0xL4ugh CTF 2023

Challenges

easybesy

we are presented with an exe file that is written in OOP here’s a quick blog post about how to understand OOP in assemply

Once you opened it you will be asked to enter the flag.

So let’s reverse it out. I started with correcting the naming on the assembly as mentioned in my blog post

Our input length is compared at the start with “26” So we now know the length of the flag.

What happens here is a shift left operation with 4 digits and because a 4-digit shift in binary is one digit shift in hexadecimal we are actually flipping the ASCII of the entered character

41 --> 14
42 --> 24 ...etc

So We just need to flip the reference that our input will be compared with to get our flag.

So this

will be this

snaky

Here we are presented with a python byte code assembly you may take a while if it’s the first time looking at a python byte code assembly

  2           0 LOAD_CONST               1 (0)
              2 LOAD_CONST               0 (None)
              4 IMPORT_NAME              0 (base64)
              6 STORE_FAST               0 (base64)

  3           8 LOAD_CONST               1 (0)
             10 LOAD_CONST               2 (('Fernet',))
             12 IMPORT_NAME              1 (cryptography.fernet)
             14 IMPORT_FROM              2 (Fernet)
             16 STORE_FAST               1 (Fernet)
             18 POP_TOP

  4          20 LOAD_CONST               3 (b'gAAAAABj7Xd90ySo11DSFyX8t-9QIQvAPmU40mWQfpq856jFl1rpwvm1kyE1w23fyyAAd9riXt-JJA9v6BEcsq6LNroZTnjExjFur_tEp0OLJv0c_8BD3bg=')
             22 STORE_FAST               2 (encMessage)

  5          24 LOAD_FAST                0 (base64)
             26 LOAD_METHOD              3 (b64decode)
             28 LOAD_CONST               4 (b'7PXy9PSZmf/r5pXB79LW1cj/7JT6ltPEmfjk8sHljfr6x/LyyfjymNXR5Z0=')
             30 CALL_METHOD              1
             32 STORE_FAST               3 (key_bytes)

  6          34 BUILD_LIST               0
             36 STORE_FAST               4 (key)

  7          38 LOAD_FAST                3 (key_bytes)
             40 GET_ITER
        >>   42 FOR_ITER                 9 (to 62)
             44 STORE_FAST               5 (k_b)

  8          46 LOAD_FAST                4 (key)
             48 LOAD_METHOD              4 (append)
             50 LOAD_FAST                5 (k_b)
             52 LOAD_CONST               5 (160)
             54 BINARY_XOR
             56 CALL_METHOD              1
             58 POP_TOP
             60 JUMP_ABSOLUTE           21 (to 42)

 10     >>   62 LOAD_GLOBAL              5 (bytes)
             64 LOAD_FAST                4 (key)
             66 CALL_FUNCTION            1
             68 STORE_FAST               4 (key)

 11          70 LOAD_FAST                1 (Fernet)
             72 LOAD_FAST                4 (key)
             74 CALL_FUNCTION            1
             76 STORE_FAST               6 (fernet)

 12          78 LOAD_FAST                6 (fernet)
             80 LOAD_METHOD              6 (decrypt)
             82 LOAD_FAST                2 (encMessage)
             84 CALL_METHOD              1
             86 LOAD_METHOD              7 (decode)
             88 CALL_METHOD              0
             90 STORE_FAST               7 (decMessage)

 13          92 LOAD_GLOBAL              8 (print)
             94 LOAD_FAST                7 (decMessage)
             96 CALL_FUNCTION            1
             98 POP_TOP
            100 LOAD_CONST               0 (None)
            102 RETURN_VALUE
None

You will notice by looking carefully at the use of the fornet module for encrypting the FLAG So take a look at the fornet documentation and you will notice a lot of similarities between the assembly and the code presented there.

just the key is not randomly generated it’s base64 encoded value XORed with key “160”

here is the script that can reverse it back

note:
  the script takes the assembly file as an argument.

from cryptography.fernet import Fernet
import base64

key_bytes=base64.b64decode(b'7PXy9PSZmf/r5pXB79LW1cj/7JT6ltPEmfjk8sHljfr6x/LyyfjymNXR5Z0=')

_key = []
for k_b in key_bytes:
  _key.append(k_b^160)

key = bytes(_key)
f = Fernet(key)

token = b'gAAAAABj7Xd90ySo11DSFyX8t-9QIQvAPmU40mWQfpq856jFl1rpwvm1kyE1w23fyyAAd9riXt-JJA9v6BEcsq6LNroZTnjExjFur_tEp0OLJv0c_8BD3bg='


decmessage= f.decrypt(token).decode("utf-8") 
print(decmessage)

And here is the result.

Let’s Go

We are given a Linux binary which also asks for Flag to check if it’s right.

So for reversing I used a remote debugging session from Linux to my windows machine.

I found the binary is not stripped which makes it easier than it’s

There are two paths in that binary the first one is doing something to our input and the second one is comparing the result to a constant value.

u507rv78qr5t6q99941422uursv94464

So let’s check what happens in our input. Here we have three paths to follow and the variable that determines which of them will be taken is an operation on the input character.

To make it easy, the assembly here checks where is the region of the character in the ASCII table.

and take an action based on if it’s

• Small Letter
• Capital Letter
• Number
• Symbol

And if it’s a letter, it will add 16 to its ASCII code.

So we need to subtract 16 from each char in our constant to get our flag.

So our flag will be e507bf78ab5d6a99941222eebcf94464

0xL4UGH{e507bf78ab5d6a99941222eebcf94464}