, 0D8h, 0D3h, 0ACh, 8Fh, 0D4h, 0BEh, 0C2h, 0C0h .rodata:00000000000008A0 db 0CDh, 0BEh, 0D2h, 8Fh, 0CBh, 0D5h, 0C4h, 0BEh, 0D3h .rodata:00000000000008A0 db 0C7h, 0C8h, 94h, 0BEh, 0C4h, 0C0h, 94h, 0C8h, 0CBh .rodata:00000000000008A0 db 0D8h, 0BEh, 0D4h, 0D2h, 0C8h, 0CDh, 98h, 0BEh, 0B9h .rodata:00000000000008A0 db 92h, 0A5h, 0EAh, 0D4h, 0D8h, 0D6h, 0E3h, 0D4h, 0E8h .rodata:00000000000008A0 db 0A5h, 0E1h, 0EBh, 0DAh, 0D4h, 0E9h, 0DDh, 0DEh, 0AAh .rodata:00000000000008A0 db 0D4h, 0DAh, 0D6h, 0AAh, 0DEh, 0E1h, 0EEh, 0D4h, 0EAh .rodata:00000000000008A0 db 0E8h, 0DEh, 0E3h, 0AEh, 0D4h, 0CFh, 0A8h, 0A3h, 0E8h .rodata:00000000000008A0 db 0D2h, 0D6h, 0D4h, 0E1h, 0D2h, 0E6h, 0A3h, 0DFh, 0E9h .rodata:00000000000008A0 db 0D8h, 0D2h, 0E7h, 0DBh, 0DCh, 0A8h, 0D2h, 0D8h, 0D4h .rodata:00000000000008A0 db 0A8h, 0DCh, 0DFh, 0ECh, 0D2h, 0E8h, 0E6h, 0DCh, 0E1h .rodata:00000000000008A0 db 0ACh, 0D2h, 0CDh, 0A6h, 99h, 0DEh, 0C8h, 0CCh, 0CAh .rodata:00000000000008A0 db 0D7h, 0C8h, 0DCh, 99h, 0D5h, 0DFh, 0CEh, 0C8h, 0DDh .rodata:00000000000008A0 db 0D1h, 0D2h, 9Eh, 0C8h, 0CEh, 0CAh, 9Eh, 0D2h, 0D5h .rodata:00000000000008A0 db 0E2h, 0C8h, 0DEh, 0DCh, 0D2h, 0D7h, 0A2h, 0C8h, 0C3h .rodata:00000000000008A0 db 9Ch, 9Eh, 0E3h, 0CDh, 0D1h, 0CFh, 0DCh, 0CDh, 0E1h .rodata:00000000000008A0 db 9Eh, 0DAh, 0E4h, 0D3h, 0CDh, 0E2h, 0D6h, 0D7h, 0A3h .rodata:00000000000008A0 db 0CDh, 0D3h, 0CFh, 0A3h, 0D7h, 0DAh, 0E7h, 0CDh, 0E3h .rodata:00000000000008A0 db 0E1h, 0D7h, 0DCh, 0A7h, 0CDh, 0C8h, 0A1h, 69h, 0AEh .rodata:00000000000008A0 db 98h, 9Ch, 9Ah, 0A7h, 98h, 0ACh, 69h, 0A5h, 0AFh, 9Eh .rodata:00000000000008A0 db 98h, 0ADh, 0A1h, 0A2h, 6Eh, 98h, 9Eh, 9Ah, 6Eh, 0A2h .rodata:00000000000008A0 db 0A5h, 0B2h, 98h, 0AEh, 0ACh, 0A2h, 0A7h, 72h, 98h, 93h .rodata:00000000000008A0 db 6Ch, 8Fh, 0D4h, 0BEh, 0C2h, 0C0h, 0CDh, 0BEh, 0D2h .rodata:00000000000008A0 db 8Fh, 0CBh, 0D5h, 0C4h, 0BEh, 0D3h, 0C7h, 0C8h, 94h .rodata:00000000000008A0 db 0BEh, 0C4h, 0C0h, 94h, 0C8h, 0CBh, 0D8h, 0BEh, 0D4h .rodata:00000000000008A0 db 0D2h, 0C8h, 0CDh, 98h, 0BEh, 0B9h, 92h, 8Ah, 0CFh, 0B9h .rodata:00000000000008A0 db 0BDh, 0BBh, 0C8h, 0B9h, 0CDh, 8Ah, 0C6h, 0D0h, 0BFh .rodata:00000000000008A0 db 0B9h, 0CEh, 0C2h, 0C3h, 8Fh, 0B9h, 0BFh, 0BBh, 8Fh .rodata:00000000000008A0 db 0C3h, 0C6h, 0D3h, 0B9h, 0CFh, 0CDh, 0C3h, 0C8h, 93h .rodata:00000000000008A0 db 0B9h, 0B4h, 8Dh |
Kemudian kita buat menjadi desimal yang menjadi
|
1 |
