Q1

웹 문제인데 Super Super Guessing Chall.. 대충 요약하자면 QR Code Recovery + No Cookie Send Data + Command Injection + /etc/shadow + /etc/passwd + Login Account 이정도....

FLAG : h39dmxieYdne

Q2

#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdint.h>
#include <sys/stat.h>
#include <fcntl.h>

int Solution(unsigned int *data)
{

        if ( 316 * data[0]
     - 901 * data[1]
     + 0 * data[2]
     - 984 * data[3]
     + 359 * data[4]
     - 986 * data[5]
     - 869 * data[6]
     - 733 * data[7]
     - 800 * data[8]
     + 621 * data[9] == -347560 ){
                if ( 754 * data[0]
                     + 103 * data[1]
                     - 230 * data[2]
                     + 359 * data[3]
                     - 516 * data[4]
                     + 133 * data[5]
                     - 16 * data[6]
                     - 500 * data[7]
                     - 343 * data[8]
                     + 980 * data[9] == 31039 ){
                        if ( 641 * data[0]
                             +262 * data[1]
                             - 415 * data[2]
                             - 889 * data[3]
                             + 621 * data[4]
                             - 855 * data[5]
                             - 818 * data[6]
                             - 785 * data[7]
                             - 866 * data[8]
                             - 799 * data[9]== -262955 ){
                                if ( 473 * data[0]
                                 - 57 * data[1]
                                 - 477 * data[2]
                                 + 164 * data[3]
                                 - 22 * data[4]
                                 - 865 * data[5]
                                 - 784 * data[6]
                                 - 768 * data[7]
                                 + 416 * data[8]
                                - 121 * data[9]== -180990){
                                        if ( 944 * data[0]
                                      - 912 * data[1]
                                      + 667 * data[2]
                                      + 303 * data[3]
                                      + 524 * data[4]
                                      - 523 * data[5]
                                      + 227 * data[6]
                                      + 799 * data[7]
                                      - 618 * data[8]
                                      - 739 * data[9]== 156060 ){
                                                if ( 597 * data[0]
                                              - 381 * data[1]
                                              - 996 * data[2]
                                              + 109 * data[3]
                                              + 476 * data[4]
                                              - 48 * data[5]
                                              - 710 * data[6]
                                              - 384 * data[7]
                                              - 390 * data[8]
                                              - 507 * data[9]== -143022){
                                                        if (164 * data[0]
                                                      - 300 * data[1]
                                                      - 808 * data[2]
                                                      + 308 * data[3]
                                                      + 311 * data[4]
                                                      - 144 * data[5]
                                                      + 230 * data[6]
                                                      + 251 * data[7]
                                                      + 998 * data[8]
                                                      - 469 * data[9]== 18791){
                                                                if (301 * data[0]
                                                              + 571 * data[1]
                                                              + 955 * data[2]
                                                              - 462 * data[3]
                                                              - 4 * data[4]
                                                              - 541 * data[5]
                                                              - 380 * data[6]
                                                              + 96 * data[7]
                                                              - 62 * data[8]
                                                              - 452 * data[9]== 60199){
                                                                 if (703 * data[0]
                                                                      - 635 * data[1]
                                                                      - 733 * data[2]
                                                                      + 119 * data[3]
                                                                      - 549 * data[4]
                                                                      + 220 * data[5]
                                                                      + 739 * data[6]
                                                                      + 102 * data[7]
                                                                      + 812 * data[8]
                                                                      - 770 * data[9]== -48454){
                                                                 if (207 * data[0]
                                                                       + 426 * data[1]
                                                                       + 324 * data[2]
                                                                       + 403 * data[3]
                                                                       + 149 * data[4]
                                                                       + 257 * data[5]
                                                                       + 765 * data[6]
                                                                       - 368 * data[7]
                                                                       + 707 * data[8]
                                                                       - 221 * data[9]== 202674 ){


                                                                 return 1;

