Press "Enter" to skip to content

Tag: Reverse

[CSAW2017] – tablEZ

Published September 18, 2017 by SaBeLa

Solution The first step is to decompile the given binary. Main

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int result; // [email protected]
  __int64 v4; // [email protected]
  size_t i; // [sp+0h] [bp-D0h]@1
  size_t v6; // [sp+8h] [bp-C8h]@1
  char s2[8]; // [sp+10h] [bp-C0h]@1
  char s[136]; // [sp+40h] [bp-90h]@1
  __int64 v9; // [sp+C8h] [bp-8h]@1
 
  v9 = *MK_FP(__FS__, 40LL);
  strcpy(s2, "'連\x11蝐鳥═\x1Bq#ee\x11\x11x05e);
  puts("Please enter the flag:");
  fgets(s, 128, stdin);
  s[strlen(s) - 1] = 0;
  v6 = strlen(s);
  for ( i = 0LL; i < v6; ++i )
    s[i] = get_tbl_entry((unsigned int)s[i]);
  if ( v6 == 37 )
  {
    if ( !strncmp(s, s2, 0x26uLL) )
    {
      puts("CORRECT <3");
      result = 0;
    }
    else
    {
      puts("WRONG");
      result = 1;
    }
  }
  else
  {
    puts("WRONG");
    result = 1;
  }

  Main_asm

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
.text:00000000000008A0 ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:00000000000008A0                 public main
.text:00000000000008A0 main            proc near               ; DATA XREF: _start+1Do
.text:00000000000008A0
.text:00000000000008A0 var_D0          = qword ptr -0D0h
.text:00000000000008A0 var_C8          = qword ptr -0C8h
.text:00000000000008A0 s2              = byte ptr -0C0h
.text:00000000000008A0 var_B8          = qword ptr -0B8h
.text:00000000000008A0 var_B0          = qword ptr -0B0h
.text:00000000000008A0 var_A8          = qword ptr -0A8h
.text:00000000000008A0 var_A0          = dword ptr -0A0h
.text:00000000000008A0 var_9C          = word ptr -9Ch
.text:00000000000008A0 s               = byte ptr -90h
.text:00000000000008A0 var_8           = qword ptr -8
.text:00000000000008A0
.text:00000000000008A0                 push    rbp
.text:00000000000008A1                 mov     rbp, rsp
.text:00000000000008A4                 sub     rsp, 0D0h
.text:00000000000008AB                 mov     rax, fs:28h
.text:00000000000008B4                 mov     [rbp+var_8], rax
.text:00000000000008B8                 xor     eax, eax
.text:00000000000008BA                 mov     rax, 0B1E711F59D73B327h
.text:00000000000008C4                 mov     rdx, 30F4F9F9B399BEB3h
.text:00000000000008CE                 mov     qword ptr [rbp+s2], rax
.text:00000000000008D5                 mov     [rbp+var_B8], rdx
.text:00000000000008DC                 mov     rax, 0B19965237399711Bh
.text:00000000000008E6                 mov     rdx, 0F9279923BE111165h
.text:00000000000008F0                 mov     [rbp+var_B0], rax
.text:00000000000008F7                 mov     [rbp+var_A8], rdx
.text:00000000000008FE                 mov     [rbp+var_A0], 65059923h
.text:0000000000000908                 mov     [rbp+var_9C], 0CEh
.text:0000000000000911                 lea     rdi, s          ; "Please enter the flag:"
.text:0000000000000918                 call    _puts
.text:000000000000091D                 mov     rdx, cs:stdin@@GLIBC_2_2_5 ; stream
.text:0000000000000924                 lea     rax, [rbp+s]
.text:000000000000092B                 mov     esi, 80h        ; n
.text:0000000000000930                 mov     rdi, rax        ; s
.text:0000000000000933                 call    _fgets
.text:0000000000000938                 lea     rax, [rbp+s]
.text:000000000000093F                 mov     rdi, rax        ; s
.text:0000000000000942                 call    _strlen
.text:0000000000000947                 sub     rax, 1
.text:000000000000094B                 mov     [rbp+rax+s], 0
.text:0000000000000953                 lea     rax, [rbp+s]
.text:000000000000095A                 mov     rdi, rax        ; s
.text:000000000000095D                 call    _strlen
.text:0000000000000962                 mov     [rbp+var_C8], rax
.text:0000000000000969                 mov     [rbp+var_D0], 0
.text:0000000000000974                 jmp     short loc_9B1
.text:0000000000000976 ; ---------------------------------------------------------------------------
.text:0000000000000976
.text:0000000000000976 loc_976:                                ; CODE XREF: main+11Fj
.text:0000000000000976                 lea     rdx, [rbp+s]
.text:000000000000097D                 mov     rax, [rbp+var_D0]
.text:0000000000000984                 add     rax, rdx
.text:0000000000000987                 movzx   eax, byte ptr [rax]
.text:000000000000098A                 movsx   eax, al
.text:000000000000098D                 mov     edi, eax
.text:000000000000098F                 call    get_tbl_entry
.text:0000000000000994                 mov     ecx, eax
.text:0000000000000996                 lea     rdx, [rbp+s]
.text:000000000000099D                 mov     rax, [rbp+var_D0]
.text:00000000000009A4                 add     rax, rdx
.text:00000000000009A7                 mov     [rax], cl
.text:00000000000009A9                 add     [rbp+var_D0], 1
.text:00000000000009B1
.text:00000000000009B1 loc_9B1:                                ; CODE XREF: main+D4j
.text:00000000000009B1                 mov     rax, [rbp+var_D0]
.text:00000000000009B8                 cmp     rax, [rbp+var_C8]
.text:00000000000009BF                 jb      short loc_976
.text:00000000000009C1                 cmp     [rbp+var_C8], 25h
.text:00000000000009C9                 jz      short loc_9DE
.text:00000000000009CB                 lea     rdi, aWrong     ; "WRONG"
.text:00000000000009D2                 call    _puts
.text:00000000000009D7                 mov     eax, 1
.text:00000000000009DC                 jmp     short loc_A24
.text:00000000000009DE ; ---------------------------------------------------------------------------
.text:00000000000009DE
.text:00000000000009DE loc_9DE:                                ; CODE XREF: main+129j
.text:00000000000009DE                 lea     rcx, [rbp+s2]
.text:00000000000009E5                 lea     rax, [rbp+s]
.text:00000000000009EC                 mov     edx, 26h        ; n
.text:00000000000009F1                 mov     rsi, rcx        ; s2
.text:00000000000009F4                 mov     rdi, rax        ; s1
.text:00000000000009F7                 call    _strncmp
.text:00000000000009FC                 test    eax, eax
.text:00000000000009FE                 jnz     short loc_A13
.text:0000000000000A00                 lea     rdi, aCorrect3  ; "CORRECT <3"
.text:0000000000000A07                 call    _puts
.text:0000000000000A0C                 mov     eax, 0
.text:0000000000000A11                 jmp     short loc_A24
.text:0000000000000A13 ; ---------------------------------------------------------------------------
.text:0000000000000A13
.text:0000000000000A13 loc_A13:                                ; CODE XREF: main+15Ej
.text:0000000000000A13                 lea     rdi, aWrong     ; "WRONG"
.text:0000000000000A1A                 call    _puts
.text:0000000000000A1F                 mov     eax, 1
.text:0000000000000A24
.text:0000000000000A24 loc_A24:                                ; CODE XREF: main+13Cj
.text:0000000000000A24                                         ; main+171j
.text:0000000000000A24                 mov     rsi, [rbp+var_8]
.text:0000000000000A28                 xor     rsi, fs:28h
.text:0000000000000A31                 jz      short locret_A38
.text:0000000000000A33                 call    ___stack_chk_fail
.text:0000000000000A38 ; ---------------------------------------------------------------------------
.text:0000000000000A38
.text:0000000000000A38 locret_A38:                             ; CODE XREF: main+191j
.text:0000000000000A38                 leave
.text:0000000000000A39                 retn
.text:0000000000000A39 main            endp

