N0PSctf
Reverse Me
Name: Reverse Me
Description: Don’t complain if you can’t see me, because I have to be reversed to make me run 🙃
Category: Reverse
Author: Simone Aonzo
This is how the Reverse Me challenge was solved
the that was included were called img.jpg
why image file in a reversing challenge but lets check.
if we tried to see the image windows viewer can’t show this.
✗ strings img.jpg
...
atador.
inif.
txet.
ces.tlp.
tog.tlp.
tini.
tlp.aler.
nyd.aler.
5.2.2_CBILG
43.2_CBILG
4.2_CBILG
liaf_khc_kcats__
tixe
...
We can see some strings are related to elf files so checking with HexDump
✗ xxd img.jpg
00003870: 0000 0000 0000 1310 0000 0001 003e 0003 .............>..
00003880: 0000 0000 0000 0000 0001 0102 464c 457f ............FLE.
It seems an elf file that was reversed and now the description was clear
So now we need to reverse the bytes:
✗ emit img.jpg | /home/ubuntu/.local/bin/rev | dump img.elf
so we opened the file in IDA, and I was struggling to find the correct code on how to find what was the flag, but the function sub_401460 was receiving argv from user
the decrypt_me_flag seems like it calculate and print the flag, so I wasn’t sure so I tried to make the func sub_401460 to return true by satisfying the 4 equation that we can see here:
In order to decrypt equations there is a tool by microsoft named z3:
In [1]: from z3 import *
...:
...: # Define variables
...: arg_1, arg_2, arg_3, arg_4 = Ints('arg_1 arg_2 arg_3 arg_4')
...:
...: # Define the equations
...: eq1 = 3 * arg_4 + arg_3 + 4 * arg_2 - 10 * arg_1 == 28
...: eq2 = And(9 * arg_2 - 8 * arg_1 + 6 * arg_3 - 2 * arg_4 == 72, arg_4 - 3 * arg_2 - 2 * arg_1 - 8 * arg_3 == 29)
...: eq3 = arg_3 + 5 * arg_1 + 7 * arg_2 - 6 * arg_4 == 88
...:
...: # Create solver
...: solver = Solver()
...:
...: # Add equations to the solver
...: solver.add(eq1)
...: solver.add(eq2)
...: solver.add(eq3)
...:
...: # Check satisfiability and get the result
...: if solver.check() == sat:
...: model = solver.model()
...: print("arg_1 =", model[arg_1])
...: print("arg_2 =", model[arg_2])
...: print("arg_3 =", model[arg_3])
...: print("arg_4 =", model[arg_4])
...: else:
...: print("No solution exists.")
...:
arg_1 = -3
arg_2 = 8
arg_3 = -7
arg_4 = -9
and we got the results it was strange to see that some of the values were negative so I tried to force z3 to print only positive but the result was unsat so I tried to run the challenge with those result hopefully it will work and it does:
➜ tmp git:(master) ✗ ./img.elf_patched -3 8 -7 -9
N0PS{r1CKUNr0111N6}
Meaningful Noise
Name: Meaningful Noise
Description: iz dat a qRcOdE?
Category: Misc
Author: algorab
we get an image that looks like that
I used this script to get a sense of what the image pixels are:
from PIL import Image
import sys
im = Image.open(sys.argv[1])
bands = ''.join(im.getbands())
width, height = im.size
pre=''
for h in range(height):
for w in range(width):
pixels = im.getpixel((w,h))
if bands=='RGBA':
r,g,b,a = pixels
print (r,g,b,a)
elif bands=='RGB':
r,g,b = pixels
print (r,g,b)
else:
print (pixels)
print
we got only 0 and 255:
➜ Meaningful Noise ✗ python3 pixels.py pxls.png | sort | uniq
0
255
so I tried to change the 255 to 1 (IDK why; just tried) and I put the input in CyberChef to try if we can extract something from that
and indeed it was:
