[WriteUp] UIUCTF 2018 Writeup
오랜만에 CFT나 해야겠다.
ROT180 ● oʇdʎɹƆ ● 1 Points ● Solved
위의 Crypto를 180도 돌려놓은 문자표시가 보이는가....
어떻게 이런걸 찾앗는지 ㄷㄷ;
영어는 알아서 해석하자 !
중요한건 중간에 보이는 저 {uoɔǝɹ‾ʇou‾sʇᴉ‾ʇsɐǝl‾ʇɐ}ƃɐlɟ 이다 처음에는 진짜.. 외계어인줄 알았다 ;; 어느 나라에서 쓰는 언어인가 싶었는데;
180도 돌려보니 플래그가 보였다.
돌려보자!
굿!
irc ● other ● 1 Points
https://ko.wikipedia.org/wiki/%EC%9C%84%ED%82%A4%EB%B0%B1%EA%B3%BC:IRC_%EB%8C%80%ED%99%94%EB%B0%A9
키위IRC 를 이용했음
1점... 그럼에도 꽤 헷갈림 ㅠ
위와같이 irc로 접속하면 클리어됨
Hastad ● Crypto ● 200 Points
sorry wrong chat라고 하고..
ciphertexts.txt 와 moduli.txt가 주어진다.
일단 한번 보자.
이게 ciphertexts.txt이고 아래가 moduli.txt이다.
RSA암호화로 ciphertexts.txt를 보낸것이라 생각한다. 여기서 e=3이라고 하는데...
e값이 매우 작고 평문이 길이가 짧을 경우, n(=p*q)값이 매우 크기때문에.. 암호화된 평문 C=P^e(% n) 에서 n이 너무커서 C가 모듈러 연산에 몇번 걸리지 않는 경우가 있다. 이 경우 C값을 그냥 e 거듭제곱근을 구해서 평문을 복호화해 낼 수가 있다고 한다. 그래서 일단 e제곱근한 값이 나오나 보기로 했다.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | c_list = [0x10652cdfaa86ddbee1409ac7ac327a0c848081ee6e3b110867085f1074755785b0a5a6a2343b791695c3e91fdb370d5b26be3b6d2fc449c7788bbb1ab67ddc361b4115010618e39c883449b757fc1624369b440236ee65, 0x10652cdfaa8c9ef24fc044b5fed749888632ad132bd412f22d9d905e6ffd27b288c22884b24fe130d83aaab9c2dc6e942418dff89d2b66a66e40900db9456813d70eb63d0c38697f89ff387969d3d40163376416270965, 0x10652cdfaa8ab16290cf92bacf31b23d6a0ea95c2ebd6eb8afe4f038d852a7f17e98f965f299b4d00126611d403c5208a145157ed1d71079fc558eaa888e993360fac35c7a816ad183190867b1b7580a2677cd6871aa65, 0x10652cdfaa86ddbee1409ac7ac327a0c848081ee6e3b110867085f1074755785b0a5a6a2343b791695c3e91fdb370d5b26be3b6d2fc449c7788bbb1ab67ddc361b4115010618e39c883449b757fc1624369b440236ee65, 0x10652cdfaa875a9ac01e472ea5896c1d460410508b9a7c723b5ba904fb5b64d68a1e96254ba04b08c92d51f1fe6c3d6bb426e1ee8c61c8a6ff1eeab9e07f51d8057f2f0c54b27c7006539f7148484ff26a02e4cb1d3165, 0x10652cdfaa8c9ef24fc044b5fed749888632ad132bd412f22d9d905e6ffd27b288c22884b24fe130d83aaab9c2dc6e942418dff89d2b66a66e40900db9456813d70eb63d0c38697f89ff387969d3d40163376416270965, 0x10652cdfaa875a9ac01e472ea5896c1d460410508b9a7c723b5ba904fb5b64d68a1e96254ba04b08c92d51f1fe6c3d6bb426e1ee8c61c8a6ff1eeab9e07f51d8057f2f0c54b27c7006539f7148484ff26a02e4cb1d3165, 0x10652cdfaa8210601d22f4a15aa380233420f9ee9a276d3ac8e05cfc4f6f515f78331e8e74484e8533221e88f78671dd08622e78233e458978a35036680d1c5caaba2fa3bce3b914ad48501a276d6a88adc16db282e065, 0x10652cdfaa8ab16290cf92bacf31b23d6a0ea95c2ebd6eb8afe4f038d852a7f17e98f965f299b4d00126611d403c5208a145157ed1d71079fc558eaa888e993360fac35c7a816ad183190867b1b7580a2677cd6871aa65, 0x10652cdfaa8c2701b8bb7c11fc3218cc2d97cd4707f6de55637bc093f474d231b4d4fe8635261b8e4f772d0e51a25f8e713777a137be6f04e0d28ddd6ec0b852aaf357d33e08aed23e034fcd1ced38542fbeb5aa0eee65, 0x10652cdfaa8210601d22f4a15aa380233420f9ee9a276d3ac8e05cfc4f6f515f78331e8e74484e8533221e88f78671dd08622e78233e458978a35036680d1c5caaba2fa3bce3b914ad48501a276d6a88adc16db282e065, 0x10652cdfaa8c9ef24fc044b5fed749888632ad132bd412f22d9d905e6ffd27b288c22884b24fe130d83aaab9c2dc6e942418dff89d2b66a66e40900db9456813d70eb63d0c38697f89ff387969d3d40163376416270965, 0x10652cdfaa8ab162128a955a58d3b780f2656800796eb70c345c56d7b8523d614ef4ca920471f56493c83ca48500033a0c0b31988ca6e66a76e0ed559b38616688941558b127260cdf70261822929efa0aa6b6d79d1665, 0x10652cdfaa8ab162128a955a58d3b780f2656800796eb70c345c56d7b8523d614ef4ca920471f56493c83ca48500033a0c0b31988ca6e66a76e0ed559b38616688941558b127260cdf70261822929efa0aa6b6d79d1665, 0x10652cdfaa8c2701b8bb7c11fc3218cc2d97cd4707f6de55637bc093f474d231b4d4fe8635261b8e4f772d0e51a25f8e713777a137be6f04e0d28ddd6ec0b852aaf357d33e08aed23e034fcd1ced38542fbeb5aa0eee65] e = 3.00 for idx, c in enumerate(c_list): c_list[idx]=c**(1.00/e) print("%x " % c_list[idx]) for c in c_list: #c = c**(1.00/e) c=format(int(c), 'x') print("%s " % (c.decode("hex"))) | cs |
이런 파이썬 코드를 짜서... 출력해보았다.
