1CAT CTF Write-ups (Մաս #3) — SanityCheck, ReverseFlash, ShortCircuit, Lunchtimedoubly, ezDecode, DriverEnRoute

SanityCheck
# Team name: Krisp

SanityCheck
# Team name: Uxtankyun

ReverseFlash, ShortCircuit, Lunchtimedoubly
# Team name: Uxtankyun

ReverseFlash, ShortCircuit, Lunchtimedoubly
# Team name: Krisp

-r-------- 1 hrachuhi hrachuhi 17 Nov 26 19:25 paris.txt
-r-------- 1 hrachuhi hrachuhi 16 Nov 26 19:25 rotterdam.txt
-rwsr-xr-x 1 hrachuhi hrachuhi 7528 Nov 27 15:18 time_is_an_illusion
valod@rt0:~ % ./time_is_an_illusion
Need exactly one argument. Please input the password.
; Stage 1 password check (excerpt: the addresses jump from the call site to
; 0x201de0, so the prologue of sub_201da0 is not shown here).
; NOTE(review): the expected password is a plaintext literal inside the binary,
; and the directory listing earlier on the page shows the binary as world-readable
; (-rwsr-xr-x), so the check does not keep a secret from anyone who can read the file.
0000000000201b7b call sub_201da0 ; sub_201da0
; rax = *(var_10 + 8), saved in var_18 and passed as __s1.
; Presumably var_10 holds argv, which would make this argv[1] — confirm against the prologue.
0000000000201de0 mov rax, qword [rbp+var_10] ; CODE XREF=sub_201da0+29
0000000000201de4 mov rax, qword [rax+8]
0000000000201de8 mov qword [rbp+var_18], rax
0000000000201dec mov rdi, qword [rbp+var_18] ; argument “__s1” for method j_strncmp
0000000000201df0 movabs rsi, aEabms62 ; argument “__s2” for method j_strncmp, “EA&)bmS]62”
; n = 9: only the first nine bytes are compared. The literal as displayed has ten
; characters, so its last character is never checked (prefix match, not equality).
0000000000201dfa mov edx, 0x9 ; argument “__n” for method j_strncmp
0000000000201dff call j_strncmp ; strncmp
; A non-zero result (mismatch) branches to loc_201e2d, which is not part of this excerpt.
0000000000201e04 cmp eax, 0x0
0000000000201e07 jne loc_201e2d
; Match path: loads the printf format that prints the first flag. The setup of the
; %s argument and the call itself are not shown in the excerpt.
0000000000201e0d movabs rdi, aEzRightHeresTh ; argument “__format” for method j_printf, “Ez right? Here’s the first flag. cyhubctf{%s} \\nYou’re on the right track, next up some encryption!\\n”
; Stage 2 setup: read up to 15 characters of rotterdam.txt into var_30, copy the
; static 16-byte key string to var_50, and zero the loop counter var_3C.
; NOTE(review): the fopen() result goes straight into fgets()/fclose() with no NULL
; test between the calls (the addresses here are contiguous), and the fgets() result
; is only stored in var_F0. A missing or unreadable file is therefore not handled.
0000000000201e3c movabs rdi, aRotterdamtxt ; argument “__filename” for method j_fopen, “rotterdam.txt”, CODE XREF=sub_201da0+136
0000000000201e46 movabs rsi, aR ; argument “__modes” for method j_fopen, “r”
0000000000201e50 call j_fopen ; fopen
0000000000201e55 lea rdi, qword [rbp+var_30] ; argument “__s” for method j_fgets
0000000000201e59 mov qword [rbp+var_38], rax ; var_38 = FILE* returned by fopen (unchecked)
0000000000201e5d mov rdx, qword [rbp+var_38] ; argument “__stream” for method j_fgets
0000000000201e61 mov esi, 0x10 ; argument “__n” for method j_fgets
0000000000201e66 call j_fgets ; fgets
0000000000201e6b mov rdi, qword [rbp+var_38] ; argument “__stream” for method j_fclose
0000000000201e6f mov qword [rbp+var_F0], rax ; fgets result kept but not tested in the visible code
0000000000201e76 call j_fclose ; fclose
; Two qword moves copy 16 bytes of the constant string (15 characters plus the
; terminator, as displayed) into var_50..var_48+7. The XOR key is thus a fixed value
; embedded in the binary, so the XOR step is obfuscation rather than encryption.
0000000000201e7b mov rcx, qword [aJturhfyghtyght] ; “jturhfyghtyghty”
0000000000201e83 mov qword [rbp+var_50], rcx
0000000000201e87 mov rcx, qword [aJturhfyghtyght+8] ; 0x2009e8
