
Permpkin

Description

chall 바이너리를 실행하여 플래그에 어떤 연산을 적용한 결과를 flag1.txt와 flag2.txt로 저장하였습니다.
사용자는 chall을 실행하여 sample flag에 같은 연산을 적용한 rev1.txt와 rev2.txt 파일을 생성할 수 있습니다.

chall 바이너리를 분석하여 원래의 플래그를 찾으세요!

플래그 형식은 flag{} 입니다.

enc.py

chall 파일 재구현

# Inputs of the chall reimplementation.
# s is transformed by the stage-1 functions and v8 by the stage-2 ("_2")
# functions; both are rewritten in place as module globals.
s, v8 = "_this_is_sample_flag_", "this_is_sample_flag"
# Key material as a string; each character is decoded to a small integer by
# sub_55555555526E and the results are collected in v6.
v7 = "CC2A750B63821F45AC20839"
v6 = list()

def sub_55555555526E(a1):
    """Decode one character of the key string into a small integer.

    The character code selects the offset that is subtracted from it:

        below 0x41     -> code - 40
        0x41 .. 0x45   -> code - 60
        0x46 .. 0x4f   -> code - 70
        0x50 .. 0x59   -> code - 80
        above 0x59     -> 0

    Note that 'F' (0x46) decodes to 0, the value strlen() treats as a
    terminator when it measures the decoded key.
    """
    code = ord(a1)
    if code < 0x41:
        return code - 40
    if code <= 0x45:
        return code - 60
    if code <= 0x4f:
        return code - 70
    if code <= 0x59:
        return code - 80
    return 0

def sub_5555555551C9(a1, a2):
    """Exchange the characters at indices a1 and a2 of the global string s."""
    global s
    # str is immutable, so swap on a list copy and rebuild the string.
    chars = list(s)
    chars[a1], chars[a2] = chars[a2], chars[a1]
    s = ''.join(chars)

def sub_5555555551C9_2(a1, a2):
    """Exchange the characters at indices a1 and a2 of the global string v8."""
    global v8
    # str is immutable, so swap on a list copy and rebuild the string.
    chars = list(v8)
    chars[a1], chars[a2] = chars[a2], chars[a1]
    v8 = ''.join(chars)

def strlen(a1):
    """Return the number of elements before the first one equal to 0x00.

    Mirrors C strlen() for a sequence of integers. When no element equals 0
    the full length is returned; that is always the case for a Python str,
    because a character never compares equal to the integer 0.
    """
    for position, item in enumerate(a1):
        if item == 0x00:
            return position
    return len(a1)


def sub_5555555551FD(a1, a2, a3, a4):
    """Permute the global string s by a series of swaps with index 0.

    For every entry of a4 before its first 0x00 (as counted by strlen), the
    character at index 0 is exchanged with the character at that entry's
    index. a1, a2 and a3 are accepted but not used in this reimplementation.

    Returns strlen(a4), the number of swaps performed.
    """
    count = strlen(a4)
    for target in a4[:count]:
        sub_5555555551C9(0, target)
    return count

def sub_5555555551FD_2(a1, a2, a3, a4):
    """Permute the global string v8 by a series of swaps with index 0.

    For every entry of a4 before its first 0x00 (as counted by strlen), the
    character at index 0 is exchanged with the character at that entry's
    index. a1, a2 and a3 are accepted but not used in this reimplementation.

    Returns strlen(a4), the number of swaps performed.
    """
    count = strlen(a4)
    for target in a4[:count]:
        sub_5555555551C9_2(0, target)
    return count

def sub_5555555552E7(a1, a2):
    """XOR the global string s with the key a2, repeating the key as needed.

    The key length is strlen(a2), so entries of a2 from its first 0x00 onward
    are never used. The number of characters processed is strlen(a1); a1 is
    only consulted for that length, the data itself is read from and written
    back to the global s.

    Returns the final loop index, which equals strlen(a1).
    """
    global s

    key_len = strlen(a2)   # 13 for the key used on this page
    text_len = strlen(a1)  # 21 for the stage-1 sample flag

    # One pass with a wrapping key index covers both cases of the original
    # (text no longer than the key, and text longer than the key).
    chars = list(s)
    for pos in range(text_len):
        chars[pos] = chr(ord(chars[pos]) ^ a2[pos % key_len])
    s = ''.join(chars)

    return text_len

def sub_5555555552E7_2(a1, a2):
    """XOR the global string v8 with the key a2, repeating the key as needed.

    The key length is strlen(a2), so entries of a2 from its first 0x00 onward
    are never used. The number of characters processed is strlen(a1); a1 is
    only consulted for that length, the data itself is read from and written
    back to the global v8.

    Returns the final loop index, which equals strlen(a1).
    """
    global v8

    key_len = strlen(a2)   # 13 for the key used on this page
    text_len = strlen(a1)  # length of the stage-2 input

    # One pass with a wrapping key index covers both cases of the original
    # (text no longer than the key, and text longer than the key).
    chars = list(v8)
    for pos in range(text_len):
        chars[pos] = chr(ord(chars[pos]) ^ a2[pos % key_len])
    v8 = ''.join(chars)

    return text_len

# Decode the 23-character key string into integers, one per character.
v6.extend(sub_55555555526E(ch) for ch in v7)
# v6 = 0x07 0x07 0x0a 0x05 0x0f 0x0d 0x08 0x06 0x0e 0x0b 0x10 0x0a 0x09 0x00 0x0c 0x0d 0x05 0x07 0x0a 0x08 0x10 0x0b 0x11
# The 0x00 at index 13 ends the key for strlen(), so only the first 13
# entries drive the swaps and the XOR.

# Stage 1: permute s, then XOR it with the key.
v13 = len(s)    # v13 = 21
sub_5555555551FD(s, 0, v13 - 1, v6)
print(s)  # intermediate value: permuted, not yet XORed
sub_5555555552E7(s, v6)

# rev1.txt contents
print("rev1.txt contents: ")
print(s)
print(''.join(f"{ord(ch)} " for ch in s), end='')
print('\n')

# Stage 2: the same two steps applied to v8.
v11 = len(v8)
sub_5555555551FD_2(v8, 0, v11 - 1, v6)
sub_5555555552E7_2(v8, v6)

# rev2.txt contents
print("rev2.txt contents: ")
print(v8)
print(len(v8))
print(''.join(f"{ord(ch)} " for ch in v8), end='')
print('\n')

solve.py

주어진 flag1.txt와 flag2.txt 파일 내용에 대한 복호화

# Ciphertexts to decrypt, one integer per character (the text above describes
# them as the contents of flag1.txt and flag2.txt). The commented-out lists
# appear to be the sample-flag outputs (rev1.txt / rev2.txt), kept so the
# solver can be checked against a known plaintext.
#rev1 = [116, 115, 98, 108, 124, 108, 87, 117, 98, 84, 118, 111, 121, 88, 110, 85, 104, 99, 108, 111, 89] #tsbl|lWubTvoyXnUhcloY
#rev2 = [102, 111, 99, 118, 80, 96, 123, 89, 107, 127, 124, 85, 101, 97, 116, 99, 117, 110, 106] #'focvP`{Yk|Ueatcunj'
rev1 = [
    102, 111, 62, 107, 104, 52, 100, 96, 103, 104, 79,
    61, 126, 111, 88, 57, 90, 60, 108, 61, 127,
]
rev2 = [
    52, 50, 99, 104, 127, 127, 120, 89, 122, 84,
    121, 107, 124, 115, 52, 102, 104, 63, 99,
]

# Key string and its decoded form as produced by the enc.py reimplementation.
v7 = "CC2A750B63821F45AC20839"
v6 = [
    # the 13 entries that strlen() counts as the key
    0x07, 0x07, 0x0a, 0x05, 0x0f, 0x0d, 0x08, 0x06, 0x0e, 0x0b, 0x10, 0x0a, 0x09,
    # first zero entry: strlen() stops here
    0x00,
    # remaining entries, never reached through strlen()
    0x0c, 0x0d, 0x05, 0x07, 0x0a, 0x08, 0x10, 0x0b, 0x11,
]

def strlen(a1):
    """Return the number of elements before the first one equal to 0x00.

    Mirrors C strlen() for a sequence of integers; when no element equals 0
    the full length of a1 is returned.
    """
    for position, item in enumerate(a1):
        if item == 0x00:
            return position
    return len(a1)

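def solve_sub_5555555552E7(a1, a2):
    """Undo the repeating-key XOR on the stage-1 ciphertext in the global rev1.

    XOR is its own inverse, so applying the same key again restores the
    permuted plaintext. Each integer in rev1 is replaced in place by the
    decrypted character.

    Args:
        a1: the ciphertext list; used only for its length (the data itself is
            read from and written to the global rev1).
        a2: the decoded key; only the entries before its first 0x00 are used,
            matching the encoder's strlen()-based key length.

    Returns:
        The number of values processed.
    """
    global rev1

    key_len = strlen(a2)
    # len(), not strlen(): a ciphertext value of 0 (a plaintext character that
    # equals its key byte) is ordinary data and must not cut decryption short.
    data_len = len(a1)

    # A wrapping key index also covers ciphertexts shorter than the key, which
    # the original head/tail split would have indexed out of range.
    for pos in range(data_len):
        rev1[pos] = chr(rev1[pos] ^ a2[pos % key_len])

    return data_len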

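def solve_sub_5555555552E7_2(a1, a2):
    """Undo the repeating-key XOR on the stage-2 ciphertext in the global rev2.

    XOR is its own inverse, so applying the same key again restores the
    permuted plaintext. Each integer in rev2 is replaced in place by the
    decrypted character.

    Args:
        a1: the ciphertext list; used only for its length (the data itself is
            read from and written to the global rev2).
        a2: the decoded key; only the entries before its first 0x00 are used,
            matching the encoder's strlen()-based key length.

    Returns:
        The number of values processed.
    """
    global rev2

    key_len = strlen(a2)
    # len(), not strlen(): a ciphertext value of 0 (a plaintext character that
    # equals its key byte) is ordinary data and must not cut decryption short.
    data_len = len(a1)

    # A wrapping key index also covers ciphertexts shorter than the key, which
    # the original head/tail split would have indexed out of range.
    for pos in range(data_len):
        rev2[pos] = chr(rev2[pos] ^ a2[pos % key_len])

    return data_len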

def sub_5555555551C9_2(a1, a2):
    """Exchange the elements at indices a1 and a2 of the global list rev2.

    A swap is symmetric and undoes itself, so the same helper serves for
    decryption; only the order of the swaps has to be reversed by the caller.
    """
    global rev2
    rev2[a1], rev2[a2] = rev2[a2], rev2[a1]

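def solve_sub_5555555551FD_2(a1, a2, a3, a4):
    """Undo the stage-2 permutation on the global list rev2.

    The encoder swapped index 0 with a4[0], a4[1], ... in that order. Each
    swap undoes itself, so replaying the same swaps from the last key entry
    back to the first restores the original order.

    a1, a2 and a3 are accepted for parity with the encoder but are not used.
    Always returns 0.
    """
    ret = 0
    # Start at the last real key entry. Starting at strlen(a4) itself would
    # read the 0x00 terminator (a harmless swap of index 0 with itself) or run
    # past the end of a4 when it holds no terminator.
    for i in range(strlen(a4) - 1, -1, -1):
        sub_5555555551C9_2(0, a4[i])

    return ret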

def sub_5555555551C9(a1, a2):
    """Exchange the elements at indices a1 and a2 of the global list rev1."""
    global rev1
    rev1[a1], rev1[a2] = rev1[a2], rev1[a1]

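def solve_sub_5555555551FD(a1, a2, a3, a4):
    """Undo the stage-1 permutation on the global list rev1.

    The encoder swapped index 0 with a4[0], a4[1], ... in that order. Each
    swap undoes itself, so replaying the same swaps from the last key entry
    back to the first restores the original order.

    a1, a2 and a3 are accepted for parity with the encoder but are not used.
    Always returns 0.
    """
    ret = 0
    # Start at the last real key entry. Starting at strlen(a4) itself would
    # read the 0x00 terminator (a harmless swap of index 0 with itself) or run
    # past the end of a4 when it holds no terminator.
    for i in range(strlen(a4) - 1, -1, -1):
        sub_5555555551C9(0, a4[i])

    return ret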

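# Decryption runs the encoder's two steps backwards: XOR first, then the swaps.

# Solve stage 2
solve_sub_5555555552E7_2(rev2, v6)
print(rev2)  # with the sample rev2: focvP`{Yk|Ueatcunj -> ahis_ms_etl_lfsipag
v11 = len(rev2)
solve_sub_5555555551FD_2(rev2, 0, v11 - 1, v6)  # sample: ahis_ms_etl_lfsipag -> this_is_sample_flag
print(rev2)

print(*rev2, sep='', end='')
print('\n')

# Solve stage 1
solve_sub_5555555552E7(rev1, v6)  # with the sample rev1: tsbl|lWubTvoyXnUhcloY -> sthisa_sl_fep_i_mlag_
print(rev1)
# Stage 1 works on rev1. The earlier version passed rev2 and its length here;
# that went unnoticed only because the callee ignores these arguments.
v13 = len(rev1)
solve_sub_5555555551FD(rev1, 0, v13 - 1, v6)
print(rev1)

print(*rev1, sep='', end='')
print('\n')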

Result

PS C:\Users\Seo Hyun-gyu\Downloads\b352bb23-a7b9-4593-abba-22ed525e17a4> python3 solve.py
['3', '5', 'i', 'm', 'p', 'r', 'p', '_', 't', '_', 'i', 'a', 'u', 't', '3', 'l', 'm', '0', 'n']
['_', '5', 'i', 'm', 'p', 'l', '3', '_', 'p', '3', 'r', 'm', 'u', 't', 'a', 't', 'i', '0', 'n']
_5impl3_p3rmutati0n

['a', 'h', '4', 'n', 'g', '9', 'l', 'f', 'i', 'c', '_', '7', 'w', 'h', '_', '3', '_', '3', 'a', '5', 'y']
['c', 'h', '4', 'n', 'g', '3', '_', 'f', 'l', 'a', '9', '_', 'w', 'i', '7', 'h', '_', '3', 'a', '5', 'y']
ch4ng3_fla9_wi7h_3a5y

FLAG

flag{ch4ng3_fla9_wi7h_3a5y_5impl3_p3rmutati0n}
