ASIS 2015 Finals: License (rev125)

This challenge was solved, and this write-up written, by one of my teammates, nguyen.

We are given an x64 ELF binary, ‘license’.

The decompiled main function starts by opening a file named _a\nb\tc_. Since it is inconvenient to create a file with such a name, we replace the filename in the binary with the following command:

hexdump -ve '1/1 "%.2X"' license | sed 's/5F610A6209635F/6B657966696C65/g' | xxd -r -p > license_patch

Now we create a file named “keyfile” and get an error.

From the logic that follows, we can see that the size of the keyfile must satisfy an equation:

44242*X^5 - 45235*X^4 - 1256*X^3 + 14392*X^2 - 59762*X - 1949670109068 = 0

We solve this with the z3 solver and find that the size should be 34 bytes. Next, the file should contain 5 newlines.

The file contents need to be separated by newlines, and each line has to contain 6 bytes, which are compared, after XORing, with a hardcoded XORed key:

iKWoZLVc4LTyGrCRedPhfEnihgyGxWrCGjvi37pnPGh2f1DJKEcQZMDlVvZpEHHzUfd4VvlMzRDINqBk;1srRfRvvUW

As a result, the following equations must be satisfied:

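from z3 import BitVecs, Solver
# Each 6-byte line of the keyfile is modelled as a 48-bit bit-vector.
l1, l2, l3, l4, l5 = BitVecs('l1 l2 l3 l4 l5', 48)
s = Solver()
s.add(l4 == 0x686779477857)
s.add(l1 ^ l2 == 0x694b576f5a4c)
s.add(l2 ^ l4 ^ 0x232323232323 == 0x5663344c5479)
s.add(l3 ^ l4 == 0x477243526564)
s.add(l3 ^ (l4 ^ l5 ^ 0x232323232323) == 0x506866456e69)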

Solving these equations with z3 yields:

l1 = 128008166266177
l2 = 32055189049101
l3 = 51768215280947
l4 = 114793625647191
l5 = 57419521861678

Generating the keyfile from these keys, concatenated with newlines, gives the following result:

root@ubuntu:~/tmp# ./license
program successfully registered to ASIS{8d2cc30143831881f94cb05dcf0b83e0}
root@ubuntu:~/tmp#
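
The two solving steps above, redone in plain Python as an added example (not the author's z3 script): it finds the integer root of the size polynomial, shows that each constant in the equations is a 6-byte slice of the hardcoded key string, and solves the XOR system by substitution. The function names, the big-endian byte order and joining the five lines with single newline bytes are assumptions.

```python
# Added example, not the author's solver: pure Python, no z3 needed.
KEY = "iKWoZLVc4LTyGrCRedPhfEnihgyGxWrCGjvi37pnPGh2f1DJKEcQZMDlVvZpEHHzUfd4VvlMzRDINqBk;1srRfRvvUW"
MASK = 0x232323232323  # the 0x23 mask that appears in two of the equations


def size_poly(x):
    """File-size polynomial quoted in the write-up."""
    return (44242 * x**5 - 45235 * x**4 - 1256 * x**3
            + 14392 * x**2 - 59762 * x - 1949670109068)


def size_roots(limit=4096):
    """Non-negative integer roots below `limit` (brute force is enough here)."""
    return [x for x in range(limit) if size_poly(x) == 0]


def key_chunks(n=5, width=6):
    """First n 6-byte chunks of KEY, read as big-endian integers."""
    raw = KEY.encode("ascii")
    return [int.from_bytes(raw[i * width:(i + 1) * width], "big")
            for i in range(n)]


def solve_lines():
    """Solve the five XOR equations by substitution, starting from l4."""
    c1, c2, c3, c4, c5 = key_chunks()
    l4 = c5                    # l4 == c5
    l3 = l4 ^ c3               # l3 ^ l4 == c3
    l2 = l4 ^ MASK ^ c2        # l2 ^ l4 ^ MASK == c2
    l1 = l2 ^ c1               # l1 ^ l2 == c1
    l5 = l3 ^ l4 ^ MASK ^ c4   # l3 ^ (l4 ^ l5 ^ MASK) == c4
    return [l1, l2, l3, l4, l5]


def build_keyfile(lines):
    """Assumed layout: 6 big-endian bytes per line, joined by one newline."""
    return b"\n".join(v.to_bytes(6, "big") for v in lines)


if __name__ == "__main__":
    print("size roots:", size_roots())
    lines = solve_lines()
    for name, value in zip(("l1", "l2", "l3", "l4", "l5"), lines):
        print(name, "=", value, hex(value))
    blob = build_keyfile(lines)
    print("keyfile length:", len(blob))
    # open("keyfile", "wb").write(blob)  # uncomment to write the file
```

Because XOR is its own inverse, every unknown falls out of a single substitution, so an SMT solver is a convenience here rather than a requirement.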
