{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-harekazectf-2022-en","result":{"data":{"markdownRemark":{"id":"a7ef91f5-5e2d-5f17-b114-e8abffb1f78f","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-harekazectf-2022\">original page</a>.</p>\n</blockquote>\n<p>I took part in <a href=\"https://harekaze.com/ctf/2021.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Harekaze mini CTF 2021</a>, which was held on 12/24.</p>\n<p>I participated as 0neP@adding and finished in 29th place.</p>\n<p>I still could not solve the harder Reversing challenges, so I clearly have more work to do.</p>\n<h2 id=\"crackmerev\" style=\"position:relative;\"><a href=\"#crackmerev\" aria-label=\"crackmerev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Crackme(Rev)</h2>\n<p>Looking at the decompiled output, you can see that it performs a calculation on each input character one by one, and the characters whose result becomes greater than 0 are the characters of the flag.</p>\n<p>It looked possible to reverse it and work backward as well, but since it seemed like a brute-force attack would identify the flag within a few minutes, I used the following script to automate GDB analysis and recover the flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> gdb\n\nBINDIR <span class=\"token operator\">=</span> <span 
class=\"token string\">\"~/Downloads\"</span>\nBIN <span class=\"token operator\">=</span> <span class=\"token string\">\"crackme\"</span>\nINPUT <span class=\"token operator\">=</span> <span class=\"token string\">\"./in.txt\"</span>\nBREAK <span class=\"token operator\">=</span> <span class=\"token string\">\"0x55555555523f\"</span>\n\ngdb<span class=\"token punctuation\">.</span>execute<span class=\"token punctuation\">(</span><span class=\"token string\">'file {}/{}'</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span>BINDIR<span class=\"token punctuation\">,</span> BIN<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\ngdb<span class=\"token punctuation\">.</span>execute<span class=\"token punctuation\">(</span><span class=\"token string\">'b *{}'</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span>BREAK<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\nFlag <span class=\"token operator\">=</span> <span class=\"token builtin\">list</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"HarekazeCTF{quadrat1c_3quati0n}\"</span><span class=\"token punctuation\">)</span>\ncounter <span class=\"token operator\">=</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>Flag<span class=\"token punctuation\">)</span>\nFlag <span class=\"token operator\">+=</span> <span class=\"token punctuation\">[</span><span class=\"token string\">\".\"</span> <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x1f</span><span class=\"token operator\">-</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>Flag<span 
class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span>\n\ntable <span class=\"token operator\">=</span> <span class=\"token string\">\"_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890!#$=}{\"</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span>Flag<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Stop once all 0x1f flag characters are recovered; Flag[counter] would otherwise index past the end of the list</span>\n<span class=\"token keyword\">while</span> counter <span class=\"token operator\">&lt;</span> <span class=\"token number\">0x1f</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"===============================================\"</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token keyword\">for</span> t <span class=\"token keyword\">in</span> table<span class=\"token punctuation\">:</span>\n        Flag<span class=\"token punctuation\">[</span>counter<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> t\n        gdb<span class=\"token punctuation\">.</span>execute<span class=\"token punctuation\">(</span><span class=\"token string\">'run {}'</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span>Flag<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n        <span class=\"token keyword\">if</span> counter <span class=\"token operator\">></span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">for</span> i <span 
class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span>counter<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"next\"</span><span class=\"token punctuation\">)</span>\n                gdb<span class=\"token punctuation\">.</span>execute<span class=\"token punctuation\">(</span><span class=\"token string\">'c'</span><span class=\"token punctuation\">)</span>\n        \n        r <span class=\"token operator\">=</span> gdb<span class=\"token punctuation\">.</span>parse_and_eval<span class=\"token punctuation\">(</span><span class=\"token string\">\"$al\"</span><span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>r<span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">if</span> r <span class=\"token operator\">!=</span> <span class=\"token number\">0x0</span><span class=\"token punctuation\">:</span>\n            counter <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n            <span class=\"token comment\"># print(\"\".join(Flag))</span>\n            <span class=\"token keyword\">break</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span>Flag<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Print the recovered flag before quitting: 'quit' ends the GDB session and this script with it</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span>Flag<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\ngdb<span class=\"token punctuation\">.</span>execute<span class=\"token punctuation\">(</span><span class=\"token string\">'quit'</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>It was the last CTF of the year, but next year I want to study more so that I can solve harder challenges as well.</p>","fields":{"slug":"/ctf-harekazectf-2022-en","tagSlugs":["/tag/ctf-en/","/tag/reversing-en/","/tag/security-en/","/tag/english/"]},"frontmatter":{"date":"2021-12-29","description":"","tags":["CTF (en)","Reversing (en)","Security (en)","English"],"title":"Harekaze mini CTF 2021 Writeup","socialImage":{"publicURL":"/static/09ccb7d9b02690ed61c59ffaf9aa0954/ctf-harekazectf-2022.png"}}}},"pageContext":{"slug":"/ctf-harekazectf-2022-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}