picoCTF2020-RE


picoCTF

Reverse Engineering


vault-door-training

Your mission is to enter Dr. Evil’s laboratory and retrieve the blueprints for his Doomsday Project. The laboratory is protected by a series of locked vault doors. Each door is controlled by a computer and requires a password to open. Unfortunately, our undercover agents have not been able to obtain the secret passwords for the vault doors, but one of our junior agents obtained the source code for each vault’s computer! You will need to read the source code for each level to figure out what the password is for that vault door. As a warmup, we have created a replica vault in our training facility. The source code for the training vault is here: VaultDoorTraining.java

The password is revealed in the program’s source code.

Reading the source code is enough to solve this one.

String input = userInput.substring("picoCTF{".length(),userInput.length()-1);

public boolean checkPassword(String password) {
        return password.equals("w4rm1ng_Up_w1tH_jAv4_3808d338b46");
    }

vault-door-1

This vault uses some complicated arrays! I hope you can make sense of it, special agent. The source code for this vault is here: VaultDoor1.java

Look up the charAt() method online.

Concatenating the characters in array-index order gives the flag.

vault-door-3

This vault uses for-loops and byte arrays. The source code for this vault is here: VaultDoor3.java

Make a table that contains each value of the loop variables and the corresponding buffer index that it writes to.

public boolean checkPassword(String password) {
        if (password.length() != 32) {
            return false;
        }
        char[] buffer = new char[32];
        int i;
        for (i=0; i<8; i++) {
            buffer[i] = password.charAt(i);
        }
        for (; i<16; i++) {
            buffer[i] = password.charAt(23-i);
        }
        for (; i<32; i+=2) {
            buffer[i] = password.charAt(46-i);
        }
        for (i=31; i>=17; i-=2) {
            buffer[i] = password.charAt(i);
        }
        String s = new String(buffer);
        return s.equals("jU5t_a_sna_3lpm12g94c_u_4_m7ra41");
    }

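Work through the script's logic and note that:

- the ciphertext is 32 characters long

- each password character is taken from the corresponding position in s, in turn

- concatenating them gives the flag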
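The steps above can be automated by replaying the four loops to record which password index each buffer slot reads, then inverting that mapping. This is an added example, not part of the original post; the function names are hypothetical and the target string is the constant from the source shown above.

```python
# Added example: invert the index shuffle in VaultDoor3.checkPassword.
TARGET = "jU5t_a_sna_3lpm12g94c_u_4_m7ra41"  # constant from the Java source above


def source_indices(n=32):
    """Replay the four Java loops; src[i] is the password index copied into buffer[i]."""
    src = [None] * n
    i = 0
    while i < 8:            # for (i=0; i<8; i++)      buffer[i] = password.charAt(i)
        src[i] = i
        i += 1
    while i < 16:           # for (; i<16; i++)        buffer[i] = password.charAt(23-i)
        src[i] = 23 - i
        i += 1
    while i < 32:           # for (; i<32; i+=2)       buffer[i] = password.charAt(46-i)
        src[i] = 46 - i
        i += 2
    for i in range(31, 16, -2):   # for (i=31; i>=17; i-=2) buffer[i] = password.charAt(i)
        src[i] = i
    return src


def recover_password(target=TARGET):
    """Undo the shuffle: put each target character back at the index it was read from."""
    src = source_indices(len(target))
    # The shuffle can only be undone if every password index is read exactly once.
    if sorted(src) != list(range(len(target))):
        raise ValueError("index mapping is not a permutation")
    password = [""] * len(target)
    for buf_idx, pw_idx in enumerate(src):
        password[pw_idx] = target[buf_idx]
    return "".join(password)


if __name__ == "__main__":
    print("picoCTF{" + recover_password() + "}")
```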

vault-door-4

This vault uses ASCII encoding for the password. The source code for this vault is here: VaultDoor4.java

Use a search engine to find an “ASCII table”.
You will also need to know the difference between octal, decimal, and hexadecimal numbers.

public boolean checkPassword(String password) {
        byte[] passBytes = password.getBytes();
        byte[] myBytes = {
            106 , 85  , 53  , 116 , 95  , 52  , 95  , 98  ,
            0x55, 0x6e, 0x43, 0x68, 0x5f, 0x30, 0x66, 0x5f,
            0142, 0131, 0164, 063 , 0163, 0137, 0146, 064 ,
            'a' , '8' , 'c' , 'd' , '8' , 'f' , '7' , 'e' ,
        };
        for (int i=0; i<32; i++) {
            if (passBytes[i] != myBytes[i]) {
                return false;
            }
        }
        return true;
    }

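Process the array row by row: the four rows are decimal ASCII codes, hexadecimal values, octal values, and literal characters, respectively. Concatenating the decoded characters gives the flag.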
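The four literal styles can be decoded in one pass by applying Java's integer-literal rules to the initializer text, where a leading 0 means octal (Python would reject `0142`). This is an added example, not part of the original post; the function names are hypothetical and the initializer is copied from the source shown above.

```python
# Added example: decode the mixed-base myBytes initializer from VaultDoor4.
import re

# Initializer text copied from the Java source above.
JAVA_INIT = """
    106 , 85  , 53  , 116 , 95  , 52  , 95  , 98  ,
    0x55, 0x6e, 0x43, 0x68, 0x5f, 0x30, 0x66, 0x5f,
    0142, 0131, 0164, 063 , 0163, 0137, 0146, 064 ,
    'a' , '8' , 'c' , 'd' , '8' , 'f' , '7' , 'e' ,
"""


def java_literal_to_int(tok):
    """Convert one Java byte/char literal to its integer value."""
    if re.fullmatch(r"'.'", tok):                 # character literal, e.g. 'a'
        return ord(tok[1])
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", tok):   # hexadecimal, e.g. 0x5f
        return int(tok, 16)
    if re.fullmatch(r"0[0-7]+", tok):             # leading zero: octal in Java, e.g. 063
        return int(tok, 8)
    if re.fullmatch(r"0|[1-9][0-9]*", tok):       # plain decimal
        return int(tok, 10)
    raise ValueError("unsupported literal: %r" % tok)


def decode_initializer(text=JAVA_INIT):
    """Split the initializer on commas and decode every literal to one ASCII character."""
    # Splitting on ',' is safe here because no element is the character literal ','.
    tokens = [t.strip() for t in text.split(",") if t.strip()]
    return bytes(java_literal_to_int(t) for t in tokens).decode("ascii")


if __name__ == "__main__":
    print("picoCTF{" + decode_initializer() + "}")
```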

vault-door-5

In the last challenge, you mastered octal (base 8), decimal (base 10), and hexadecimal (base 16) numbers, but this vault door uses a different change of base as well as URL encoding! The source code for this vault is here: VaultDoor5.java

You may find an encoder/decoder tool helpful, such as https://encoding.tools/
Read the wikipedia articles on URL encoding and base 64 encoding to understand how they work and what the results look like.

public String urlEncode(byte[] input) {
        StringBuffer buf = new StringBuffer();
        for (int i=0; i<input.length; i++) {
            buf.append(String.format("%%%2x", input[i]));
        }
        return buf.toString();
    }
public boolean checkPassword(String password) {
        String urlEncoded = urlEncode(password.getBytes());
        String base64Encoded = base64Encode(urlEncoded.getBytes());
        String expected = "JTYzJTMwJTZlJTc2JTMzJTcyJTc0JTMxJTZlJTY3JTVm"
                        + "JTY2JTcyJTMwJTZkJTVmJTYyJTYxJTM1JTY1JTVmJTM2"
                        + "JTM0JTVmJTM4JTM0JTY2JTY0JTM1JTMwJTM5JTM1";
        return base64Encoded.equals(expected);
    }

Concatenate the string pieces in expected, Base64-decode the result, then URL-decode it to get the flag.
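The decode chain can be checked by re-encoding the recovered password the same way the Java code does and comparing against `expected`. This is an added example, not part of the original post; the function names are hypothetical, and the re-encoder assumes printable ASCII input (for bytes below 0x10 the Java format `%2x` pads with a space rather than a zero).

```python
# Added example: reverse VaultDoor5 (Base64 over URL encoding) and verify by round trip.
import base64
from urllib.parse import unquote

# The three string pieces of `expected` from the Java source above.
EXPECTED = (
    "JTYzJTMwJTZlJTc2JTMzJTcyJTc0JTMxJTZlJTY3JTVm"
    "JTY2JTcyJTMwJTZkJTVmJTYyJTYxJTM1JTY1JTVmJTM2"
    "JTM0JTVmJTM4JTM0JTY2JTY0JTM1JTMwJTM5JTM1"
)


def java_url_encode(data):
    """Mirror urlEncode(): String.format("%%%2x", b) applied to every byte."""
    return "".join("%%%2x" % b for b in data)


def recover_password(expected=EXPECTED):
    """Base64-decode, then percent-decode, then confirm the result re-encodes to expected."""
    url_encoded = base64.b64decode(expected, validate=True).decode("ascii")
    password = unquote(url_encoded)
    # Round trip: encode the candidate exactly as checkPassword() would.
    re_encoded = base64.b64encode(
        java_url_encode(password.encode("ascii")).encode("ascii")
    ).decode("ascii")
    if re_encoded != expected:
        raise ValueError("recovered password does not re-encode to expected")
    return password


if __name__ == "__main__":
    print("picoCTF{" + recover_password() + "}")
```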

vault-door-6

This vault uses an XOR encryption scheme. The source code for this vault is here: VaultDoor6.java

If X ^ Y = Z, then Z ^ Y = X. Write a program that decrypts the flag based on this fact.

From the hint, this challenge is about XOR. After converting the values to binary, I wrote a script (my crude script follows):

modetext='01010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010'
plaintext='0011101101100101001000011010000000111000000000000011011000011101101000000011110101100001001001110001000101100110001001111010000000100001000111010110000100111011101000000010110101100101001001111010000001100110001101100011000001100111011011000110010001101100'
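# Strip any spaces left over from the binary conversion
plain=plaintext.replace(' ', '')   # the encrypted values, as one bit string
mode=modetext.replace(' ','')      # the XOR key: the bit pattern 01 repeated
print(mode)
new=''
# XOR bit by bit: a 0 in plain keeps the key bit, a 1 flips it
for i in range(0,len(plain)):
    if(plain[i]=='0'):
        new += mode[i]
    elif(plain[i]=='1'):
        new += str(1-int(mode[i]))
print(new)
print(plain)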

Converting the resulting binary to characters gives the flag.

vault-door-7

This vault uses bit shifts to convert a password string into an array of integers. Hurry, agent, we are running out of time to stop Dr. Evil’s nefarious plans! The source code for this vault is here: VaultDoor7.java

Use a decimal/hexadecimal converter such as this one: https://www.mathsisfun.com/binary-decimal-hexadecimal-converter.html
You will also need to consult an ASCII table such as this one: https://www.asciitable.com/

My script:

# The eight integer values taken from the source
x = [
    1096770097,
    1952395366,
    1600270708,
    1601398833,
    1716808014,
    1734293296,
    842413104,
    1684157793,
]
before = ''
for i in range(0, 8):
    # Undo the packing: each integer holds four characters, highest byte first
    for shift in (24, 16, 8, 0):
        before += chr((x[i] >> shift) & 0xff)
print(before)

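After working through this series of RE challenges, I have a better understanding of writing scripts and of reverse engineering. Pretty good.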