get_tbl_entry

1
2
3
4
5
6
7
8
9
10
11
__int64 __fastcall get_tbl_entry(char a1)
{
  unsigned __int64 i; // [sp+Ch] [bp-8h]@1
 
  for ( i = 0LL; i <= 254; ++i )
  {
    if ( a1 == *((_BYTE *)&trans_tbl + 2 * i) )
      return byte_201281[2 * i];
  }
  return 0LL;
}

byte_201281

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
.data:0000000000201281 byte_201281     db 0BBh, 2, 9Bh, 3, 0C4h, 4, 6Ch, 5, 4Ah, 6, 2Eh, 7, 22h
.data:0000000000201281                                         ; DATA XREF: get_tbl_entry+33o
.data:0000000000201281                 db 8, 45h, 9, 33h, 0Ah, 0B8h, 0Bh, 0D5h, 0Ch, 6, 0Dh, 0Ah
.data:0000000000201281                 db 0Eh, 0BCh, 0Fh, 0FAh, 10h, 79h, 11h, 24h, 12h, 0E1h
.data:0000000000201281                 db 13h, 0B2h, 14h, 0BFh, 15h, 2Ch, 16h, 0ADh, 17h, 86h
.data:0000000000201281                 db 18h, 60h, 19h, 0A4h, 1Ah, 0B6h, 1Bh, 0D8h, 1Ch, 59h
.data:0000000000201281                 db 1Dh, 87h, 1Eh, 41h, 1Fh, 94h, 20h, 77h, 21h, 0F0h, 22h
.data:0000000000201281                 db 4Fh, 23h, 0CBh, 24h, 61h, 2 dup(25h), 26h, 0C0h, 27h
.data:0000000000201281                 db 97h, 28h, 2Ah, 29h, 5Ch, 2Ah, 8, 2Bh, 0C9h, 2Ch, 9Fh
.data:0000000000201281                 db 2Dh, 43h, 2Eh, 4Eh, 2Fh, 0CFh, 30h, 0F9h, 31h, 3Eh
.data:0000000000201281                 db 32h, 6Fh, 33h, 65h, 34h, 0E7h, 35h, 0C5h, 36h, 39h
.data:0000000000201281                 db 37h, 0B7h, 38h, 0EFh, 39h, 0D0h, 3Ah, 0C8h, 3Bh, 2Fh
.data:0000000000201281                 db 3Ch, 0AAh, 3Dh, 0C7h, 3Eh, 47h, 3Fh, 3Ch, 40h, 81h
.data:0000000000201281                 db 41h, 32h, 42h, 49h, 43h, 0D3h, 44h, 0A6h, 45h, 96h
.data:0000000000201281                 db 46h, 2Bh, 47h, 58h, 48h, 40h, 49h, 0F1h, 4Ah, 9Ch, 4Bh
.data:0000000000201281                 db 0EEh, 4Ch, 1Ah, 4Dh, 5Bh, 4Eh, 0C6h, 4Fh, 0D6h, 50h
.data:0000000000201281                 db 80h, 51h, 2Dh, 52h, 6Dh, 53h, 9Ah, 54h, 3Dh, 55h, 0A7h
.data:0000000000201281                 db 56h, 93h, 57h, 84h, 58h, 0E0h, 59h, 12h, 5Ah, 3Bh, 5Bh
.data:0000000000201281                 db 0B9h, 5Ch, 9, 5Dh, 69h, 5Eh, 0BAh, 5Fh, 99h, 60h, 48h
.data:0000000000201281                 db 61h, 73h, 62h, 0B1h, 63h, 7Ch, 64h, 82h, 65h, 0BEh
.data:0000000000201281                 db 66h, 27h, 67h, 9Dh, 68h, 0FBh, 69h, 67h, 6Ah, 7Eh, 6Bh
.data:0000000000201281                 db 0F4h, 6Ch, 0B3h, 6Dh, 5, 6Eh, 0C2h, 6Fh, 5Fh, 70h, 1Bh
.data:0000000000201281                 db 71h, 54h, 72h, 23h, 73h, 71h, 74h, 11h, 75h, 30h, 76h
.data:0000000000201281                 db 0D2h, 77h, 0A5h, 78h, 68h, 79h, 9Eh, 7Ah, 3Fh, 7Bh
