Reverse Engineering

ChallengeLink

1125899906842622 (18 solves)

Here

re-cursed (4 solves) 🥇

Here

1125899906842622 (18 solves)

Description

I found this credit card on the floor!

a = int(input())
t = a
b = 1
c = 211403263193325564935177732039311880968900585239198162576891024013795244278301418972476576250867590357558453818398439943850378531849394935408437463406454857158521417008852225672729172355559636113821448436305733721716196982836937454125646725644730318942728101471045037112450682284520951847177283496341601551774254483030077823813188507483073118602703254303097147462068515767717772884466792302813549230305888885204253788392922886375194682180491793001343169832953298914716055094436911057598304954503449174775345984866214515917257380264516918145147739699677733412795896932349404893017733701969358911638491238857741665750286105099248045902976635536517481599121390996091651261500380029994399838070532595869706503571976725974716799639715490513609494565268488194
verified = False
while 1:
	if b == 4:
		verified = True
		break
	d = 2 + (1125899906842622 if a&2 else 0)
	if a&1:
		b //= d
	else:
		b *= d
	b += (b&c)*(1125899906842622)
	a //= 4
if verified:
	t %= (2**300)
	t ^= 1565959740202953194497459354306763253658344353764229118098024096752495734667310309613713367
	print(t)

PoC

From the source code we can see that there is 4 possibility of our input since our input processed each 2 bit. 

xx11 -> (b // 1125899906842624) + ((b // 1125899906842624)&c)*1125899906842622 
xx10 -> (b * 1125899906842624) + ((b * 1125899906842624)&c)*1125899906842622
xx01 -> (b // 2) + ((b // 2)&c)*1125899906842622
xx00 -> (b * 2) + ((b * 2)&c)*1125899906842622

Possible first 2 bits should be 10 and 00 cause if we use 01 and 11 it should produce b == 0 . After struggling to find the base case or constraint for recursive function i try to find the relation of b and c variable. We can see that the first possible value are 10 and 00 , it looks like an entry corner to a maze since we can go right and down if we start from top left corner. Since c is square number (bit_length == 2500), so we try to use this value as the map. For the c value, since it uses and operator , the bit processed should be from the last bit so we need to reverse the binary to start the maze from initial position (0, 0). Last step, just implement Depth First Search (DFS) algorithm to find the correct path. Here is my implementation on python.

from Crypto.Util.number import *

def check(coor):
	if(mapp[coor[0]][coor[1]] == 1):
		return False
	if(coor[0] < 0 or coor[0] > 49 or coor[1] < 0 or coor[1] > 49):
		return False
	return True

def parse(path):
	res = ""
	for i in range(1,len(path)):
		tmp = (path[i][0] - path[i-1][0], path[i][1] - path[i-1][1] )
		if(tmp == (1, 0)):
			res = "10" + res
		elif(tmp == (0, 1)):
			res = "00" + res
		elif(tmp == (0, -1)):
			res = "01" + res
		elif(tmp == (-1, 0)):
			res = "11" + res
		else:
			print("???")
	return int(res,2)

def dfs(coor):
	
	if(coor == finish):
		t = parse(visited)
		t %= (2**300)
		t ^= 1565959740202953194497459354306763253658344353764229118098024096752495734667310309613713367
		print(long_to_bytes(t))
		exit()

	up = (coor[0], coor[1] - 1)
	down = (coor[0], coor[1] + 1)
	right = (coor[0] + 1, coor[1])
	left = (coor[0] - 1, coor[1])
	
	if(check(up) and up not in visited):
		visited.append(up)
		if(dfs(up)):
			return True
		visited.pop()
	
	if(check(down) and down not in visited):
		visited.append(down)
		if(dfs(down)):
			return True
		visited.pop()
	
	if(check(right) and right not in visited):
		visited.append(right)
		if(dfs(right)):
			return True
		visited.pop()
	
	if(check(left) and left not in visited):
		visited.append(left)
		if(dfs(left)):
			return True
		visited.pop()

	return False

c = 211403263193325564935177732039311880968900585239198162576891024013795244278301418972476576250867590357558453818398439943850378531849394935408437463406454857158521417008852225672729172355559636113821448436305733721716196982836937454125646725644730318942728101471045037112450682284520951847177283496341601551774254483030077823813188507483073118602703254303097147462068515767717772884466792302813549230305888885204253788392922886375194682180491793001343169832953298914716055094436911057598304954503449174775345984866214515917257380264516918145147739699677733412795896932349404893017733701969358911638491238857741665750286105099248045902976635536517481599121390996091651261500380029994399838070532595869706503571976725974716799639715490513609494565268488194
mapp = []
a = bin(c)[2:][::-1]

assert(len(a) == 2500)

for i in range(0,len(a),50):
	tmp = []
	for j in range(50):
		tmp.append(int(a[i+j]))
	mapp.append(tmp)

visited = [(0,0)]
coor = (0,0)
finish = (49,49)

mapp[finish[0]][finish[1]] = 0

dfs(coor)

Flag : flag{l4byr1nth_9abe79d712e6dd52c4597}

re-cursed (4 solves)

Description

Scotland forever!