코드는 해당 ciphertexts.txt의 값들을 각각 세제곱근한 값을 hex값으로 두고, 이를 decode해 평문으로 출력하는 것이다.
위와 같이 출력되었고... 666c61677b757000000000000000000000000000000000000000000000 와 flag{up 를 볼때...
모듈러연산에 걸려 평문값이 짤려 손실된것으로 보인다.
....
아닛.... 엄청난걸 찾았다. 위키백과 굿
https://en.wikipedia.org/wiki/Coppersmith%27s_attack#RSA_basics
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | import gmpy c_list = [0x10652cdfaa86ddbee1409ac7ac327a0c848081ee6e3b110867085f1074755785b0a5a6a2343b791695c3e91fdb370d5b26be3b6d2fc449c7788bbb1ab67ddc361b4115010618e39c883449b757fc1624369b440236ee65, 0x10652cdfaa8c9ef24fc044b5fed749888632ad132bd412f22d9d905e6ffd27b288c22884b24fe130d83aaab9c2dc6e942418dff89d2b66a66e40900db9456813d70eb63d0c38697f89ff387969d3d40163376416270965, 0x10652cdfaa8ab16290cf92bacf31b23d6a0ea95c2ebd6eb8afe4f038d852a7f17e98f965f299b4d00126611d403c5208a145157ed1d71079fc558eaa888e993360fac35c7a816ad183190867b1b7580a2677cd6871aa65, 0x10652cdfaa86ddbee1409ac7ac327a0c848081ee6e3b110867085f1074755785b0a5a6a2343b791695c3e91fdb370d5b26be3b6d2fc449c7788bbb1ab67ddc361b4115010618e39c883449b757fc1624369b440236ee65, 0x10652cdfaa875a9ac01e472ea5896c1d460410508b9a7c723b5ba904fb5b64d68a1e96254ba04b08c92d51f1fe6c3d6bb426e1ee8c61c8a6ff1eeab9e07f51d8057f2f0c54b27c7006539f7148484ff26a02e4cb1d3165, 0x10652cdfaa8c9ef24fc044b5fed749888632ad132bd412f22d9d905e6ffd27b288c22884b24fe130d83aaab9c2dc6e942418dff89d2b66a66e40900db9456813d70eb63d0c38697f89ff387969d3d40163376416270965, 0x10652cdfaa875a9ac01e472ea5896c1d460410508b9a7c723b5ba904fb5b64d68a1e96254ba04b08c92d51f1fe6c3d6bb426e1ee8c61c8a6ff1eeab9e07f51d8057f2f0c54b27c7006539f7148484ff26a02e4cb1d3165, 0x10652cdfaa8210601d22f4a15aa380233420f9ee9a276d3ac8e05cfc4f6f515f78331e8e74484e8533221e88f78671dd08622e78233e458978a35036680d1c5caaba2fa3bce3b914ad48501a276d6a88adc16db282e065, 0x10652cdfaa8ab16290cf92bacf31b23d6a0ea95c2ebd6eb8afe4f038d852a7f17e98f965f299b4d00126611d403c5208a145157ed1d71079fc558eaa888e993360fac35c7a816ad183190867b1b7580a2677cd6871aa65, 0x10652cdfaa8c2701b8bb7c11fc3218cc2d97cd4707f6de55637bc093f474d231b4d4fe8635261b8e4f772d0e51a25f8e713777a137be6f04e0d28ddd6ec0b852aaf357d33e08aed23e034fcd1ced38542fbeb5aa0eee65, 0x10652cdfaa8210601d22f4a15aa380233420f9ee9a276d3ac8e05cfc4f6f515f78331e8e74484e8533221e88f78671dd08622e78233e458978a35036680d1c5caaba2fa3bce3b914ad48501a276d6a88adc16db282e065, 0x10652cdfaa8c9ef24fc044b5fed749888632ad132bd412f22d9d905e6ffd27b288c22884b24fe130d83aaab9c2dc6e942418dff89d2b66a66e40900db9456813d70eb63d0c38697f89ff387969d3d40163376416270965, 0x10652cdfaa8ab162128a955a58d3b780f2656800796eb70c345c56d7b8523d614ef4ca920471f56493c83ca48500033a0c0b31988ca6e66a76e0ed559b38616688941558b127260cdf70261822929efa0aa6b6d79d1665, 0x10652cdfaa8ab162128a955a58d3b780f2656800796eb70c345c56d7b8523d614ef4ca920471f56493c83ca48500033a0c0b31988ca6e66a76e0ed559b38616688941558b127260cdf70261822929efa0aa6b6d79d1665, 0x10652cdfaa8c2701b8bb7c11fc3218cc2d97cd4707f6de55637bc093f474d231b4d4fe8635261b8e4f772d0e51a25f8e713777a137be6f04e0d28ddd6ec0b852aaf357d33e08aed23e034fcd1ced38542fbeb5aa0eee65] e = 3.00 for idx, c in enumerate(c_list): c_list[idx], perfect = gmpy.root(c, 3) print("%x %d " % (c_list[idx], perfect)) for c in c_list: #c = c**(1.00/e) c=format(int(c), 'x') print("%s " % (c.decode("hex"))) | cs |
하... 이렇게 잘나오는걸 삽질을 그렇게 하다니 ㅡㅡ;
Iterator | Arguments | Results |
|---|---|---|
p, q, … [repeat=1] | cartesian product, equivalent to a nested for-loop | |
p[, r] | r-length tuples, all possible orderings, no repeated elements |
triptych ● Reversing ● 100 Points
리버싱 문제다!
