Description
해당 문제는 Dreamhack CTF Season 5 Round #8 (🌱Div2) 에 출제된 문제입니다.
Back in 1983, when you only had A and B on your controller…
FYI
Flag Format: DH{...}
Timeout: 5s
Decompiled-src
main
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
int i; // [rsp+14h] [rbp-1BCh]
char *lineptr; // [rsp+18h] [rbp-1B8h] BYREF
__int64 ptr; // [rsp+20h] [rbp-1B0h] BYREF
FILE *stream; // [rsp+28h] [rbp-1A8h]
__int64 v8[2]; // [rsp+30h] [rbp-1A0h] BYREF
int v9; // [rsp+40h] [rbp-190h]
__int64 v10; // [rsp+44h] [rbp-18Ch]
__int64 v11; // [rsp+4Ch] [rbp-184h]
int v12; // [rsp+54h] [rbp-17Ch]
__int64 v13; // [rsp+58h] [rbp-178h]
__int64 v14; // [rsp+60h] [rbp-170h]
int v15; // [rsp+68h] [rbp-168h]
__int64 v16; // [rsp+6Ch] [rbp-164h]
__int64 v17; // [rsp+74h] [rbp-15Ch]
int v18; // [rsp+7Ch] [rbp-154h]
__int64 v19; // [rsp+80h] [rbp-150h]
__int64 v20; // [rsp+88h] [rbp-148h]
int v21; // [rsp+90h] [rbp-140h]
__int64 v22; // [rsp+94h] [rbp-13Ch]
__int64 v23; // [rsp+9Ch] [rbp-134h]
int v24; // [rsp+A4h] [rbp-12Ch]
__int64 v25; // [rsp+A8h] [rbp-128h]
__int64 v26; // [rsp+B0h] [rbp-120h]
int v27; // [rsp+B8h] [rbp-118h]
__int64 v28; // [rsp+BCh] [rbp-114h]
__int64 v29; // [rsp+C4h] [rbp-10Ch]
int v30; // [rsp+CCh] [rbp-104h]
__int64 v31; // [rsp+D0h] [rbp-100h]
__int64 v32; // [rsp+D8h] [rbp-F8h]
int v33; // [rsp+E0h] [rbp-F0h]
__int64 v34; // [rsp+E4h] [rbp-ECh]
__int64 v35; // [rsp+ECh] [rbp-E4h]
int v36; // [rsp+F4h] [rbp-DCh]
char s[200]; // [rsp+100h] [rbp-D0h] BYREF
unsigned __int64 v38; // [rsp+1C8h] [rbp-8h]
v38 = __readfsqword(0x28u);
v8[0] = 'ksilisaB';
v8[1] = 0LL;
v9 = 0;
v10 = 'aremihC';
v11 = 0LL;
v12 = 0;
v13 = 'nekarK';
v14 = 0LL;
v15 = 0;
v16 = 'nogroG';
v17 = 0LL;
v18 = 0;
v19 = 'ogidneW';
v20 = 0LL;
v21 = 0;
v22 = 'ruatoniM';
v23 = 0LL;
v24 = 0;
v25 = 'ahtaiveL';
v26 = 110LL;
v27 = 0;
v28 = 'ardyH';
v29 = 0LL;
v30 = 0;
v31 = 'rocitnaM';
v32 = 101LL;
v33 = 0;
v34 = 'coR';
v35 = 0LL;
v36 = 0;
((void (__fastcall *)(__int64))sub_130A)(a1);
stream = fopen("/dev/urandom", "r");
puts("Welcome to the Dungeon!");
puts("You have only two buttons: A and B.");
puts("Each monster requires certain series of key combinations to be defeated, so be careful!");
for ( i = 0; i <= 9; ++i )
{
fread(&ptr, 8uLL, 1uLL, stream);
printf("[STAGE %2d]: %s\n", (unsigned int)(i + 1), (const char *)v8 + 20 * i);
sub_138D(ptr);
printf("Cast your spell!: ");
fgets(s, 200, stdin);
if ( s[strlen(s) - 1] == '\n' )
s[strlen(s) - 1] = 0;
if ( !sub_1407((__int64)s, ptr) )
{
puts("You were defeated. Retreat!");
exit(-1);
}
printf("%s defeated. STAGE %2d cleared!\n", (const char *)v8 + 20 * i, (unsigned int)(i + 1));
}
fclose(stream);
printf("It's dangerous to go alone! Take the flag: ");