169,238,216,220,218,231,216,236,169,229,239,222,216,237,225,226,174,216,222,218,174,226,229,242,216,238,236,226,231,178,216,211,172,96,165,143,147,145,158,143,163,96,156,166,149,143,164,152,153,101,143,149,145,101,153,156,169,143,165,163,153,158,105,143,138,99,165,234,212,216,214,227,212,232,165,225,235,218,212,233,221,222,170,212,218,214,170,222,225,238,212,234,232,222,227,174,212,207,168,143,212,190,194,192,205,190,210,143,203,213,196,190,211,199,200,148,190,196,192,148,200,203,216,190,212,210,200,205,152,190,185,146,147,216,194,198,196,209,194,214,147,207,217,200,194,215,203,204,152,194,200,196,152,204,207,220,194,216,214,204,209,156,194,189,150,145,214,192,196,194,207,192,212,145,205,215,198,192,213,201,202,150,192,198,194,150,202,205,218,192,214,212,202,207,154,192,187,148,158,227,205,209,207,220,205,225,158,218,228,211,205,226,214,215,163,205,211,207,163,215,218,231,205,227,225,215,220,167,205,200,161,143,212,190,194,192,205,190,210,143,203,213,196,190,211,199,200,148,190,196,192,148,200,203,216,190,212,210,200,205,152,190,185,146,163,232,210,214,212,225,210,230,163,223,233,216,210,231,219,220,168,210,216,212,168,220,223,236,210,232,230,220,225,172,210,205,166,96,165,143,147,145,158,143,163,96,156,166,149,143,164,152,153,101,143,149,145,101,153,156,169,143,165,163,153,158,105,143,138,99,156,225,203,207,205,218,203,223,156,216,226,209,203,224,212,213,161,203,209,205,161,213,216,229,203,225,223,213,218,165,203,198,159,166,235,213,217,215,228,213,233,166,226,236,219,213,234,222,223,171,213,219,215,171,223,226,239,213,235,233,223,228,175,213,208,169,149,218,196,200,198,211,196,216,149,209,219,202,196,217,205,206,154,196,202,198,154,206,209,222,196,218,216,206,211,158,196,191,152,143,212,190,194,192,205,190,210,143,203,213,196,190,211,199,200,148,190,196,192,148,200,203,216,190,212,210,200,205,152,190,185,146,164,233,211,215,213,226,211,231,164,224,234,217,211,232,220,221,169,211,217,213,169,221,224,237,211,233,231,221,226,173,211,206,167,152,221,199,203,201,214,199,219,152,212,222,205,199,220,208,209,157,199,205,201,157,209,212,225,199,221,219,209,214,161,199,194,155,153,222,200,204,202,215,200,220,153,213,223,206,200,221,209,210,158,200,206,202,158,210,213,226,200,222,220,210,215,162,200,195,156,101,170,148,152,150,163,148,168,101,161,171,154,148,169,157,158,106,148,154,150,106,158,161,174,148,170,168,158,163,110,148,143,104,143,212,190,194,192,205,190,210,143,203,213,196,190,211,199,200,148,190,196,192,148,200,203,216,190,212,210,200,205,152,190,185,146,149,218,196,200,198,211,196,216,149,209,219,202,196,217,205,206,154,196,202,198,154,206,209,222,196,218,216,206,211,158,196,191,152,145,214,192,196,194,207,192,212,145,205,215,198,192,213,201,202,150,192,198,194,150