CTFLearn RSABeginner

Solve RSA decoding problems when e is small enough. Problem link | RSA Beginner

Compute factor $q$ and $p$

In order to decode RSA, we need to compute $p$ and $q$ as factors of $n$. Generally, this requires a lot of computation, but we have a good resource: a stored factor list. The pip package factordb-python is useful:

```python
from factordb.factordb import FactorDB

f = FactorDB(n)
f.connect()
factors = f.get_factor_list()
```

Compute $d$

$d$ is defined using $\phi$: ...

August 25, 2023 · 1 min · 136 words · Kazuhiro Funakoshi

CTFLearn Substitution Cipher

A problem to solve a substitution cipher, like Dancing Man by Sir Arthur Conan Doyle. Problem link The given encrypted text is: ...

August 24, 2023 · 6 min · 1084 words · Kazuhiro Funakoshi

CTFLearn Leak Me

A problem to exploit the stack with a format string attack. Problem link

When I access the program, it prompts a question, takes user input, and then prints the input.

```
$ nc rivit.dev 10003
What is your favorite format tag? some_text
some_text
```

The problem comes with the program source code and its binary.

```c
#include <stdlib.h>
#include <stdio.h>

int main() {
    setvbuf(stdout, NULL, _IONBF, 0);
    setvbuf(stdin, NULL, _IONBF, 0);

    char flag[64], buffer[64];

    FILE *f = fopen("./flag.txt", "rt");
    if (f == NULL) {
        puts("No flag.txt found, contact an admin");
        return 1;
    }

    fgets(flag, 64, f);
    fclose(f);

    printf("What is your favorite format tag? ");
    fgets(buffer, sizeof(buffer), stdin);
    printf(buffer); /* user input is passed as the format string */
    return 0;
}
```

Since it takes user input and prints it, it might be a buffer overflow problem. Let’s examine their addresses with Cutter. ...

August 22, 2023 · 3 min · 496 words · Kazuhiro Funakoshi

CTFLearn Reykjavik

A standard problem to find the flag by dynamically reverse engineering an x64 ELF binary. Problem link

Given the executable binary, we first want to extract text from it. However, all the candidate text from the strings command turns out to be false flags. Let’s examine the behavior of the program. It prompts the usage.

```
$ ./Reykjavik
Usage: Reykjavik CTFlearn{flag}
```

OK, let’s give it another try.

```
$ ./Reykjavik CTFlearn{flag}
Welcome to the CTFlearn Reversing Challenge Reykjavik v2: CTFlearn{flag}
Compile Options: ${CMAKE_CXX_FLAGS} -O0 -fno-stack-protector -mno-sse
Sorry Dude, 'CTFlearn{flag}' is not the flag :-(
```

From these external observations, we can assume the code is something like the following pseudocode. If the original program is structured like this, we can obtain the flag from memory when it compares it with the parameters. ...

August 18, 2023 · 2 min · 319 words · Kazuhiro Funakoshi

CTFLearn Impossible Equation

A problem to exploit the input guard using math. Problem link

The problem statement is:

```
$ nc rivit.dev 10011
X * 212103456793011 = 183057226632645
X = ?
```

It seems we want to compute the value of x:

$$ x = \frac{183057226632645}{212103456793011} $$

If you compute it, it should be something like 0.8630563094088945586. However, it won’t give you the flag because x must be an integer. That said, we need to overflow.

$$ 212103456793011x = 183057226632645 \pmod{2^{64}} $$

...