.data:0000000000201281                 db 0F5h, 7Ch, 7Ah, 7Dh, 0CEh, 7Eh, 0Bh, 7Fh, 0Ch, 80h
.data:0000000000201281                 db 85h, 81h, 0DEh, 82h, 63h, 83h, 5Eh, 84h, 8Eh, 85h, 0BDh
.data:0000000000201281                 db 86h, 0FEh, 87h, 6Ah, 88h, 0DAh, 89h, 26h, 8Ah, 88h
.data:0000000000201281                 db 8Bh, 0E8h, 8Ch, 0ACh, 8Dh, 3, 8Eh, 62h, 8Fh, 0A8h, 90h
.data:0000000000201281                 db 0F6h, 91h, 0F7h, 92h, 75h, 93h, 6Bh, 94h, 0C3h, 95h
.data:0000000000201281                 db 46h, 96h, 51h, 97h, 0E6h, 98h, 8Fh, 99h, 28h, 9Ah, 76h
.data:0000000000201281                 db 9Bh, 5Ah, 9Ch, 91h, 9Dh, 0ECh, 9Eh, 1Fh, 9Fh, 44h, 0A0h
.data:0000000000201281                 db 52h, 0A1h, 1, 0A2h, 0FCh, 0A3h, 8Bh, 0A4h, 3Ah, 0A5h
.data:0000000000201281                 db 0A1h, 0A6h, 0A3h, 0A7h, 16h, 0A8h, 10h, 0A9h, 14h, 0AAh
.data:0000000000201281                 db 50h, 0ABh, 0CAh, 0ACh, 95h, 0ADh, 92h, 0AEh, 4Bh, 0AFh
.data:0000000000201281                 db 35h, 0B0h, 0Eh, 0B1h, 0B5h, 0B2h, 20h, 0B3h, 1Dh, 0B4h
.data:0000000000201281                 db 5Dh, 0B5h, 0C1h, 0B6h, 0E2h, 0B7h, 6Eh, 0B8h, 0Fh, 0B9h
.data:0000000000201281                 db 0EDh, 0BAh, 90h, 0BBh, 0D4h, 0BCh, 0D9h, 0BDh, 42h
.data:0000000000201281                 db 0BEh, 0DDh, 0BFh, 98h, 0C0h, 57h, 0C1h, 37h, 0C2h, 19h
.data:0000000000201281                 db 0C3h, 78h, 0C4h, 56h, 0C5h, 0AFh, 0C6h, 74h, 0C7h, 0D1h
.data:0000000000201281                 db 0C8h, 4, 0C9h, 29h, 0CAh, 55h, 0CBh, 0E5h, 0CCh, 4Ch
.data:0000000000201281                 db 0CDh, 0A0h, 0CEh, 0F2h, 0CFh, 89h, 0D0h, 0DBh, 0D1h
.data:0000000000201281                 db 0E4h, 0D2h, 38h, 0D3h, 83h, 0D4h, 0EAh, 0D5h, 17h, 0D6h
.data:0000000000201281                 db 7, 0D7h, 0DCh, 0D8h, 8Ch, 0D9h, 8Ah, 0DAh, 0B4h, 0DBh
.data:0000000000201281                 db 7Bh, 0DCh, 0E9h, 0DDh, 0FFh, 0DEh, 0EBh, 0DFh, 15h
.data:0000000000201281                 db 0E0h, 0Dh, 0E1h, 2, 0E2h, 0A2h, 0E3h, 0F3h, 0E4h, 34h
.data:0000000000201281                 db 0E5h, 0CCh, 0E6h, 18h, 0E7h, 0F8h, 0E8h, 13h, 0E9h
.data:0000000000201281                 db 8Dh, 0EAh, 7Fh, 0EBh, 0AEh, 0ECh, 21h, 0EDh, 0E3h, 0EEh
.data:0000000000201281                 db 0CDh, 0EFh, 4Dh, 0F0h, 70h, 0F1h, 53h, 0F2h, 0FDh, 0F3h
.data:0000000000201281                 db 0ABh, 0F4h, 72h, 0F5h, 64h, 0F6h, 1Ch, 0F7h, 66h, 0F8h
.data:0000000000201281                 db 0A9h, 0F9h, 0B0h, 0FAh, 1Eh, 0FBh, 0D7h, 0FCh, 0DFh
.data:0000000000201281                 db 0FDh, 36h, 0FEh, 7Dh, 0FFh
.data:000000000020147D                 db  31h ; 1
.data:000000000020147D _data           ends