                                                                 }
                                                                 else
                                                                 {
                                                                 }
                                                                 }
                                                                 else
                                                                 {
                                                                 }
                                                                 }
                                                                 else
                                                                 {
                                                                 }
                                                                 }
                                                                 else
                                                                 {
                                                                 }
                                                                }
                                                                else
                                                                {
                                                                }
                                                        }
                                                        else
                                                        {
                                                        }
                                                }
                                                else
                                                {
                                                }
                                        }
                                        else
                                        {
                                        }
                                }
                                else
                                {
                                }
                        }
                        else
                        {
                        }

        return 0;
}

int main(){
        unsigned int data[10];

    puts(" ** enjoy **");
        fflush(stdin);
        int i; 
        for (i = 0; i < sizeof(data)/sizeof(int); i++) {
                printf(" Input[%d] : ", i);
                fflush(stdin);
                scanf("%u", &data[i]);
        }

        if ( (unsigned int)Solution(data) ) {

            printf(" [+] flag {%c%c%c%c%c%c%c%c%c%c}\n", data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7], data[8], data[9]);
        }
        else {
                puts(" [-] nope!!");
        }
        return 0;
}

Ez

from z3 import *

s = Solver()
data = [BitVec('a%i'%i,8)for i in range(10)]

s.add(( 316 * data[0]
     - 901 * data[1]
     + 0 * data[2]
     - 984 * data[3]
     + 359 * data[4]
     - 986 * data[5]
     - 869 * data[6]
     - 733 * data[7]
     - 800 * data[8]
     + 621 * data[9] == -347560 ))

s.add(( 754 * data[0]
                     + 103 * data[1]
                     - 230 * data[2]
                     + 359 * data[3]
                     - 516 * data[4]
                     + 133 * data[5]
                     - 16 * data[6]
                     - 500 * data[7]
                     - 343 * data[8]
                     + 980 * data[9] == 31039 ))
s.add(641 * data[0]
                             +262 * data[1]
                             - 415 * data[2]
                             - 889 * data[3]
                             + 621 * data[4]
                             - 855 * data[5]
                             - 818 * data[6]
                             - 785 * data[7]
                             - 866 * data[8]
                             - 799 * data[9]== -262955)
s.add(( 473 * data[0]
                                 - 57 * data[1]
                                 - 477 * data[2]
                                 + 164 * data[3]
                                 - 22 * data[4]
                                 - 865 * data[5]
                                 - 784 * data[6]
                                 - 768 * data[7]
                                 + 416 * data[8]
                                - 121 * data[9]== -180990))
s.add(944 * data[0]
                                      - 912 * data[1]
                                      + 667 * data[2]
                                      + 303 * data[3]
                                      + 524 * data[4]
                                      - 523 * data[5]
                                      + 227 * data[6]
                                      + 799 * data[7]
                                      - 618 * data[8]
                                      - 739 * data[9]== 156060)
s.add(597 * data[0]
                                              - 381 * data[1]
                                              - 996 * data[2]
                                              + 109 * data[3]
                                              + 476 * data[4]
                                              - 48 * data[5]
                                              - 710 * data[6]
                                              - 384 * data[7]
                                              - 390 * data[8]
                                              - 507 * data[9]== -143022)
s.add((164 * data[0]
                                                      - 300 * data[1]
                                                      - 808 * data[2]
                                                      + 308 * data[3]
                                                      + 311 * data[4]
                                                      - 144 * data[5]
                                                      + 230 * data[6]
                                                      + 251 * data[7]
                                                      + 998 * data[8]
                                                      - 469 * data[9]== 18791))
s.add((301 * data[0]
                                                              + 571 * data[1]
                                                              + 955 * data[2]
                                                              - 462 * data[3]
                                                              - 4 * data[4]
                                                              - 541 * data[5]
                                                              - 380 * data[6]
                                                              + 96 * data[7]
                                                              - 62 * data[8]
                                                              - 452 * data[9]== 60199))
s.add((703 * data[0]
                                                                      - 635 * data[1]
                                                                      - 733 * data[2]
                                                                      + 119 * data[3]
                                                                      - 549 * data[4]
                                                                      + 220 * data[5]
                                                                      + 739 * data[6]
                                                                      + 102 * data[7]
                                                                      + 812 * data[8]
                                                                      - 770 * data[9]== -48454))
s.add((207 * data[0]
                                                                       + 426 * data[1]
                                                                       + 324 * data[2]
                                                                       + 403 * data[3]
                                                                       + 149 * data[4]
                                                                       + 257 * data[5]
                                                                       + 765 * data[6]
                                                                       - 368 * data[7]
                                                                       + 707 * data[8]
                                                                       - 221 * data[9]== 202674 ))
print s.check()
m = s.model()
print m
print ''.join(chr(int(str(m.evaluate(data[i])))) for i in range(10))

FLAG : hello\0o0/

Q3

암호학 Diffie-Hellman 문제였다.