,202,205,218,192,214,212,202,207,154,192,187,148,101,170,148,152,150,163,148,168,101,161,171,154,148,169,157,158,106,148,154,150,106,158,161,174,148,170,168,158,163,110,148,143,104,153,222,200,204,202,215,200,220,153,213,223,206,200,221,209,210,158,200,206,202,158,210,213,226,200,222,220,210,215,162,200,195,156,156,225,203,207,205,218,203,223,156,216,226,209,203,224,212,213,161,203,209,205,161,213,216,229,203,225,223,213,218,165,203,198,159,169,238,216,220,218,231,216,236,169,229,239,222,216,237,225,226,174,216,222,218,174,226,229,242,216,238,236,226,231,178,216,211,172,143,212,190,194,192,205,190,210,143,203,213,196,190,211,199,200,148,190,196,192,148,200,203,216,190,212,210,200,205,152,190,185,146,165,234,212,216,214,227,212,232,165,225,235,218,212,233,221,222,170,212,218,214,170,222,225,238,212,234,232,222,227,174,212,207,168,163,232,210,214,212,225,210,230,163,223,233,216,210,231,219,220,168,210,216,212,168,220,223,236,210,232,230,220,225,172,210,205,166,153,222,200,204,202,215,200,220,153,213,223,206,200,221,209,210,158,200,206,202,158,210,213,226,200,222,220,210,215,162,200,195,156,158,227,205,209,207,220,205,225,158,218,228,211,205,226,214,215,163,205,211,207,163,215,218,231,205,227,225,215,220,167,205,200,161,105,174,152,156,154,167,152,172,105,165,175,158,152,173,161,162,110,152,158,154,110,162,165,178,152,174,172,162,167,114,152,147,108,143,212,190,194,192,205,190,210,143,203,213,196,190,211,199,200,148,190,196,192,148,200,203,216,190,212,210,200,205,152,190,185,146,138,207,185,189,187,200,185,205,138,198,208,191,185,206,194,195,143,185,191,187,143,195,198,211,185,207,205,195,200,147,185,180,141 |
Dari main diatas dan isi dari byte_8A0, kita buat solvernya dengan menggunakan […]
[BackdoorCTF 2017] – No Calm
Soal ini diberikan sebuah ELF 64bit file yang bisa kalian download disini Kemudian coba kita buka file tersebut dalam IDA Pro 64 bit, dan kita lihat psudeocodenya.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 |
int __cdecl main(int argc, const char **argv, const char **envp) { int i; // [rsp+1Ch] [rbp-34h] char v5; // [rsp+20h] [rbp-30h] char v6; // [rsp+21h] [rbp-2Fh] char v7; // [rsp+22h] [rbp-2Eh] char v8; // [rsp+23h] [rbp-2Dh] char v9; // [rsp+24h] [rbp-2Ch] char v10; // [rsp+25h] [rbp-2Bh] char v11; // [rsp+26h] [rbp-2Ah] char v12; // [rsp+27h] [rbp-29h] char v13; // [rsp+28h] [rbp-28h] char v14; // [rsp+29h] [rbp-27h] char v15; // [rsp+2Ah] [rbp-26h] char v16; // [rsp+2Bh] [rbp-25h] char v17; // [rsp+2Ch] [rbp-24h] char v18; // [rsp+2Dh] [rbp-23h] char v19; // [rsp+2Eh] [rbp-22h] char v20; // [rsp+2Fh] [rbp-21h] char v21; // [rsp+30h] [rbp-20h] char v22; // [rsp+31h] [rbp-1Fh] char v23; // [rsp+32h] [rbp-1Eh] char v24; // [rsp+33h] [rbp-1Dh] char v25; // [rsp+34h] [rbp-1Ch] char v26; // [rsp+35h] [rbp-1Bh] char v27; // [rsp+36h] [rbp-1Ah] char v28; // [rsp+37h] [rbp-19h] char v29; // [rsp+38h] [rbp-18h] char v30; // [rsp+39h] [rbp-17h] char v31; // [rsp+3Ah] [rbp-16h] char v32; // [rsp+3Bh] [rbp-15h] char v33; // [rsp+3Ch] [rbp-14h] char v34; // [rsp+3Dh] [rbp-13h] unsigned __int64 v35; // [rsp+48h] [rbp-8h] v35 = __readfsqword(0x28u); if ( argc != 31 ) { printf("Usage ./challenge <each byte of flag seperated by spaces>", argv, envp, argv); exit(1); } for ( i = 0; argc - 1 > i; ++i ) *(&v5 + i) = *argv[i + 1LL]; if ( v6 + v5 - v7 == 81 ) { if ( v5 - v6 + v7 == 53 ) { if ( v6 - v5 + v7 == 87 ) { if ( v9 + v8 - v10 == 90 ) { if ( v8 - v9 + v10 == 156 ) { if ( v9 - v8 + v10 == 66 ) { if ( v12 + v11 - v13 == 98 ) { if ( v11 - v12 + v13 == 140 ) { if ( v12 - v11 + v13 == 92 ) { if ( v15 + v14 - v16 == 38 ) { if ( v14 - v15 + v16 == 170 ) { if ( v15 - v14 + v16 == 60 ) { if ( v18 + v17 - v19 == 29 ) { if ( v17 - v18 + v19 == 161 ) { if ( v18 - v17 + v19 == 69 ) { if ( v21 + v20 - v22 == 163 ) { if ( v20 - v21 + v22 == 27 ) { if ( v21 - v20 + v22 == 69 ) { if ( v24 + v23 - v25 == 147 ) { if ( v23 - v24 + v25 == 43 ) { if ( v24 - v23 + v25 == 59 ) { if ( v27 + v26 - v28 == 146 ) { if ( v26 - v27 + v28 == 86 ) { if ( v27 - v26 + v28 == 44 ) { if ( v30 + v29 - v31 == 67 ) { if ( v29 - v30 + v31 == 89 ) { if ( v30 - v29 + v31 == 75 ) { if ( v33 + v32 - v34 == 117 ) { if ( v32 - v33 + v34 == 125 ) { if ( v33 - v32 + v34 == 125 ) success(); else fail(); } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } } else { fail(); } return 0; } |
Kemudian dari hasil Psudeocode ini kita mendapati banyak sekali constraint yang diterapkan pada soal, sehingga ada 2 cara untuk mengerjakannya yakni dengan Angr atau dengan Z3 solver. […]
[EasyCTF IV]- ez_rev – 140
Original Writeup : https://github.com/KosBeg/ctf-writeups/blob/master/EasyCTF_IV/ez_rev/README.md Download : https://drive.google.com/file/d/1U4dJfiVBo01tXRCPV8lqYBdudIPjD1rc/view?usp=sharing File yang diberikan merupakan file ELF 64bit, dynamically linked, not stripped.
|
1 2 3 |
$ file ez_rev ez_rev: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=eb7a47c52c657a17b5ae730826c4640de86b0dcf, not stripped |
Ketika dijalankan program akan meminta password sebagai argumen. Jika kita memasukan password yang salah, program akan menghapus dirinya sendiri.