triptych 라는 파일을 하나 준다. 일단 hxd로 열어보았다.
함수들이 여러개 보인다.
중요할거 같은 함수로는 main, the_first, the_third가 중요해보인다. 하나하나 살펴보자.
main이다. *MK_FP(__FS__, 40LL)은 뭔지 잘 모르겠으나, 마지막에 가서 원래값과 xor하여 변조됫는지 확인하는 것을 보니 canary 같은 것같다.
코드의 내용으로는 fgets으로 사용자로부터 25만큼 버퍼를 읽어들이고, mprotect를 이용해 0x400000부터 0x401000까지 권한을 rwx(7)로 설정해준다.
0x400000~0x401000은 main과 the_fisrt~the_third의 영역이고... 이 영역에 rwx권한을 모두 주는 것을 보니, 이 영역에 무엇을 할 것인가보다.
그리고 마지막으로 the_first에 사용자로 받은 입력값을 인자로 넣어준다. 이제 the first를 한번 보자.
the_first이다. v3~v7까지의 값을 문자값으로 바꿔보면 이상한 문자열이 나온다. 아마 String값이거나 배열이 저렇게 나온거같다.
C언어라면 원래 이렇게 표현됬을 것 같다. char arr[]="~~문자열~~";
다음으로 for문을 실행해 245만큼 반복하는데, 안의 연산이 좀 이상하다.
&the_second의 주소에 1씩더하면서 그 주소에 있는 값을 위에 있는 배열의 값과 XOR연산해 저장한다.
이렇게하면 the_second 함수에 적힌 명령들이 바뀌게 될것이다.
그럼 한번 the_second함수를 보자.
the_second함수를 보려했으나... 제대로 x-ray되지않는다... C언어로 보고싶엇으나 저렇게 표시되고
명령도 이상하게 보이는걸 보니; the_first의 for문 수행이 the_second의 값을 바꾸어 실행가능하게 해주는 것 같다.
일단 더이상 해석할게 없으니 the_third로 넘어가겠다.
the_third의 값은 또 잘 보인다. 하지만 내용이 제대로 파악이 안된다.
the_second의 내용을 알기위해 gdb로 실행해보겠다.
gdb로 disass해서보니... 엉망인것을 알 수잇다.
역시 for문을 수행하고 나서 정리되는 것 같다.
그래서 the_second함수를 콜하기전에 break를 걸고 disass 해보았다.
