Dream Hack write-up(4)

BigTree · May 18, 2023

rev-basic-5

LEVEL 1 : Reversing

Problem
This problem gives you a program that takes a string from the user, validates it in a fixed way, and prints correct or wrong.
Analyze the binary and find the input that prints correct!
Submit the input you found wrapped in the DH{} format.

Result of locating and decompiling the main function of chall5.exe
Function sub_140001000()

Rewriting the code of sub_140001000() in Python shows that it does the following.

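def check(user_input, byte_140003000):
    # Each adjacent pair of input bytes must sum to the stored table byte.
    for i in range(23):
        if user_input[i + 1] + user_input[i] != byte_140003000[i]:
            return False
    return True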

byte_140003000 holds the following values.
AD D8 CB CB 9D 97 CB C4 92 A1 D2 D7 D2 D6 A8 A5 DC C7 AD A3 A1 98 4C 00 00 00 00 00 00 00 00 00

Recover the flag one character at a time starting from the end, subtracting each recovered character from the value stored in byte_140003000, and you get the flag.

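# Bytes of byte_140003000 (trailing zero padding omitted)
value = ['AD', 'D8', 'CB', 'CB', '9D', '97', 'CB', 'C4', '92', 'A1', 'D2', 'D7', 'D2',
         'D6', 'A8', 'A5', 'DC', 'C7', 'AD', 'A3', 'A1', '98', '4C']
result = []
prev_value = 0  # the byte after the last character is the terminating NULL

# Walk the table backwards: input[i] = table[i] - input[i+1]
for i in range(len(value)-1, -1, -1):
    flag_value = int(value[i], 16) - prev_value
    result.append(chr(flag_value))
    prev_value = flag_value

# Characters were recovered last-to-first, so reverse them
flag = ''
for i in range(len(result)-1, -1, -1):
    flag += result[i]

print(flag)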

Therefore the flag is DH{All_l1fe_3nds_w1th_NULL}.

rev-basic-6

LEVEL 1 : Reversing

Problem
This problem gives you a program that takes a string from the user, validates it in a fixed way, and prints correct or wrong.
Analyze the binary and find the input that prints correct!
Submit the input you found wrapped in the DH{} format.

Result of decompiling the main function of chall6.exe
Function sub_140001000()

Rewriting the code of sub_140001000() in Python shows that it does the following.

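def check(user_input, byte_140003020, byte_140003000):
    # Each input byte indexes the lookup table; the result must equal the target byte.
    for i in range(18):
        if byte_140003020[user_input[i]] != byte_140003000[i]:
            return False
    return True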

Hmm.. haha, I have no intention of copying every number in byte_140003020 into code... I found the flag by eye. Only 12 numbers have to be looked up, so this way is faster.
For example, the first number in byte_140003000 is 0, and 0 is the number at the 83rd position in byte_140003020. So the first character is char(82), which is R. Do this 12 times and you get the flag.

Therefore the flag is DH{Replac3_the_w0rld}

rev-basic-8

LEVEL 1 : Reversing

Problem
This problem gives you a program that takes a string from the user, validates it in a fixed way, and prints correct or wrong.
Analyze the binary and find the input that prints correct!
Submit the input you found wrapped in the DH{} format.

Result of locating and decompiling the main function of chall8.exe
Function sub_140001000

Looking at the code of sub_140001000(), each input value is multiplied by -5, cast to unsigned __int8, and then compared with the value in byte_140003000.

That is, each of the 2^8 possible values (0-255) is multiplied by -5 and only the low 8 bits are kept; the value whose result matches the byte in byte_140003000 has to be found by brute force.

Therefore the flag is DH{Did_y0u_brute_force?}
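The brute force described above for rev-basic-8, as an added example that is not part of the original post; it goes one step further and also shows the modular-inverse shortcut that gives the same answer without searching. The post does not list chall8.exe's byte_140003000, so the target table here is constructed from the flag text stated above, and all function names are hypothetical.

```python
# Added example (not from the original post): inverting the rev-basic-8 byte check.
MASK = 0xFF  # the cast to unsigned __int8 keeps only the low 8 bits


def transform(b, mult=-5):
    """Per-byte operation the write-up describes: multiply, keep the low 8 bits."""
    return (b * mult) & MASK


def preimages(mult=-5):
    """Brute-force all 256 inputs and group them by transformed value."""
    table = {}
    for b in range(256):
        table.setdefault(transform(b, mult), []).append(b)
    return table


def is_bijective(mult):
    """True when every output byte has exactly one input (odd multipliers only)."""
    return len(preimages(mult)) == 256


def recover_bruteforce(target, mult=-5):
    """Recover the input by table lookup; fail loudly if a byte is ambiguous."""
    table = preimages(mult)
    out = bytearray()
    for t in target:
        candidates = table.get(t, [])
        if len(candidates) != 1:
            raise ValueError(f"byte {t:#04x} has {len(candidates)} preimages")
        out.append(candidates[0])
    return bytes(out)


def recover_inverse(target, mult=-5):
    """Same result without searching: multiply by the inverse of mult mod 256."""
    inv = pow(mult % 256, -1, 256)  # requires Python 3.8+
    return bytes((t * inv) & MASK for t in target)


# Constructed sample: the post does not list chall8.exe's byte_140003000, so this
# stand-in table is produced by transforming the flag text stated in the post.
KNOWN_INPUT = b"Did_y0u_brute_force?"
SAMPLE_TARGET = bytes(transform(c) for c in KNOWN_INPUT)

if __name__ == "__main__":
    print(recover_bruteforce(SAMPLE_TARGET).decode())
    print(recover_inverse(SAMPLE_TARGET).decode())
```

Because -5 is odd, the transform is a permutation of 0-255, so each table byte has exactly one matching input; an even multiplier would make `recover_bruteforce` raise instead of guessing.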

With rev-basic 8, I have finished writing write-ups for all of the rev-basic problems. Next week I should bring some other level-1 reversing problems.
