\n\nThis page has been machine-translated from the original page.
\n
I participated in n00bzCTF 2023 as part of 0nePadding, and we placed 79th out of 855 teams.
\nReference: n00bzCTF 2023 - MyPin :: Chocapikk’s blog Place this as Reference: Java import giving error - Stack Overflow Rev is EZ! Author: NoobHacker Decompiling the provided class file yields the following code. After that, you can recover the flag just by writing code that works backwards. Decompiling the ELF file provided as the challenge binary with Ghidra gave the following result. At a glance, it looked like an (Since the challenge name is However, I could not recover the flag with the template above. I suspect that was because I had not specified any constraints in I was not very sure how to run Based on Ghidra’s decompiled output, I created a solver with the following constraints and was able to obtain the flag. This time I participated only lightly. I need to keep practicing.Solve.java in the same directory as Secret.class, then run the following command to recover the flag.javac Solve.java ; java SolveEZrev(Rev)
\n\n
\n/*\n * Decompiled with CFR 0.150.\n */\nimport java.util.Arrays;\n\npublic class EZrev {\n public static void main(String[] arrstring) {\n int n;\n if (arrstring.length != 1) {\n System.out.println(\"L\");\n return;\n }\n String string = arrstring[0];\n if (string.length() != 31) {\n System.out.println(\"L\");\n return;\n }\n int[] arrn = string.chars().toArray();\n for (n = 0; n < arrn.length; ++n) {\n arrn[n] = n % 2 == 0 ? (int)((char)(arrn[n] ^ 0x13)) : (int)((char)(arrn[n] ^ 0x37));\n }\n for (n = 0; n < arrn.length / 2; ++n) {\n if (n % 2 == 0) {\n int n2 = arrn[n] - 10;\n arrn[n] = (char)(arrn[arrn.length - 1 - n] + 20);\n arrn[arrn.length - 1 - n] = (char)n2;\n continue;\n }\n arrn[n] = (char)(arrn[n] + 30);\n }\n int[] arrn2 = new int[]{130, 37, 70, 115, 64, 106, 143, 34, 54, 134, 96, 98, 125, 98, 138, 104, 25, 3, 66, 78, 24, 69, 91, 80, 87, 67, 95, 8, 25, 22, 115};\n if (Arrays.equals(arrn, arrn2)) {\n System.out.println(\"W\");\n } else {\n System.out.println(\"L\");\n }\n }\n}arr2 = [130, 37, 70, 115, 64, 106, 143, 34, 54, 134, 96, 98, 125, 98, 138, 104, 25, 3, 66, 78, 24, 69, 91, 80, 87, 67, 95, 8, 25, 22, 115]\narr = arr2.copy()\n\nfor i in range(len(arr)//2):\n if i % 2 == 0:\n n2 = arr[i]\n arr[i] = arr[len(arr)-1-i]\n arr[len(arr)-1-i] = n2\nprint(arr)\n\nfor i in range(len(arr)//2):\n if i % 2 != 0:\n arr[i] = arr2[i] - 30 \n else:\n arr[i] = arr2[len(arr)-1-i] + 10\n arr[len(arr)-1-i] = arr2[i] - 20\n\nfor i in range(len(arr2)):\n if i % 2 == 0:\n arr[i] = arr[i] ^ 0x13\n else:\n arr[i] = arr[i] ^ 0x37\n\nfor a in arr:\n print(chr(a), end=\"\")zzz(Rev)
\nangr challenge, so I tried the following template.zzz, maybe the intended solution was to solve the constraints with z3?)import angr\nproj = angr.Project(\"chall\", auto_load_libs=False)\ninit_state = proj.factory.entry_state(args = ['chall'])\nsimgr = proj.factory.simgr(init_state)\nsimgr.explore(find=(0x401654), avoid=([0x4016ca,0x4011a9]))\n\n# 出力\nsimgr.found[0].posix.dumps(0)angr.angr with more detailed constraints, so I decided to use Z3Py instead, which was probably closer to the intended solution.from z3 import *\nflag = [BitVec(f\"flag[{i}]\", 8) for i in range(0x1e)]\ns = Solver()\n\n# 独自の制約を追加\ns.add(flag[0] == ord(\"n\"))\ns.add(flag[1] == ord(\"0\"))\ns.add(flag[2] == ord(\"0\"))\ns.add(flag[3] == ord(\"b\"))\ns.add(flag[4] == ord(\"z\"))\ns.add(flag[5] == ord(\"{\"))\ns.add(flag[0x1e-1] == ord(\"}\"))\nfor i in range(0x1e):\n s.add(And(\n (flag[i] >= 0x21),\n (flag[i] <= 0x7e)\n ))\n\n# 問題の制約\ns.add(flag[0] >> 4 == 0x6)\ns.add(flag[1] == flag[2])\ns.add(And(\n ((flag[6] | flag[3]) == 0x7a),\n ((flag[6] & flag[3]) == 0x42)\n ))\ns.add(flag[0x1c] == flag[4]) \ns.add(And(\n (flag[0x1d] * flag[5] == 0x3c0f),\n And(\n (flag[8] + flag[6] + flag[7] == 0x12e),\n (flag[7] * flag[6] - flag[8] == 0x2a8a)\n )\n))\n\ns.add(And(\n And(\n (flag[9] - flag[8] == 5),\n (flag[10] - flag[9] == 0x1b),\n (flag[10] ^ flag[0xb] == 0x20)\n ),\n And(\n (flag[0xc] == flag[0xf]),\n (flag[0xb] + flag[0xc] == 0xb4),\n (flag[0xc] + flag[0xd] == 0xb9)\n )\n))\n\ns.add(And(\n (flag[0xd] + flag[0xe] - flag[0x10] == flag[0xd]),\n And(\n (flag[0x11] + flag[0x10] == 0xd9),\n (flag[0x11] == flag[0xd])\n ),\n And(flag[0xe] + flag[0x10] == flag[0xe] * 2)\n))\n\ns.add(And(\n And(\n (flag[0x12] == ord('Z')),\n (flag[0x12] == flag[0x13]),\n ((flag[0x15] ^ flag[0x13] ^ flag[0x14]) == 0x7f)\n ),\n ((flag[0x14] ^ flag[0x15] ^ flag[0x16]) == flag[0x15]),\n (flag[0x15] == ord('_')),\n (flag[6] + flag[0x18] == 0xb4)\n))\n\ns.add(flag[0x18] + ~flag[0x17] == -0x21)\ns.add(flag[0x19] == flag[9])\ns.add(And(\n (flag[0x1b] + flag[0x1a] == 0xd4),\n (flag[0x1b] == flag[0x1c])\n))\n\nwhile s.check() == sat:\n m = s.model()\n for c in flag:\n print(chr(m[c].as_long()),end=\"\")\n print(\"\")\n breakSummary
\n