0000000000201e8f mov qword [rbp+var_48], rcx
0000000000201e93 mov dword [rbp+var_3C], 0x0 ; i = 0
; Loop 1: for (i = 0; i < strlen(var_30); i++) var_60[i] = var_30[i] ^ var_50[i];
; var_30 is the line read from rotterdam.txt and var_50 the static key copy.
; strlen() is re-evaluated on every iteration; the comparison is unsigned (jae).
; The bound is the length of the fgets() buffer (at most 15 characters), so the key
; index stays inside the 16 bytes copied to var_50.
loc_201e9a:
0000000000201e9a lea rdi, qword [rbp+var_30] ; argument “__s” for method j_strlen, CODE XREF=sub_201e32+183
0000000000201e9e movsxd rax, dword [rbp+var_3C]
0000000000201ea2 mov qword [rbp+var_F8], rax ; spill i across the call
0000000000201ea9 call j_strlen ; strlen
0000000000201eae mov rcx, qword [rbp+var_F8]
0000000000201eb5 cmp rcx, rax
0000000000201eb8 jae loc_201eee ; i >= strlen(var_30): leave the loop
0000000000201ebe movsxd rax, dword [rbp+var_3C]
0000000000201ec2 movsx ecx, byte [rbp+rax+var_30] ; ecx = var_30[i]
0000000000201ec7 movsxd rax, dword [rbp+var_3C]
0000000000201ecb movsx edx, byte [rbp+rax+var_50] ; edx = key[i]
0000000000201ed0 xor ecx, edx
0000000000201ed2 mov byte [rbp+var_61], cl ; temporary byte
0000000000201ed5 mov cl, byte [rbp+var_61]
0000000000201ed8 movsxd rax, dword [rbp+var_3C]
0000000000201edc mov byte [rbp+rax+var_60], cl ; var_60[i] = var_30[i] ^ key[i]
0000000000201ee0 mov eax, dword [rbp+var_3C]
0000000000201ee3 add eax, 0x1
0000000000201ee6 mov dword [rbp+var_3C], eax ; i++
0000000000201ee9 jmp loc_201e9a
; After loop 1: terminate var_60, print the Stage 2 prompt and read the user's
; answer into var_80 with scanf("%s").
; NOTE(review): "%s" has no field width, so scanf() writes as many bytes as the user
; supplies into the stack buffer at var_80. Assuming Hopper's var_N names map to
; rbp-N, only about 0x20 bytes separate var_80 from var_61/var_60 — TODO confirm the
; real buffer size. In a set-uid program this is a stack overflow on untrusted
; input; a bounded read (a width in the format, or fgets) is the usual fix.
loc_201eee:
0000000000201eee movsxd rax, dword [rbp+var_3C] ; CODE XREF=sub_201e32+134
0000000000201ef2 mov byte [rbp+rax+var_60], 0x0 ; var_60[i] = '\0'
0000000000201ef7 movabs rdi, aPleaseInputThe ; argument “__format” for method j_printf, “Please input the password for Stage2: “
0000000000201f01 mov al, 0x0 ; al = 0 before the variadic call (no vector-register arguments)
0000000000201f03 call j_printf ; printf
0000000000201f08 lea rsi, qword [rbp+var_80] ; destination buffer for the unbounded %s
0000000000201f0c movabs rdi, aS ; argument “__format” for method j_scanf, “%s”
0000000000201f16 mov dword [rbp+var_FC], eax ; printf's return value, stored and not used in the visible code
0000000000201f1c mov al, 0x0
0000000000201f1e call j_scanf ; scanf
0000000000201f23 mov dword [rbp+var_3C], 0x0 ; i = 0 for the second loop
; Loop 2: for (i = 0; i < strlen(var_80); i++) var_A0[i] = var_80[i] ^ var_50[i];
; var_80 is the user's input and var_50 the same static key used in loop 1.
; NOTE(review): i is bounded only by the length of the user input. Nothing in the
; visible code limits it to the 16 key bytes copied to var_50 or to the size of
; var_A0, and the scanf("%s") that fills var_80 is itself unbounded. Long input
; makes this loop read and write outside the intended buffers.
loc_201f2a:
0000000000201f2a lea rdi, qword [rbp+var_80] ; argument “__s” for method j_strlen, CODE XREF=sub_201e32+336
0000000000201f2e movsxd rax, dword [rbp+var_3C]
0000000000201f32 mov qword [rbp+var_108], rax ; spill i across the call
0000000000201f39 call j_strlen ; strlen
0000000000201f3e mov rcx, qword [rbp+var_108]
0000000000201f45 cmp rcx, rax
0000000000201f48 jae loc_201f87 ; i >= strlen(var_80): leave the loop
0000000000201f4e movsxd rax, dword [rbp+var_3C]
0000000000201f52 movsx ecx, byte [rbp+rax+var_80] ; ecx = input[i]