After have some analysis we know: 1. The program will based on the input to perform table lookup 2. The table format are 00 xx 01 xx 02 xx 03 xx 3. The main encrypt function are get_tbl_entry So, based on this information, we can write the code to get the flag.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
#include
#include
#include
 
unsigned char ida_chars[] =
{
  0x01, 0xBB, 0x02, 0x9B, 0x03, 0xC4, 0x04, 0x6C, 0x05, 0x4A, 0x06,
  0x2E, 0x07, 0x22, 0x08, 0x45, 0x09, 0x33, 0x0A, 0xB8, 0x0B,
  0xD5, 0x0C, 0x06, 0x0D, 0x0A, 0x0E, 0xBC, 0x0F, 0xFA, 0x10,
  0x79, 0x11, 0x24, 0x12, 0xE1, 0x13, 0xB2, 0x14, 0xBF, 0x15,
  0x2C, 0x16, 0xAD, 0x17, 0x86, 0x18, 0x60, 0x19, 0xA4, 0x1A,
  0xB6, 0x1B, 0xD8, 0x1C, 0x59, 0x1D, 0x87, 0x1E, 0x41, 0x1F,
  0x94, 0x20, 0x77, 0x21, 0xF0, 0x22, 0x4F, 0x23, 0xCB, 0x24,
  0x61, 0x25, 0x25, 0x26, 0xC0, 0x27, 0x97, 0x28, 0x2A, 0x29,
  0x5C, 0x2A, 0x08, 0x2B, 0xC9, 0x2C, 0x9F, 0x2D, 0x43, 0x2E,
  0x4E, 0x2F, 0xCF, 0x30, 0xF9, 0x31, 0x3E, 0x32, 0x6F, 0x33,
  0x65, 0x34, 0xE7, 0x35, 0xC5, 0x36, 0x39, 0x37, 0xB7, 0x38,
  0xEF, 0x39, 0xD0, 0x3A, 0xC8, 0x3B, 0x2F, 0x3C, 0xAA, 0x3D,
  0xC7, 0x3E, 0x47, 0x3F, 0x3C, 0x40, 0x81, 0x41, 0x32, 0x42,
  0x49, 0x43, 0xD3, 0x44, 0xA6, 0x45, 0x96, 0x46, 0x2B, 0x47,
  0x58, 0x48, 0x40, 0x49, 0xF1, 0x4A, 0x9C, 0x4B, 0xEE, 0x4C,
  0x1A, 0x4D, 0x5B, 0x4E, 0xC6, 0x4F, 0xD6, 0x50, 0x80, 0x51,
  0x2D, 0x52, 0x6D, 0x53, 0x9A, 0x54, 0x3D, 0x55, 0xA7, 0x56,
  0x93, 0x57, 0x84, 0x58, 0xE0, 0x59, 0x12, 0x5A, 0x3B, 0x5B,
  0xB9, 0x5C, 0x09, 0x5D, 0x69, 0x5E, 0xBA, 0x5F, 0x99, 0x60,
  0x48, 0x61, 0x73, 0x62, 0xB1, 0x63, 0x7C, 0x64, 0x82, 0x65,
  0xBE, 0x66, 0x27, 0x67, 0x9D, 0x68, 0xFB, 0x69, 0x67, 0x6A,
  0x7E, 0x6B, 0xF4, 0x6C, 0xB3, 0x6D, 0x05, 0x6E, 0xC2, 0x6F,
  0x5F, 0x70, 0x1B, 0x71, 0x54, 0x72, 0x23, 0x73, 0x71, 0x74,
  0x11, 0x75, 0x30, 0x76, 0xD2, 0x77, 0xA5, 0x78, 0x68, 0x79,
  0x9E, 0x7A, 0x3F, 0x7B, 0xF5, 0x7C, 0x7A, 0x7D, 0xCE, 0x7E,
  0x0B, 0x7F, 0x0C, 0x80, 0x85, 0x81, 0xDE, 0x82, 0x63, 0x83,
  0x5E, 0x84, 0x8E, 0x85, 0xBD, 0x86, 0xFE, 0x87, 0x6A, 0x88,
  0xDA, 0x89, 0x26, 0x8A, 0x88, 0x8B, 0xE8, 0x8C, 0xAC, 0x8D,
  0x03, 0x8E, 0x62, 0x8F, 0xA8, 0x90, 0xF6, 0x91, 0xF7, 0x92,
  0x75, 0x93, 0x6B, 0x94, 0xC3, 0x95, 0x46, 0x96, 0x51, 0x97,
  0xE6, 0x98, 0x8F, 0x99, 0x28, 0x9A, 0x76, 0x9B, 0x5A, 0x9C,
  0x91, 0x9D, 0xEC, 0x9E, 0x1F, 0x9F, 0x44, 0xA0, 0x52, 0xA1,
  0x01, 0xA2, 0xFC, 0xA3, 0x8B, 0xA4, 0x3A, 0xA5, 0xA1, 0xA6,
  0xA3, 0xA7, 0x16, 0xA8, 0x10, 0xA9, 0x14, 0xAA, 0x50, 0xAB,
  0xCA, 0xAC, 0x95, 0xAD, 0x92, 0xAE, 0x4B, 0xAF, 0x35, 0xB0,
  0x0E, 0xB1, 0xB5, 0xB2, 0x20, 0xB3, 0x1D, 0xB4, 0x5D, 0xB5,
  0xC1, 0xB6, 0xE2, 0xB7, 0x6E, 0xB8, 0x0F, 0xB9, 0xED, 0xBA,
  0x90, 0xBB, 0xD4, 0xBC, 0xD9, 0xBD, 0x42, 0xBE, 0xDD, 0xBF,
  0x98, 0xC0, 0x57, 0xC1, 0x37, 0xC2, 0x19, 0xC3, 0x78, 0xC4,
  0x56, 0xC5, 0xAF, 0xC6, 0x74, 0xC7, 0xD1, 0xC8, 0x04, 0xC9,
  0x29, 0xCA, 0x55, 0xCB, 0xE5, 0xCC, 0x4C, 0xCD, 0xA0, 0xCE,
  0xF2, 0xCF, 0x89, 0xD0, 0xDB, 0xD1, 0xE4, 0xD2, 0x38, 0xD3,
  0x83, 0xD4, 0xEA, 0xD5, 0x17, 0xD6, 0x07, 0xD7, 0xDC, 0xD8,
  0x8C, 0xD9, 0x8A, 0xDA, 0xB4, 0xDB, 0x7B, 0xDC, 0xE9, 0xDD,
  0xFF, 0xDE, 0xEB, 0xDF, 0x15, 0xE0, 0x0D, 0xE1, 0x02, 0xE2,
  0xA2, 0xE3, 0xF3, 0xE4, 0x34, 0xE5, 0xCC, 0xE6, 0x18, 0xE7,
  0xF8, 0xE8, 0x13, 0xE9, 0x8D, 0xEA, 0x7F, 0xEB, 0xAE, 0xEC,
  0x21, 0xED, 0xE3, 0xEE, 0xCD, 0xEF, 0x4D, 0xF0, 0x70, 0xF1,
  0x53, 0xF2, 0xFD, 0xF3, 0xAB, 0xF4, 0x72, 0xF5, 0x64, 0xF6,
  0x1C, 0xF7, 0x66, 0xF8, 0xA9, 0xF9, 0xB0, 0xFA, 0x1E, 0xFB,
  0xD7, 0xFC, 0xDF, 0xFD, 0x36, 0xFE, 0x7D, 0xFF, 0x31
};
 