FLAG :

Q4

Chrome Extension 파일을 주는데 파일 추출하면 flag1.exe, flag2.exe, flag3.exe랑 암호화된 문자를 저장한 파일들이 나온다. python으로 만든 exe라 추출하려 했는데 실패했다.. 아쉬움

FLAG :

Q5

PPTX Format Problem? 아마.. 문제를 안봄 Guessing 같아서..

FLAG :

Q6

예선에서 나왔던 가위바위보 1000번 이기는 문제랑 유사하다.. WireShark Packet에서 ftp-data 추출하면 python exe가 나와서 추출하면 아래와 같이 나온다.

# Embedded file name: client.py
import Tkinter as tk
import tkMessageBox
import socket
from time import sleep
import threading
your_name = ''
opponent_name = ''
game_round = 0
game_timer = 4
your_choice = ''
opponent_choice = ''
TOTAL_NO_OF_ROUNDS = 1000
client = None
flag = None
window_main = tk.Tk()
window_main.title('Game Client')
serverFrame = tk.Frame(window_main)
lblHOST = tk.Label(serverFrame, text='Address:').pack(side=tk.LEFT)
entHost = tk.Entry(serverFrame)
entHost.pack(side=tk.LEFT)
lblPORT = tk.Label(serverFrame, text='Port:').pack(side=tk.LEFT)
entPort = tk.Entry(serverFrame)
entPort.pack(side=tk.LEFT)
serverFrame.pack(side=tk.TOP, pady=(5, 0))
top_welcome_frame = tk.Frame(window_main)
lbl_name = tk.Label(top_welcome_frame, text='Name:')
lbl_name.pack(side=tk.LEFT)
ent_name = tk.Entry(top_welcome_frame)
ent_name.pack(side=tk.LEFT)
btn_connect = tk.Button(top_welcome_frame, text='Connect', command=lambda : connect())
btn_connect.pack(side=tk.LEFT)
top_welcome_frame.pack(side=tk.TOP)
top_message_frame = tk.Frame(window_main)
lbl_line = tk.Label(top_message_frame, text='***********************************************************').pack()
lbl_welcome = tk.Label(top_message_frame, text='')
lbl_welcome.pack()
lbl_line_server = tk.Label(top_message_frame, text='***********************************************************')
lbl_line_server.pack_forget()
top_message_frame.pack(side=tk.TOP)
top_frame = tk.Frame(window_main)
top_left_frame = tk.Frame(top_frame, highlightbackground='green', highlightcolor='green', highlightthickness=1)
lbl_your_name = tk.Label(top_left_frame, text='Your name: ' + your_name, font='Helvetica 13 bold')
lbl_opponent_name = tk.Label(top_left_frame, text='Opponent: ' + opponent_name)
lbl_your_name.grid(row=0, column=0, padx=5, pady=8)
lbl_opponent_name.grid(row=1, column=0, padx=5, pady=8)
top_left_frame.pack(side=tk.LEFT, padx=(10, 10))
top_right_frame = tk.Frame(top_frame, highlightbackground='green', highlightcolor='green', highlightthickness=1)
lbl_game_round = tk.Label(top_right_frame, text='Game round (x) starts in', foreground='blue', font='Helvetica 14 bold')
lbl_timer = tk.Label(top_right_frame, text=' ', font='Helvetica 24 bold', foreground='blue')
lbl_game_round.grid(row=0, column=0, padx=5, pady=5)
lbl_timer.grid(row=1, column=0, padx=5, pady=5)
top_right_frame.pack(side=tk.RIGHT, padx=(10, 10))
top_frame.pack_forget()
middle_frame = tk.Frame(window_main)
lbl_line = tk.Label(middle_frame, text='***********************************************************').pack()
lbl_line = tk.Label(middle_frame, text='**** GAME LOG ****', font='Helvetica 13 bold', foreground='blue').pack()
lbl_line = tk.Label(middle_frame, text='***********************************************************').pack()
round_frame = tk.Frame(middle_frame)
lbl_round = tk.Label(round_frame, text='Round')
lbl_round.pack()
lbl_your_choice = tk.Label(round_frame, text='Your choice: None', font='Helvetica 13 bold')
lbl_your_choice.pack()
lbl_opponent_choice = tk.Label(round_frame, text='Opponent choice: ' + 'None')
lbl_opponent_choice.pack()
lbl_result = tk.Label(round_frame, text=' ', foreground='blue', font='Helvetica 14 bold')
lbl_result.pack()
round_frame.pack(side=tk.TOP)
final_frame = tk.Frame(middle_frame)
lbl_line = tk.Label(final_frame, text='***********************************************************').pack()
lbl_final_result = tk.Label(final_frame, text=' ', font='Helvetica 13 bold', foreground='blue')
lbl_final_result.pack()
lbl_line = tk.Label(final_frame, text='***********************************************************').pack()
final_frame.pack(side=tk.TOP)
middle_frame.pack_forget()
button_frame = tk.Frame(window_main)
photo_rock = tk.PhotoImage(file='rock.gif')
photo_paper = tk.PhotoImage(file='paper.gif')
photo_scissors = tk.PhotoImage(file='scissors.gif')
btn_rock = tk.Button(button_frame, text='Rock', command=lambda : choice('rock'), state=tk.DISABLED, image=photo_rock)
btn_paper = tk.Button(button_frame, text='Paper', command=lambda : choice('paper'), state=tk.DISABLED, image=photo_paper)
btn_scissors = tk.Button(button_frame, text='Scissors', command=lambda : choice('scissors'), state=tk.DISABLED, image=photo_scissors)
btn_rock.grid(row=0, column=0)
btn_paper.grid(row=0, column=1)
btn_scissors.grid(row=0, column=2)
button_frame.pack(side=tk.BOTTOM)