August 18, 2023 · 1 min · 159 words · Kazuhiro Funakoshi

CTFLearn AndhraPradesh

A problem to reverse engineer and find the correct condition. Problem link

In this challenge, I have to change the values of con1 through con5 in order to pass the tests in _start through _test4.

```nasm
; Andrha Pradesh Assembler Challenge for CTFLearn
; This challenge focuses on cmp, je and jne

section .data

welcome db "Hello CTFlearn Andhra Pradesh Assembler Challenge!",0x0a,0x00
noflag db "Sorry no flag for you :-(",0x0a,0x00
alldone db "All Done!",0x0a,0x00
baddata db "Baad Data!",0x0a,0x00
congrats db "Congrats!! You found the flag!!", 0x0a, 0x00

data dw 0xbb35,0xbb4c,0xbb3a,0xbb54,0xbb5b,0xbb57,0xbb66,0xbb52,0xbb5d,0xbb30,\
        0xbb5f,0xbb5c,0xbb5b,0xbb66,0xbb57,0xbb56,0xbb57,0xbb5c,0xbb41,0xbb4c,\
        0xbb5b,0xbb54,0xbb6b,0xbb59,0xbb6b,0xbb63

; ###################################################################
; Change the values of these five constants to solve the challenge
con1 db ???      ; C syntax for hex constant
con2 db ???      ;
con3 db ???
con4 db ????h    ; this form for hex constants is popular among assembly language programmers
con5 db ????h
; ####################################################################
; Do not change any code below here

section .bss
buffer resb 32

section .text
global _start

_start:
    xor r8, r8          ; init the exit status to 0
    mov rax, 1          ; sys_write system call
    mov rdi, 1          ; stdout (write to screen)
    mov rsi, welcome    ; memory location of string to write
    mov rdx, 51         ; number of characters in string to write
    syscall

    xor rax, rax        ; clear the rax register
    mov al, [con1]      ; move the value of con1 to the low byte of rax
    cmp al, 0xab
    je _test2
    mov r8, 1           ; exit status
    jmp _noflagforyou

_test2:
    xor rax, rax
    mov al, [con2]
    cmp al, 0xcb
    jne _test3
    mov r8, 2           ; exit status
    jmp _noflagforyou

_test3:
    mov r8, 3           ; exit status
    xor rax, rax
    mov al, [con3]
    cmp al, 0x20
    ja _noflagforyou

    mov r8, 4           ; exit status
    xor rax, rax
    mov al, [con3]
    cmp al, 20h
    jb _noflagforyou

_test4:
    ; https://en.wikibooks.org/wiki/X86_Assembly/X86_Architecture
    mov r8, 5h          ; exit status
    xor rax, rax
    mov al, [con4]
    mov ah, [con5]
    cmp ax, 0baadh
    jne _noflagforyou
    mov r8, 6h          ; exit status

_checkflag:
    xor rdx, rdx        ; clear the rdx register
    xor rcx, rcx        ; init the rcx counter to zero
    xor rbx, rbx        ; clear the rbx register
    mov bl, BYTE [con1]
    add bl, BYTE [con3]
    mov dl, BYTE [con4]
    mov dh, BYTE [con5]

_Loop1:
    xor rax, rax
    mov ax, WORD [data+rcx*2]
    sub ax, dx
    xor rax, rbx
    cmp rax, 32
    jb _baddata
    cmp rax, 126
    ja _baddata
    mov [buffer+rcx], BYTE al
    inc rcx
    cmp rcx, 26
    jb _Loop1
    mov [buffer+rcx], BYTE 0x0a

_printcongrats:
    mov rax, 1          ; sys_write system call
    mov rdi, 1          ; stdout
    mov rsi, congrats   ; memory location of string to write
    mov rdx, 32         ; number of characters in string to write
    syscall

_printflag:
    mov rax, 1          ; sys_write system call
    mov rdi, 1          ; stdout
    mov rsi, buffer     ; memory location of string to write
    mov rdx, 27         ; number of characters in string to write
    syscall
    mov r8, 0h          ; exit status
    jmp _alldone

_baddata:
    mov rax, 1          ; sys_write system call
    mov rdi, 1          ; stdout
    mov rsi, baddata    ; memory location of string to write
    mov rdx, 11         ; number of characters in string to write
    syscall
    jmp _alldone

_noflagforyou:
    mov rax, 1          ; sys_write system call
    mov rdi, 1          ; stdout
    mov rsi, noflag     ; memory location of string to write
    mov rdx, 26         ; number of characters in string to write
    syscall

_alldone:
    mov rax, 1          ; sys_write system call
    mov rdi, 1          ; stdout
    mov rsi, alldone    ; memory location of string to write
    mov rdx, 10         ; number of characters in string to write
    syscall

_byebye:
    mov rax, 60         ; exit system call
    mov rdi, r8         ; return code saved in register r8
    syscall
```

The following table shows how each conditional instruction works. ...

August 17, 2023 · 4 min · 770 words · Kazuhiro Funakoshi

CTFLearn Programming a Language

A problem to implement a stack machine. Problem here

This problem asks us to program a stack machine. My Python3 answer is below. The size of the stack is unchecked.

```python
from collections import deque
import sys


class StackLang:
    def __init__(self):
        # The stack starts with a single 0 on it.
        self.stack = deque()
        self.stack.append(0)

    def run(self, filename):
        with open(filename, 'r') as file:
            txt = file.read()
        # Dispatch one instruction per character; other characters are ignored.
        for i in txt:
            if i == '-':
                self.minus()
            elif i == '+':
                self.plus()
            elif i == '>':
                self.gt()
            elif i == '<':
                self.lt()
            elif i == '@':
                self.at()
            elif i == '.':
                self.dot()
            elif i == '€':
                self.euro()

    def minus(self):
        value = self.stack.pop()
        value = value - 1
        self.stack.append(value)

    def plus(self):
        value = self.stack.pop()
        value = value + 1
        self.stack.append(value)

    def gt(self):
        value = self.stack.popleft()
        self.stack.append(value)

    def lt(self):
        value = self.stack.pop()
        self.stack.appendleft(value)

    def at(self):
        value1 = self.stack.pop()
        value2 = self.stack.pop()
        self.stack.append(value1)
        self.stack.append(value2)

    def dot(self):
        value = self.stack.pop()
        self.stack.append(value)
        self.stack.append(value)

    def euro(self):
        ls = [chr(i) for i in self.stack]
        print("".join(ls))


def main(argv, arc):
    print(argv)
    machine = StackLang()
    machine.run(argv[1])


if __name__ == '__main__':
    main(sys.argv, len(sys.argv))
```

Takeaways

This is a quintessential problem for building a stack machine. At first I thought I should write it in Scala because it would make the code clearer: (1) case classes would comply with the BNF, and (2) parser combinators would help DSL construction by separating the instructions from the parser. ...

August 16, 2023 · 2 min · 249 words · Kazuhiro Funakoshi

CTFLearn Tone Dialing

A problem that encodes the flag into a wave file. Problem here

This problem consists of two parts:

1. Obtain the code from wav file
2. Decode

Obtain the code from wav file

I used dtmf-decoder, which extracts the tone dialing as decimal. I already have a Python3 environment and I don’t want to mess it up, so I made a modification to its installation.

```
$ git clone https://github.com/ribt/dtmf-decoder.git
$ cd dtmf-decoder/
$ python3 -m pip install -r requirements.txt --upgrade
$ chmod +x dtmf.py
$ cp dtmf.py ~/bin/dtmf
```

Then I simply run the command and obtain the code. ...

August 16, 2023 · 2 min · 283 words · Kazuhiro Funakoshi