unsigned char encFlag[] =
{
  0x27, 0xb3, 0x73, 0x9d, 0xf5, 0x11, 0xe7, 0xb1, 0xb3, 0xbe, 0x99, 0xb3, 0xf9, 0xf9, 0xf4, 0x30, 0x1b, 0x71, 0x99, 0x73, 0x23, 0x65, 0x99, 0xb1, 0x65, 0x11, 0x11, 0xbe, 0x23, 0x99, 0x27, 0xf9, 0x23, 0x99, 0x05, 0x65, 0xce
};
 
 
int main(int argc, char** argv) {
for(int i = 0;i < sizeof(encFlag); i++){
for(int j = 0;j < sizeof(ida_chars); j++){
if(encFlag[i] == ida_chars[2*j + 1]){
printf("%c",ida_chars[2*j]);
break;
}
}
}
return 0;
}

Output: flag{t4ble_l00kups_ar3_b3tter_f0r_m3}

Leave a Comment

[Bugs Bunny] rev100 – 100pt

Published July 31, 2017 by SaBeLa

Solution: Key point:

C
1
*(_BYTE *)(i + C) = *(_BYTE *)(C + i) + (*(&A + i) ^ *(&B + i));

c = a xor b , maybe c is the flag?

Python
1
2
3
4
5
import binascii
a = 0x4140376d77342c5f41426007347d12577a22254f28
b = 0x342744323541423138393837462223242544502155
c = a^b
binascii.unhexlify(hex(c).rstrip('L')[2:])

Bugs_Bunny{X0r_1s_fun}

Leave a Comment

[Bugs Bunny] mysterious ! – 75pts

Published July 31, 2017 by SaBeLa

Solution: We guess all of these value are base64 string. So our plan is extract it out and decode it. Base64 Data:

1
iVBORw0KGgoAAAANSUhEUgAAAoAAAAGQCAYAAAA+89ElAAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAB3RJTUUH4QcPFScXuHT4+AAAABl0RVh0Q29tbWVudABDcmVhdGVkIHdpdGggR0lNUFeBDhcAABwOSURBVHja7d19kFVl4cDxZ5dlEUxxERBRQAlIQAhfKFHRUUQzETNRGY0kR9QMpanMt8yfTpnomGJORoZImPFiWSO+DaL4kja+lYKAggg6ArLxJu/sy/P7wzjtwu7eu3Dv3Xvh85nZcWXPOffsOee557v35dyiGGMMAADsNYptAgAAAQgAgAAEAEAAAgAgAAEAEIAAAAhAAAAEIAAAAhAAAAEIAIAABABAAAIAIAABABCAAAACEAAAAAQgAAACEAAABABAAAIACEAABAAQgAAACEAAAhAAAAEIACAAAQAQgAAACEAAAhAAQAACACAAAQAQgECWxRjDtGnTwvDhw0Pv3r1DWVlZKC0tDUVFRU2yPkVFRckX5OqYctzZFtvvDx999NFw5plnhg4dOiT3hQ197Wn7vrS0NJSVlYXevXuHCy+8MEyZMiVUV1dn7jZijDGdFUmlZcuW4YADDghf+cpXwoABA8JFF10UjjzySPd4WT5A7Jc9Q1VVVRgyZEh45pln6r0z3JX9vyt3unUtP427iUZZuXJlmDt3bpgzZ07y3/feey9s2LAha7dZSNauXRsmT54c/vKXv4RFixaF8vLy0K5du9CtW7dw3nnnhe9+97uhdevWTbqOQ4cODU888UTK47S+Y7a+abN53DXFfXC+jsElS5aE2bNnhzfeeCO8++674aOPPgqrV68OFRUVoXXr1qFbt27hxBNPDCNHjsz5OSPGGIYPHx6mTZu2y9suF8dzUxxbgwcPDk8//XRo1qxZRjZ0SiGERn8VFRXFESNGxPXr10eyw37Zc0ycOLHB/Zap/Z/qq77lN8Wxu6eMzcaaOXNmPOSQQxrcNoceemicNWtW1telPg8//PAu7bN0pi2kY2BPH4PbzxmXX3553Lx5c8626+TJk3d72+XieG6qY2vixImZuY1sH+THH398rKiocIbPszsf+yW/DBkyJNk3RxxxRHzyySfjypUrY2Vl5V578tkbA/DFF1+MpaWlaW2fFi1axFdeeSXnAfjJJ5/E1q1bxxBCPO644wTgHh6A27/OPPPMWF1dnZPtevrppye3O2jQoPjuu+/WG6C7u41253jOtsrKylheXh6feeaZ2KtXr2S9zjrrrKYJwLpUV1fHjRs3xvfffz9OnDgxHn300bXmuffee53hm+AkY78Ujs6dOyf75bnnnsuLR6KyeUfYtm3bePLJJ8errroq3n///fGFF16IK1eu3KsDcO3atbFt27bJfG3atInjxo2LS5cujVu2bIkfffRRvPfee2NZWVkyTfv27ePnn3+e0/14xhlnJAE6b968vToAC3kMdu3aNV5++eVxwoQJ8Y033ojl5eWxoqIibtq0KS5cuDBOmDAh9u7du9Y6PPTQQznZZu3atUtuc968eVndRrtzPOfSrFmzkvXq0qVL/gTgjioqKuK5556bzNO/f39n+Dy4Y7Ff8lerVq2S/bJu3bo9/uSzp5/8d+X3uPHGG5N52rZtGz/88MM6p1u0aFGtUPz5z3+es206fvz4ZFl33HFHo5cvAAtrPGzZsiUJpBBCHDhwYE5ut6SkJLnNbdu2ZW0b7e7xnEtr165N1utLX/pSRpbZ6DeBxDRfFDl//vzQq1evEEII+++/f1i3bp1X+mfxRaL2y56zL6urqzP24vLdeRF5U7wYv5DeAJDJ36OysjIcdNBBYfXq1SGEEKZOnRouuOCCeqefOnVqGD58eAghhHbt2oXly5fX+6LwTG3TJUuWhL59+4b169eH/v37h9deey00a9asUcvf094EsieOwR3NmTMn9O3bN4QQwgEHHBDWrFmTV9tsV7dRJo7nXL8xpri4OPmdM/Fu4KxdBqZr165p7+jGvoW7sfO88sor4dJLLw1f/vKXQ6tWrUJZWVno1atXGD16dHjzzTcbvdyVK1eGu+66K5x22mnhkEMOCS1btgzNmzcPrVu3Dj179gznnHNOuOOOO8K8efPy7s6oqfdLXdMsWrQo3HjjjeGoo44Kbdu2DS1atAgdO3YMQ4cODVOnTk1rEGZ6uf3790+Wd9ddd6W9DX77298m8x1zzDF5887CTMnEvsqmph6bdR3/6Vyy4qWXXkrir2vXrmHYsGEN3s7555+fjOXy8vLw8ssvZ2xd6jv5XHrppWH9+vWhtLQ0TJw4MTPvQmykphyXe+sY7NGjR/L95s2bsxp96R6zmYipTB/Pme6MnPwxkK2HoWs+l96nT5+MLjvdebZu3RpHjhyZ8h1OY8aMiZWVlWkt989//nPcf//9s/6upD11v+w4zR133BFbtGjR4DY89dRTUz4tmunlPvTQQ8l0Xbt2TfvFz/369Uvme+CBB5r8qZ6QwaefMrWvsrW++TA2wy6+2P+mm25K/n3MmDFp3dY111yTzHPzzTdnbF3qct999yXT/vKXv9zlfRZ28yngXI/LvXEM7mjBggXJsnv27JmT7RSy/EaZTB3P2eqMXJ0nshKAlZWV8bzzzkvm+fGPf5zz0Kiqqopnn3122gfU1VdfnXK5s2fPjkVFRTl5W/qeul9qTnP99denvR3PPffctG87E8vdtGlTbNOmTTLdU089lfL3f+ONN5LpW7Vq1