def game_logic(you, opponent):
    winner = ''
    rock = 'rock'
    paper = 'paper'
    scissors = 'scissors'
    player0 = 'you'
    player1 = 'opponent'
    if you == opponent:
        winner = 'draw'
    elif you == rock:
        if opponent == paper:
            winner = player1
        else:
            winner = player0
    elif you == scissors:
        if opponent == rock:
            winner = player1
        else:
            winner = player0
    elif you == paper:
        if opponent == scissors:
            winner = player1
        else:
            winner = player0
    return winner

def enable_disable_buttons(todo):
    if todo == 'disable':
        btn_rock.config(state=tk.DISABLED)
        btn_paper.config(state=tk.DISABLED)
        btn_scissors.config(state=tk.DISABLED)
    else:
        btn_rock.config(state=tk.NORMAL)
        btn_paper.config(state=tk.NORMAL)
        btn_scissors.config(state=tk.NORMAL)

def connect():
    global HOST_ADDR
    global your_name
    global HOST_PORT
    HOST_ADDR = entHost.get()
    HOST_PORT = int(entPort.get())
    if len(ent_name.get()) < 1:
        tkMessageBox.showerror(title='ERROR!!!', message='You MUST enter your first name <e.g. John>')
    else:
        your_name = ent_name.get()
        lbl_your_name['text'] = 'Your name: ' + your_name
        connect_to_server(your_name, HOST_ADDR, HOST_PORT)

def count_down(my_timer, nothing):
    global game_round
    if game_round <= TOTAL_NO_OF_ROUNDS:
        game_round = game_round + 1
    lbl_game_round['text'] = 'Game round ' + str(game_round) + ' starts in'
    while my_timer > 0:
        my_timer = my_timer - 1
        print 'game timer is: ' + str(my_timer)
        lbl_timer['text'] = my_timer
        sleep(1)

    enable_disable_buttons('enable')
    lbl_round['text'] = 'Round - ' + str(game_round)
    lbl_final_result['text'] = ''