lineptr = 0LL;
ptr = 0LL;
stream = fopen("./flag", "r");
getline(&lineptr, (size_t *)&ptr, stream);
printf("%s", lineptr);
free(lineptr);
fclose(stream);
return 0LL;
}
sub_138D
int __fastcall sub_138D(__int64 a1)
{
return printf(
"[INFO] HP: %5hu, STR: %5hhu, AGI: %5hhu, VIT: %5hhu, INT: %5hhu, END: %5hhu, DEX: %5hhu\n",
HIWORD(a1),
(unsigned __int8)a1,
BYTE1(a1),
BYTE2(a1),
BYTE3(a1),
BYTE4(a1),
BYTE5(a1));
}
Solution
from pwn import *
#context.log_level = 'debug'
context(arch='amd64',os='linux')
warnings.filterwarnings('ignore')
p = remote('host3.dreamhack.games', 14036)
#p = process('./prob')
for i in range(10):
p.recvuntil("[INFO]")
info = p.recvline()
_hp = info.split(b":")[1].split(b",")[0].strip()
_str = info.split(b":")[2].split(b",")[0].strip()
_agi = info.split(b":")[3].split(b",")[0].strip()
_vit = info.split(b":")[4].split(b",")[0].strip()
_int = info.split(b":")[5].split(b",")[0].strip()
_end = info.split(b":")[6].split(b",")[0].strip()
_dex = info.split(b":")[7].split(b"\n")[0].strip()
_hp = "0x{:02x}".format(int(_hp))
_str = "0x{:02x}".format(int(_str))
_agi = "0x{:02x}".format(int(_agi))
_vit = "0x{:02x}".format(int(_vit))
_int = "0x{:02x}".format(int(_int))
_end = "0x{:02x}".format(int(_end))
_dex = "0x{:02x}".format(int(_dex))
#print(f"_hp: {_hp}, _str: {_str}, _agi: {_agi}, _vit: {_vit}, _int: {_int}, _end: {_end}, _dex: {_dex}")
random_val = ''
random_val += _hp
random_val += _dex
random_val += _end
random_val += _int
random_val += _vit
random_val += _agi
random_val += _str
random_val = random_val.replace("0x", "")
random_val = int(random_val, 16)
print(f"random_val: {hex(random_val)}")
val = random_val
_pattern = ''
while True:
if val == 1:
_pattern = "A" + _pattern
break
if val % 2 == 1:
val = val - 1
_pattern = "A" + _pattern
continue
val = val // 2
_pattern = "B" + _pattern
#print(_pattern)
p.sendlineafter("Cast your spell!: ", _pattern)
p.interactive()
Result
ubuntu@wh1te4ever-main:~/Desktop/dreamhack-CTF/dungeon-in-1983$ python3 solve.py
[+] Opening connection to host3.dreamhack.games on port 14036: Done
random_val: 0xa4061985c50cfe3e
random_val: 0x1ba3a5802a7ed17
random_val: 0xf2e1d9d858b41b16
random_val: 0xab093dd1fe9ac28b
random_val: 0x140d91e3641adec
random_val: 0xead8e07deee1753a
random_val: 0x1e15ead778b4c55d
random_val: 0x42615069ca925013
random_val: 0xfa93152a956ff2a4
random_val: 0xaa212fbb6a04e4fa
[*] Switching to interactive mode
Roc defeated. STAGE 10 cleared!
It's dangerous to go alone! Take the flag: DH{ddfd394275e80d059f04cee16667ad40e81820a0b105e2f80f0d17544a274a62}
[*] Got EOF while reading in interactive
$
[*] Interrupted
[*] Closed connection to host3.dreamhack.games port 14036