UMass CTF 2021 - easteregg

Notice

Recent Posts

Recent Comments

Link

« 2024/05 »
일	월	화	수	목	금	토
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31

Tags more

Archives

관리 메뉴

히공

UMass CTF 2021 - easteregg 본문

write up/UMass CTF 2021

UMass CTF 2021 - easteregg

heegong 2021. 3. 30. 17:46

728x90

문제

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int i; // [rsp+4h] [rbp-18Ch]
  __int64 v5; // [rsp+8h] [rbp-188h]
  __int64 v6; // [rsp+8h] [rbp-188h]
  char *gets_value; // [rsp+10h] [rbp-180h] BYREF
  char *v8; // [rsp+18h] [rbp-178h]
  _QWORD *v9; // [rsp+20h] [rbp-170h] BYREF
  __int64 v10; // [rsp+28h] [rbp-168h]
  int v11; // [rsp+30h] [rbp-160h]
  __int64 v12[8]; // [rsp+40h] [rbp-150h] BYREF
  char s[264]; // [rsp+80h] [rbp-110h] BYREF
  unsigned __int64 v14; // [rsp+188h] [rbp-8h]

  v14 = __readfsqword(0x28u);
  if ( (unsigned int)initialize_rooms(v12, argv, envp) == -1 )
  {
    fwrite("Failed to initialize rooms!\n", 1uLL, 0x1CuLL, stderr);
    return 1;
  }
  gets_value = 0LL;
  v8 = 0LL;
  v9 = (_QWORD *)v12[0];
  v10 = 0LL;
  v11 = 0;
  puts("Welcome to Strong Bad's Cool Game for Attractive People Episode 6 - Dangeresque 4: The Criminally-Dull Projective!");
  puts("Okay, you're Dangeresque. Nobody do anything... Dangeresque!");
  putchar(10);
  puts("\"Man. That warehaus was full of action and suspense.\"");
  puts("\"Dangeresque! You're outta line!\"");
  puts("\"Oh crap! It's the chief! I was supposed to solve a case for him months ago.\"");
  puts("\"Better try and 'solve' his case quick.\"\n");
  describe_room((__int64)v9);
  do
  {
    printf("a> ");
    fflush(stdout);
    fgets(s, 256, stdin);
    if ( (unsigned int)parse_input((__int64)s, (void **)&gets_value) )
      exit(1);
    if ( !strcmp(gets_value, "look") )
    {
      describe_room((__int64)v9);
      continue;
    }
    if ( !strcmp(gets_value, "inventory") )
    {
      describe_inventory(v10);
      continue;
    }
    if ( !strcmp(gets_value, "go") )
    {
      if ( !v8 )
      {
        puts("Gotta be more specific than that, bud!");
        continue;
      }
      if ( !strcmp(v8, "north") )
      {
        if ( v9[4] )
        {
          v9 = (_QWORD *)v9[4];
          describe_room((__int64)v9);
          continue;
        }
LABEL_36:
        puts("Can't go that way!");
        continue;
      }
      if ( !strcmp(v8, "south") )
      {
        if ( v9[5] )
        {
          v9 = (_QWORD *)v9[5];
          describe_room((__int64)v9);
          continue;
        }
        goto LABEL_36;
      }
      if ( !strcmp(v8, "east") )
      {
        if ( v9[6] )
        {
          v9 = (_QWORD *)v9[6];
          describe_room((__int64)v9);
          continue;
        }
        goto LABEL_36;
      }
      if ( !strcmp(v8, "west") )
      {
        if ( v9[7] )
        {
          v9 = (_QWORD *)v9[7];
          describe_room((__int64)v9);
          continue;
        }
        goto LABEL_36;
      }
      if ( !strcmp(v8, "up") )
      {
        if ( v9[8] )
        {
          v9 = (_QWORD *)v9[8];
          describe_room((__int64)v9);
          continue;
        }
        goto LABEL_36;
      }
      if ( !strcmp(v8, "down") )
      {
        if ( v9[9] )
        {
          v9 = (_QWORD *)v9[9];
          describe_room((__int64)v9);
          continue;
        }
        goto LABEL_36;
      }
      printf("Where the hell is a \"%s\"?\n", v8);
    }
    else if ( !strcmp(gets_value, "take") )
    {
      v5 = take_item(v9, v8);
      if ( v5 )
      {
        printf("Got the %s!\n", v8);
        add_to_inventory(&v9, v5);
      }
      else
      {
        printf("There's no \"%s\" here!\n", v8);
      }
    }
    else if ( !strcmp(gets_value, "drop") )
    {
      v6 = remove_from_inventory(&v9, v8);
      if ( v6 )
      {
        printf("Dropped the %s!\n", v8);
        insert_item(v9, v6);
      }
      else
      {
        printf("I ain't got no \"%s\"!\n", v8);
      }
    }
    else if ( !strcmp(gets_value, "use") )
    {
      use_item(&v9, v8);
    }
    else if ( !strcmp(gets_value, "jhiezetfmvirlnjfbobk") )
    {
      JHIEZETFMVIRLNJFBOBK = 1;
    }
    else
    {
      printf("I don't know how to \"%s\"\n", gets_value);
    }
  }
  while ( !v11 );
  if ( JHIEZETFMVIRLNJFBOBK )
  {
    for ( i = 0; i <= 34; ++i )
      putchar(COJASZQHPZXKLAPHRHOK[i] ^ LHEIBZNXEKQSAPHHUWTQ[i]);
    putchar('\n');
  }
  if ( gets_value )
    free(gets_value);
  if ( v8 )
    free(v8);
  free_rooms(v12);
  return 0;
}

메인함수

for ( i = 0; i <= 34; ++i )
	putchar(COJASZQHPZXKLAPHRHOK[i] ^ LHEIBZNXEKQSAPHHUWTQ[i]);
putchar('\n');

가장 중요한 루틴이다.

st1 = [ord(i) for i in 'GUIYCLZVEHIPWBGOXHVFTGEVDNNDWWZHKGH']
st2 = bytes.fromhex('12 18 08 0A 10 37 37 66 28 17 78 60 67 29 18 26 07 2B 37 28 0B 35 76 37 20 11 2F 37 24 64 37 2A 7A 3E 35')

result = ''
for i in range(35):
    result += chr(st1[i] ^ st2[i])

print(result)

빠르게 코드를 만들 수 있었다.

플래그 : UMASS{m0m_100k_i_can_r3ad_ass3mb1y}

'write up > UMass CTF 2021' 카테고리의 다른 글

UMass CTF 2021 - PikCha (0)	2021.03.30
UMass CTF 2021 - notes (0)	2021.03.30

'write up/UMass CTF 2021' Related Articles

Comments

히공

UMass CTF 2021 - easteregg 본문

UMass CTF 2021 - easteregg

'write up > UMass CTF 2021' 카테고리의 다른 글

티스토리툴바