PoC

First step, we should extract the original elf executed in recursed binary. This should be done by set breakpoint on write function and dump the memory

dump binary memory result.bin 0x00007fffffbd5450 0x00007fffffbd5450+0x0000000000428f10

After that we should facing the real cursed binary, compiled using ghc and of course it made using haskell. In this case we can't use https://github.com/gereeter/hsdecomp or another modified hsdecomp. So my initial approach by enumerating what instruction that processed our input. It can be done by doing hardware breakpoint on our input.

From image above we can see that our input stored at 0x7fffffffe701. Next step is doing hardware breakpoint on that address by using command below

rwatch *0x7fffffffe701

After some enumeration i found that there is something like argument processing and we can skip that by setting up breakpoint on 0x4afbae

After hitting breakpoint, search value for our argument. In this case i used RYUK12345 as argument

There are some value found on memory, we can enumerate 1 by 1. In this challenge, i found that 0x507b70 used for next process. The next step is changing the hardware breakpoint each the value moved or processed by the instruction, here is for example

Do the same process until you find something interesting. In this case we found interesting function that process our input at first time, it is ghczmbignum_GHCziNumziInteger_integerXor_info .

Take a look on decompiler it contains so much code just for "xor" operation. But again we can validate which instruction process our value. It is relative simple since the code that doing xor for different value only on line 159 or address 0x49FB98

The function name has pattern, so we can try set breakpoint on function that maybe process our input.

For example we can just do command like below

b *ghczmbignum_GHCziNumziInteger_integerAdd_info
c

For finding the exact instruction it is same, just debug and validate that there is your input processed by the instruction (if it is hard to find through decompiler). At the end i found the following address that processed our input

0x49fb98 -> ghczmbignum_GHCziNumziInteger_integerXor_info
0x499929 -> ghczmbignum_GHCziNumziInteger_integerAdd_info
0x49839b -> ghczmbignum_GHCziNumziInteger_integerSub_info
0x4978f0 -> ghczmbignum_GHCziNumziInteger_integerEqzh_info

Okay next we just need to create automation to get all value processed by those instruction. Here is the script i used for gdb automation

#!/usr/bin/python3
import string

data = []
class SolverEquation(gdb.Command):
    def __init__ (self):
        super (SolverEquation, self).__init__ ("solve-equation",gdb.COMMAND_OBSCURE)
    
    def invoke (self, arg, from_tty):
        global data
        gdb.execute("del")
        gdb.execute("start")
        gdb.execute("b *0x49fb98")
        gdb.execute("b *0x499929")
        gdb.execute("b *0x49839b")
        gdb.execute("b *0x4978f0")
        # gdb.execute("r 0123456789abcdefghijklmnopq") # cmp1
        # gdb.execute("r ABCDEFGHIJKLMNOPQRSTUVWXYZa") # cmp2
        # gdb.execute("r aaaaaaaaaaaaaaaaaaaaaaaaaaa") # cmp3
        # gdb.execute("r AAAAAAAAAAAAAAAAAAAAAAAAAAA") # cmp4
        gdb.execute("r qponmlkjihgfedcba9876543210") # cmp5
        arch = gdb.selected_frame().architecture()
        while True:
            try:
                current_pc = addr2num(gdb.selected_frame().read_register("pc"))
                disa = arch.disassemble(current_pc)[0]
                if("xor" in disa["asm"]):
                    rax = addr2num(gdb.selected_frame().read_register("rax"))&0xff
                    rbx = addr2num(gdb.selected_frame().read_register("rbx"))&0xff
                    fmt = f"{rax} ^ {rbx} = {rax^rbx}"
                    data.append(fmt)
                elif("add" in disa["asm"]):
                    rax = parse(gdb.execute("x/bx $rax",to_string=True))[0]&0xff
                    rbx = addr2num(gdb.selected_frame().read_register("rbx"))&0xff
                    fmt = f"{rax} + {rbx} = {rax+rbx}"
                    data.append(fmt)
                elif("sub" in disa["asm"]):
                    rbx = parse(gdb.execute("x/bx $rbx",to_string=True))[0]&0xff
                    rax = addr2num(gdb.selected_frame().read_register("rax"))&0xff
                    fmt = f"{rax} - {rbx} = {(rax-rbx)&0xff}"
                    data.append(fmt)
                elif("cmp" in disa["asm"]):
                    rbx = parse(gdb.execute("x/bx $rbx+0x7",to_string=True))[0]&0xff
                    rax = addr2num(gdb.selected_frame().read_register("rax"))&0xff
                    fmt = f"{rax} ==  {rbx} = {(rax == rbx)}"
                    data.append(fmt)
                else:
                    data.append("???")
                gdb.execute("c")
            except Exception as e:
                for i in data:
                    print(i)
                print(e)
                break

