# 3kctf rev writeup ## Pyzzle1 1. Transform cst ast to python code ```python3= from libcst import * ast = Module(...) print(ast.code) ``` 2. Recover plaintext ```python3= K1 = '..' K2 = '..' R3 = '..' L3 = '..' n = 26936 def exor(a, b): temp = "" for i in range(n): if (a[i] == b[i]): temp += "0" else: temp += "1" return temp import binascii from Crypto.Util.number import long_to_bytes p1 = exor(exor(L3,R3),K2) p2 = exor(exor(R3, K1), K2) print(binascii.unhexlify( long_to_bytes(int(p2+p1,2))).decode("ascii")) ``` ## Pyzzle2 1. Graph the file 2. Guess the chars ```python3= edges = [(1, 2), ... (143, 144)] coords = [(1, 5, 5), ... (144, 1845, 105)] tdic = {} import networkx as nx import matplotlib.pyplot as plt G=nx.Graph() for num, x, y in coords: G.add_node(num, pos=(x, y)) tdic[num] = (x, y) for e1, e2 in edges: G.add_edge(e2, e1, color='g',weight=10) weights = nx.get_edge_attributes(G,'weight').values() nx.draw(G, tdic, weights) plt.show() ``` ## Game2 1. Extract the scene using utinyripper 2. load it in a unity project 3. read the flag on the wall ## Game1 1. Strings on level0 2. extract names 3. bruteforce ```csharp= class Program { static void Main(string[] args) { var lines = new List<string> { "Tanit", "Astarté", "Amilcar", "Melqart", "Dido", "Hannibal" }; foreach (string line1 in lines) { foreach (string line2 in lines) { foreach (string line3 in lines) { foreach (string line4 in lines) { foreach (string line5 in lines ) { foreach (string line6 in lines) { string key = line1 + line2 + line3 + line4 + line5 + line6; string cipherText = "jR9MDCzkFQFzZtHjzszeYL1g6kG9+eXaATlf0wCGmnf62QJ9AjmemY0Ao3mFaubhEfVbXfeRrne/VAD59ESYrQ=="; byte[] array = Convert.FromBase64String(cipherText); string result; using (Aes aes = Aes.Create()) { Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(key, new byte[] { 73, 118, 97, 110, 32, 77, 101, 100, 118, 101, 100, 101, 118 }); aes.Key = rfc2898DeriveBytes.GetBytes(32); aes.IV = rfc2898DeriveBytes.GetBytes(16); // Console.WriteLine(aes.Key); try { using (MemoryStream memoryStream = new MemoryStream()) { using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateDecryptor(), CryptoStreamMode.Write)) { cryptoStream.Write(array, 0, array.Length); cryptoStream.Close(); } cipherText = Encoding.ASCII.GetString(memoryStream.ToArray()); Console.WriteLine(cipherText); } result = cipherText; } catch (Exception) { result = "wrong Order mate "; } } } } } } } } } ``` ## microscopic 1. Identify child code ![](https://i.imgur.com/Y3p2rfX.png) 2. Understand Handler function. ![](https://i.imgur.com/ye5ILrL.png) 3. Recover flag. ```python= array = [ 0x00000014, 0x0000004D, 0x0000005E, 0x0000004C, 0x0000004A, 0x0000004E, 0x0000001D, 0x00000051, 0x00000056, 0x0000005C, 0x0000004C, 0x0000005F, 0x00000084, 0x0000004F, 0x0000005F, 0x00000051, 0x00000065, 0x0000006F, 0x00000062, 0x00000062, 0x00000056, 0x0000006A, 0x00000058, 0x0000008F, 0x0000005A, 0x0000006A, 0x0000005C, 0x00000070, 0x0000007A, 0x00000070, 0x0000006C, 0x00000069, 0x00000062, 0x00000099, 0x00000063, 0x00000076, 0x00000074, 0x0000002B, 0x00000080 ] flag = "" for i, c in enumerate(array): flag += chr(((c - i)^39)&0xff) print(flag) ``` # Passage 1. Identify the code Easy since we get symbols. ```$ nm -a turing_says```. Search for bf_BACKWARD_N_fmt1 in github. We get https://github.com/HexHive/printbf 2. Read the python tokenizer. Understand the bytecode 3. Dump it in the program 4. Identify code that does stuff and sequences of 0x5 x 0x6 x, those are print byte. See a lot code at the end after print. 5. Set breakpoint on ret in loop function 6. Dump flag that is calculated ![](https://i.imgur.com/xfYSdjw.png) ## Crypto++ 1. Identify md5 function 2. crack chars 3. Code has SSE, see how hashes are loaded in stack 4. Write down reordered flag chars. Flag is 87 chars 5. Make a mapping function from ordered -> unordered ![](https://i.imgur.com/cEQaYvn.png) 6. Find solution ```python3= swap_flag= "k_3l73na1b_0_yc{5?0liwf0ecs3f88he8?__0ntnsd1u7640d42_35glg'9h_90c07}k814gbsds30hs9_tcr1" f = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!'#$%&()*+,-./:;<=>?@{}[]" out = "170jV9Ma?}tTy8(2&FQ3Hq<:='PoY%.Ez>GRIBAJmc;{C-Srwx4WflXDkud@hO#!g*)]N/ZinUs+5[vKe,p6$bL" dd = {} for i, b in enumerate(f): dd[i] = out.index(b) flag = "" for i, z in enumerate(swap_flag): flag += swap_flag[dd[i]] print(flag) ```