0000000000201f57 movsxd rax, dword [rbp+var_3C]
0000000000201f5b movsx edx, byte [rbp+rax+var_50] ; edx = key[i] (index not clamped to the key length)
0000000000201f60 xor ecx, edx
0000000000201f62 mov byte [rbp+var_A1], cl ; temporary byte
0000000000201f68 mov cl, byte [rbp+var_A1]
0000000000201f6e movsxd rax, dword [rbp+var_3C]
0000000000201f72 mov byte [rbp+rax+var_A0], cl ; var_A0[i] = input[i] ^ key[i]
0000000000201f79 mov eax, dword [rbp+var_3C]
0000000000201f7c add eax, 0x1
0000000000201f7f mov dword [rbp+var_3C], eax ; i++
0000000000201f82 jmp loc_201f2a
; After loop 2: terminate var_A0 and compare it with var_60 using strcmp().
; Both buffers were XORed with the same static key, so this amounts to comparing
; the user's input with the line read from rotterdam.txt.
; NOTE(review): XOR output can contain a 0x00 byte wherever a data byte equals the
; key byte, and strcmp() stops at the first 0x00. The comparison can therefore cover
; fewer bytes than the full strings.
loc_201f87:
0000000000201f87 lea rsi, qword [rbp+var_A0] ; argument “__s2” for method j_strcmp, CODE XREF=sub_201e32+278
0000000000201f8e lea rdi, qword [rbp+var_60] ; argument “__s1” for method j_strcmp
0000000000201f92 movsxd rax, dword [rbp+var_3C]
0000000000201f96 mov byte [rbp+rax+var_A0], 0x0 ; var_A0[i] = '\0'
0000000000201f9e call j_strcmp ; strcmp
; A non-zero result (mismatch) branches to loc_201fc6, which is not part of this excerpt.
0000000000201fa3 cmp eax, 0x0
0000000000201fa6 jne loc_201fc6
; Match path: rsi = the raw user input (var_80), which the format string below
; prints inside cyhubctf{...}.
0000000000201fac lea rsi, qword [rbp+var_80]
0000000000201fb0 movabs rdi, aNsometimesCryp ;
argument “__format” for method j_printf, “\\nSometimes Crypto is EZ. Use this as a flag. cyhubctf{%s}\\n”
Please input the password for Stage2: asd
ERROR CODE: 014d40490e521617064240025b460b
nope.
// Stage 3 (decompiler pseudo-code): read the current time, convert it with
// localtime(), and print the contents of paris.txt only if one int field of the
// resulting struct equals 0x2a (42).
// NOTE(review): the only gate is the wall clock, which is not a secret. A privileged
// file read should not depend on a value every caller can observe.
rdi = &var_B8;
time(rdi);
// Tests errno (via __error()) instead of time()'s return value. No reset of errno
// is visible before the call, so a stale non-zero errno would take the error path.
if (*(int32_t *)__error(rdi, rsi, rdx) == 0x0) goto loc_20208f;
loc_202063:
printf(“ERROR: Could not get time: %s”, strerror(*(int32_t *)__error(rdi, rsi, rdx)));
goto loc_20218b;
loc_20208f:
rdi = &var_B8;
var_C0 = localtime(rdi);
// Same pattern: errno is tested, while the pointer returned by localtime() is
// never compared with NULL before it is dereferenced below.
if (*(int32_t *)__error(rdi, rsi, rdx) == 0x0) goto loc_2020dc;
loc_2020b0:
printf(“ERROR: Could not get time: %s”, strerror(*(int32_t *)__error(rdi, rsi, rdx)));
goto loc_20218b;
loc_2020dc:
// Reads the int at offset 4 of the struct returned by localtime(). On the usual
// struct tm layout (tm_sec at 0, tm_min at 4) that is tm_min, so the condition
// would be "minute == 42" — confirm against the target's <time.h>.
if (*(int32_t *)(var_C0 + 0x4) == 0x2a) {
// fopen() result is used without a NULL check; fgets() reads at most 0x10 - 1 characters.
var_E8 = fopen(“paris.txt”, “r”);
fgets(&var_E0, 0x10, var_E8);
fclose(var_E8);
printf(“Congradulations, here’s the last flag → cyhubctf{%s}\n”, &var_E0);
rax = exit(0x0);
}
else {
printf(“Nope you aint getting the last one… … …”);
// sub_201d70 is not shown on the page; its behaviour cannot be determined from here.
rax = sub_201d70();
}
return rax;

ezDecode
# Team name: Uxtankyun

DriverEnRoute
# Team name: Uxtankyun


CyHub Armenia is the main cybersecurity hub in Armenia. We are setting the stage for the next technological breakthroughs in Armenia’s cybersecurity.