def parse(f):
    f = f.split("\n")
    result = []
    for i in f:
        tmp = i.split("\t")
        for j in range(1,len(tmp)):
            result.append(int(tmp[j],16))
    return result
        
def addr2num(addr):
    try:
        return int(addr)  # Python 3
    except:
        return long(addr) # Python 2
SolverEquation()

Since there are many values are same, so i use different value as our input for 5 times to get 5 different output. Each output i saved it to file and named it as cmp{i} . Here is example for cmp5 file, output from input qponmlkjihgfedcba9876543210

113 ^ 57 = 72
112 ^ 72 = 56
111 ^ 56 = 87
110 ^ 87 = 57
109 ^ 57 = 84
108 ^ 84 = 56
107 ^ 56 = 83
106 ^ 83 = 57
105 ^ 57 = 80
104 ^ 80 = 56
103 ^ 56 = 95
102 ^ 95 = 57
101 ^ 57 = 92
100 ^ 92 = 56
99 ^ 56 = 91
98 ^ 91 = 57
97 ^ 57 = 88
57 ^ 88 = 97
56 ^ 97 = 89
55 ^ 89 = 110
54 ^ 110 = 88
53 ^ 88 = 109
52 ^ 109 = 89
51 ^ 89 = 106
50 ^ 106 = 88
49 ^ 88 = 105
48 ^ 105 = 89
87 - 24 = 63
63 ^ 43 = 20
5 + 20 = 25
22 - 25 = 253
3 + 72 = 75
75 ^ 43 = 96
5 + 96 = 101
78 - 101 = 233
253 ^ 233 = 20
56 ^ 43 = 19
5 + 19 = 24
29 - 24 = 5
20 ^ 5 = 17
56 - 24 = 32
32 ^ 43 = 11
5 + 11 = 16
37 - 16 = 21
17 ^ 21 = 4
3 + 57 = 60
60 ^ 43 = 23
5 + 23 = 28
24 - 28 = 252
4 ^ 252 = 248
84 ^ 43 = 127
5 + 127 = 132
106 - 132 = 230
248 ^ 230 = 30
80 - 24 = 56
56 ^ 43 = 19
5 + 19 = 24
5 - 24 = 237
30 ^ 237 = 243
3 + 83 = 86
86 ^ 43 = 125
5 + 125 = 130
105 - 130 = 231
243 ^ 231 = 20
57 ^ 43 = 18
5 + 18 = 23
14 - 23 = 247
20 ^ 247 = 227
57 - 24 = 33
33 ^ 43 = 10
5 + 10 = 15
0 - 35 = 221
221 - 15 = 206
227 ^ 206 = 45
3 + 56 = 59
59 ^ 43 = 16
5 + 16 = 21
6 - 21 = 241
45 ^ 241 = 220
95 ^ 43 = 116
5 + 116 = 121
127 + 5 = 132
132 - 121 = 11
220 ^ 11 = 215
91 - 24 = 67
67 ^ 43 = 104
5 + 104 = 109
83 - 109 = 230
215 ^ 230 = 49
3 + 92 = 95
95 ^ 43 = 116
5 + 116 = 121
75 - 121 = 210
49 ^ 210 = 227
56 ^ 43 = 19
5 + 19 = 24
56 - 24 = 32
227 ^ 32 = 195
97 - 24 = 73
73 ^ 43 = 98
5 + 98 = 103
41 - 103 = 194
195 ^ 194 = 1
3 + 57 = 60
60 ^ 43 = 23
5 + 23 = 28
19 - 28 = 247
1 ^ 247 = 246
88 ^ 43 = 115
5 + 115 = 120
106 - 120 = 242
246 ^ 242 = 4
88 - 24 = 64
64 ^ 43 = 107
5 + 107 = 112
122 - 112 = 10
4 ^ 10 = 14
3 + 89 = 92
92 ^ 43 = 119
5 + 119 = 124
105 - 124 = 237
14 ^ 237 = 227
110 ^ 43 = 69
5 + 69 = 74
7 - 74 = 189
227 ^ 189 = 94
106 - 24 = 82
82 ^ 43 = 121
5 + 121 = 126
51 - 126 = 181
94 ^ 181 = 235
3 + 109 = 112
112 ^ 43 = 91
5 + 91 = 96
61 - 96 = 221
235 ^ 221 = 54
89 ^ 43 = 114
5 + 114 = 119
92 - 119 = 229
54 ^ 229 = 211
89 - 24 = 65
65 ^ 43 = 106
5 + 106 = 111
124 - 111 = 13
211 ^ 13 = 222
3 + 88 = 91
91 ^ 43 = 112
5 + 112 = 117
91 - 117 = 230
222 ^ 230 = 56
105 ^ 43 = 66
5 + 66 = 71
39 - 71 = 224
56 ^ 224 = 216
216 ==  0 = False