값이 제대로 보인다.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 | (gdb) disass the_second Dump of assembler code for function the_second: 0x00000000004008fd <+0>: push rbp 0x00000000004008fe <+1>: mov rbp,rsp 0x0000000000400901 <+4>: sub rsp,0x60 0x0000000000400905 <+8>: mov QWORD PTR [rbp-0x58],rdi 0x0000000000400909 <+12>: mov rax,QWORD PTR fs:0x28 0x0000000000400912 <+21>: mov QWORD PTR [rbp-0x8],rax 0x0000000000400916 <+25>: xor eax,eax 0x0000000000400918 <+27>: movabs rax,0x736a647361686868 0x0000000000400922 <+37>: mov QWORD PTR [rbp-0x40],rax 0x0000000000400926 <+41>: movabs rax,0x6873696f6a636f6a 0x0000000000400930 <+51>: mov QWORD PTR [rbp-0x38],rax 0x0000000000400934 <+55>: movabs rax,0x6a7662206b777661 0x000000000040093e <+65>: mov QWORD PTR [rbp-0x30],rax 0x0000000000400942 <+69>: movabs rax,0x76626b647361626b 0x000000000040094c <+79>: mov QWORD PTR [rbp-0x28],rax 0x0000000000400950 <+83>: movabs rax,0x7c7c276638393233 0x000000000040095a <+93>: mov QWORD PTR [rbp-0x20],rax 0x000000000040095e <+97>: mov WORD PTR [rbp-0x18],0x3b3e 0x0000000000400964 <+103>: mov QWORD PTR [rbp-0x48],0x400807 0x000000000040096c <+111>: mov DWORD PTR [rbp-0x4c],0xf5 0x0000000000400973 <+118>: mov DWORD PTR [rbp-0x50],0x0 0x000000000040097a <+125>: jmp 0x4009c8 <the_second+203> 0x000000000040097c <+127>: mov eax,DWORD PTR [rbp-0x50] 0x000000000040097f <+130>: movsxd rdx,eax 0x0000000000400982 <+133>: mov rax,QWORD PTR [rbp-0x48] 0x0000000000400986 <+137>: lea rsi,[rdx+rax*1] 0x000000000040098a <+141>: mov eax,DWORD PTR [rbp-0x50] 0x000000000040098d <+144>: movsxd rdx,eax 0x0000000000400990 <+147>: mov rax,QWORD PTR [rbp-0x48] 0x0000000000400994 <+151>: add rax,rdx 0x0000000000400997 <+154>: movzx edi,BYTE PTR [rax] 0x000000000040099a <+157>: mov ecx,DWORD PTR [rbp-0x50] 0x000000000040099d <+160>: mov edx,0x30c30c31 0x00000000004009a2 <+165>: mov eax,ecx 0x00000000004009a4 <+167>: imul edx 0x00000000004009a6 <+169>: sar edx,0x3 0x00000000004009a9 <+172>: mov eax,ecx 0x00000000004009ab <+174>: sar eax,0x1f 0x00000000004009ae <+177>: sub edx,eax 0x00000000004009b0 <+179>: mov eax,edx 0x00000000004009b2 <+181>: imul eax,eax,0x2a 0x00000000004009b5 <+184>: sub ecx,eax 0x00000000004009b7 <+186>: mov eax,ecx 0x00000000004009b9 <+188>: cdqe 0x00000000004009bb <+190>: movzx eax,BYTE PTR [rbp+rax*1-0x40] 0x00000000004009c0 <+195>: xor eax,edi 0x00000000004009c2 <+197>: mov BYTE PTR [rsi],al 0x00000000004009c4 <+199>: add DWORD PTR [rbp-0x50],0x1 0x00000000004009c8 <+203>: mov eax,DWORD PTR [rbp-0x50] 0x00000000004009cb <+206>: cmp eax,DWORD PTR [rbp-0x4c] 0x00000000004009ce <+209>: jl 0x40097c <the_second+127> 0x00000000004009d0 <+211>: mov rax,QWORD PTR [rbp-0x58] 0x00000000004009d4 <+215>: mov rdi,rax 0x00000000004009d7 <+218>: call 0x400807 <the_third> 0x00000000004009dc <+223>: nop 0x00000000004009dd <+224>: mov rax,QWORD PTR [rbp-0x8] 0x00000000004009e1 <+228>: xor rax,QWORD PTR fs:0x28 0x00000000004009ea <+237>: je 0x4009f1 <the_second+244> 0x00000000004009ec <+239>: call 0x400550 <__stack_chk_fail@plt> 0x00000000004009f1 <+244>: leave 0x00000000004009f2 <+245>: ret End of assembler dump. | cs |
보아하니... the_third의 주소에도 the_second에 수행하는것과 비슷하게 수행하는 것같다.
the_third호출전에 break를 걸고 the_third를 보자.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 | (gdb) disass the_third Dump of assembler code for function the_third: 0x0000000000400807 <+0>: push rbp 0x0000000000400808 <+1>: mov rbp,rsp 0x000000000040080b <+4>: sub rsp,0x60 0x000000000040080f <+8>: mov QWORD PTR [rbp-0x58],rdi 0x0000000000400813 <+12>: mov rax,QWORD PTR fs:0x28 0x000000000040081c <+21>: mov QWORD PTR [rbp-0x8],rax 0x0000000000400820 <+25>: xor eax,eax 0x0000000000400822 <+27>: movabs rax,0x265e245e24736c61 0x000000000040082c <+37>: mov QWORD PTR [rbp-0x40],rax 0x0000000000400830 <+41>: movabs rax,0x69766467736b6720 0x000000000040083a <+51>: mov QWORD PTR [rbp-0x38],rax 0x000000000040083e <+55>: movabs rax,0x3332666972326967 0x0000000000400848 <+65>: mov QWORD PTR [rbp-0x30],rax 0x000000000040084c <+69>: movabs rax,0x6b676b647320282a 0x0000000000400856 <+79>: mov QWORD PTR [rbp-0x28],rax 0x000000000040085a <+83>: movabs rax,0x7a6f70607e202173 0x0000000000400864 <+93>: mov QWORD PTR [rbp-0x20],rax 0x0000000000400868 <+97>: mov WORD PTR [rbp-0x18],0x6961 0x000000000040086e <+103>: mov QWORD PTR [rbp-0x48],0x4006a6 0x0000000000400876 <+111>: mov DWORD PTR [rbp-0x4c],0x160 0x000000000040087d <+118>: mov DWORD PTR [rbp-0x50],0x0 0x0000000000400884 <+125>: jmp 0x4008d2 <the_third+203> 0x0000000000400886 <+127>: mov eax,DWORD PTR [rbp-0x50] 0x0000000000400889 <+130>: movsxd rdx,eax 0x000000000040088c <+133>: mov rax,QWORD PTR [rbp-0x48] 0x0000000000400890 <+137>: lea rsi,[rdx+rax*1] 0x0000000000400894 <+141>: mov eax,DWORD PTR [rbp-0x50] 0x0000000000400897 <+144>: movsxd rdx,eax 0x000000000040089a <+147>: mov rax,QWORD PTR [rbp-0x48] 0x000000000040089e <+151>: add rax,rdx 0x00000000004008a1 <+154>: movzx edi,BYTE PTR [rax] 0x00000000004008a4 <+157>: mov ecx,DWORD PTR [rbp-0x50] 0x00000000004008a7 <+160>: mov edx,0x30c30c31 0x00000000004008ac <+165>: mov eax,ecx 0x00000000004008ae <+167>: imul edx 0x00000000004008b0 <+169>: sar edx,0x3 0x00000000004008b3 <+172>: mov eax,ecx 0x00000000004008b5 <+174>: sar eax,0x1f 0x00000000004008b8 <+177>: sub edx,eax 0x00000000004008ba <+179>: mov eax,edx 0x00000000004008bc <+181>: imul eax,eax,0x2a 0x00000000004008bf <+184>: sub ecx,eax 0x00000000004008c1 <+186>: mov eax,ecx 0x00000000004008c3 <+188>: cdqe 0x00000000004008c5 <+190>: movzx eax,BYTE PTR [rbp+rax*1-0x40] 0x00000000004008ca <+195>: xor eax,edi 0x00000000004008cc <+197>: mov BYTE PTR [rsi],al 0x00000000004008ce <+199>: add DWORD PTR [rbp-0x50],0x1 0x00000000004008d2 <+203>: mov eax,DWORD PTR [rbp-0x50] 0x00000000004008d5 <+206>: cmp eax,DWORD PTR [rbp-0x4c] 0x00000000004008d8 <+209>: jl 0x400886 <the_third+127> 0x00000000004008da <+211>: mov rax,QWORD PTR [rbp-0x58] 0x00000000004008de <+215>: mov rdi,rax 0x00000000004008e1 <+218>: call 0x4006a6 <validate> 0x00000000004008e6 <+223>: nop 0x00000000004008e7 <+224>: mov rax,QWORD PTR [rbp-0x8] 0x00000000004008eb <+228>: xor rax,QWORD PTR fs:0x28 0x00000000004008f4 <+237>: je 0x4008fb <the_third+244> 0x00000000004008f6 <+239>: call 0x400550 <__stack_chk_fail@plt> 0x00000000004008fb <+244>: leave 0x00000000004008fc <+245>: ret | cs |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 | (gdb) disass validate Dump of assembler code for function validate: 0x00000000004006a6 <+0>: push rbp 0x00000000004006a7 <+1>: mov rbp,rsp 0x00000000004006aa <+4>: sub rsp,0x70 0x00000000004006ae <+8>: mov QWORD PTR [rbp-0x68],rdi 0x00000000004006b2 <+12>: mov rax,QWORD PTR fs:0x28 0x00000000004006bb <+21>: mov QWORD PTR [rbp-0x8],rax 0x00000000004006bf <+25>: xor eax,eax 0x00000000004006c1 <+27>: movabs rax,0x797472657771275f 0x00000000004006cb <+37>: mov QWORD PTR [rbp-0x30],rax 0x00000000004006cf <+41>: movabs rax,0x73617d7b706f6975 0x00000000004006d9 <+51>: mov QWORD PTR [rbp-0x28],rax 0x00000000004006dd <+55>: movabs rax,0x7a6c6b6a68676664 0x00000000004006e7 <+65>: mov QWORD PTR [rbp-0x20],rax 0x00000000004006eb <+69>: movabs rax,0x7c6d6e62766378 0x00000000004006f5 <+79>: mov QWORD PTR [rbp-0x18],rax 0x00000000004006f9 <+83>: mov DWORD PTR [rbp-0x5c],0x0 0x0000000000400700 <+90>: jmp 0x400777 <validate+209> 0x0000000000400702 <+92>: mov eax,DWORD PTR [rbp-0x5c] 0x0000000000400705 <+95>: movsxd rdx,eax 0x0000000000400708 <+98>: mov rax,QWORD PTR [rbp-0x68] 0x000000000040070c <+102>: add rax,rdx 0x000000000040070f <+105>: movzx eax,BYTE PTR [rax] 0x0000000000400712 <+108>: cmp al,0x5e 0x0000000000400714 <+110>: jle 0x40072a <validate+132> 0x0000000000400716 <+112>: mov eax,DWORD PTR [rbp-0x5c] 0x0000000000400719 <+115>: movsxd rdx,eax 0x000000000040071c <+118>: mov rax,QWORD PTR [rbp-0x68] ---Type <return> to continue, or q <return> to quit--- 0x0000000000400720 <+122>: add rax,rdx 0x0000000000400723 <+125>: movzx eax,BYTE PTR [rax] 0x0000000000400726 <+128>: cmp al,0x7d 0x0000000000400728 <+130>: jle 0x400734 <validate+142> 