(rev): added 2 easy challs

Added 'Out of order' and 'kidrev'
cybermouflons · Jun 30, 2024 · 2697dc2 · 2697dc2
1 parent db790dc
commit 2697dc2
Show file tree

Hide file tree

Showing 18 changed files with 224 additions and 0 deletions.
diff --git a/reverse/kidrev/challenge.yml b/reverse/kidrev/challenge.yml
@@ -0,0 +1,26 @@
+name: "kidrev"
+author: "souvlakia"
+category: reverse
+
+description: |
+  Can you reverse engineer the message that this binary produced?
+
+value: 500
+type: dynamic
+extra:
+  initial: 500
+  minimum: 50
+  decay: 25
+
+flags:
+  - GTBQ{r3v3r51n6_15_fun}
+
+files:
+  - public/chall
+
+tags:
+  - reverse
+  - easy
+
+state: visible
+version: "0.1"
diff --git a/reverse/kidrev/public/chall b/reverse/kidrev/public/chall
diff --git a/reverse/kidrev/public/output.txt b/reverse/kidrev/public/output.txt
@@ -0,0 +1 @@
+1c66 211e 1105 46e0 b90 607b 1862 74d4 190 2a11 30e0 2ce0 2667 305d 3378 2080 208c 11e 2c55 2554 2f2a 32a0
diff --git a/reverse/kidrev/setup/chall b/reverse/kidrev/setup/chall
diff --git a/reverse/kidrev/setup/chall.c b/reverse/kidrev/setup/chall.c
@@ -0,0 +1,16 @@
+#include<stdio.h>
+#include<stdlib.h>
+#include<string.h>
+#include<stdlib.h>
+
+int main(){
+    char input[100];
+    printf("Enter the string to encrypt: ");
+    scanf("%s", input);
+    srand(1337);
+    for (int i = 0; i < strlen(input); i++){
+        int x=rand();
+        x=x% 255;
+        printf("%x ", (input[i]*x ^ (x)));
+    }
+}
diff --git a/reverse/kidrev/sol/README.md b/reverse/kidrev/sol/README.md
@@ -0,0 +1,38 @@
+# Solution:
+- We view the decompilation from [IDA](https://www.hex-rays.com/products/ida/support/download_freeware/) :![](image.png)
+- It does some operations and then prints each number in hexadecimal format.
+- Since it's using rand() with a predefined seed, we can replicate the random numbers generated by the program.
+- Just remember that python's random isn't the same as C's rand() function, so we either need to run the solver in C:
+
+```c
+#include<stdio.h>
+#include<stdlib.h>
+#include<string.h>
+#include<stdlib.h>
+/* python
+print(f'int out[{len(out)}] = {"{"}',end=' ')
+for o in out:
+    print(f'{int(o,16)}, ',end=' ')
+print('};')
+*/
+
+int main(){
+    int out[22] = { 7270,  8478,  4357,  18144,  2960,  24699,  6242,  29908,  400,  10769,  12512,  11488,  9831,  12381,  13176,  8320,  8332,  286,  11349,  9556,  12074,  12960,  };
+    srand(1337);
+    for (int i = 0; i < 22; i++){
+        int x=rand();
+        x=x% 255;
+        printf("%c", (out[i] ^ (x))/x);
+    }
+}
+```
+- Or we can import a C library in python to use the rand() function.
+```python
+from ctypes import CDLL
+libc = CDLL("libc.so.6")
+libc.srand(1337)
+out='1c66 211e 1105 46e0 b90 607b 1862 74d4 190 2a11 30e0 2ce0 2667 305d 3378 2080 208c 11e 2c55 2554 2f2a 32a0'.split()
+for o in out:
+    x=libc.rand()%255
+    print(chr((int(o,16)^x)//x),end='')
+```
diff --git a/reverse/kidrev/sol/image.png b/reverse/kidrev/sol/image.png
diff --git a/reverse/kidrev/sol/solve b/reverse/kidrev/sol/solve
diff --git a/reverse/kidrev/sol/solve.c b/reverse/kidrev/sol/solve.c
@@ -0,0 +1,22 @@
+#include<stdio.h>
+#include<stdlib.h>
+#include<string.h>
+#include<stdlib.h>
+
+
+/* python
+print(f'int out[{len(out)}] = {"{"}',end=' ')
+for o in out:
+    print(f'{int(o,16)}, ',end=' ')
+print('};')
+*/
+
+int main(){
+    int out[22] = { 7270,  8478,  4357,  18144,  2960,  24699,  6242,  29908,  400,  10769,  12512,  11488,  9831,  12381,  13176,  8320,  8332,  286,  11349,  9556,  12074,  12960,  };
+    srand(1337);
+    for (int i = 0; i < 22; i++){
+        int x=rand();
+        x=x% 255;
+        printf("%c", (out[i] ^ (x))/x);
+    }
+}
diff --git a/reverse/kidrev/sol/solve.py b/reverse/kidrev/sol/solve.py
@@ -0,0 +1,7 @@
+from ctypes import CDLL
+libc = CDLL("libc.so.6")
+libc.srand(1337)