ag74XwPwEzuq2ysb76MzV29/W9961vJv0+fPj2t25o+fXoyz7e//e2sBeDChQuT16gec8wxO109IJcBmOtxuTeOwR3PGcOGDUuWe9tttxV8AGbyeM5GZxRkAG7atCl+8MEHcdKkSfFrX/taMn1ZWVn89NNPcx4ad999d63pjj766Dh16tS4fPnyuHXr1rhs2bI4ZcqUWn8Zplru4MGDa71D7+67745z586NGzZsiFVVVXHDhg1x4cKF8cknn4w33nhj7NWrV5PfseTbfqlrWw8aNCg+/vjjcfny5XHbtm1x1apV8e9///tO++all17K6XJ/9KMfJdMMGTIk5e9/xRVXJNOPHDky7e22devWZL5mzZrl5cknk/sqG+tbiGOzpp49eybT/+tf/0prnrfffjuZp6HfZ3eOgaqqqnjCCSfEEEIsLS2Nc+bM2a3lhwy8CSRX43JvHYNbt26NH3/8cZwyZUqty6Ice+yxcdOmTXm3zRobbJk8nrPRGQ0pLi5O+80xWQnAxnz17ds3vvfeexkfHKnmWb9+fa2ngoYPH17vNe+2bdtW6y+chpa7/VpBuzO4muovpnzYL3Wt8+23317vtBs3boxHHnlkMu2oUaNyutyFCxcmjyoVFxfHjz76qN5lbtiwIe63337JMv/xj3+kvd0WLVpUK8zz9eSTqX2VjfXN57GZjvbt2yfTl5eXpzVPeXl5Mk+HDh2ycgzcddddKR/9yXUA5mpc7k1jsKHzRbNmzeLFF18cN2zYkJfbrDHTZvJ4zlZnNOSAAw5I5q3vKgF5EYCDBw+O77zzTlYGR6p5HnzwweTnnTt3jhs3bky5Izt16pRyufvss0/y82XLlhVkADblftlxmqFDh6Zc5pQpUxr9msVMLrfmBUmvu+66eqebMGFCWo/G1GXs2LHJvF//+tfz8uSTyW2ajfXN57GZjn333TeZPt1HWTZu3JjWZSF2dZvOmzcv2a5HHXVUvSe30ASXgcnFuNybxmB954vi4uL4k5/8JC5fvjxvt1m602b6eM5WZzSk5rN4d955Z34/AlhUVBRHjx7d4CdOZCM0hg8fvtO1fVK5/fbbUy73qKOOSn7eo0ePOGnSpLhq1aqCewSwqfbLjtPMnDkz5TKXLVuW1qNj2Vru3/72t2S6du3axS1bttQ53YABA5Lpfv3rX6e8/a1bt8YPP/ww3nnnnbXipaG/8Jvy5JPJbZqN9c3nsZmOmk/tVFVVpTVPVVVVWi8d2JVtWllZGfv37x9DCLF58+bx3//+d85O1ulMk61xmc8BmM0xmOqcUVpaGm+55Za0j818C8BsHM/Z6ox0599nn33inXfeGRctWhS3bt2amwBs6IS2YsWK+Pzzz8cxY8bEli1bJvNcccUVOQ2N7t27Jz9/880301rm66+/nnK5kyZNqvMvpH79+sUrr7wy/vGPf4yffPJJXt2x5NN+2XGaNWvWpFxmRUVFrW2d6+VWVlbW+pSOyZMn7zTN3Llza30813/+859durM9/fTTM/55m5k6+WRym2ZjfQtxbNZU80Lg+fAI4C9+8YtknltuuSWnJ+t0T+iZHpf5HoC5GoMbN26MixcvjtOmTdvpDQ6XX355QQZgNo7nbHVGQzZv3lzrwty7+5Ry1i4DM3/+/Fqva6nvdTnZCI2az5OvXbs2rWWuWbMmrXX51a9+FZs3b97gX0snnnhinDFjRl7esTTlfinE5e5453Hcccft9PMxY8bUeh1IY//aLikpif/3f/+X1yefXNze7s5fyGMzn14D+M477ySfR/zVr341o5/EkMmxnOlxme8BmKsxWNejrTUvPZPOO6/zKQCzdTxnszNSue222+q8r8ubAIyx9sesXHzxxTk7wJs1a5b8vLKyMq1l1vzLKdW6LFmyJN50002xb9++tZ662fHrBz/4QV7esTTVfinUAFyxYkVyBxJCiG+//Xbysy1btsQDDzywUZ/jW9/xcv755zf4tLwATK1Qx2Y+vQt4+zsWS0pKah3r+RaAmR6XAjC92D7rrLMKKgCzdTxnuzPqm/+CCy7I/0cAY4zx008/TeY77LDDcnaA13xHYLbLfN26dXHWrFnxtttuiyeccMJO1yJ75JFH8u6Opan2S6EGYIy1X+9x2WWXJf/+6KOP7tKFaTdv3hznz58fr7vuulqhcs899wjADJ28CmlsZuM6gLu6Lrv62uJ0TkiZHsuZHpcCsG5Lly6t9TnVhRSA2Tqec9kZ291zzz21Xvd7ww03xPnz5+/yS4eyGoDbtm2r9RqMutQ8+aVT0atXr065Pt26dcv5c/PbffDBB/Hoo4/OyYdnF9p+KeQAfOmll2pdTHb763FOOeWU3X4DR83rmh1//PECMEsXas7nsbm7nwTys5/9bK8MwGyOSwH4PzWvVdq8eXMB2ESdUfNNTddee+1ub+esfRZwCCF89tlnyfctWrSoc5r99tsv+b68vDzlMt96662U09T8rMfnnnsurXVNd7pUunfvHiZOnJj8/zvvvJN3nyXZVPulkA0cODD06dMnhBDCpk2bwsMPPxw+/PDDMHv27BBCCCUlJeF73/veLi374osvTr5fsGBBIDvyeWyecsopyfdPPPFEyg96r66uDjNmzEj+f9CgQXvlPs3muOR/li5dmnzftm1bG6SJOqPm+eGiiy7a7d8hqwH4xBNPJN937ty5zmk6deqUfF/XB5rv6De/+U3KaWreGT7wwANh06ZNDU6/YcOG8MADD2Ts9+7WrVvyfTY/PLvQ9kuh+/73v598