def choice(arg):
    global opponent_choice
    global flag
    global client
    global your_choice
    global game_round
    your_choice = arg
    lbl_your_choice['text'] = 'Your choice: ' + your_choice
    lbl_opponent_choice['text'] = 'Opponent choice: ' + opponent_choice
    if client:
        enable_disable_buttons('disable')
    who_wins = game_logic(your_choice, opponent_choice)
    if who_wins == 'you':
        lbl_result['text'] = 'Result: WIN'
        client.send('round$' + str(game_round))
        if flag == None:
            client.send('state$Yes')
        else:
            client.close()
    elif who_wins == 'opponent':
        game_round = 0
        lbl_result['text'] = 'Result: LOSS'
        lbl_final_result['text'] = 'Game Out'
        lbl_final_result.config(foreground=color)
        client.close()
    else:
        game_round = 0
        lbl_result['text'] = 'Result: DRAW'
        lbl_final_result['text'] = 'Game Out'
        lbl_final_result.config(foreground=color)
        client.close()
    if game_round == TOTAL_NO_OF_ROUNDS:
        final_result = ''
        color = ''
        enable_disable_buttons('disable')
        game_round = 0
    return

def connect_to_server(name, HOST_ADDR, HOST_PORT):
    global client
    try:
        client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        client.connect((HOST_ADDR, HOST_PORT))
        client.send(name)
        btn_connect.config(state=tk.DISABLED)
        ent_name.config(state=tk.DISABLED)
        lbl_name.config(state=tk.DISABLED)
        enable_disable_buttons('disable')
        threading._start_new_thread(receive_message_from_server, (client, 'm'))
    except Exception as e:
        tkMessageBox.showerror(title='ERROR!!!', message='Cannot connect to host: ' + HOST_ADDR + ' on port: ' + str(HOST_PORT) + ' Server may be Unavailable. Try again later')

def receive_message_from_server(sck, m):
    global opponent_choice
    global opponent_name
    global flag
    while True:
        from_server = sck.recv(4096)
        if not from_server:
            break
        if from_server.startswith('welcome'):
            if from_server == 'welcome':
                lbl_welcome['text'] = 'Welcome ' + your_name
                lbl_line_server.pack()
        elif from_server.startswith('opponent_name$'):
            opponent_name = from_server.replace('opponent_name$', '')
            lbl_opponent_name['text'] = 'Opponent: ' + opponent_name
            top_frame.pack()
            middle_frame.pack()
            if client:
                client.send(str(game_round))
                client.send('state$Yes')
            lbl_welcome.config(state=tk.DISABLED)
            lbl_line_server.config(state=tk.DISABLED)
        elif from_server.startswith('$opponent_choice'):
            opponent_choice = from_server.replace('$opponent_choice', '')
            threading._start_new_thread(count_down, (game_timer, ''))
        elif from_server.startswith('flag$'):
            flag = from_server.replace('flag$', '')
            lbl_final_result['text'] = 'flag={' + str(flag) + '}'
            color = 'red'
            lbl_final_result.config(foreground=color)
            break

def on_closing():
    if tkMessageBox.askokcancel('Quit', 'Do you want to quit?'):
        if client:
            try:
                client.send('close$close')
                window_main.destroy()
                client.close()
            except:
                window_main.destroy()

        else:
            window_main.destroy()

window_main.protocol('WM_DELETE_WINDOW', on_closing)
window_main.mainloop()

문제가 조금 이상한게 guessing 요소가 너무 많다.. XOR까진 이해하겠는데 다음부터.. 모르겠다. 최대한 한 부분까지 넣었다.

from pwn import *

context.log_level = 'debug'

p = remote('192.168.10.25', 1231)

p.sendafter('Input the name=','Sung')
p.recv(4096)
sleep(2)
p.send('0')
# sleep(0.1)
p.send('state$Yes')
sleep(2)
p.recv(4096)
# p.send('flag$')
p.send('round$1000')

# p.send('state$Yes')
sleep(2)
# 
p.recv(4096)

p.send('Hihisecure')

p.send('state$Yes')
sleep(2)
p.recv(4096)
p.send('round$1000')

# a = 'Hihisecure'
# b = 'Secretcode'
# p.sendafter('Input the Decryption=',';\x0ccretcode')

p.interactive()

# Secretcode=3b0c63726574636f6465

코드에 루틴도 없는데 ㅋㅋ.. Super Guessing! 결론은 못품 아무도.

