CTFの問題の解説

某所で解いたCTFの問題の解説。

iCTF 2011 Challenge 33

The file contains a JPEG image preceded by other data. Removing bytes 0 through 0x72ac7 (the offset can be located by searching for the JPEG SOI marker FF D8 FF) leaves an image that shows the answer.

bank account

  901729374207-162837465036

iCTF 2011 Challenge 30

The file name "reverse2.7z.enc" suggests an encrypted 7z archive. The first 8 bytes of reverse2.7z.enc are "4D 4E AE 3F 5D 28 12 93", and every 7z archive starts with the 6-byte signature "37 7A BC AF 27 1C" followed by a 2-byte format version, "00 03" here (00 04 is also common). 4D4EAE3F5D281293 xor 377ABCAF271C0003 is 7A3412907A341290 — the same 4 bytes twice, which both confirms the guessed version bytes and shows that the key is the repeating 4-byte sequence 7A 34 12 90. XORing the whole of reverse2.7z.enc with 7A3412907A341290... recovers the original archive (reverse2.7z); a successful 7z listing confirms the key.

reverse2.7z contains two files "a" and "b". File "a" is raw 32-bit x86 machine code (no executable header; offsets start at 0), shown below as NASM-syntax disassembly:

; ---------------------------------------------------------------------------
; Function at 0x00000000 — print the buffer as decimal digits.
;   [ebp+0x8] : pointer to a 24-byte buffer (the only argument this code reads)
;   [ebp-0x4] : loop counter i
; All calls go through the pointer at [dword 0x6001a238] with cdecl caller
; cleanup (add esp after each call). The argument shapes — one string
; pointer, then (string pointer, char) per byte, then one string pointer
; after i == 0xc — match printf(); the callee and the strings at
; 0x60011260/0x60011264/0x60011268 live in "b", not in this listing.
; ebx/esi/edi are saved and restored but never used.
; ---------------------------------------------------------------------------
00000000  55                push ebp
00000001  8BEC              mov ebp,esp
00000003  83EC44            sub esp,byte +0x44                ; 0x44 bytes of locals; only [ebp-0x4] is referenced
00000006  53                push ebx
00000007  56                push esi
00000008  57                push edi
00000009  C745FC00000000    mov dword [ebp-0x4],0x0           ; i = 0 (redundant: set again at 0x1e)
00000010  6868120160        push dword 0x60011268             ; arg0 = string in "b" (+0x8)
00000015  FF1538A20160      call dword near [dword 0x6001a238] ; callee(0x60011268) — presumably a prefix/header string
0000001B  83C404            add esp,byte +0x4                 ; cdecl: pop 1 arg
0000001E  C745FC00000000    mov dword [ebp-0x4],0x0           ; i = 0
00000025  EB09              jmp short 0x30                    ; enter the loop at the condition check
00000027  8B45FC            mov eax,[ebp-0x4]                 ; loop increment: i++ (reached from 0x6d)
0000002A  83C001            add eax,byte +0x1
0000002D  8945FC            mov [ebp-0x4],eax
00000030  837DFC18          cmp dword [ebp-0x4],byte +0x18    ; while (i < 0x18) — 24 bytes
00000034  7339              jnc 0x6f                          ; unsigned i >= 0x18 -> epilogue
00000036  8B4508            mov eax,[ebp+0x8]                 ; eax = buf
00000039  0345FC            add eax,[ebp-0x4]                 ; eax = &buf[i]
0000003C  0FB600            movzx eax,byte [eax]              ; eax = buf[i], zero-extended (0..255)
0000003F  99                cdq                               ; edx:eax = sign-extended eax (non-negative here)
00000040  B90A000000        mov ecx,0xa
00000045  F7F9              idiv ecx                          ; eax = buf[i] / 10, edx = buf[i] % 10
00000047  83C230            add edx,byte +0x30                ; edx = '0' + (buf[i] % 10)
0000004A  52                push edx                          ; arg1 = digit character
0000004B  6864120160        push dword 0x60011264             ; arg0 = string in "b" (+0x4), presumably a "%c"-style format
00000050  FF1538A20160      call dword near [dword 0x6001a238] ; callee(0x60011264, '0' + buf[i] % 10)
00000056  83C408            add esp,byte +0x8                 ; cdecl: pop 2 args
00000059  837DFC0C          cmp dword [ebp-0x4],byte +0xc     ; after the 13th digit (i == 0xc) ...
0000005D  750E              jnz 0x6d
0000005F  6860120160        push dword 0x60011260             ; ... print the string in "b" (+0x0), presumably the separator
00000064  FF1538A20160      call dword near [dword 0x6001a238] ; callee(0x60011260)
0000006A  83C404            add esp,byte +0x4                 ; cdecl: pop 1 arg
0000006D  EBB8              jmp short 0x27                    ; next i
0000006F  5F                pop edi                           ; epilogue: restore callee-saved regs, tear down frame
00000070  5E                pop esi
00000071  5B                pop ebx
00000072  8BE5              mov esp,ebp
00000074  5D                pop ebp
00000075  C3                ret
   :
0000009F  CC                int3
; ---------------------------------------------------------------------------
; Function at 0x000000a0 — build the 24-byte buffer at [ebp+0x8].
;   pass 1 (0xb0..0xd3):  buf[i] = (byte)i                        for i = 0..0x17
;   pass 2 (0xd5..0x10b): buf[i] ^= byte [0x60011288 + 2*i]       for i = 0..0x17
; The XOR table is read with a scale-2 index, i.e. every other byte of "b"
; starting at offset 0x28 (0x60011288 - 0x60011260). No calls are made;
; ebx/esi/edi are saved and restored but never used.
; ---------------------------------------------------------------------------
000000A0  55                push ebp
000000A1  8BEC              mov ebp,esp
000000A3  83EC44            sub esp,byte +0x44                ; 0x44 bytes of locals; only [ebp-0x4] is referenced
000000A6  53                push ebx
000000A7  56                push esi
000000A8  57                push edi
000000A9  C745FC00000000    mov dword [ebp-0x4],0x0           ; i = 0 (duplicated on the next line)
000000B0  C745FC00000000    mov dword [ebp-0x4],0x0
000000B7  EB09              jmp short 0xc2                    ; pass 1: enter at the condition check
000000B9  8B45FC            mov eax,[ebp-0x4]                 ; i++
000000BC  83C001            add eax,byte +0x1
000000BF  8945FC            mov [ebp-0x4],eax
000000C2  837DFC18          cmp dword [ebp-0x4],byte +0x18    ; while (i < 0x18)
000000C6  730D              jnc 0xd5                          ; unsigned i >= 0x18 -> pass 2
000000C8  8B4508            mov eax,[ebp+0x8]                 ; eax = buf
000000CB  0345FC            add eax,[ebp-0x4]                 ; eax = &buf[i]
000000CE  8A4DFC            mov cl,[ebp-0x4]                  ; cl = low byte of i
000000D1  8808              mov [eax],cl                      ; buf[i] = (byte)i
000000D3  EBE4              jmp short 0xb9
000000D5  C745FC00000000    mov dword [ebp-0x4],0x0           ; pass 2: i = 0
000000DC  EB09              jmp short 0xe7
000000DE  8B45FC            mov eax,[ebp-0x4]                 ; i++
000000E1  83C001            add eax,byte +0x1
000000E4  8945FC            mov [ebp-0x4],eax
000000E7  837DFC18          cmp dword [ebp-0x4],byte +0x18    ; while (i < 0x18)
000000EB  7320              jnc 0x10d                         ; unsigned i >= 0x18 -> epilogue
000000ED  8B4508            mov eax,[ebp+0x8]
000000F0  0345FC            add eax,[ebp-0x4]                 ; eax = &buf[i]
000000F3  0FB608            movzx ecx,byte [eax]              ; ecx = buf[i]
000000F6  8B55FC            mov edx,[ebp-0x4]                 ; edx = i
000000F9  0FB6045588120160  movzx eax,byte [edx*2+0x60011288] ; eax = table[2*i]  (table = "b" + 0x28)
00000101  33C8              xor ecx,eax                       ; ecx = buf[i] ^ table[2*i]
00000103  8B5508            mov edx,[ebp+0x8]
00000106  0355FC            add edx,[ebp-0x4]                 ; edx = &buf[i] (recomputed)
00000109  880A              mov [edx],cl                      ; buf[i] = low byte of the result
0000010B  EBD1              jmp short 0xde
0000010D  5F                pop edi                           ; epilogue
0000010E  5E                pop esi
0000010F  5B                pop ebx
00000110  8BE5              mov esp,ebp
00000112  5D                pop ebp
00000113  C3                ret

File "b" is a memory image: the code refers to it only by absolute addresses starting at 0x60011260 (the three string pointers passed to the call at [0x6001a238], and the XOR table at 0x60011288, i.e. offset 0x28 in "b"). Load "b" at 0x60011260, then call the function at 0x000000a0 and afterwards the one at 0x00000000, each with a pointer to a 24-byte buffer as the argument at [ebp+0x8], and the answer is printed. The indirect call through [dword 0x6001a238] uses cdecl caller cleanup and (format, value) argument shapes consistent with printf(), but the callee itself is not part of the listing, so an emulator has to supply it. The following Python code emulates both functions instead of running the machine code.

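import binascii

# The 48 bytes of "b" starting at 0x60011288 — the table that the code at
# 0x000000a0 reads with a stride of 2. Written as ONE string literal on
# purpose: the earlier form `"..." + "..." + "...".decode("hex")` only decoded
# the LAST literal, because the method call binds tighter than "+", and so
# produced a 40-element buffer instead of 24.
XOR_TABLE_HEX = ("1f829d233f5f5c5917f795afec2bc65e"
                 "11eb33fe35f6f78728aaa032cea92b40"
                 "5e42cd53e707d28d9801a1e2123754ea")

BUF_LEN = 0x18      # both loops run i = 0 .. 0x17 (cmp dword [ebp-0x4],byte +0x18)
DASH_AFTER = 0xc    # 00000059: the separator string is printed right after index 0xc


def emulate_a0(table):
    """Emulate the function at 0x000000a0.

    table: byte sequence whose element [2*i] is the byte at 0x60011288 + 2*i
           (any indexable of ints, e.g. bytearray/bytes).
    Returns the 24-entry buffer as a list of ints: buf[i] = i ^ table[2*i].
    Raises ValueError if the table is too short to cover index 2*(BUF_LEN-1).
    """
    if len(table) < 2 * BUF_LEN:
        raise ValueError("XOR table needs %d bytes, got %d" % (2 * BUF_LEN, len(table)))
    # pass 1 sets buf[i] = i, pass 2 XORs in every other table byte; fused here.
    return [i ^ table[2 * i] for i in range(BUF_LEN)]


def emulate_00(buf):
    """Emulate the function at 0x00000000 and return what it would print.

    buf: the buffer produced by emulate_a0 (ints, 0..255).
    Returns the digits (buf[i] % 10) as a string with "-" inserted after
    index DASH_AFTER, i.e. 13 digits, a dash, then the remaining digits.
    """
    digits = [str(x % 10) for x in buf]
    head = "".join(digits[:DASH_AFTER + 1])
    tail = "".join(digits[DASH_AFTER + 1:])
    return head + "-" + tail


if __name__ == "__main__":
    # bytearray yields ints when indexed on both Python 2 and 3.
    table = bytearray(binascii.unhexlify(XOR_TABLE_HEX))
    print("Bank account: " + emulate_00(emulate_a0(table)))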

The answer is "1615944358326-32680530047".