0x000000000040072a <+132>: mov edi,0x0 0x000000000040072f <+137>: call 0x400590 <exit@plt> 0x0000000000400734 <+142>: mov DWORD PTR [rbp-0x58],0x0 0x000000000040073b <+149>: jmp 0x40076d <validate+199> 0x000000000040073d <+151>: mov eax,DWORD PTR [rbp-0x58] 0x0000000000400740 <+154>: movsxd rdx,eax 0x0000000000400743 <+157>: mov rax,QWORD PTR [rbp-0x68] 0x0000000000400747 <+161>: add rdx,rax 0x000000000040074a <+164>: mov eax,DWORD PTR [rbp-0x58] 0x000000000040074d <+167>: movsxd rcx,eax 0x0000000000400750 <+170>: mov rax,QWORD PTR [rbp-0x68] 0x0000000000400754 <+174>: add rax,rcx 0x0000000000400757 <+177>: movzx eax,BYTE PTR [rax] 0x000000000040075a <+180>: movsx eax,al 0x000000000040075d <+183>: sub eax,0x5f 0x0000000000400760 <+186>: cdqe 0x0000000000400762 <+188>: movzx eax,BYTE PTR [rbp+rax*1-0x30] 0x0000000000400767 <+193>: mov BYTE PTR [rdx],al 0x0000000000400769 <+195>: add DWORD PTR [rbp-0x58],0x1 0x000000000040076d <+199>: cmp DWORD PTR [rbp-0x58],0x17 0x0000000000400771 <+203>: jle 0x40073d <validate+151> 0x0000000000400773 <+205>: add DWORD PTR [rbp-0x5c],0x1 0x0000000000400777 <+209>: cmp DWORD PTR [rbp-0x5c],0x2 0x000000000040077b <+213>: jle 0x400702 <validate+92> ---Type <return> to continue, or q <return> to quit--- 0x000000000040077d <+215>: movabs rax,0x7b646e6a7d756d7a 0x0000000000400787 <+225>: mov QWORD PTR [rbp-0x50],rax 0x000000000040078b <+229>: movabs rax,0x7b6f646e5f667b6f 0x0000000000400795 <+239>: mov QWORD PTR [rbp-0x48],rax 0x0000000000400799 <+243>: movabs rax,0x61677b5f7a685f7b 0x00000000004007a3 <+253>: mov QWORD PTR [rbp-0x40],rax 0x00000000004007a7 <+257>: mov BYTE PTR [rbp-0x38],0x0 0x00000000004007ab <+261>: mov DWORD PTR [rbp-0x54],0x0 0x00000000004007b2 <+268>: jmp 0x4007e0 <validate+314> 0x00000000004007b4 <+270>: mov eax,DWORD PTR [rbp-0x54] 0x00000000004007b7 <+273>: movsxd rdx,eax 0x00000000004007ba <+276>: mov rax,QWORD PTR [rbp-0x68] 0x00000000004007be <+280>: add rax,rdx 0x00000000004007c1 <+283>: movzx edx,BYTE PTR [rax] 0x00000000004007c4 <+286>: mov eax,DWORD PTR [rbp-0x54] 0x00000000004007c7 <+289>: cdqe 0x00000000004007c9 <+291>: movzx eax,BYTE PTR [rbp+rax*1-0x50] 0x00000000004007ce <+296>: cmp dl,al 0x00000000004007d0 <+298>: je 0x4007dc <validate+310> 0x00000000004007d2 <+300>: mov edi,0x0 0x00000000004007d7 <+305>: call 0x400590 <exit@plt> 0x00000000004007dc <+310>: add DWORD PTR [rbp-0x54],0x1 0x00000000004007e0 <+314>: cmp DWORD PTR [rbp-0x54],0x18 0x00000000004007e4 <+318>: jle 0x4007b4 <validate+270> 0x00000000004007e6 <+320>: mov edi,0x400be4 0x00000000004007eb <+325>: call 0x400540 <puts@plt> 0x00000000004007f0 <+330>: nop 0x00000000004007f1 <+331>: mov rax,QWORD PTR [rbp-0x8] ---Type <return> to continue, or q <return> to quit--- 0x00000000004007f5 <+335>: xor rax,QWORD PTR fs:0x28 0x00000000004007fe <+344>: je 0x400805 <validate+351> 0x0000000000400800 <+346>: call 0x400550 <__stack_chk_fail@plt> 0x0000000000400805 <+351>: leave 0x0000000000400806 <+352>: ret End of assembler dump. | cs |
10. 64-Bit Mode Instructions (64비트 모드 명령)
다음 명령은 64비트 모드에서 소개된 명령이다. 이 모드는 IA-32e 모드의 서브 모드이다.
CDQE - Convert doubleword to quadword
CMPSQ - Compare string operands
CMPXCHG16B - Compare RDX:RAX with m128
LODSQ - Load qword at address (R)SI into RAX
MOVSQ - Move qword from address (R)SI to (R)DI
MOVZX (64-bits) - Move doubleword to quadword, zero-extension
STOSQ - Store RAX at address RDI
SWAPGS - Exchanges current GS base register value with value in MSR address C0000102H
SYSCALL - Fast call to privilege level 0 system procedures
SYSRET - Return from fast system call
굿
C코드로 바꿔보았다.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 | #include <stdio.h> int validate(char* s) { char str[]="_\'qwertyuiop{}asdfghjklzxcvbnm|"; char str2[]="zmu}jnd{o{f_ndo{{_hz_{ga"; int i,j; for(i=0; i<=2; i++) { if(s[i]<=94 || s[i]>125) // exit(0); for(j=0; j<=23; j++) { s[j]=str[s[j]-95]; } } for(i=0; i<=24; i++) { if(s[i] != str2[i]) exit(0); } printf("haha nice!"); } | cs |
분석은 알아서 하시게... 이제 풀면된다. 참 긴 여정이였다.