FLAG :

Q7

Unity 문제인데 C# IL Patch해서 풀었다.

FLAG : gdiojcggemie

Q8

FLAG :

Q9

주요 메소드 기능을 통해서 설명해보겠습니다.

nklib 라이브러리를 불러옴

package com.example.ndklib;

public class NativeWrapper {
    public native boolean nativeSum(boolean z, String str);

    static {
        System.loadLibrary("ndklib");
    }
}

여기서 랜덤 값으로 대충 비교해서 맞추면 this.value1++ 해준다. 추가로 boolean a() 메소드가 존재하는데 이걸 이용해서 이따가 Hooking 하게 될 것이다.

public void winCheck(int i, int i2) {
    int i3 = ((i + 3) - i2) % 3;
    new javaBisic();
    this.kk = a(this.value1);
    if (i3 == 0) {
        Toast makeText = Toast.makeText(getApplicationContext(), "비겼습니다, 아깝네요!!", 0);
        this.myToast = makeText;
        makeText.show();
    } else if (i3 == 1) {
        Toast makeText2 = Toast.makeText(getApplicationContext(), "이겼습니다. 점수 1점을 획득하셨습니다", 0);
        this.myToast = makeText2;
        this.value1++;
        makeText2.show();
    } else if (i3 == 2) {
        this.myToast = Toast.makeText(getApplicationContext(), "졌습니다..다시 시도 해 주세요", 0);
        System.out.println(this.kk);
        this.myToast.show();
    }
}

public boolean a(int i) {
    return this.value1 > 10000;
}

아까 맞추면 this.value1이 계속 1씩 증가했는데 이걸 boolean a의 리턴이 True면 축하한다고 뜨면서 플래그를 제출 할 수 있게된다. 여기서 여기서 Library의 Native 함수를 이용해서 Edit에 입력한 문자를 인자로 넣어준다.

this.Check_Score.setOnClickListener(new View.OnClickListener() {
    public void onClick(View view) {
        MainActivity mainActivity = MainActivity.this;
        final boolean a = mainActivity.a(mainActivity.value1);
        MainActivity.this.et = new EditText(MainActivity.this);
        AlertDialog.Builder builder = new AlertDialog.Builder(MainActivity.this);
        builder.setIcon((int) R.mipmap.ic_launcher);
        if (a) {
            builder.setIcon((int) R.mipmap.ic_launcher);
            builder.setTitle((CharSequence) "Title");
            builder.setMessage((CharSequence) "축하합니다!!!!!!\n관리자에게 플레그를 문의하세요!!");
            builder.setView((View) MainActivity.this.et);
        } else {
            builder.setTitle((CharSequence) "Title");
            builder.setMessage((CharSequence) "당신의 수는 " + MainActivity.this.value1 + "입니다 \n점수를 10000점 이상 받으시고, 관리자에게 플레그를 받으세요!!");
        }
        builder.setPositiveButton((CharSequence) "확인", (DialogInterface.OnClickListener) new DialogInterface.OnClickListener() {
            public void onClick(DialogInterface dialogInterface, int i) {
                MainActivity.this.aaa = nativeWrapper.nativeSum(a, MainActivity.this.et.getText().toString());
                String str = MainActivity.this.aaa ? "축하드립니다!! 플레그를 제출 해 주세요" : "코드를 다시 확인 해 주세요";
                AlertDialog.Builder builder = new AlertDialog.Builder(MainActivity.this);
                AlertDialog.Builder title = builder.setTitle((CharSequence) MainActivity.this.et.getText().toString());
                title.setMessage((CharSequence) str + "\n");
                builder.create().show();
                dialogInterface.dismiss();
            }
        });
        builder.show();
    }
});

그래서 nativeSum 함수를 보면 매우 복잡하게 되어있다.. 그래서 Native 함수도 후킹해서 strncmp가 호출되니까 v9을 후킹해서 값을 가져오면 된다.