Then i wrote a script to parse which value are constant and which value are variable. Also i write optimization to format it to equation format at the end.

def parse(a1):
	tmp = a1.split(" ")
	return tmp

def check_ret(a1, a2, res2, res3):
	result = []
	for i in range(len(res2)):
		if((a1 == res2[i]) and (a2 == res3[i])):
			result.append(i)
	return result

def optimize(res, inp):
	tmp = res[27:]
	operator = ['+', '-', '^']
	arr = []
	opt = []
	data = ''
	init = True
	for i in tmp:
		# print(i) # debug
		check = True
		for j in inp:
			if(j in i):
				if(init and len(data) != 0):
					opt.append(data)
					init = False
				data = ' '.join(i[:3])
				check = False
				break
		if(check):
			if("res" in i[0] and "res" in i[2] and "^" == i[1]):
				opt.append(data)
				continue
			else:
				tmp2 = []
				for j in range(3):
					if("res[" not in i[j]):
						tmp2.append(i[j])
				str_tmp2 = ' '.join(tmp2)
				for j in operator:
					if(tmp2[0] == j):
						data = f"({data}) {str_tmp2}"
						break
					if(tmp2[1] == j):
						data = f"{str_tmp2} ({data})"
						break
	return '\n'.join(opt)


def check(f, g):
	res = []
	res2 = []
	res3 = []
	cnt_var = 0
	inp = [f"res[{i}]" for i in range(27)]
	for ind in range(len(g)):
		a1 = parse(f[ind])
		a2 = parse(g[ind])
		if(a1 == a2):
			res.append(a1)
			continue
		tmp_res = []
		for i in range(3):
			if(a1[i] != a2[i]):
				tmp_check = check_ret(a1[i], a2[i], res2, res3)
				length = len(tmp_check)
				if(length > 0):
					if(length > 1):
						val = '_'.join(map(str,tmp_check))
						if(ind < 27):
							inp.append(f"res[{val}]")
						tmp_res.append(f"res[{val}]")
					else:
						tmp_res.append(f"res[{tmp_check[0]}]")
				else:
					tmp_res.append(f"var[{cnt_var}]")
					cnt_var += 1
			else:
				tmp_res.append(a1[i])
		tmp_res.append(a1[3])
		tmp_res.append(f"res[{len(res2)}]")
		res.append(tmp_res)
		res2.append(a1[4])
		res3.append(a2[4])
	
	return optimize(res, inp)

def diff(f,g):
	for i in range(min(len(f),len(g))):
		a1 = parse(f[i])
		a2 = parse(g[i])
		if(a1[1] != a2[1]):
			return i
	return -1

files = [f"cmp{i}" for i in range(1,6)]
for i in range(len(files)):
	for j in range(i+1,len(files)):
		f = open(files[i],"r").read().split("\n")
		g = open(files[j],"r").read().split("\n")
		diff_index = diff(f, g)
		
		if(diff_index != -1):
			if(len(f) > len(g)):
				f.pop(diff_index)
			else:
				g.pop(diff_index)
		if(len(f) != len(g)):
			print("ERR : ",files[i], files[j], diff_index)
		else:
			result = check(f,g)
			out = open(f"{files[i]}_{files[j]}.out","w")
			out.write(result)
			out.close()

