
Category: VXCTF2017

[VXCTF2017] RPG World

Although I didn't solve the challenge, I am still sharing my work here.


[VXCTF2017] BLueBLood

Solution

My solution is to extract the archive.rpa first.

BLueBLood-98

Get options.rpy:

define gui.about = "vxctf{{1stBL00d_w1th_hi-hi_5p33d}"

Before doing the following questions, extract all the rpyc files first.

BLueBLood-55, 56, 33, 0f, f9, a2, 4c

Just open script.rpy and you will see something like that

Just find out the value of the variable and fill it into the formula. Such as

BLueBLood-1c


[VXCTF2017] Real Random

Question

Solution

It uses the current system time as the seed to generate random numbers. Maybe we can just brute force it?


[VXCTF2017] Flag Checking Oracle 2

Question:

Solution

First, we have to check the length of the flag.

I found that there is a 0.5 second pause at offset 27. So maybe the length of the flag is 27? Also, if the length is correct, the program will wait for 0.5 seconds and then start to compare each character of the input with the flag. If the character is correct, it will wait 0.5 seconds. So, we can calculate the time to brute force the flag.

vxctf{3nj0y_4nd_w417_a10ne}


[VXCTF2017] Doom

Question

Let’s play DOOM!

Hint: Kill the boss, no one plays 🙁

Solution

It seems only DOOM.WAD and DEFAULT.CFG are modified? My idea is to extract DOOM.WAD to find out what has been added or modified. The hint says to kill the boss. Maybe the resources are related to the boss? Finally, I found a tool named SLADE to extract the WAD file.


[VXCTF2017] One Native Pad

Question

Given a Python script and two images.

ONP.py

outimg1.png outimg2.png

Solution

XOR the two images. I found that one of the images is the cry frog, so I found the original image on Google. Now it is time to study how the script does the encryption.

Formula: encPixel = curPixel xor k

Now we have encPixel and curPixel, so we can recover k with this formula:

k[index] = encPixel(x,y) ^ curPixel(x,y)

After executing this script I get two images. It seems there are some wire pixels inside these two images. My idea is to compare the original image with outimg1Solve.png to extract only the wire pixels. Then I can compare the wire pixels with outimg2Solve.png.

wirePixel:

compare result:


[VXCTF2017] EasyPWN1

Solution

It seems the not_called function is never executed. So my idea is to overwrite the return address of main with the address of the not_called function.

Generate pattern

pattern create 200 > input
r < input

Find padding offset by using pattern

There are two ways to find the offset:

x/wx $rsp
pattern offset 0x41514141

or

pattern search

Find not_called address:

Final solution script