/7vf/S48+OCDyYdyn3XWWaFDhw67tNyaH7a+bt0696xZlKux2bJly+T7VPc/IYRw8sknh7KyshBCCIsXLw6PPfZYg9NPnz49LF68ODkhDxw4MGPr8t9nhtL+amjeQh6X/M+kSZOS74888siCWvdsHc9N0Rk1zw/du3fPyMbJykPKc+fOjW3btk35ubOjRo1KpunXr1+913OKcedr6NS3Pp9//nmtq783dIXuioqKeP7556e13FNPPTW+9tprKX/3hx9+OFnO4YcfnldPLTTlfinkp4Bj/OJCnjWPq5rvjNudd5ZWV1fn/WcB5/tTwPk2NmteouStt95Ka54bbrih1rXt6rvS/6JFi2qN4Ztvvjnj69JUT9fl07j0FPAXpk2bVusdp+PHjy+op4CzddvZ6oyc/q6ZutFt27bFzz77LLneXM2L27Zq1SouXbq0zvlefPHFWss/9thj44wZM+Lq1atjRUVFXLFiRXz88cfjaaed1qh3vdT8yJfw3w99njZtWlyxYkXctm1bXLFiRZw6dWqtC8iGNF9L0K9fvzh27Nj46quvxvLy8uR3f/XVV+Po0aNrDZYf/vCHTTpI8m2/FHIAxhjjVVddtdPveuihh6b9LrBcv/ZtbwnAfBubQ4YMSW7ntNNOi3PmzEl5+Ym1a9fWCrs2bdrE++67Ly5dujRu2bIlLlmyJN57772xrKwsmaZ9+/bx888/z/i6FFIAZnNc7qljsEePHnHMmDHxkUceiW+++WZcsWJF3Lx5c/K52QsWLIiTJ0/e6ZpzRxxxREaPnUIOwGx1Rl4HYGO/iouL45/+9KcGl1/zHXCpvq6//vq0NkJVVVX85je/mfZyr7766lrXZcvEdujUqVNWP42gEPdLoQdgzYvLpvsIjADM3PGbqWVle2zWfKSxMb/L7Nmza13apKGvFi1axJdffjlr61JIAZitcbmnjsFdGXsdO3aMH3zwQd5ts6YMwGx0xh4TgJ07d47PPPNMyuWvXbs2Dho0KOVH0Wx/N1e6G2HLli1xxIgRKT8WbcyYMXHdunXJvx144IF1Lu/555+PAwcOTOt3P/744+t9dK2pA7Ap90uhB2CMMZ500km1QnrJkiUZ3ZeZvGTF3hKA+TY2KysrU46d+sycOTN27NixwXkPOeSQOGvWrKyvS6EEYLbGpQD84mvYsGE5/YztQgnAbHRGfWq+VKioqCi/ArCkpCS2adMm9unTJ15yySXxsccea9Tn01VXV8epU6fGs88+Ox588MGxtLQ0lpWVxT59+sRrr702LliwYJd30IsvvhgvueSSePjhh8d99tkntm7dOvbs2TNeddVV8fXXX48xfnGJiO3L7N69e4PLmzNnTrzhhhvigAED4oEHHhhLSkri/vvvH3v37h1HjhwZn3rqqZxcd6oQ98ueEIA//elPk/nOOOOMjOzLmh8Ftm7dOgG4i6GSL2Mzxi9e9zN+/Pg4ePDg2KFDh50e2WvImjVr4rhx4+LAgQOTcXfwwQfHk046KY4bNy7t645lYl0KJQCzMS731DG4ePHiOGHChHjllVfGE088MXbq1Cm2bNkyFhcXx/322y926dIlnnnmmfHWW2+NCxcuzOtt1tQBmK3OqOsBmZDGRz82RtF/f+G93h/+8IcwatSoEEIIw4YNC9OnT7dR2El1dXU47LDDwieffJK8G3PYsGG7vdwuXbqEjz/+OIQQwqxZs8Kpp55qY0MTj0vIl8544YUXkvNCly5dwpIlS3Z7fYrtkhAqKirCuHHjkv8fMGCAjUKdnn766eQk065du3DOOedkZLl9+/ZNvr/66qvDs88+G1atWpXyenBA9sYlNGVnVFdXh9WrV4eZM2eGa665Jvn37de+3F0le/tO2bZtW7jsssvC3LlzQwghlJaW1rowL9Q0duzY5PsRI0aE5s2bZ2S55513XnJh33nz5oVvfOMbtX7ugXrI/biEpuqMoqKiBs8XAjCFnj17hqFDh4YTTjghHH744aF9+/ahTZs2YcuWLWHp0qVh9uzZ4f777w/vv/9+Ms8VV1wRDjroIEcsteLr008/DWPHjk0uit2sWbMwevTojN3GiBEjwpQpU8Kzzz5rg0OejEvIt84YPHhwGDFiREbWfY9+DWBDBV2XY445Jrz88su1rpzP3q2+Y2jUqFHh97//fUZvq7q6OkyfPj389a9/DXPmzAnLli0LGzduDJWVlR4BhCYal9AUnVFUVBRKSkpCq1atQseOHUOfPn3CueeeGy688MJQXJyZV+8JwP9Od9FFF4Xx48eHfffdN28OlPr+6qVpj6EePXqEf/7zn8lHd7H33Ykbm4U/Lu1zY2dP7IzG2KOfAp4/f36YMWNGePXVV8PixYvD6tWrw6pVq0JVVVUoKysLXbt2DSeddFL4zne+E3r37u1elXo1a9YsdOzYMQwdOjTceuut4g+MSyjoznAZGH8pgbFpbNrn9rntuLftOwEIALB3cR1AAAABCACAAAQAQAACACAAAQAQgAAACEAAAAQgAAACEAAAAQgAgAAEAEAAAgAgAAEAEIAAAAIQAAEABCAAAAIQgAAEAEAAAgAIQAAABCAAAAIQgAAEABCAAAAIIAABABCAAAAIAAACEABAANoEAAEAEIAAAAhAAAAEIAAAAhAAAAEIAIAABABAAAIAIAABAAQgAACy5v8BjDWwa4oYZqgAAAAASUVORK5CYII=

Finally we get Bugs_Bunny{Th1s_t0t4lly_Th3_fl4g}

Leave a Comment