Here is the example output for cmp1_cmp2.out file

22 - (5 + ((res[2] - 24) ^ 43))
78 - (5 + ((3 + res[0]) ^ 43))
29 - (5 + (res[1] ^ 43))
37 - (5 + ((res[5] - 24) ^ 43))
24 - (5 + ((3 + res[3]) ^ 43))
106 - (5 + (res[4] ^ 43))
5 - (5 + ((res[8] - 24) ^ 43))
105 - (5 + ((3 + res[6]) ^ 43))
14 - (5 + (res[7] ^ 43))
221 - (0 - 35 (5 + ((res[11] - 24) ^ 43)))
6 - (5 + ((3 + res[9]) ^ 43))
132 - (127 + 5 (5 + (res[10_14_18_22] ^ 43)))
83 - (5 + ((res[10_14_18_22] - 24) ^ 43))
75 - (5 + ((3 + res[12_16_20_24]) ^ 43))
56 - (5 + (res[13] ^ 43))
41 - (5 + ((res[17] - 24) ^ 43))
19 - (5 + ((3 + res[15]) ^ 43))
106 - (5 + (res[12_16_20_24] ^ 43))
122 - (5 + ((res[12_16_20_24] - 24) ^ 43))
105 - (5 + ((3 + res[10_14_18_22]) ^ 43))
7 - (5 + (res[19] ^ 43))
51 - (5 + ((res[23] - 24) ^ 43))
61 - (5 + ((3 + res[21]) ^ 43))
92 - (5 + (res[10_14_18_22] ^ 43))
124 - var[27] ((res[26] - 24) ^ 43)
91 - (5 + ((3 + res[12_16_20_24]) ^ 43))
39 - (5 + (res[25] ^ 43))

Because there is still the same value, i fixed it manually by checking on each output with knowledge of the pattern used. Last, because i'm too lazy to reverse the process i just put the equation on z3 and got the flag also first blood :> . 

from z3 import *

var = [BitVec("x{}".format(i), 8) for i in range(27)]

res = [0 for _  in range(27)]

res[0] = var[0] ^ 57
for i in range(1,27):
	res[i] = var[i] ^ res[i-1]

s = Solver()
s.add(22 - (5 + ((res[2] - 24) ^ 43)) == 0)
s.add(78 - (5 + ((3 + res[0]) ^ 43)) == 0)
s.add(29 - (5 + (res[1] ^ 43))== 0)
s.add(37 - (5 + ((res[5] - 24) ^ 43)) == 0)
s.add(24 - (5 + ((3 + res[3]) ^ 43)) == 0)
s.add(106 - (5 + (res[4] ^ 43)) == 0)
s.add(5 - (5 + ((res[8] - 24) ^ 43)) == 0)
s.add(105 - (5 + ((3 + res[6]) ^ 43)) == 0)
s.add(14 - (5 + (res[7] ^ 43)) == 0)
s.add(221 - (5 + ((res[11] - 24) ^ 43)) == 0)
s.add(6 - (5 + ((3 + res[9]) ^ 43)) == 0)
s.add(132 - (5 + (res[10] ^ 43)) == 0)
s.add(83 - (5 + ((res[14] - 24) ^ 43)) == 0)
s.add(75 - (5 + ((3 + res[12]) ^ 43)) == 0)
s.add(56 - (5 + (res[13] ^ 43)) == 0)
s.add(41 - (5 + ((res[17] - 24) ^ 43)) == 0)
s.add(19 - (5 + ((3 + res[15]) ^ 43)) == 0)
s.add(106 - (5 + (res[16] ^ 43)) == 0)
s.add(122 - (5 + ((res[20] - 24) ^ 43)) == 0)
s.add(105 - (5 + ((3 + res[18]) ^ 43)) == 0)
s.add(7 - (5 + (res[19] ^ 43)) == 0)
s.add(51 - (5 + ((res[23] - 24) ^ 43)) == 0)
s.add(61 - (5 + ((3 + res[21]) ^ 43)) == 0)
s.add(92 - (5 + (res[22] ^ 43)) == 0)
s.add(124 - (5 + ((res[26] - 24) ^ 43)) == 0)
s.add(91 - (5 + ((3 + res[24]) ^ 43)) == 0)
s.add(39 - (5 + (res[25] ^ 43)) == 0)

print(s.check())

model = s.model()
flag = ""
for i in var:
    flag += chr(model[i].as_long())
print(flag)

Flag : flag{monads_are_like_flags}

PreviousHSCTFNextCryptography

Last updated