+out='1c66 211e 1105 46e0 b90 607b 1862 74d4 190 2a11 30e0 2ce0 2667 305d 3378 2080 208c 11e 2c55 2554 2f2a 32a0'.split()
+for o in out:
+    x=libc.rand()%255
+    print(chr((int(o,16)^x)//x),end='')
diff --git a/reverse/out-of-order/challenge.yml b/reverse/out-of-order/challenge.yml
@@ -0,0 +1,27 @@
+name: "Out of order"
+author: "souvlakia"
+category: reverse
+
+description: |
+  Two friends communicate with each other encrypting their messages using this program. They think that nobody except them can figure out how to reverse the message. Can you prove them wrong?
+
+value: 500
+type: dynamic
+extra:
+  initial: 500
+  minimum: 50
+  decay: 25
+
+flags:
+  - GTBQ{1n7r0_70_r3v3r51n6}
+
+files:
+  - public/order.txt
+  - public/source.py
+
+tags:
+  - reverse
+  - easy
+
+state: visible
+version: "0.1"
diff --git a/reverse/out-of-order/public/order.txt b/reverse/out-of-order/public/order.txt
@@ -0,0 +1 @@
+201003301111332222302002122223123110212033001323321131112002323022012023112
diff --git a/reverse/out-of-order/public/source.py b/reverse/out-of-order/public/source.py
@@ -0,0 +1,27 @@
+from secret import FLAG
+operations=[
+    lambda x: x*2,
+    lambda x: x+1,
+    lambda x: x-4,
+    lambda x: x^42
+]
+f=open('order.txt','r')
+
+def enc1(msg:str):
+    enc=[]
+    for c in msg:
+        c=ord(c)
+        enc.append(operations[int(f.read(1))](c)) 
+    return enc
+def enc2(enc:list):
+    enc2=[]
+    for c in enc[::-1]:
+        enc2.append(operations[::-1][int(f.read(1))](c))
+    return enc2
+
+if "__main__"==__name__:
+    A=enc1(FLAG)
+    B=enc2(A)
+    print(B)
+
+# [117, 109, 221, 46, 107, 176, 43, 115, 94, 106, 113, 48, 57, 92, 50, 89, 220, 136, 49, 220, 158, 134, 169, 134]
diff --git a/reverse/out-of-order/setup/order.txt b/reverse/out-of-order/setup/order.txt
@@ -0,0 +1 @@
+201003301111332222302002122223123110212033001323321131112002323022012023112
diff --git a/reverse/out-of-order/setup/secret.py b/reverse/out-of-order/setup/secret.py
@@ -0,0 +1 @@
+FLAG='GTBQ{1n7r0_70_r3v3r51n6}'
diff --git a/reverse/out-of-order/setup/source.py b/reverse/out-of-order/setup/source.py
@@ -0,0 +1,25 @@
+from secret import FLAG
+operations=[
+    lambda x: x*2,
+    lambda x: x+1,
+    lambda x: x-4,
+    lambda x: x^42
+]
+f=open('order.txt','r')
+
+def enc1(msg:str):
+    enc=[]
+    for c in msg:
+        c=ord(c)
+        enc.append(operations[int(f.read(1))](c)) 
+    return enc
+def enc2(enc:list):
+    enc2=[]
+    for c in enc[::-1]:
+        enc2.append(operations[::-1][int(f.read(1))](c))
+    return enc2
+
+if "__main__"==__name__:
+    A=enc1(FLAG)
+    B=enc2(A)
+    print(B)
diff --git a/reverse/out-of-order/sol/order.txt b/reverse/out-of-order/sol/order.txt
@@ -0,0 +1 @@
+201003301111332222302002122223123110212033001323321131112002323022012023112
diff --git a/reverse/out-of-order/sol/solve.py b/reverse/out-of-order/sol/solve.py
@@ -0,0 +1,31 @@
+rev_operations=[
+    lambda x: x//2,
+    lambda x: x-1,
+    lambda x: x+4,
+    lambda x: x^42
+]
+def dec2(enc:list,order:str):
+    i=0
+    dec2=[]
+    for c in enc:
+        dec2.append(rev_operations[::-1][int(order[i])](c))
+        i+=1
+    return dec2[::-1]
+
+def dec1(enc:list,order:str):
+    i=0
+    dec1=[]
+    for c in enc:
+        dec1.append(rev_operations[int(order[i])](c))
+        i+=1
+    return dec1
+
+enc2=[117, 109, 221, 46, 107, 176, 43, 115, 94, 106, 113, 48, 57, 92, 50, 89, 220, 136, 49, 220, 158, 134, 169, 134]
+order=open('order.txt','r').read()[:len(enc2)*2]
+order1=order[:len(enc2)]
+order2=order[len(enc2):]
+enc1=dec2(enc2,order2)
+FLAG=dec1(enc1,order1)
+print(bytes(FLAG).decode())
+
+
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		1c66 211e 1105 46e0 b90 607b 1862 74d4 190 2a11 30e0 2ce0 2667 305d 3378 2080 208c 11e 2c55 2554 2f2a 32a0
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		201003301111332222302002122223123110212033001323321131112002323022012023112