이제 역으로 돌려서 무엇을 넣어야 haha nice! 가 출력되는 지 알아보자...
쉽게하기위해 str2를 역으로 돌리는 코드를 짜보겟다.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | #include <stdio.h> #include <string.h> int main() { char str[]="_\'qwertyuiop{}asdfghjklzxcvbnm|"; char str2[]="zmu}jnd{o{f_ndo{{_hz_{ga"; int i,j,cnt; for(cnt=0; cnt<3; cnt++){ for(i=0; i<strlen(str2); i++) { for(j=0; j<strlen(str); j++){ if(str2[i]==str[j]){ str2[i]=j+95; break; } } } } printf("%s\n",str2); return 0; } | cs |
후... 굿굿!
titan ● Reversing ● 200 Points
HxD로 열어본 모습
Bin > ASC로 바꾸어본것.. 하지만 아무런 성과가 없다.
참고한 사이트 : https://www.hpcalc.org/hp48/docs/faq/48faq-6.html
Kermit의 일부 버전은 ASCII 파일과 이진 파일을 구별하기 때문에 연결의 양쪽 끝 (HP48 SX 끝과 컴퓨터 끝)에서 전송 모드에 대해 걱정해야합니다. 예를 들어, ASCII 파일을받을 때 Unix Kermit은 CR / LF 쌍을 LF로 변환해야합니다. HP48 SX가 이진 파일을 전송하지만 Unix Kermit이 ASCII를 예상하면 이진 파일의 모든 CR / LF 쌍이 LF로 변환되어 이진 파일이 손상됩니다. 불행히도, 당신은 단순히 전송을 되돌리고 Kermit이 LF를 CR / LF로 번역 할 것을 기대함으로써 손상된 이진 파일을 "uncorrupt"할 수 없습니다. 이것은 바이너리 파일이 원래 CR / LF 시퀀스의 일부가 아닌 LF의 발생을 포함 할 수 있기 때문입니다. 이진 파일이 손상되면 스택에 문자 "HPHP48-"로 시작하여 문자열로 표시되고 잔뜩 쓰레기가 계속됩니다. |
열심히 썻는데 다 날라갔네;; 하;;.... 이것도 5~6시간썻는데 결국 못품
나중에 writeup봐야겠다.
xoracle ● Crypto ● 250 Points
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | #!/usr/bin/env python3 from random import randint from base64 import b64encode def xor(data, key): out = b'' for n in range(len(data)): out += bytes([data[n] ^ key[n % len(key)]]) return out def randkey(): key = b'' for n in range(randint(128, 255)): key += bytes([randint(0, 255)]) return key if __name__ == "__main__": with open('flag', 'rb') as f: data = f.read() print(b64encode(xor(data, randkey())).decode("utf-8")) | cs |
어케 푸는지 모르겠다ㅏㅏㅏㅏ
쉘스크립트를 통해 암호문을 모은다.
꽤 많이 모였다. 이제 저 중에 같은 키길이를 가지는 두 암호문을 찾아보자.
코딩은 알아서 해서... 찾았다.
1.enc와 44,90,95가 같은 키 길이를 가진다.
1.enc의 키의 길이는 172이다. 이제 키 길이는 알았으니, 비제네르 암호와 동일한 방법으로 공격하면 될 것같다.
aKwtO9ED+Dy09GtEGA5l27YN87s4zm9uPasp76tCwqOCF1HO/G5QwqCQ6Cksq0x76ZZTQi4ACrlUzoeKqQ8a/NnyJLHfXLBqD1XiXMjrtp4Kt62nbbJCcrCZ9Rtf8El4e7fg9k+4BUoUHPyFRT6dPuUmLyryrV3BMUS53+gthXvUE7526VNQ3lyXo8L9Ic0WpEZgtTwaVZ2XfKG6pPT1QrTajtIfz9JrO70Z+fUqIyHbHQDOTnYybo+5mSemHeM7mG5P6rkvDMOXTrWc8Uo5lyzo2hKKnL5YqAmGHngC9wtco5aL6XDycBTeePQguJOTA5S/n/1ZimWyOioODsrBvrDhlid/qxYWg//x+KD5ZUCEbDlqc2GSiGpj2HMog2Q5tfYrJPkvawQeYbP3cK5ui9eedf16fXdQCLPAESq5/31dzzbcrGK9V9oRXufxsf0iXR+BAz14WptnWFAP9zFyjQ3F8a3MJQ+xvD7AiMwhsHHbTcpfC/IkKEVfJ5e84tFTwRJ4cEA9wFhYM+Iu1aofKTTPPabfkvCZhWHLjSMhlp+RIbZSedn7v5ZBjbc6ad7lJB2ioe0i/UrXlqZ0l1Q4e1G9cWkLp+XfF8Aneq3mO0wAgm+0jrzccr62VAHD3xCWkcTQwuSe1qcMgqwJvyp7nK/39KSwDn7B88TDkoHLCWZuiIhqnifp+MK9ToIkzsjLJgj+3YkyzPen8HJdW2fsIyJxleY2Vu0FmXkjtgoRbgM52nlQ1E7MkGf5zNFhZdlmSrtv3w7kKxok22GjK1mj2Ldsmbe3AiYuRawcsY3X60QnUb7NWTJw3aTtzJIapfexiJeHm7aMh2P+iy7pShdFHMQptrA1q7EjhlUL5yX6dYhxnMBHgMY5I9r9yu7YGyx1rw3bLq1qX3PlypK8del4uoWc2R3tK/jHShl+H32+dMeqgfC8Ni6Pr76TWAerTLuzbFlmFUSKgfP+pl6ixPQpAPulHU+czqEXTD+tKcOrvsfbf6FCpj8FWjgF0bi189H1JxwU+4BHGcde6ZLpfADOCjG8WplMA997mt0Qf3NZFjgoeWzUl/QpBpCnJLlkGyEMRUDJkkJ6w0BHQigzBz1DMjmTjEn3WQiv8X/S3d12rX3pmxP4kCxR9ngzM6uql8nx2N9NR6sDUzzDNxfpWNJMND/BcY7caKuXT6q1k98Erbzr/HB149X9JXQupeknEsk18rOGGwWqR3u1fNqfg6f98MIWVAl8ds4o/xM4HDzb06yLVT0z0GITwZd6R5SvopYWU1z042B+vKQG62DLSo9o5aIzXswRoSnUSjTNik9VU38/J3Hz9MFc2tXcitOo9b7JO7fmgZ+UMqhxL54cptTY5Pe9udXdiyuzMrN4aWepWjZpIWhJKewkttsgGVHSnjAxsi2q6ce5UoBt96zzzggSI7XjupuGGQ0xGZ3Ulte1VRoYUCPNwS8GB+7Rl8knnnvijMAniO2nljECr72YS3yFVMYlQA9n28NFKsRVknOI9kINp50Xeiaw6AdmtXuRlGdb0lMj/h8gay9Z0imttWkABOkvFFZ4j0Zbfx38ZigDVYr1YUc2OLmay+QpWL9VUexd5YtrvL0RLXhSEQ0G/q6ru8Mq3999h6GsigMN542hK4N61PQS0BCl88b+SAsgc6nzgrIVRMFMEeMDaSd0nw8cMrbFfAm7dS7ZmOQJgQhV4cgRQi26EV6OoQKQyo8Lo7kDmcXZQgvAlys8EpMtPi+OREn2Z04+Fm7pnhZM7R12Mp94hlv4CR/xLKflwvzhrciW6vU4kaytrzmSQ2RganxPo78opxFn0bUrtMWG6UoBxY1yLkmMrrVK+g1GR22NNMjvp6lFqwcJLuonrLW1Wng2Q61GiSrEMmYHe7i/E6ahVisO7ELCw1sbxBhiWPU+R51IJy5zk4SGDWyRcAZrH7xLRsa5XtCNLb5qml6oFbckHrpjqZ8nw5HRLotw6Mf/oFNGCgkW8FmumGqnIH/ekAZxIBiJBtIkV+olQT9gpJ4lPTmM+d1NNcmk9T6xnP6UyKtV1FQjzOreYwQ6oem7HcLtGumeKBr1L2lsecRf78WLhfgl0agPsvYVjsdOFUCfVGHpgWqhjY2CCzK1lwTtO47Waw8EzJsmEcsaibnUIbYPNAW1viKCit+4BY7S14enqHdWsjoNBaipLfpEdelbhij/MPFrdtI29oSmKq/zbC5G/F703SEPFzuGZN8ep6beQ088klOOdhpJF5xcLaZ2Y681A9Ur+73CEDlsxmPdWBTHnOCSZTIlnClgW05PF0q5P0KbN4XfubDlA/P/kuNUGGg6Q/s5BYlHq9il5gdIoAbCRsiWmc9BMf3RaIfNBPjYq8dPU7ZEhFfOvQ1ymqYZH6t9EUGTk2MsTW1srbfvQcCan+l12MuVckFVRh7kXu7Au2i2OzpZbqLV8blQcUT6eRLaS5YHPF5N0W3aN9ghCw728+YizQi1Rhm3vOTyHp6gzejGnXZZNmrVJtSxr9oHN4RhspKnZIhXvB+FfHxXJ58glA89yBD9Z/WylHFHFtIt7N7Ea6IwctY2NXhbZQkvJedMxbrsRsXvinybCKdtKDnVo3NclWMcSm0oeME5rPuRPXzrAXo8A0eiVXLzoM0yohBkUQDhzCgTniporgY/vNw/wtpezwisaoJoZRXO526WiTjs75q7sTWt0/AgGdNaXPbD5Ki8ahw3pOI=
ctf가 끝나버려서.. writeup을 참고
- Repeated XOR - 70 (Cryptography)
- Cracking repeating XOR key crypto
나 나름대로 정리해보겠다...고 생각하였으나; 개념은 이해가 가는데 코드짜기가 어렵다 + (이미 종료된 문제여서 더이상 암호문을 얻을수가 없다)
또... C의 길이가 1536이라는데에서 의문이 생기는데 이걸 이해할수가 없다.
'Write-up > CTF _ Write UP' 카테고리의 다른 글
| [HITCON-Training] lab12 : secretgarden (0) | 2019.07.13 |
|---|---|
| RCTF 2018 Writeup (cpushop / babyre / Misc+) (0) | 2018.05.21 |
| DEFCON CTF Quals 2018 Writeup (0) | 2018.05.14 |
| [WriteUP] Byte Bandits CTF 2018 (0) | 2018.04.10 |