http://reversing.kr/download.php?n=11
Purpose: Find the correct flag
File name: Easy_ELF
File type: ELF file
Using IDA to decompile this file. We can easily to found everything we need.
Go to function sub_804851() to know how to confirm flag.
It is basic xor, we can solve the problem with Python
Flag: L1NUX
http://reversing.kr/download.php?n=7
Purpose: Input the correct Name in textbox when the Serial is 76876-77776
File name: Position.exe
File type: Portable Executable 32
File info: Microsoft Visual C++ 8
Using IDA to decompile this file. In String Window view, we can’t find string “Wrong” or “Correct”. So, we find functions which call SetWindowTextW API from Import view (select API and Ctr+x). There are 2 function call SetWindowText API: sub_10C1CD0() and sub_10C15E0()
We found “Correct” string in function sub_10C1CD0(). Easy to know that function sub_10C1740() is confirm function
Go to sub_10C1740(), the first code is check length of name and serial
Then, it calculate some temp variables from Name and compare some sums with Serial.
We can easily see in my Python code
Using burp force method in my keygen code to find out name
With the result, we can try some name have meaning and end with ‘p’
Flag: bump
Đây là một bài Python bytecode. Đề bài cho một file text chứa opcode của 1 file py
Tôi dùng đến modul dis để thử mô phỏng lại bytecode thành opcode
Tham khảo bảng opcode trên http://unpyc.sourceforge.net/Opcodes.html
Cố gắng đọc và viết lại sang code python. Ghi nhớ đây là các bước thao tác với stack nên sẽ push tham số sau đó thực thi phương thức
Flag: sha256(ez_bytecde_huh)
Purpose: Input the correct flag in textbox
File name: CSharp.exe
File type: Portable Executable 32 .NET Assembly
File info: Microsoft Visual Studio .NET
Using dnSpy to decompile the file. Go to function Main(), we can see that it has run the Form1()
Go to function btnCheck_Click(), we found that it call function MetMetMet() with input is our flag
In function MetMetMet(), the body of confirm method was created by Form1.bb
When Form1() was created, Form1.bb was loaded from function MetMett() and had some changes. Thus, the original MetMett() was changed to another function but we can’t read the changed code in Debug mode.
Set breakpoints at line 6 and line 25 to read bytes of original MetMett and changed MetMett. Find address of original in PE file and replace them with changed MetMett by HxD. Reload file in dnSpy and we can see new MetMett() 🙂
private static void MetMett(byte[] chk, byte[] bt)
{
if (bt.Length == 12)
{
chk[0] = 2;
if ((bt[0] ^ 16) != 74)
{
chk[0] = 1;
}
if ((bt[3] ^ 51) != 70)
{
chk[0] = 1;
}
if ((bt[1] ^ 17) != 87)
{
chk[0] = 1;
}
if ((bt[2] ^ 33) != 77)
{
chk[0] = 1;
}
if ((bt[11] ^ 17) != 44)
{
chk[0] = 1;
}
if ((bt[8] ^ 144) != 241)
{
chk[0] = 1;
}
if ((bt[4] ^ 68) != 29)
{
chk[0] = 1;
}
if ((bt[5] ^ 102) != 49)
{
chk[0] = 1;
}
if ((bt[9] ^ 181) != 226)
{
chk[0] = 1;
}
if ((bt[7] ^ 160) != 238)
{
chk[0] = 1;
}
if ((bt[10] ^ 238) != 163)
{
chk[0] = 1;
}
if ((bt[6] ^ 51) != 117)
{
chk[0] = 1;
}
}
}
That is common xor, using python to find flag.
Flag: dYnaaMic
Purpose: Input the correct key to decrypt file (EXE)
File name: run.exe
File type: Portable Executable 32
File info: UPX v3.0
Using CFF explorer to unpacked this file, then using IDA to decompile it. First, program calculate lenght of key [ebp – 0C] and open the “file” (encrypted file)
Then, it read file to memory at byte_5415B8
Then, the memoy will be decrypted with key.
Look to the ASM code, we can rewrite decrypt code segment to Python
That is xor encrypt, if we find the part of clear file, we will find out the key. As we all know, EXE files have the same dos_header. So we can easily find the key.
Key = letsplaychess
Enter key to decrypt file, we get “file” is PE file. Then we run and get the flag. (Notice if windows decide file msvcr100d.dll, download it to same folder and run again)
Flag: Colle System
Blog ATTT 