|
1 2 3 |
$ ./ez_rev_1 test successfully deleted! |
Kemudian kita membuka programnya di IDA, mari kita lihat pseudo nya.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 |
int __cdecl main(int argc, const char **argv, const char **envp) { int result; // eax int v4; // [rsp+10h] [rbp-20h] int v5; // [rsp+14h] [rbp-1Ch] int v6; // [rsp+18h] [rbp-18h] int v7; // [rsp+1Ch] [rbp-14h] int v8; // [rsp+20h] [rbp-10h] const char *v9; // [rsp+28h] [rbp-8h] signal(2, sigintHandler); target = (char *)*argv; if ( argc != 2 ) return 2; v9 = argv[1]; v4 = 1; v5 = 2; v6 = 3; v7 = 4; v8 = 5; v4 = *v9 + 1; v5 = v9[1] + 2; v6 = v9[2] + 3; v7 = v9[3] + 4; v8 = v9[4] + 5; if ( v7 != 111 || v6 != 125 || v4 != v8 - 10 || v5 != 53 || v8 != v7 + 3 ) { sleep(2u); remove(*argv); puts("successfully deleted!"); result = 2; } else { printf("Now here is your flag: ", sigintHandler, argv); print_5(&v4); result = 1; } return result; } |
Setelah itu kita dapat […]
[DEFCONCTF Quals 2016]: baby-re – Static Analysis + z3
Challenge: Get to reversing. File. Pertama, kita mulai dengan menjalankan file.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
nacl@ubuntu:~/Downloads$ ./baby-re Var[0]: 1 Var[1]: 1 Var[2]: 1 Var[3]: 1 Var[4]: 1 Var[5]: 1 Var[6]: 1 Var[7]: 1 Var[8]: 1 Var[9]: 1 Var[10]: 1 Var[11]: 1 Var[12]: 1 Wrong |
Terlihat bahwa program meminta 13 variabel. Selanjutnya saya mendekompilasi program tersebut dengan menggunakan IDA:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 |
int __cdecl main(int argc, const char **argv, const char **envp) { unsigned int v4; // [rsp+0h] [rbp-60h] unsigned int v5; // [rsp+4h] [rbp-5Ch] unsigned int v6; // [rsp+8h] [rbp-58h] unsigned int v7; // [rsp+Ch] [rbp-54h] unsigned int v8; // [rsp+10h] [rbp-50h] unsigned int v9; // [rsp+14h] [rbp-4Ch] unsigned int v10; // [rsp+18h] [rbp-48h] unsigned int v11; // [rsp+1Ch] [rbp-44h] unsigned int v12; // [rsp+20h] [rbp-40h] unsigned int v13; // [rsp+24h] [rbp-3Ch] unsigned int v14; // [rsp+28h] [rbp-38h] unsigned int v15; // [rsp+2Ch] [rbp-34h] unsigned int v16; // [rsp+30h] [rbp-30h] unsigned __int64 v17; // [rsp+38h] [rbp-28h] v17 = __readfsqword(0x28u); printf("Var[0]: ", argv, envp); fflush(_bss_start); __isoc99_scanf("%d", &v4); printf("Var[1]: "); fflush(_bss_start); __isoc99_scanf("%d", &v5); printf("Var[2]: "); fflush(_bss_start); __isoc99_scanf("%d", &v6); printf("Var[3]: "); fflush(_bss_start); __isoc99_scanf("%d", &v7); printf("Var[4]: "); fflush(_bss_start); __isoc99_scanf("%d", &v8); printf("Var[5]: "); fflush(_bss_start); __isoc99_scanf("%d", &v9); printf("Var[6]: "); fflush(_bss_start); __isoc99_scanf("%d", &v10); printf("Var[7]: "); fflush(_bss_start); __isoc99_scanf("%d", &v11); printf("Var[8]: "); fflush(_bss_start); __isoc99_scanf("%d", &v12); printf("Var[9]: "); fflush(_bss_start); __isoc99_scanf("%d", &v13); printf("Var[10]: "); fflush(_bss_start); __isoc99_scanf("%d", &v14); printf("Var[11]: "); fflush(_bss_start); __isoc99_scanf("%d", &v15); printf("Var[12]: "); fflush(_bss_start); __isoc99_scanf("%d", &v16); if ( (unsigned __int8)CheckSolution(&v4) ) printf("The flag is: %c%c%c%c%c%c%c%c%c%c%c%c%c\n", v4, v5, v6, v7, v8, v9, v10, v11, v12, v13, v14, v15, v16); else puts("Wrong"); return 0; } |
Disitu terlihat ada function CheckSolution yang tidak dapat didekompilasi secara lengkap. Hal ini disebabkan karena return address yang hilang/ tidak ada dalam frame. Kita dapat memperbaiki ini dengan meng-undefine function tersebut (klik kanan > undefine): Lalu […]