unsigned __int64 __fastcall Java_com_example_ndklib_NativeWrapper_nativeSum(__int64 a1, __int64 a2, __int64 a3, __int64 a4)
{
  __int64 v4; // r14
  unsigned int v5; // er15
  const char *v6; // rax
  const char *v7; // r12
  unsigned __int64 result; // rax
  __int128 v9; // [rsp+0h] [rbp-58h]
  char v10; // [rsp+10h] [rbp-48h]
  char v11; // [rsp+11h] [rbp-47h]
  char v12; // [rsp+12h] [rbp-46h]
  char v13; // [rsp+13h] [rbp-45h]
  char v14; // [rsp+14h] [rbp-44h]
  char v15; // [rsp+15h] [rbp-43h]
  char v16; // [rsp+16h] [rbp-42h]
  char v17; // [rsp+17h] [rbp-41h]
  char v18; // [rsp+18h] [rbp-40h]
  unsigned __int64 v19; // [rsp+28h] [rbp-30h]

  v4 = a4;
  v19 = __readfsqword(0x28u);
  v5 = 0;
  v6 = (const char *)(*(__int64 (__fastcall **)(__int64, __int64, _QWORD))(*(_QWORD *)a1 + 1352LL))(a1, a4, 0LL);
  v9 = xmmword_880;
  *(__int128 *)((char *)&v9 + 10) = *(__int128 *)((char *)&xmmword_880 + 10);
  LOBYTE(v9) = 102;
  _mm_storeu_si128(
    (__m128i *)((char *)&v9 + 1),
    _mm_add_epi8(_mm_loadu_si128((const __m128i *)((char *)&v9 + 1)), (__m128i)xmmword_870));
  v11 -= 17;
  v13 -= 19;
  v14 -= 20;
  v15 -= 21;
  v17 -= 23;
  v18 -= 24;
  v7 = v6;
  BYTE9(v9) = BYTE1(v9) + 8;
  BYTE14(v9) = BYTE4(v9) + 9;
  v12 = BYTE2(v9) + 2;
  BYTE11(v9) = BYTE2(v9) + 19;
  BYTE12(v9) = BYTE5(v9) + 22;
  HIBYTE(v9) = (BYTE1(v9) + 8) ^ BYTE5(v9);
  v16 = BYTE7(v9) | BYTE5(v9);
  BYTE8(v9) = (BYTE1(v9) + 8) | (BYTE2(v9) + 19);
  v10 = 97;
  if ( !strncmp(v6, (const char *)&v9, 0x19uLL) )
  {
    (*(void (__fastcall **)(__int64, __int64, const char *))(*(_QWORD *)a1 + 1360LL))(a1, v4, v7);
    LOBYTE(v5) = 1;
  }
  result = __readfsqword(0x28u);
  if ( result == v19 )
    result = v5;
  return result;
}

Frida Hookin 코드입니다. public boolean a() 함수의 리턴 값을 true로 변경해서 플래그를 입력할 수 있는 단계까지 간다. 그 다음에 native 함수를 이용해서 문자열 비교를 하니까 strncmp함수를 후킹해서 Memory.readByteArray()로 값을 긁어오면 된다.

Java.perform(function(){
    console.log('START!');
    var ptr = Java.use('com.example.ctf.MainActivity');
    ptr.a.implementation = function(){
        return true;
    }
});

var nativeSum = Module.findExportByName(null,'Java_com_example_ndklib_NativeWrapper_nativeSum');
//Interceptor.attach(Module.findExportByName(null,'strncmp'),{
Interceptor.attach(Module.getExportByName('libndklib.so','strncmp'),{
    onEnter: function(args){
        console.log('strncmp args[2] : ' + args[2]);
        console.log(Memory.readByteArray(ptr(parseInt(args[1])),0x20));
    }
});

결과

FLAG : flag_A99ttEtW4h5a8c6ABy3E

Q10

Guessing zz;

FLAG : databaseencryption

후기

Super Guessing 대회지만 Q2, Q9 안드로이드 문제는 그렇게 Guessing은 아니라 재밌게 푼 거 같다. 너무 시행착오 많이 겪어서 시간 버려서 아쉬웠다. 굳굳

  1. mhibio 2020.10.30 22:16 신고

    제가 본선갔으면 더 잘했을거같아요.

  2. p1nkjelly 2020.11.02 00:23

    섹섹보

  3. cha512 2020.11.02 00:24

    제가 본선갔으면 더 잘했을거같아요.

+ Recent posts